The Telephone Consumer Protection Act (TCPA) is a U.S. federal law passed in 1991 that regulates telemarketing calls, auto-dialed calls, prerecorded calls, and text messages. It requires businesses to obtain prior express consent before sending marketing texts and provide easy opt-out mechanisms.

What is the TCPA fine for texting without consent?

TCPA violations carry statutory damages of $500 per text message sent without proper consent, tripled to $1,500 per text if the violation is willful or knowing. Since recipients often file class-action lawsuits, total penalties can reach millions of dollars.

What counts as prior express written consent for SMS marketing?

Prior express written consent requires a clear, conspicuous disclosure that the consumer will receive marketing texts, their signature or affirmative action (checkbox, keyword reply), and that consent cannot be a condition of purchase. You must also disclose the message frequency and that message and data rates may apply.

How do I document TCPA consent?

Document consent by storing the date, time, IP address, method (web form, keyword opt-in, paper signature), and exact disclosure language the contact agreed to. Retain these records for at least four years, which is the TCPA statute of limitations.

Is a STOP message enough to opt out?

Yes. TCPA requires that businesses honor opt-out requests via STOP, UNSUBSCRIBE, END, QUIT, CANCEL, or similar keywords. Opt-outs must be processed immediately and the sender must not text that number again for marketing purposes.

TCPA SMS Compliance Guide 2026: Rules, Penalties, Opt-In Requirements

If you send marketing text messages in the United States, the Telephone Consumer Protection Act (TCPA) is the single most important law you need to understand. Getting it wrong can cost your business hundreds of thousands of dollars in class-action settlements. Getting it right takes about an hour of setup and a handful of simple processes.

This guide covers exactly what TCPA requires, how to document consent properly, what opt-out language to use, and the real-world mistakes that land businesses in litigation.

What the TCPA Actually Regulates

The TCPA, passed in 1991 and repeatedly expanded by FCC rulings, governs how businesses can use automated systems to contact consumers. For SMS, it covers three areas:

Consent. You must have prior express written consent before sending marketing texts to any number in the U.S.
Opt-out. You must honor unsubscribe requests immediately through reply keywords like STOP or UNSUBSCRIBE.
Time-of-day restrictions. Marketing messages may only be sent between 8:00 AM and 9:00 PM in the recipient’s local time zone.

The penalty is no joke. TCPA violations carry statutory damages of $500 per text, tripled to $1,500 per text if the court finds the violation willful. A single class-action lawsuit involving 10,000 recipients can expose your business to $5 million or more in liability.

The Two Levels of Consent

Not all SMS traffic is treated the same under TCPA. The law distinguishes between informational messages (appointment reminders, shipping notifications, account alerts) and marketing messages (promotions, sales, offers). Each has its own consent standard.

Prior Express Consent (for informational texts)

This is the lower bar. It applies to non-marketing messages and simply requires that the consumer voluntarily provided their number to you in connection with the type of message being sent. For example, if a customer gives you their number while placing an order, you can text them shipping updates without needing a separate checkbox.

Prior Express Written Consent (for marketing texts)

This is the higher bar. Any message that promotes a product, service, or offer — even one embedded in an otherwise informational text — requires prior express written consent. The consent must:

Be in writing (a signed paper form, an electronic signature, or an affirmative action like a checked box or a reply keyword all count).
Clearly disclose that the consumer will receive marketing messages at the number provided.
Identify the company or brand that will be sending messages.
State that consent is not a condition of purchase.
Include standard language about message frequency (e.g., “Msg frequency varies”) and that “Msg & data rates may apply.”

What Compliant Opt-In Language Looks Like

Here is a standard web-form opt-in that satisfies TCPA requirements. It is short, specific, and unambiguous:

“By checking this box, I agree to receive recurring automated marketing text messages from ExampleCo at the mobile number provided. Consent is not a condition of purchase. Msg frequency varies. Msg & data rates may apply. Reply HELP for help, STOP to cancel.”

The key elements are the brand name, an affirmative action (the checkbox), the disclosure that consent is not required for purchase, frequency disclosure, cost disclosure, and opt-out instructions. Leave any of these out and your consent record may not hold up in court.

How to Document Consent (So It Holds Up)

Obtaining consent is only half the battle. The other half is proving it later if a recipient files a complaint or lawsuit. Courts have ruled against businesses that had consent but could not produce adequate records.

For every opt-in, store the following data points:

The date and time of consent (in UTC or with time zone).
The IP address of the device used.
The exact disclosure text the contact saw.
The source (e.g., “checkout form on example.com/signup”).
The method (checkbox, keyword reply, signed form).
The phone number provided.

Retain these records for a minimum of four years — the TCPA’s federal statute of limitations. Some state laws (like Florida’s FTSA) have their own retention requirements that may be longer.

Opt-Out: The Mistake That Sinks Most Cases

TCPA requires that recipients can opt out of future messages at any time, through any reasonable means. In practice, this means your platform must recognize and immediately suppress the following keywords:

STOP, UNSUBSCRIBE, END, QUIT, CANCEL, STOPALL, REVOKE, OPTOUT

The word does not need to be capitalized. The message can contain punctuation or additional text. If a reasonable person reading the reply would interpret it as an opt-out, you must honor it.

Once opted out, you cannot text that number for any marketing purpose — ever — unless the recipient re-opts in with a new prior express written consent. This is the single most common failure point we see: a contact texts STOP, the business’s opt-out list does not sync across platforms, and a follow-up campaign sends them another message a week later. That one text can trigger a $500–$1,500 claim.

Time-of-Day Restrictions

You may only send marketing texts between 8:00 AM and 9:00 PM in the recipient’s local time zone, not yours. If you are running a national campaign, your platform should automatically queue messages based on the area code of each recipient.

Some states have stricter windows. Florida’s FTSA prohibits marketing calls and texts before 8 AM or after 8 PM. Oklahoma requires a specific holiday exclusion list. Check local regulations if you send to specific states at scale.

State Laws Layered on Top of TCPA

Federal TCPA is not the only law you need to worry about. Several states have passed their own text messaging regulations that layer additional requirements on top of federal rules:

Florida Telephone Solicitation Act (FTSA). Requires express written consent similar to TCPA, with penalties of $500–$1,500 per violation. Has been a major class-action target since 2021.
Washington Consumer Protection Act. Prohibits commercial messages to Washington numbers unless the sender has a pre-existing business relationship or express consent.
Oklahoma Telephone Solicitation Act. Similar structure to Florida’s FTSA.
California BPC 17538.41. Requires specific opt-out language and record retention.

If your contact list includes numbers from these states, your consent process should meet the strictest applicable standard. In practice, this usually means using the same compliant opt-in language everywhere and honoring all state-specific time restrictions automatically.

How ReadySMS Builds TCPA Compliance Into Your Workflow

Compliance is not a one-time checkbox — it is a system. ReadySMS builds TCPA requirements directly into the sending platform so you cannot accidentally violate the law:

Every contact has a consent record attached: source, timestamp, IP, and disclosure language.
Opt-out keywords are auto-detected and suppress the number across every campaign in real time.
Time-zone-aware sending ensures marketing messages are only delivered during legal hours.
STOP/HELP responses are automatically included in 10DLC campaign registration, as carriers require.
Audit logs are retained for four years so you can produce consent records on demand.

Combined with our 10DLC registration and pay-per-use pricing, you get a platform that scales without creating legal liability.

The Bottom Line

TCPA compliance has three moving parts: proper opt-in, documented consent, and immediate opt-out. Build these correctly once, then let your platform enforce them on every outbound message. The businesses that get sued are almost always the ones that cut corners on documentation or failed to sync opt-outs across tools. Neither mistake is necessary, and neither is worth the seven-figure exposure.

TCPA SMS Compliance Guide: Rules, Penalties, and How to Stay Legal in 2026

What the TCPA Actually Regulates

The Two Levels of Consent

Prior Express Consent (for informational texts)

Prior Express Written Consent (for marketing texts)

What Compliant Opt-In Language Looks Like

How to Document Consent (So It Holds Up)

Opt-Out: The Mistake That Sinks Most Cases

Time-of-Day Restrictions

State Laws Layered on Top of TCPA

How ReadySMS Builds TCPA Compliance Into Your Workflow

The Bottom Line

TCPA-Compliant SMS, Built In