Must-Know SMS Marketing Regulations in the U.S.

Nobody wants to be bothered by a spammy text — or do business with a brand that sends them. So while SMS marketing can be a powerful component of your growth strategy, as a responsible marketer, you need to make sure you’re set up for ongoing SMS compliance. 

Federal and state-level regulations are in place to protect individuals from receiving unwanted SMS messages. Stay in compliance while running successful campaigns by getting familiar with these must-know regulations for SMS marketing in the US, including TCPA, CTIA, ADA, and global protections.

Why Following SMS Marketing Regulations is a No-Brainer

Regulations are in place to protect people from unwanted texts and to keep the consumer in control of whether, how, and how much they receive SMS messages. These laws may make marketers’ work more complicated, but they also keep the SMS landscape safer and less intrusive — and deliver a better user experience for your customers. (Since most of us get notifications and alerts when we receive texts, unwelcome SMS messages tend to be way more disruptive and more difficult to ignore than a promotional email.)

SMS marketing is regulated like other automated channels, and usually falls under the same laws that govern telephone calls — but requirements vary depending on location, including global laws, national legislation, and state-specific regulations. 

It’s entirely within your best interest to follow SMS regulations. Abide by them to avoid consequences like:

• Annoying your audience
• Damaging your brand reputation
• Getting blacklisted by telecom providers
• Racking up fines 

When you understand the legal requirements and proper protocol, including how to obtain consent, you’ll be much less likely to unknowingly send unsolicited SMS messages. The last thing you want to do is spam your audience. 

You can use this short summary of the most important SMS marketing regulations to get started on your thought process for compliance, but be sure to consult with your legal team.

The Cornerstone of SMS Marketing Compliance: Getting Consent

While regulations vary across states and nations, consent is a near-universal component of compliance. So before we dig into the regional details, let’s get on the same page about what exactly constitutes SMS consent.

Consent is all about eliminating subscriber confusion. Anyone who receives promotional or marketing SMS messages should be aware of exactly when, how, and why they signed up to hear from a brand or organization. If subscribers are confused, they’ll opt out — which usually translates to lost revenue.

Smart SMS marketers need to take significant steps to educate the subscriber on precisely what they are getting themselves into when they consent to messaging. 

SMS consent must be explicit and detailed. Subscribers must grant consent to be opted-in to receive SMS messages from a business. As the marketer, you and your team must keep records of how the consent was gained, with message history and time stamps, and store this data securely.

When someone opts in to receive your texts, they must have access to legal documentation including privacy policies. Terms of service should be updated to include:

• How the subscriber’s mobile number will be stored and used
• Details on the types of messaging that the subscriber will receive
• Frequency of messaging and originating senders
• How to opt-out of messaging and how to get help

Remember, the consumer can revoke consent at any time, and it’s a best practice to include an opt-out opportunity with every message.

SMS Marketing Regulations in the United States

In the US, two primary acts control what you can and can’t do with SMS marketing.

1. The Telephone Consumer Protection Act (TCPA)
2. The Can-Spam Act

Each of these laws was created to protect the consumer from unwanted solicitation. The TCPA hones in on the consent needed to advertise to consumers via their telephone, including SMS. The Can-Spam Act helps protect consumers from receiving unwanted advertisements. Follow both to lay a solid foundation for respectful, compliant SMS marketing. 

The Telephone Consumer Protection Act (TCPA)

The Telephone Consumer Protection Act (TCPA) is a United States federal law that regulates telemarketing spam. It requires businesses to get expressed written consent from consumers using mobile devices before sending them marketing text messages. 

In order to stay compliant with TCPA, you have to clearly communicate to your potential SMS subscribers that they’re signing up to receive recurring automated text messages by joining your text program. You can’t hide this consent language at the bottom of your sign-up, on a landing page, or on a page that users have to click through to see. It needs to be clearly visible and close to the call to action.

The TCPA also includes other specific rules, such as not sending messages outside of “quiet hours” (9 pm- 8 am) in the recipient’s time zone, and regularly providing instructions for opting out of messages.

How to Get TCPA-Compliant Consent 

As consumers opt into SMS marketing campaigns, there must be clear, conspicuous disclosure of the messages they will receive. They must also agree to receive these messages on their mobile device in order to begin. 

Here are some TCPA-compliant ways to collect SMS marketing opt-ins: 

• Text a specific keyword: Consumers must text a keyword from their mobile device to join the database.
• Paper form: Consumers give consent on a paper form that clearly states they agree to receive text messages through their phone number from your business.
• Online form: An online form must explicitly state that the consumer subscribes to receive text messages through their phone number from your business.
• Website popups: Consumers can subscribe through a pop-up form on your website that shares the details of your SMS program and provides an opt-in option.

Just like with email marketing opt-in best practices, you’ll provide the best experience and bolster compliance by enabling SMS double opt-in and sending a welcome message to confirm a new subscriber’s enrollment. 

For example, if an ice cream company enrolled a new subscriber, they could automatically send a message stating, “Welcome to Emily’s Ice Cream newsfeed. Reply with a D for delicious to receive weekly notifications about new flavors and other tasty updates.”

Remember, setting clear expectations upfront will help avoid opt-outs later. It’s important to be transparent with your subscribers. Consider sending messages that cover: 

• A brief description of the type of content to which they’ve subscribed.
• The average number of messages they should expect to receive in a specific period.
• A link to your privacy policy in full detail.
• Instructions on how to opt out from receiving messages (STOP instructions) and how they can get help information (HELP instructions) with a simple link. 

TCPA Exceptions

You should always be careful about the subject matter and how you send your text messages, because marketing messages sent via SMS are regulated differently than other types of messages. That said, there are certain exceptions to the TCPA. 

Examples of TCPA text message exemptions include:

1. Prior relationships: If you are sending SMS messages to an existing customer, you’ve already established a relationship. This is defined by a consumer requesting information about your business within the past three months or if they’ve used your services within the past 18 months.
2. Specific types of businesses: You are exempt from requirements if business information is sent on behalf of someone covered under a specific healthcare plan, or your business is a non-profit that doesn’t sell goods or services.
3. Emergency purposes: If you’re using an automated text message for emergency purposes, it’s exempt from TCPA. 

State-Specific “Mini-TCPAs” 

After an April 2021 Supreme Court ruling significantly narrowed the definition of “auto-dialing” software, several states began to enact their own “mini-TCPAs”, or state-specific regulations around telemarketing and SMS marketing. 

These mini-TCPAs may sound adorable, but they’re serious business. Over a dozen states, including Arizona, California, Colorado, Florida, New Jersey, New York, Utah, Washington, and Wisconsin, now have state-specific legislation. These can include additional regulations like:

• More restrictive “quiet hours” windows
• Stricter requirements for disclosing your business name in every message
• Broader definitions of automatic telephone dialing systems (ATDS), impacting which messages are subject to regulation
• Additional fines and criminal penalties

To ensure you stay in compliance across every state where your customers live and receive your text messages, you’ll need to monitor these state-specific laws and adjust your SMS practices accordingly.

CAN-SPAM Act

The CAN-SPAM Act was first passed into law in 2003, and established the US’s first standards around commercial email. It reflects the rules in the TCPA and is the primary text spam law in the US — because even though it was designed before SMS existed, the Federal Communications Commission (FCC) extended the CAN-SPAM regulations to text messages.

Under the CAN-SPAM Act, the FCC regulates commercial text messages sent to mobile devices, making sending unwanted text messages (also known as robotexts) to cell phone numbers illegal. Similar to email (and similar to the standards set in the TCPA), under the CAN-SPAM Act, companies must provide clear information that easily allows consumers to unsubscribe to commercial text messages. And messages must be easily identifiable by the reader as an advertisement.

One caveat to note here: the CAN-SPAM Act applies to commercial messages (advertisements), not to transactional messages. Here’s what those terms mean:

• Commercial content advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose.
• Transactional content facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction such as an order confirmation, warranty or safety production information, account balances, employee benefits, or shipping information.

If the message you’re sending is purely commercial, it must comply with the requirements of CAN-SPAM.

Protecting Children With COPPA

Finally, while it’s not specific to SMS messaging, a third piece of US legislation is important for marketers to follow: the Children’s Online Privacy Protection Act (COPPA). This federal law helps parents stay in control over when, what, and how information is collected from their children online. 

COPPA requires website owners to include a clearly written privacy notice on their homepage and anywhere else on their site where user data is collected. Your privacy policy must outline who is collecting and maintaining the information supplied to the website, provide their contact information, explain how the information will be used, and state if it will be made available to third parties. In addition, COPPA requires you to get “verifiable parental consent” before collecting or using personal information from children. Even if parental consent has been granted once, you must seek consent again when you change any part of your privacy policies.

Exceptions to COPPA’s parental consent requirements are allowed when collecting personal contact information to seek consent, protect a child’s safety, or respond to a child’s one-time request (provided that the personal information is deleted immediately afterward).

According to the FTC, “Most companies that run websites directed to children under 13 are aware of their responsibilities under the COPPA Rule. But if you run a site directed to a general audience or operate an ad network, plug-in, or other third-party service used by kid-directed sites, you may have COPPA compliance obligations, too.”You’ll also want to be aware of best practices when using SMS marketing to communicate with parents about things such as kids’ products, as COPPA also applies.

SMS Marketing Regulations in Canada

Canada passed its anti-spam law, Canada Anti-Spam Legislation, known as the CASL, in 2014. The CASL is similar to the TCPA — under it, businesses that use electronic messages to communicate with consumers must obtain consent, provide identification information, and provide a way to unsubscribe.

Within the CASL, consent falls under two categories; implied and expressed. Implied refers to a consumer providing or disclosing their information to a business, implying consent. Expressed refers to a consumer explicitly agreeing to receive electronic communications from a business, including SMS marketing.

General SMS Best Practices To Remain Compliant

If you want to dive deeper into best practices for SMS marketing regulatory compliance in the US, the Cellular Telecommunications Industry Association (CTIA) has done a lot of heavy lifting. The CTIA developed guidelines with key industry stakeholders to align with TCPA rules. While their website will be careful to tell you the guidelines are not legally binding, the CTIA’s Messaging Principles and Best Practices provide a great foundation for staying compliant with your SMS marketing.

Like the TCPA, the CTIA’s guidelines call for explicit opt-in consent, and caution that privacy details can’t be hidden or buried on the site. Other recommendations include:

• All messages should convey a clear call to action.
• Users must understand precisely what they’re signing up to receive.
• Clearly labeled Terms & Conditions and Privacy Policy links must be displayed in the opt-in message.
• Once a subscriber joins your SMS program, you must send them a message that includes the description of the recurring program, the message frequency, a disclaimer that message and data rates may apply for each message, and information about getting help or opting out.
• Subscribers must be able to opt-out at any time by responding with language like: “stop,” “end,” “cancel,” “unsubscribe,” or “quit.”
• Subscribers should be able to get help by responding with the message “help,” which should automatically respond with the program name and information on getting help.
• All outgoing text messages must clearly include your business’s name.
• Content such as (but not limited to) hate speech, certain firearms, and violence cannot be promoted via SMS messaging.
• Programs must display opt-out instructions at regular intervals in SMS messages.
• Opt-out information must be clearly displayed in the message or within the Terms & Conditions.

SMS Marketing Regulations in EMEA, APAC, and CSA Regions

Unless you’ve been living under a marketing-free rock for the last ten years, you know it’s important to be aware of global privacy policies. (Thanks, GDPR.)

For most intents and purposes, the US rules on SMS messaging apply throughout most developed nations. But some regions have specific compliance requirements you’ll want to follow if you do business with their residents.

Regulations for SMS Marketing in EMEA

Several nations within Europe, the Middle East, and Africa adhere to additional e-communication rules beyond the scope of US regulation. The following examples will give you food for thought, but consult with your legal team for specific requirements in each country where you plan to implement SMS marketing.

The European Union’s General Data Protection Regulation (GDPR)

The GDPR requirements govern each member state of the European Union to create more consistent consumer and personal data protection across EU nations. Some of the critical requirements of the GDPR include:

• Requiring consent of subjects for data collection
• Making any data collected anonymous to protect privacy
• Providing data breach notifications
• Safely handling the transfer of data across borders
• Requiring companies to appoint a data protection officer to oversee GDPR compliance when applicable

The GDPR mandates a benchmark set of standards for companies that handle EU citizens’ data to safeguard citizens’ personal data processing and collection — including SMS messages. 

You already know this, but make sure to stay in compliance with GDPR. 

The UK’s Privacy and Electronic Communications Regulations (PECR) and Data Protection Act (DPA)

The UK has regulations that support and work with the GDPR, the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA). 

The PECR applies to electronic marketing methods including SMS messages, website tracking (such as cookies), security measures, and privacy rights.

The DPA is the UK’s implementation of the GDPR and regulates how businesses can store and use consumers’ personal data. Under this act, personal information must be used “fairly, lawfully and transparently.” Businesses can only use data when appropriate and can’t store the data any longer than deemed necessary.

Australia’s Spam Act & Anti-Spam Regulations

The Australian Communications and Media Authority (ACMA) oversees the regulation of broadcasting, internet, radio communications, and telecommunications — including anti-spam regulations for SMS marketing.

ACMA outlines two types of consent, express (like filling in a form or checking an opt-in box on a website) and inferred (when a recipient has knowingly given you their contact information and has an ongoing relationship with your business). Their online guidelines acknowledge inferred consent, but specify that “inferred consent is not as reliable as getting someone’s express consent”.

In addition to consent, ACMA requires you to:

• Identify yourself as the sender 
• Make it easy to unsubscribe
• Provide contact details

Regulations for SMS Marketing in APAC

In China and the Asian Pacific, country-specific laws govern SMS marketing, such as China’s Administrative Provisions on Short Message Services, Singapore’s Spam Control Act, and legislation from South Korea’s Communications Commission.

Monitor and confirm your compliance with regulations across each country. For example, Chinese telecommunications networks have strict restrictions around including URLs in messages or marketing for financial products. In Singapore, advertisements must be clearly identified with the letters “ADV” at the beginning of the message. And many APAC countries prohibit religious, political, or gambling-related content in promotional messages.

That said, continue to follow best SMS practices such as: 

• Get opt-in consent before sending marketing communications
• Observe local quiet hours
• Provide clear opt-out methods
• Identify your business as the sender of any message

Regulations for SMS Marketing in CSA (Central and South America) 

The regions of Central and South America (CSA) are generally still considered the wild west of SMS with little to no laws or enforcement of standard North American rules and best practices. However, in most CSA countries, the sending of religious or political content is prohibited — and some, like Brazil, do have specific regulations around sending messages outside of local daylight hours.

Be a smart marketer: when sending SMS messages in a region with few compliance regulations, like Latin America, follow the general best practices to ensure you are protected and providing a positive experience to consumers.

Complying with Regulations for SMS Marketing is Easy with Act-On

To recap, here are the general best practices to follow SMS guidelines:

• Gain written consent
• Keep thorough records of consent
• Observe quiet hours
• Clearly communicate opt-out and help options
• Post privacy policies in clear view for the consumer

SMS marketing regulations are designed to protect consumers across the globe and keep them in control of what they are subscribing to and confident that businesses are using their personal information respectfully and responsibly. So, as a respectful and responsible marketer, we know you want to stay on top of SMS compliance.

That’s where Act-On’s SMS marketing tool comes in. It’s easy to add proper opt-in to your forms and maintain recommended SMS best practices. With the right software, and an ongoing commitment to keep up with local guidelines, you’ll be successful in your SMS compliance. 

Remember, this article is not intended to provide legal advice. Much of the laws surrounding SMS marketing are muddled because of contradictory decisions made on the Federal Courts level. As the laws continue to be defined be sure to consult with your legal team or consult with a lawyer before launching your SMS marketing strategy.

For more information on designing and implementing SMS in your overall marketing efforts, check out Act-On’s SMS automation platform. We believe in being compliant with all regulations, understanding your business purpose, and aim to be a strategic partner in creating an effective and safe way to use SMS marketing automation.