Every agency has a clean offboarding checklist for the stuff that's visible: hand back the ad accounts, transfer the domain, export the CRM, kill the recurring invoice. Almost nobody has a line in that checklist for the SMS subscriber list — and that's the one with actual legal teeth attached to it.

Full disclosure: I work for ReadySMS, so I think about consent records and 10DLC ownership more than a normal person should. But this isn't a pitch. The mess I'm describing happens on every platform, and I've watched agencies discover the problem at the worst possible moment — the week a client churns and asks for "all our data."

The short version: the phone numbers are portable. The consent is the hard part. And the 10DLC registration sitting underneath the whole thing determines who can legally keep texting those people. If your contract doesn't say who owns what, you're improvising during the most adversarial 30 days of the relationship.

The three things people lump together as "the list"

When a client says "we want our SMS list," they usually mean three separate assets that have wildly different portability:

  1. The phone numbers themselves. Easy. These are just contact records. Export the CSV, hand it over.
  2. The consent record — the proof that each number opted in, when, through what language, and to receive what kind of message. This is the asset that's worth something legally, and it's the one that's easiest to lose.
  3. The 10DLC brand and campaign registration — the carrier-level identity that the messages were actually sent under. This usually can't move at all, and most people don't even know it exists until they try.

A number with no consent record is a liability, not an asset. You can hand a client a list of 12,000 phone numbers, but if neither of you can produce when and how those people opted in, the first person who files a TCPA complaint turns that spreadsheet into a $500–$1,500-per-text problem. (More on the consent/litigator distinction in A Number Can Pass DNC and Still Sue You.)

What's actually portable — and what isn't

AssetPortable?Why
Phone numbers / contact recordsYesThey're just data. Export and transfer.
Consent timestamps + opt-in languageYes, if you captured itPortable only as well as it was recorded. No record = nothing to hand over.
Opt-out / STOP suppression listYes — and you're obligated toWhoever sends next must honor existing opt-outs. This has to travel.
10DLC brand registrationRarelyTied to the registering entity's EIN and the platform it was registered through.
10DLC campaign registrationNoCampaign use-case, sample messages, and throughput are platform- and brand-specific.
The sending phone numberSometimesNumber porting is possible but slow, and the new sender re-registers it under their own campaign anyway.

The two rows that surprise people: 10DLC brand and campaign. If you registered the brand under your agency's EIN — common, because it was faster than chasing the client for tax docs — then you own that registration, and the client can't take it with them. If you registered it under the client's EIN, they keep the brand but the campaign was still scoped to the way you were sending. Either way, the new sender re-registers. The numbers move; the carrier identity doesn't.

The consent record is only as good as how you captured it

Here's where agencies get burned. You can have 12,000 opted-in contacts and zero defensible consent records, because the opt-in lived in a form builder you no longer have access to, or in a workflow that recorded a checkbox but never logged the language the person agreed to.

Consent isn't a binary flag. It's: this number, on this date, agreed to this specific language describing this specific type of message. A person who opted in for appointment reminders did not necessarily opt in for promotions — that distinction is exactly the trap I wrote about in A Recall Text and a Promo Text Need Different Consent. If your records don't preserve the scope of consent, transferring them is half-useless. The new sender inherits numbers but not the right to send everything.

On ReadySMS, opt-in attestation is recorded for bulk and API sends, so there's an actual audit trail attached to the send — not just a CRM checkbox. That trail is what's worth handing over. Whatever platform you're on, the test is simple: can you produce, per number, the date and the exact opt-in language? If not, fix that before you have a client trying to leave.

The offboarding clause your contract is missing

Most agency MSAs cover data return in vague terms — "Agency will provide Client with reasonable access to Client data upon termination." That sentence does nothing for SMS, because it doesn't address consent scope, the suppression list, or 10DLC ownership. Spell it out:

  • Consent records transfer with the contacts. Define what "consent record" means: number, timestamp, opt-in source, and the verbatim opt-in language. State the format (CSV/export) and the deadline (e.g., 15 days post-termination).
  • The opt-out / suppression list transfers and must be honored. This isn't optional — whoever sends next is legally bound by prior STOPs. Make it explicit so nobody "loses" the suppression list in the handoff.
  • 10DLC ownership is named up front. Whose EIN is the brand under? If it's yours, say what happens at termination — typically the client re-registers under their own brand with their new provider, and you provide the contact and consent export to make that clean.
  • No "scorched earth" deletion before transfer. Both sides agree not to wipe consent data until the export is delivered and acknowledged.

Decide all of this when everyone's friendly. Negotiating it during a churn is how agencies end up either holding data hostage (bad look, possibly a contract breach) or handing over a liability with no consent trail (bad for everyone).

Why per-client isolation makes offboarding survivable

The practical nightmare is commingled data — one big sending identity where Client A's contacts, Client B's contacts, and your own house list all live under the same brand and campaign. When Client A leaves, you can't cleanly extract their consent records because nothing was scoped per-client to begin with.

This is the architectural reason I push agencies toward proper per-location separation. ReadySMS's GHL integration maps two-way messaging per location / sub-account, so each client's inbound, outbound, and consent records stay isolated. When a client leaves, you're exporting their slice — not untangling a shared blob and hoping you didn't grab someone else's opt-outs. If you're setting that up, the GHL SMS setup guide and the 2026 10DLC registration guide walk through the structure.

Isolation also keeps the margin conversation clean, which matters at offboarding too — if you've been rebilling SMS, the client may audit the line item on the way out. Transparent per-segment pricing means there's nothing weird to explain. (The margin mechanics are in The Markup Ceiling.)

A practical offboarding sequence

When the termination notice lands:

  1. Freeze, don't delete. Stop sending under that client's campaign. Preserve all consent and opt-out data.
  2. Export the full consent record — numbers, timestamps, opt-in language, source — and the suppression list, separately and clearly labeled.
  3. Clarify 10DLC ownership in writing. If the brand is under your EIN, tell the client they'll re-register with their new provider, and provide the exports they need.
  4. Deliver and get acknowledgment. Don't assume receipt. Get a "received, confirmed" so there's a record the handoff happened.
  5. Then decommission the campaign on your side.

It's a 30-minute process if your data was structured well, and a multi-week archaeology dig if it wasn't.

The takeaway

The numbers were never the asset. The consent — scoped, timestamped, with the opt-out list intact — is the thing that's legally meaningful and the thing most contracts forget to address. Decide who owns it before the relationship ends, capture it in a form that's actually exportable, and keep each client's data isolated so the handoff is a query, not an excavation.

If you want to see how per-location isolation and recorded opt-in attestation work in practice, the integrations page and pricing are the honest starting points — no contract, 20 free test sends to try it out, and a $25 credit when you register — so you can test the structure before you migrate anything real.