To send marketing (advertising/telemarketing) SMS in the U.S., you generally need "prior express written consent" when the texts are sent using automated technology covered by the TCPA and FCC rules.
For purely informational/transactional texts (e.g., appointment reminders), the consent standard is typically "prior express consent" (not written), as long as the message contains no promotional content.
You can collect this consent in a number of ways, such as through web forms, checkboxes, point-of-sale sign-ups, and more. Failing to comply with the TCPA can result in fines of up to $1500 per SMS, which can add up quickly.
This guide explains what prior express written consent means under the TCPA, how to gain consent legally, what consent language you should use on your website or in your SMS messages, and how to document your consent process properly. Following the TCPA compliance process protects your business from legal liability and financial losses.
- 1. What is the Telephone Consumer Protection Act (TCPA)?
- 2. What is SMS consent under the TCPA?
- 3. What does written consent mean under the TCPA?
- 3.1. What is one-to-one consent?
- 4. How to collect SMS consent under the TCPA?
- 4.1. Web forms
- 4.2. Keyword response (Text-to-Join)
- 4.3. Checkboxes
- 4.4. QR codes
- 4.5. Point-of-sale sign ups
- 4.6. What is a double opt-in?
- 5. What consent language is required for the TCPA?
- 5.1. What are the Cellular Telecommunications Industry Association (CTIA) guidelines?
- 6. What does "clear and conspicuous" mean under the TCPA?
- 7. How does the National Do-Not-Call Registry relate to the TCPA?
- 8. How can customers revoke consent under the TCPA?
- 9. What consent documentation should you keep for your TCPA audit trail?
- 10. Summary
What is the Telephone Consumer Protection Act (TCPA)?
The Telephone Consumer Protection Act (TCPA) is a US federal law that regulates telemarketing calls, autodialed calls, prerecorded messages, SMS messages, and faxes. The TCPA requires you to get prior express written consent before SMS marketing texts, such as promotional messages like "Check out our Black Friday Sale! Up to 50% off!". Messages such as opt-out confirmations, appointment reminders or fraud alerts are informational messages and only need "prior express consent". These transactional or informational messages must not contain promotional content.
Under the TCPA you can face fines of $500 - $1500 per violation, i.e. per violating text message. The TCPA also allows customers to sue businesses directly for violations. If you willfully or knowingly violate the TCPA, the fines are higher.
The text of the TCPA only refers to telemarketing calls but it also applies to sending SMS marketing messages as well. This was clarified in a statement from the FCC which you can see below.
To prevent your business from facing fines under the TCPA, you need to make sure your consent process is compliant with TCPA SMS marketing rules.
ATDS note (why many businesses still collect written consent): In Facebook, Inc. v. Duguid (2021), the U.S. Supreme Court narrowed the definition of an "automatic telephone dialing system" (ATDS) to equipment that uses a random or sequential number generator to store or produce numbers. Even with that narrower definition, TCPA SMS disputes frequently turn on technical details of how a platform sends messages, so many programs collect written consent and detailed logs as a risk-control measure.
What is SMS consent under the TCPA?
If you send marketing/advertising texts using automated technology covered by the TCPA (commonly described as "robotexts"), you should obtain prior express written consent. That written consent must be a clear, documented agreement (digital is fine) that authorizes your business to send marketing texts to the specific number.
Practical takeaway: If you are using an SMS platform, treat your marketing program as "robotext" risk by default and collect written consent + logs, because plaintiffs often litigate whether a system qualifies as an ATDS
Under the TCPA you need to get express written consent, as shown in section 47 CFR § 64.1200 below. This means you need to get consent in advance, in writing, and that it's a clear and explicit act of agreement. In addition, consent under the TCPA should be documented and stored.
It was clarified by the FCC that the consent must be written. The FCC states in their guidance below that "prior express written consent is required for autodialed texts that include or introduce an advertisement." What written consent means is covered in the next section.
The FCC also says that "Even if a person has provided such consent, however, his or her later opt-out request requires the sender to stop sending text advertisements." Opt-out processes are also covered in a later section in this guide.
What does written consent mean under the TCPA?
Written consent under the TCPA means that the consent needs to be given with a signature, including electronic signatures or other forms of electronic agreement. Written consent is some kind of recordable consent that shows the person agreed.
The TCPA states that "The term prior express written consent means an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages."
You can see this in section 47 CFR § 64.1200(f)(9) of the TCPA.
You can also see from section 47 CFR § 64.1200(f)(9)(i)(B) of the TCPA below that when it comes to "written" consent, the term signature includes "an electronic or digital form of signature, to the extent that such form of signature is recognized as a valid signature under applicable federal law or state contract law".
You can also see this reiterated in the FCC's order below. Being able to use electronic forms of signature makes it much easier for you to collect prior express written consent online.
The FCC order clarifies aspects of the TCPA, and explains how it interacts with the Telemarketing Sales Rule (TSR). The TSR is a Federal Trade Commission (FTC) Regulation.
The FCC explained that like the FTC, "we now similarly conclude that consent obtained in compliance with the E-SIGN Act will satisfy the requirements of our revised rule, including permission obtained via an email, website form, text message, telephone keypress, or voice recording."
This means that you can use these methods to collect written consent, and they will be valid as an electronic signature for the purposes of the TCPA:
- Website form
- Text message
- Telephone keypress
However, courts have found that voice recordings are no longer sufficient for "written" consent under the TCPA.
Voice recordings can be used as evidence only if the consent process meets the E-SIGN Act requirements for electronic records and signatures (including required consumer disclosures and a record that can be retained and accurately reproduced).
The FCC has stated that E-SIGN compliant consent can satisfy the written-consent requirement and has referenced methods such as telephone keypress and voice recording in that context.
Practical takeaway: use a checkbox/web form + timestamped audit trail as your primary written-consent method, and treat call recordings as supporting evidence, not your only proof.
What is one-to-one consent?
One-to-one consent was an FCC ruling that said sellers and customers could only agree to consent on a one-to-one basis. This came from a FCC rule that was released in 2024. Before this ruling came into effect it was struck down by the Eleventh Circuit Court of Appeals.
Practical takeaway: even without a formal "one-to-one" rule, consent collected through lead generators and multi-seller bundles remains high-risk unless your brand is clearly and conspicuously identified at the point of opt-in.
If you have multiple different companies or brands that you want to offer SMS marketing for, include checkboxes or forms for each company separately. Don't bundle them together in one sign-up.
How to collect SMS consent under the TCPA?
You can collect SMS consent under the TCPA using web forms, keyword responses, checkboxes, QR codes, or point-of-sale consent. Each of these provide ways for customers to get prior, express, written consent to SMS marketing.
Let's take a look at each of those ways to get consent now.
Web forms
You can use a web form to gain consent, as long as the text on your web form is clear and obvious to your users. It should be clear when your users click the button to submit their data, such as their name, phone number, and email, that their data will be used to send them SMS marketing messages.
It should also be clear that signing up to SMS marketing is not part of the sale of the product.
Here's an example from Jetride:
You can see that the web form has boxes where users can enter their personal information. Then, at the bottom the web form states "By providing your phone number, you authorize JetRide to send informational & marketing text messages to the mobile number provided, sometimes using automated technology."
It's clear from this message that if the user types in their phone number, the user may receive marketing SMS messages.
You can also see that it clearly states that "Consent is not a condition of purchase. Message & data rates apply. Message frequency may vary." This makes sure the user knows they don't have to sign-up, and that there may be charges.
It also includes an opt-out message, and refers users to the Privacy Policy, saying "Text STOP to opt-out at any time or HELP for additional assistance. See our privacy policy and terms & conditions here (jetride.com/privacy-policy/)".
Providing clear information, opt-out wording, and an explicit statement that users do not need to sign up to marketing to make a purchase, are necessary for complying with the TCPA.
Keyword response (Text-to-Join)
Keyword responses, or the text-to-join approach is another good way to sign your users up to SMS marketing with their explicit consent. Text-to-join is also called text-to-subscribe. Your users can text a particular keyword to a phone number if they want to sign up to your SMS marketing. You should provide a clear and conspicuous disclosure at the point of sign-up.
For instance in this example from Walgreens you can see that you can text "JOINRX" to the number 21525.
This signs the phone number up to receive prescription alerts from Walgreens. You can see that in the Walgreens example, no marketing disclosure has been given. For SMS marketing you need to include a disclosure. You can see this in the example from Skims below:
The marketing disclosure in this example is very similar to the Jetride example in the web forms section above.
With text-to-join you can also divide users into different categories, depending on what keyword they text. For instance, they can text "JOINMARKETING" or "JOINNEWSLETTER", or other examples like "JOINVOLUNTEER" or "JOINUPDATES". This way, you can personalise the approach for what they want to receive, based on what keyword they sent.
Text-to-join is particularly good combined with the double opt-in process, which is described further below.
Checkboxes
Checkboxes on web forms or pop-ups on your website are a good way to get users signed up to SMS marketing quickly and easily, with a clear record of their agreement. Checkboxes must be unchecked and not pre-populated.
In this example from an Ed Sheeran fan website you can see the checkboxes ready for a user to tick them if they agree to marketing messages.
In the Ed Sheeran example, the checkboxes are unticked and unpopulated. This means the user has to actively check the box before they click submit, to be subscribed.
If you pre-populate your checkboxes or pre-tick them, this will not be enough for prior, express, written consent. This is because the customer has not made an "express" action of ticking the box, if you have pre-ticked it for them.
QR codes
QR codes are a popular way to help users sign up for SMS marketing through their smartphone. The user can scan the QR code, which opens a website with a web form that the user can fill out. You can also create dedicated SMS QR codes which display a pre-set SMS message to the recipient.
You can see in this example from Southwood Riviera Neighborhood Garage Sale below what a QR code sign-up would look like. For your business however, make sure you include appropriate consent and disclosure language below the QR code.
QR codes can also be combined with point-of-sale sign-ups, where users can scan a QR code in your store or on your website when they are purchasing an item. However, make sure that it's clear that the sale is not contingent on them scanning the code.
Point-of-sale sign ups
Point-of-sale sign-ups for SMS marketing are when you offer your user an opportunity to sign up to your marketing when they make a purchase. You can do this in your physical stores or online.
In physical stores, you can collect SMS consent at checkout through electronic signature pads, paper forms where customers write their phone number and sign, or QR code displays. When collecting consent in-store, make sure your staff explain what customers are signing up for, and that all required disclosures are visible before the customer provides their information.
Online, you can include SMS marketing during the checkout process by adding a checkbox with appropriate consent language. You can also present the opt-in on order confirmation pages, or show a sign-up form after the transaction is complete.
Regardless of whether sign-ups occur in-store or online, make sure disclosures are clearly visible, including message frequency, that message and data rates may apply, and instructions for opting out.
What is a double opt-in?
A "double opt-in" is when you send your customers a message confirming their sign-up, to get a second confirmation of their agreement. You send the message to the phone number that they used to sign up, and you gain an additional written confirmation of "YES". You can use the double opt-in for all of the above approaches.
Here's a few examples of what the double opt-in text message would look like:
- [Your business name]: Thanks for signing up! Reply YES if you want to subscribe to recurring automated marketing from [Your business name]. Msg & data rates may apply. Reply HELP for help or STOP to opt out.
- Thanks for subscribing! To confirm you want to receive marketing updates from [Your Business Name] once a month, reply YES to this message. Reply HELP for help or STOP to opt out.
- Nice to have you with us John! To confirm you want to be a member of the [Your Business Name] mailing list, sent out weekly, reply with YES. Reply HELP for help or STOP if you don't want to receive any further messages.
Double opt-in is not necessary, but it adds an additional layer of legal protection for your business and is highly recommended. This way, you can clearly show that you received express written consent.
CTIA's Messaging Principles and Best Practices recommend a confirmation message for recurring campaigns and outline what the confirmation should include (program name, help/opt-out, frequency, fees).
What consent language is required for the TCPA?
The TCPA requires clear and conspicuous language when you sign customers up for SMS marketing. This consent language should explain to the customer that they are signing up, that signing-up is not required, and provide further details about what they are signing up for (e.g. message content, frequency), and how to opt-out.
This is because the TCPA requires that when you get consent, you need to use specific language including a "clear and conspicuous" disclosure. This comes from 47 CFR § 64.1200(f)(9)(i):
You can see that you need a clear and conspicuous disclosure, that clearly informs the person that:
- They are subscribing to marketing text messages
- They are not required to sign up to marketing as a condition of purchase
| Consent Method | Valid for TCPA? | Why? |
| Pre-checked box | No | Consent must be an active step by the user. |
| "Purchase" button | No | Buying a product is not consent for marketing texts. |
| Unchecked box | Yes | The user actively checks it to agree. |
| Keyword ("JOIN") | Yes | The user initiates the action. |
| Verbal (Phone) | No | Marketing texts require written proof (digital counts). Verbal consent may support informational texts, but marketing robotexts generally require written consent that satisfies FCC rules (digital signature allowed). |
Here's an example from Tonies that shows appropriate disclosure language for TCPA purposes:
You can use a similar template text on your web forms or checkboxes such as:
"I agree to receive recurring automated marketing messages from [Your Business Name] by email or text messages at the email or phone number provided. Messages may be sent via an automated system. Message and data rates may apply; consent is not a condition of any purchase and can be withdrawn at any time. For text messages, Reply STOP to cancel, HELP for help."
There are also industry guidelines that can help you with the wording in your text messages. One example of best practices is the Cellular Telecommunications Industry Association (CTIA) guidelines.
What are the Cellular Telecommunications Industry Association (CTIA) guidelines?
The Cellular Telecommunications Industry Association (CTIA) guidelines are a set of voluntary best practices that can help you carry out SMS marketing legally, and in a way that aligns with consumer interests.
While these guidelines are not legal rules, they can also help you to send more compliant text messages that protect you from TCPA liability. In addition, carriers can suspend your messaging campaigns if you don't comply with CTIA guidelines.
When you are planning to send recurring messages, the CTIA suggests that you include:
- The program name or product description
- Customer care contact information (e.g., a toll-free number, 10-digit telephone number, or HELP command instructions)
- How to opt-out
- A disclosure that the messages are recurring and the frequency of the messaging
- Clear and conspicuous language about any associated fees or charges and how those charges will be billed.
The phrase "clear and conspicuous" is used in the CTIA's guidelines. It is also used in other laws and legal rulings, such as the FTC's Telemarketing Sales Rule (TSR), which can apply to you if you are also using calling for marketing purposes.
Follow the CTIA guidelines to make sure that the disclosure of your sign-up process is clear. In addition, make sure that your disclosures are conspicuous, i.e. not hidden on your web forms or somewhere obscure. Users must be able to easily see and distinguish the sign-up from product information.
In the TCPA "clear and conspicuous" has a specific meaning. Let's take a look at that now.
What does "clear and conspicuous" mean under the TCPA?
Clear and conspicuous under the TCPA means that your consent disclosure needs to be apparent to a reasonable consumer. It needs to be separate from your advertising text and not easily confused with it.
You can see this in TCPA section 47 CFR § 64.1200(f)(8) below, which states that clear and conspicuous "means a notice that would be apparent to the reasonable consumer, separate and distinguishable from the advertising copy or other disclosures":
You can also see in the FCC ruling below that clear and conspicuous disclosure is required when you sign customers up to SMS marketing.
This means it has to be obvious that the customer will receive future SMS marketing if they tick the box. You cannot hide or obscure your intentions, or make it unclear what customers are signing up to. The consent of the customer has to be "unambiguous".
In addition, you can see that the seller bears "the burden of demonstrating that a clear and conspicuous disclosure was provided and that unambiguous consent was obtained."
This means that you need to keep records and be able to show clearly that you provided the appropriate TCPA disclosures.
If you can't prove that you provided these things clearly and conspicuously, customers could succeed in any legal action against you.
How does the National Do-Not-Call Registry relate to the TCPA?
The TCPA includes rules for both the National Do-Not-Call Registry and company do-not-call lists. The National Do-Not-Call Registry (DNC List) is a database that marketers can search through, which includes numbers of people who do not want to be called. Companies have their own internal "Do-Not-Call" lists as well, where customers have told the company not to call them again. These lists also apply to SMS marketing.
Marketers need to compare their calling lists with the DNC List as well as their internal company do-not-call lists and make sure that there is no overlap.
These calling lists initially only applied to telephone calls within the TCPA, and did not apply to SMS marketing. However, the FCC clarified in 2023 that the DNC List's protections applied to SMS messages as well, as you can see below:
This means that if someone is on the DNC List or your internal company DNC list, you cannot market to them with SMS messages.
In any case, the TCPA requires you to get prior express written consent before marketing. If a customer gives you this consent, you can still contact them even if they are on the DNC list. However, if they have revoked consent or opted out of SMS marketing, you then need to stop.
How can customers revoke consent under the TCPA?
Customers can revoke consent under the TCPA by using any reasonable method to clearly express their desire to stop receiving SMS messages.
Your customers can text you with any obvious and reasonable wording, such as "stop", "quit", "opt-out", "cancel", "unsubscribe", or other similar wording.
You can see below the section of the TCPA that describes the process of opting out for customers.
The section states that prior express written consent can be revoked by using "any reasonable method" to "clearly express a desire not to receive further calls or text messages". The section itself provides a list of suitable wording.
You can see in the second half of the section below that once a customer uses such an approach to revoke consent, that consent is considered "definitively revoked". This means that you must stop sending SMS marketing messages to the customer.
The section also states that even if the customer doesn't use the words explicitly in the section, their revocation of consent can still be valid if a "reasonable person" would consider it to be a revocation of consent.
If consent is revoked you need to honor it "within a reasonable time". The section also states that you must not take longer than 10 business days to stop sending messages, after the person said they don't want SMS marketing messages anymore.
You can also see below that if you don't include methods for customers to opting-out by text, you need to provide specific disclosures and alternative methods of revoking consent:
You can use messages to show this on your web forms or checkboxes:
"I agree to receive recurring automated marketing messages from [Your Business Name] at the phone number provided. Two-way texting is not supported due to technical limitations. To opt-out, email unsubscribe@[yourbusiness].com or call [phone number]. Message and data rates may apply; consent is not a condition of any purchase."
Or, if a customer is using a keyword response or a QR code, you can also use messages like:
- "Thanks for signing up! We're glad you want to read the Daily Newsletter! Due to technical limitations, replies are not supported. To opt-out, email us at support@[yourbusiness].com or call 1-800-XXX-XXXX."
- "Special offer from [Your Business Name]! This number cannot receive replies. To stop messages, email optout@[yourbusiness].com or call [phone number] for assistance."
- "Check out our summer sale deals and get 10% off! Two-way texting unavailable. To cancel messages or get help, visit [yourbusiness].com/optout or call our customer service at 1-800-XXX-XXXX."
The important thing is that your message includes a clear statement that replies won't work due to technical limitations, and includes alternative opt-out methods such as email or phone, or a URL that a customer can visit. Make sure you include this disclosure on every message you send, as well as ideally before sign-up.
What consent documentation should you keep for your TCPA audit trail?
For your TCPA audit trail you should keep records of the consent you obtained, how you obtained it, what wording you used, and when or whether any particular customer opted out.
Since you can be liable for TCPA violations for several years after the fact, you should keep this information stored and organised. Keeping records of your consent process protects your business from liability if a customer says they didn't consent to SMS marketing.
Specifically, you should keep records of:
- When and how you got consent, with a clear explanation of how prior, written, explicit consent was gained
- The date and content of calls, texts and faxes
- Information on what "clear and conspicuous" wording you used to let your customers know they were signing up for communications, and how they could opt out of future communications
- Which version of the National Do Not Call Registry, state do-not-call registry (if one exists) and FCC Reassigned Numbers Database was used to figure out who could or couldn't be called
- Information on when and how any consumer opted out or revoked consent
You should store consent records for the TCPA for at least five years. The TCPA doesn't have a set limitation period for when customers can bring a claim for a violation. This means that the more general federal statute of limitations period applies, which is four years.
However, to be on the safe side, 7+ years is recommended as a storage period. This is because it is sometimes unclear when a violation has occurred, and from what date the start of the limitation period will begin. In addition, the fines for the TCPA can be very high, particularly if you're sending a lot of messages.
Keeping detailed records of consent helps to protect you in the case that someone sues you.
Summary
The TCPA requires you to get prior express written consent before you send SMS marketing messages. You can collect this consent through web forms, checkboxes, keyword responses, QR codes, or point-of-sale sign-ups, but consent must be clear, conspicuous, and documented.
Your consent language needs to let customers know that they're subscribing to marketing texts, that consent isn't required for purchase, and how to opt out. Make sure you follow the one-to-one consent rule, and also include a double opt-in where possible.
To stay compliant with the TCPA, keep detailed records of when and how you obtained consent, store these records for at least 5 years, and comply with opt-out requests within 10 business days. Include clear disclosures about message frequency and data rates, never pre-check consent boxes, and follow CTIA guidelines. Violations of the TCPA can cost you up to $1,500 per SMS, so following this approach can help to protect your business from significant liability.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.