Every small business running a text-message program today is operating inside three overlapping rule sets: TCPA (the federal statute Congress passed in 1991, still primary), CTIA (the wireless-carrier industry association's guidelines, enforced at the carrier level), and A2P 10DLC (the newer Application-to-Person 10-Digit Long Code registration system carriers now require for business messaging in the US).
Get any one wrong and something breaks. TCPA violation: $500 minimum per message, trebled for willful violations, and pursued by the plaintiff bar as class actions at scale. CTIA violation: carrier warnings and eventual traffic filtering. A2P 10DLC violation: your messages get blocked at the carrier level before they reach subscribers.
The SMS Compliance Audit scores the 11 signals that matter across all three layers.
The 11 signals
1. Explicit SMS opt-in checkbox plus phone field. TCPA requires "prior express written consent" for marketing texts. A phone field that is not paired with an opt-in checkbox, unchecked by default and accompanied by consent language, is a TCPA fail. Pre-checked boxes don't count.
2. "Msg & data rates may apply" disclosure. CTIA requires this exact phrase near the opt-in. Without it carriers can block your traffic under A2P 10DLC campaign-content review.
3. Message frequency disclosure. "Up to 4 msgs per month" or "Message frequency varies." Required for A2P 10DLC campaign registration.
4. STOP / HELP keyword language. "Reply STOP to unsubscribe, HELP for help." Required by CTIA, required on every campaign.
5. Privacy policy SMS clause. The Campaign Registry (TCR) requires your privacy policy to explicitly address SMS / mobile number handling AND contain the phrase "mobile information will not be shared with third parties or affiliates for marketing/promotional purposes" (or materially equivalent language). Privacy policies without this clause get campaign registrations rejected.
6. Terms of service SMS clause. Less strict than the privacy requirement but recommended. Publish /sms-terms/ covering program name, opt-in method, frequency, STOP/HELP, carriers.
7. Age gate for SHAFT content. SHAFT = Sex, Hate, Alcohol, Firearms, Tobacco (plus sweepstakes / gambling as related). Carriers restrict or outright block SHAFT traffic. If you sell any of these products, get written carrier approval and implement strict age verification on opt-in. Some SHAFT subcategories are effectively blocked on A2P 10DLC regardless of approval.
8. Double opt-in. Not strictly required for express written consent, but strongly recommended. Confirms the opt-in wasn't a mistyped number. Reduces TCPA exposure significantly.
9. SMS platform signal. Twilio, Klaviyo SMS, Attentive, Postscript, SimpleTexting, EZ Texting, Textedly, HeyMarket, and Textline all handle A2P 10DLC filings for you via their TCR integration. If the audit detects none, either the platform is loading after DOM-ready or no platform is configured.
10. Web unsubscribe page. Optional — STOP keyword is the required path. A web-based unsubscribe is defense-in-depth.
11. Footer link to messaging terms. Visitors who opted in three months ago should still be able to find the rules.
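A sketch of how signals 1 through 4 can be checked against opt-in markup. This is an added example, not the audit tool's own code; the function names, the sample forms, and the assumption that every checkbox in the snippet is the consent checkbox are all illustrative.

```python
import re
from html.parser import HTMLParser

# Signals 2-4: phrases as quoted in the list above, matched case-insensitively.
PHRASES = {
    "rates_disclosure": r"msg & data rates may apply",
    "frequency_disclosure": r"up to \d+ msgs? per month|message frequency varies",
    "stop_keyword": r"\breply stop\b",
    "help_keyword": r"\bhelp for help\b",
}

class OptInScan(HTMLParser):
    """Collects phone inputs, checkbox default states and visible text."""
    def __init__(self):
        super().__init__()
        self.has_phone, self.prechecked, self.text = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if kind == "tel" or "phone" in (a.get("name") or "").lower():
            self.has_phone = True
        elif kind == "checkbox":
            self.prechecked.append("checked" in a)  # bare attribute counts

    def handle_data(self, data):
        self.text.append(data)

def failed_signals(html):
    """Return the names of signals 1-4 that the opt-in markup fails."""
    scan = OptInScan()
    scan.feed(html)
    scan.close()
    text = " ".join(" ".join(scan.text).split()).lower()
    # Signal 1: phone field plus a consent checkbox that is not pre-checked.
    # Assumption: every checkbox in the snippet is a consent checkbox.
    checks = {"phone_field": scan.has_phone,
              "unchecked_opt_in": bool(scan.prechecked) and not any(scan.prechecked)}
    for name, pattern in PHRASES.items():
        checks[name] = re.search(pattern, text) is not None
    return sorted(name for name, ok in checks.items() if not ok)

# Constructed sample markup, not taken from any real site.
GOOD_FORM = ('<form><input type="tel" name="phone"><input type="checkbox" name="sms">'
             ' I agree to receive marketing texts. Up to 4 msgs per month. Msg &amp; data'
             ' rates may apply. Reply STOP to unsubscribe, HELP for help.</form>')
BAD_FORM = ('<form><input type="tel" name="phone"><input type="checkbox" name="sms" checked>'
            ' Text me deals! Message and data rates apply. Text STOP to quit.</form>')
```

A pass here means the expected wording and checkbox state are present in the served HTML; it does not confirm the consent language itself is sufficient, and markup injected after page load needs a rendered-DOM scan instead.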
A2P 10DLC in practical terms
A2P 10DLC is not something you can skip by using a short code or a toll-free number. Carriers now require all US business SMS to be sent from a registered 10DLC campaign (unless you're using a CTIA-approved short code, which has its own separate registration process through the CTIA Short Code Monitoring Handbook). Toll-free SMS requires toll-free verification, which is a related but separate process.
The registration flow on the TCR (The Campaign Registry) is:
- Brand registration. Your business entity, EIN, industry, authorized representative.
- Campaign registration. Per use case — marketing, account notification, customer care, higher education, charity, public service announcement, etc. Each gets its own throughput rate (messages per second).
- Sample messages. Two to five sample texts that match your campaign use case.
- Opt-in URL and description. The public URL where the opt-in happens, plus a written description of how the opt-in works.
- Privacy policy URL and terms URL. TCR reviews these for compliance with the language requirements above.
Your SMS vendor handles the filing, but you provide the materials. Getting the privacy-policy language wrong is the #1 reason for rejected registrations.
The TCPA-exposure reality
Here's the math on the downside. A single violation is $500 minimum, $1,500 if willful. Class actions typically certify at class sizes of 10,000+ subscribers. A single non-compliant send to a 50,000-contact list can carry $25M to $75M in theoretical statutory exposure before settlement discount. Settlements commonly land in the $2M-$10M range.
This is why the plaintiff bar targets SMS aggressively. Discovery on an SMS class action can be run entirely from the defendant's own send logs — no witness interviews, no document review. The economics favor the plaintiff's side.
You're not going to eliminate this risk by running compliance perfectly. You mitigate it. Explicit express written consent, double opt-in, a clean privacy policy SMS clause, a verified STOP keyword implementation, and quarterly audits of the opt-in page together remove most of the surface area.
Platform-level compliance features vs your responsibility
Every major SMS platform has compliance features: Klaviyo's TCPA Consent field, Attentive's Compliance Center, Postscript's compliance-first opt-in flows, Twilio's A2P 10DLC self-serve registration. These do real work.
But platforms can only enforce what you give them. If you upload a contact list that includes numbers gathered without express written consent, the platform will happily send to that list and you'll carry the TCPA risk alone. Contract language on your side may indemnify the platform entirely.
Rule of thumb: the platform prevents carrier-level violations (unregistered campaigns, SHAFT content filtering, high-velocity blocking). You prevent the underlying consent-based violations (unauthorized contact, mislabeled marketing-vs-transactional, failure to honor STOP).
Quiet hours + business-hours compliance
Federal TCPA: no marketing calls or texts before 8 AM or after 9 PM in the recipient's local time zone. State mini-TCPAs (Florida, Washington, Oklahoma, Maryland) impose stricter windows — Florida allows until 8 PM, not 9 PM. Maryland requires double opt-in for certain categories. Washington carries its own damages.
If you're sending to all 50 states, the conservative rule is the narrowest window across all states you serve. Better: segment by state and send in each recipient's local time zone, with the time zone derived from the area code or, better yet, from the subscriber's opt-in time-zone preference.
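The send-window logic described above, as an added example rather than code from any SMS platform. It encodes only the two windows this post states (federal 8 AM to 9 PM, Florida until 8 PM); the function names and the fixed-offset sample zones are assumptions, and a production sender would pass an IANA zone such as `zoneinfo.ZoneInfo("America/New_York")` so daylight saving is handled.

```python
from datetime import datetime, time, timedelta, timezone

FEDERAL_WINDOW = (time(8, 0), time(21, 0))   # 8 AM to 9 PM, recipient-local
# Only the override stated in the post; other mini-TCPA states need their own
# entries once the applicable window has been confirmed.
STATE_WINDOWS = {"FL": (time(8, 0), time(20, 0))}

def window_for(state):
    return STATE_WINDOWS.get(state, FEDERAL_WINDOW)

def narrowest_window(states):
    """Conservative rule: latest opening and earliest close across states."""
    windows = [window_for(s) for s in states]
    return max(w[0] for w in windows), min(w[1] for w in windows)

def may_send(send_at_utc, recipient_tz, state):
    """True if the send instant falls inside the recipient's local window."""
    if send_at_utc.tzinfo is None:
        raise ValueError("send time must be timezone-aware")
    local = send_at_utc.astimezone(recipient_tz).time()
    start, end = window_for(state)
    return start <= local < end   # the closing minute itself is treated as closed

def next_allowed(send_at_utc, recipient_tz, state):
    """Return the send time unchanged if allowed, else the next opening (UTC)."""
    if may_send(send_at_utc, recipient_tz, state):
        return send_at_utc
    local = send_at_utc.astimezone(recipient_tz)
    start, _ = window_for(state)
    opening = local.replace(hour=start.hour, minute=start.minute,
                            second=0, microsecond=0)
    if local.time() >= start:     # today's window already closed
        opening += timedelta(days=1)
    return opening.astimezone(timezone.utc)

# Constructed sample zones: fixed winter offsets, no daylight saving.
EASTERN = timezone(timedelta(hours=-5))
PACIFIC = timezone(timedelta(hours=-8))
```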
Fact-check notes and sources
- Telephone Consumer Protection Act, 47 U.S.C. § 227 — statutory damages $500-$1,500 per violation.
- Facebook Inc. v Duguid, 141 S. Ct. 1163 (2021) — narrowed ATDS definition.
- CTIA Short Code Monitoring Handbook (current version) — industry compliance guidelines.
- The Campaign Registry (campaignregistry.com) — A2P 10DLC registration documentation.
- AT&T Code of Conduct for Business Messaging (current version).
- T-Mobile Code of Conduct for A2P 10DLC (current version).
- Verizon A2P Messaging guidelines (current version).
- Florida Telephone Solicitation Act (2021) and amendments.
- Washington Consumer Protection Act (CEMA).
- Maryland Stop the Wrong Number Act (2022).
This post is informational, not legal or carrier-compliance advice. TCPA, state mini-TCPA statutes, CTIA handbook, The Campaign Registry policies, and individual carrier filtering rules evolve. Consult qualified counsel and your SMS platform's compliance team before running any messaging campaign. Mentions of Twilio, Attentive, Postscript, Klaviyo, SimpleTexting, EZ Texting, Textedly, HeyMarket, Textline, The Campaign Registry, AT&T, Verizon, T-Mobile, CTIA, Facebook v Duguid are nominative fair use. No affiliation is implied.