What exactly does the one-to-one consent rule require?

Each individual business must obtain separate, express written consent from each consumer. A single opt-in form that names multiple companies, or consent sold or shared across brands, is no longer legally valid for TCPA purposes.

Does this rule apply to agencies that manage SMS on behalf of clients?

Yes. If your agency sends SMS from a client's brand, the consent must name that specific client. Your agency's consent form cannot double as consent for your client's messages. Each client needs their own form with their own disclosure language.

What should I do with existing lists collected before January 2025?

Lists collected before January 27, 2025 on shared forms need to be re-qualified. The safest path is a re-consent campaign: send a one-time message explaining the new opt-in, ask for confirmation, and only retain subscribers who respond affirmatively.

Does the one-to-one rule apply to 10DLC campaigns?

Yes. Carriers and TCR are increasingly aligned with FCC consent standards. Shared or third-party consent is a leading cause of 10DLC campaign rejection in 2026. Your campaign registration must reference a direct opt-in URL for the specific sending brand.

Can a parent company collect consent for all its subsidiaries on one form?

Not safely. The FCC rule requires consumers to specifically identify which company they are consenting to hear from. A form that mentions a parent company but not the subsidiary sending the messages creates a consent mismatch.

FCC One-to-One Consent Rule: SMS Agency Guide 2026

On January 27, 2025, the FCC's one-to-one consent rule took effect — and it quietly invalidated the consent strategy of thousands of SMS agencies, lead generation companies, and multi-brand businesses.

If you run an agency that manages SMS for multiple clients, this rule directly affects how you collect, store, and use consent. Here's what changed, who it hits hardest, and what your agency needs to do to comply.

What the One-to-One Consent Rule Says

The Federal Communications Commission finalized the one-to-one consent rule in December 2023, with enforcement beginning January 27, 2025. The rule amends the TCPA's consent requirements in two critical ways:

1. Consent must be one-to-one. A consumer's opt-in consent is only valid for the specific company named on the consent form at the time of sign-up. Consent collected on a shared form listing multiple businesses — or consent purchased from a lead aggregator — is no longer valid for any of the businesses listed.

2. The relationship must be logically and topically related. Even when a consumer consents to messages from one company, that company cannot share, sell, or transfer the consent to a related business — even a sister brand or subsidiary — unless the consumer specifically agreed to that.

The practical impact: the entire shared-consent lead generation model is dead. Forms that said "I consent to be contacted by [Business Name] and its partners" are now TCPA violations waiting to happen.

Who This Hits Hardest

SMS Agencies Managing Multiple Clients

This is the highest-risk category. An agency that uses a single intake form for multiple client campaigns — or that runs campaigns using leads collected by a third party — now has clients with legally unenforceable consent databases.

For example: An agency builds a landing page for Client A (an insurance company) and Client B (a mortgage broker). The opt-in form says "Consent to be contacted by our insurance and lending partners." Both clients run SMS campaigns to that list.

Under the one-to-one rule, neither client has valid consent. The consumer consented to generic "partners" — not to the specific company sending the text.

GoHighLevel Agencies

GoHighLevel agencies frequently build out client systems using shared funnel templates. If the same opt-in form is reused across client sub-accounts — or if a generic consent statement is applied to an entire snapshot — every client running SMS to that list is exposed.

Lead Generation Companies

Any business that generates leads for multiple buyers and sells consent downstream is operating outside the new rules. Lead buyers who purchased lists after January 27, 2025 cannot legally send marketing texts to those contacts.

What Agencies Must Change

1. Audit Every Client's Consent Source

Start by mapping how each client's SMS list was built:

Was the consent collected via a form the client owns directly?
Does the form disclosure name the specific client brand?
Were any contacts imported from a third-party list or purchased lead source?
Was the same consent form used for multiple clients?

Any "yes" to the last three questions is a compliance problem.

2. Build Per-Client Consent Forms

Every client that sends SMS marketing must have their own dedicated consent form that:

Explicitly names the client's business by legal business name
Describes the types of messages the consumer will receive
Includes CTIA-required disclosure language specific to that brand
Stores consent records tied to that client's account — not a shared pool

Using OptInFix with separate sub-accounts or workspaces per client achieves this automatically. Each client gets their own embeddable form, their own audit vault, and their own verification URL format.

3. Separate Consent Storage by Brand

Consent records must be traceable to a specific brand's opt-in event. If you're storing all client consent in a shared CRM table, that's a problem. Consent for Client A must be queryable independently, with the disclosure text and form version that was shown at signup — not a generic record that any client could theoretically claim.

4. Implement Re-Consent Campaigns for Affected Lists

For lists collected before January 2025 on shared forms, the safest path is re-consent:

Send one message per contact: "You previously signed up to hear from [Brand]. We're updating our consent records. Reply YES to continue receiving updates, or STOP to opt out."
Archive the re-consent interaction with a session recording
Suppress everyone who does not respond YES

Yes, you will lose contacts. The alternative is sending to a non-consented list and facing TCPA exposure.

5. Update Client Contracts and SLAs

Your agency agreement with clients should now include:

A representation that all lists provided by the client have been collected under one-to-one consent standards
Indemnification clauses for TCPA exposure arising from client-provided lists
A requirement that the client reviews and approves their consent form language before any campaign launches

This protects your agency when a client provides a dirty list.

The 10DLC Connection

The one-to-one consent rule has a direct impact on 10DLC campaign registration. The TCR (The Campaign Registry) and carriers have aligned their review criteria with FCC standards.

When you register a 10DLC campaign, you must provide:

The opt-in form URL where consumers sign up
Sample opt-in disclosure language
A description of how consent was collected

If your opt-in URL points to a shared landing page used for multiple brands, TCR reviewers will reject the campaign. Each campaign registration needs a dedicated consent form URL with brand-specific language.

See how to register a compliant 10DLC campaign with proper consent documentation →

What to Do Right Now

The one-to-one consent rule is not going away. The FCC has made enforcement a priority, and plaintiff attorneys are already building cases around shared-consent lists.

For a complete step-by-step agency onboarding process that covers this rule — including list source auditing, per-client form setup, 10DLC registration, opt-out configuration, and contract protections — see the full guide: SMS Agency TCPA Compliance: The 9-Step Client Onboarding Checklist.

Getting your agency's consent infrastructure right today is the only way to protect your clients — and yourself.

Build per-client consent forms with OptInFix →