Text messaging is a powerful tool that helps businesses reach customers faster and more effectively, but it also comes with important legal responsibilities. Texting may feel informal, yet it is regulated by strict laws and regulations just like emails or phone calls. Unsolicited or non-compliant texts aren’t just annoying to consumers—they can lead to serious penalties.
Regulators have reported a surge in spam texts and associated fraud. In recent years, the Federal Communications Commission (FCC) received, on average, 15,450 annual consumer complaints about unwanted text messages. The Federal Trade Commission (FTC) noted that Americans lost over $372 million to text message scams in one recent year. Additionally, businesses have faced costly lawsuits for texting without proper consent, with some companies being hit with multi-million dollar class-action settlements for TCPA violations.
In this article, we break down the important text message rules and regulations, along with the compliance best practices, that every business owner should know.
Telephone Consumer Protection Act (TCPA) and Texting Compliance
Why does the TCPA exist?
The U.S. Telephone Consumer Protection Act was enacted in 1991 to curb telemarketing abuses. It’s the primary federal law that regulates phone communications, including text messages. The TCPA and its implementing FCC regulations make it illegal to send text messages (SMS or MMS) to someone’s mobile phone using an autodialer without prior written consent. In other words, businesses cannot mass text people out of the blue. The law treats text messages similarly to phone calls for consumer protection purposes.
Consent Requirements:
For marketing or promotional texts, TCPA requires prior express written consent from the recipient. “Written” consent can be obtained via online forms, a text opt-in, email or even paper, as long as it’s documented. Simply having a customer’s phone number (say, from a past purchase) is not enough; if they didn’t specifically agree to receive your marketing texts, you cannot send them. Informational or transactional texts (like appointment reminders or order updates) also require prior consent, though oral consent may suffice in those cases.
Identification and Transparency:
The TCPA and FCC rules also emphasize that consumers have a right to know who’s texting them and to make it stop if desired. Every marketing text should identify your business or organization as the sender. While not explicitly spelled out in the TCPA’s text, this is a best practice and is required under many industry guidelines. In some states, it’s the law (for example, Florida prohibits masking the identity of the sender in texts).
Opt-Out Mechanism:
One of the most crucial text message rules is to offer an opt-out and honor it promptly. Consumers must be able to stop messages at any time. Typically, businesses include a line like “Reply STOP to unsubscribe” in texts. The TCPA mandates that if a consumer revokes consent, you must stop sending messages.
Recent FCC rulings in 2023-2024 have strengthened these TCPA opt-out requirements. The FCC now makes clear that consumers can revoke consent through any reasonable method, for example, replying “STOP”, texting back “unsubscribe” or even calling or emailing a removal request. You cannot require a specific opt-out method that’s hard to use; any clear indication from the consumer that they don’t want texts must be honored. Moreover, businesses must process opt-out requests within 10 business days under the new rules. You are allowed to send a one-time confirmation text to acknowledge an opt-out, but nothing further after that.
Penalties for Non-Compliance:
The TCPA packs a punch. Violations can result in $500 in damages per text and up to $1,500 per text if a court finds the violation was willful. There’s no maximum cap, so a bulk texting blast to thousands without consent can add up to millions in liability. Individuals can sue over unsolicited texts and even form class actions, turning a single mistake into a multi-million dollar lawsuit. Ensuring compliance with text message rules isn’t just legal box-checking; it’s essential risk management.
Text Message Rules and Regulations by State
In addition to the federal TCPA, many states have their own texting laws and consumer protection statutes. Business owners need to be aware of the laws in any state where their customers live. These text messaging laws by state can sometimes be even stricter than federal law, creating a patchwork of requirements.
Florida’s Mini-TCPA (FTSA):
Florida’s Telephone Solicitation Act was amended in 2021 to tighten robocall and text rules. It requires prior express written consent for telemarketing texts to Florida residents (similar to TCPA). Florida also imposes “quiet hours,” stating that no marketing texts or automated calls can be sent before 8:00 a.m. or after 8:00 p.m. local time, stricter than the federal 9:00 p.m. cutoff. Additionally, Florida limits the frequency of contact. A business may make no more than three call/text attempts to the same person within 24 hours regarding the same subject matter.
New Jersey’s Text Advertisement Law:
New Jersey enacted a law (Assembly Bill 617) prohibiting unsolicited marketing texts to state residents without prior permission. The law requires explicit consent specifying the exact phone number to be texted, and consumers can revoke consent at any time. New Jersey also set statutory penalties for violators, up to $500 for a first offense and $1,000 for each subsequent offense, enforced by the state Attorney General.
Connecticut’s Telemarketing Law:
Connecticut law likewise mandates express consent for marketing texts and imposes even steeper fines, up to $20,000 per violation of its unsolicited texting provisions. Violating Connecticut’s texting law is also deemed an unfair trade practice, giving consumers a right to sue in addition to state enforcement. This shows how some states treat text spam as a serious consumer protection issue, even beyond the TCPA.
Other States:
A number of other states have laws or regulations touching on texting for business. For example, Arizona classifies certain unwanted texts as a misdemeanor and extends its Do Not Call list to texts. Indiana includes text messages in its telemarketing and do-not-call statutes. And broadly, states like California have privacy laws (e.g. CCPA) that, while not specific to texting, regulate the handling of personal data, which can include phone numbers and text communications.
Always check the rules for any state where you’re texting customers, and if one state’s law is stricter, it’s wise to comply with that higher standard for those residents.
Privacy and Best Practices (Opt-Outs, Disclosures and Data Protection)
Aside from explicit telemarketing laws, businesses should be mindful of general text message rules and best practices. Text messages are considered a form of electronic communication that receives privacy protection. Consumers expect that their personal information and conversations won’t be misused.
Here are some best practices to stay compliant and build trust:
Clear Disclosures and Terms:
When someone opts in to your text marketing, make sure they know what they’re signing up for. Provide a clear description of the program in your opt-in form or initial text, e.g. the types of messages, frequency and any associated costs (like “Msg & Data rates may apply”). In fact, to comply with TCPA’s consent requirements, businesses should give a “clear, conspicuous disclosure” before sending the first message. Many companies accomplish this with a welcome text that confirms the subscription and includes helpful info like: the business name, customer support contact, a link to full terms and conditions or a privacy policy and instructions to text “STOP” to opt out or “HELP” for help. Not only do these disclosures set the right expectations, they also serve as evidence of consent if questions arise later.
Respecting Privacy and Sensitive Content:
Be careful about what you include in a text. Certain information is protected by privacy laws. For instance, if you’re in healthcare or finance, do not send sensitive personal data via text unless you’re complying with laws like HIPAA or GLBA. Even generally, avoid putting someone’s full account numbers, passwords or other highly sensitive info in a text. If a customer needs to provide personal details, steer them to a secure channel.
Personal text message privacy also means you shouldn’t share or sell customers’ phone numbers without permission. Under laws like CCPA in California, consumers have rights regarding how their personal data, which includes contact info, is used.
Maintain Internal Compliance Records:
Keep logs of when and how each person gave consent to your texting program. Retain copies of opt-in forms or text confirmations, and keep an updated list of anyone who opted out with the date and time of the opt-out. These records demonstrate your legal compliance if ever challenged. They can also be crucial if a customer complains, as you can show that they did opt in on a certain date, for example.
While the TCPA doesn’t mandate a specific retention period, businesses should keep records of text message campaigns, including consent logs, for at least five years. This aligns with the updated recordkeeping requirements under the Telemarketing Sales Rule (TSR), which went into effect in October 2024, and also helps cover the TCPA’s statute of limitations, which can extend up to four years.
Know the CAN-SPAM Act (if it applies):
Most business texting is governed by the TCPA, but there’s also a law called the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) that primarily covers commercial email. One part of CAN-SPAM extends to messages sent to a wireless device via email. To be safe, if you ever send mass texts through an email-to-SMS gateway, follow CAN-SPAM rules, in addition to TCPA requirements. This means including an identification that the message is an advertisement, a valid physical postal address for the business and a clear opt-out mechanism.
Stay Compliant and Connected
Business texting offers unmatched immediacy and engagement, but it’s governed by a complex and evolving patchwork of regulations. From the TCPA and FCC rules to state-specific laws, understanding and following text message rules is essential to protecting your business from legal risk.
A critical update all businesses should act on: as of December 1, 2024, any company texting from a business phone number, including toll-free or landline, must register its 10-digit long codes (10DLCs) with The Campaign Registry (TCR). This carrier-enforced rule helps ensure message deliverability and compliance. Unregistered numbers will be blocked from sending texts.
The good news? You don’t have to navigate it alone.
TextMyBusiness takes the guesswork out of business texting. Our centralized texting platform gives you a fast, reliable way to reach your customers, and we’ll guide you through 10DLC registration to make sure everything runs smoothly.
Start texting smarter with TextMyBusiness.