Navigating US SMS Compliance. 10 min read

US SMS marketing operates under a layered regulatory framework. At the federal level, the Telephone Consumer Protection Act (TCPA) governs how businesses can send text messages. The CTIA (Cellular Telecommunications Industry Association) provides voluntary but widely enforced best practice guidelines. Individual carriers (AT&T, Verizon, T-Mobile) have their own content and sending policies. And state laws add additional requirements in some jurisdictions.

Non-compliance is expensive. TCPA violations carry statutory damages of $500 per unsolicited message, trebled to $1,500 for willful violations. A single campaign to 10,000 non-consented recipients could result in $5 million to $15 million in liability. Class action TCPA lawsuits regularly result in settlements exceeding $10 million. This isn't theoretical — TCPA litigation is one of the most active areas of consumer protection law in the US.

The TCPA requires prior express written consent before sending marketing text messages. This means:

The consumer must actively agree (opt in) to receive marketing texts. Pre-checked boxes, implied consent, and bundled consent (mixing SMS consent with terms of service) are not sufficient.

The consent must be in writing — electronic consent qualifies. The consumer's phone number submission through a web form, text-to-join keyword, or app interface counts as written consent if proper disclosures are present.

The consent language must clearly disclose: the identity of the business, that the consumer is agreeing to receive marketing messages via text, the approximate frequency of messages, that message and data rates may apply, and that consent is not required as a condition of purchase.

Informational and transactional messages (order confirmations, shipping updates, appointment reminders) require prior express consent — not necessarily written consent. The distinction matters: a customer who provides their phone number during a purchase has likely consented to transactional messages but NOT marketing messages unless separately opted in.

Maintain auditable consent records for every subscriber: timestamp, source (web form, keyword, API), exact consent language presented, and IP address or device identifier. These records are your primary defense in any compliance dispute.

CTIA guidelines and carrier policies add content-level requirements beyond TCPA:

Every marketing message must include your business name or brand identifier, opt-out instructions (REPLY STOP to unsubscribe), and a way to get help (REPLY HELP for assistance). STOP must always work — process opt-outs within 5 minutes.

Prohibited content varies by carrier but generally includes: SHAFT content (sex, hate, alcohol, firearms, tobacco) on shared short codes, illegal products or services, deceptive or misleading messages, and phishing or social engineering attempts.

Quiet hours: while not a TCPA requirement, CTIA guidelines and most carrier policies prohibit sending marketing messages before 8 AM or after 9 PM in the recipient's local timezone. Violating quiet hours increases complaint rates and carrier filtering.

Sending frequency: stick to the frequency you disclosed at opt-in. If you promised '2-4 messages per month,' sending 15 messages violates the consent scope even if the original opt-in was valid. Any material change in frequency requires re-consent.

10DLC (10-Digit Long Code) registration is required for A2P (Application-to-Person) messaging on long codes. Register your brand and campaigns with The Campaign Registry (TCR). Unregistered traffic is subject to heavy filtering and may be blocked entirely by carriers.

US carriers actively filter SMS traffic using content analysis, sender reputation, and volume patterns. Understanding how filtering works helps you maintain high deliverability while staying compliant.

Content filtering flags messages containing spam indicators: shortened URLs from public shorteners (use branded short domains instead), excessive capitalization, multiple dollar signs or percentage symbols, and language patterns common in spam. Carrier filters are trained on real spam data and update continuously.

Sender reputation is built at the phone number level. New numbers need to warm up gradually — start with low volume to verified opt-ins and increase over 2 to 4 weeks. Sudden volume spikes from new numbers trigger filtering.

Throughput limits vary by number type. Short codes support 100+ messages per second. Toll-free numbers support 10 to 25 MPS (messages per second) after verification. 10DLC throughput depends on your TCR trust score — higher trust scores (based on brand verification, use case, and sending history) enable higher throughput.

Monitor your filtering rate closely. If more than 3 to 5% of your messages are being filtered (delivered to the carrier but not to the handset), investigate content, sending patterns, and number reputation. Persistent high filtering rates suggest a compliance or content quality issue that needs resolution before it escalates to number suspension.