GoHighLevel TCPA Compliance Checklist for 2026 (47 Items Every Agency Must Verify)
The 47-item GHL TCPA compliance checklist for 2026
If you run an agency on GoHighLevel, you have shared liability for every text your clients send. This 47-item checklist covers what to verify before, during, and after each client launch.
For broader context see our GHL compliance pillar, the GoHighLevel product hub, and the agency-scale 10DLC playbook. When you quote client SMS programs, pair this checklist with the 10DLC true-cost breakdown for 2026.
Section 1: Brand registration (8 items)
- [ ] 1. Pulled fresh 147c letter for legal name verification
- [ ] 2. Brand registered under client's legal entity (not agency)
- [ ] 3. EIN matches IRS records exactly
- [ ] 4. Commercial address (not PO Box or residential)
- [ ] 5. DUNS number obtained for enhanced vetting (if scaling)
- [ ] 6. Brand sub-type matches entity (Sole Prop, Public, Private, Non-Profit)
- [ ] 7. Brand vetting score recorded for compliance file
- [ ] 8. Brand expiration calendar reminder set
See brand registration glossary.
Section 2: Campaign registration (7 items)
- [ ] 9. Use case matches actual traffic (Marketing vs Mixed vs Customer Care)
- [ ] 10. Sample messages include brand name + STOP/HELP
- [ ] 11. Opt-in URL is publicly accessible (no login wall)
- [ ] 12. Privacy policy includes SMS clause
- [ ] 13. Throughput tier matches realistic volume
- [ ] 14. Embedded URLs use branded short domain
- [ ] 15. Carrier attestations all checked
See campaign registration glossary.
Section 3: Consent capture (9 items)
- [ ] 16. Consent disclosure includes brand name
- [ ] 17. Disclosure mentions message frequency
- [ ] 18. Disclosure mentions msg & data rates
- [ ] 19. Disclosure mentions STOP/HELP keywords
- [ ] 20. Disclosure mentions consent revocation
- [ ] 21. Consent is unchecked by default (no pre-ticked boxes)
- [ ] 22. Session replay recording active
- [ ] 23. Consent record includes IP, user agent, timestamp
- [ ] 24. Consent stored in tamper-evident format
Use the express written consent standard.
Section 4: Automations and triggers (6 items)
- [ ] 25. No automation sends to leads without verified consent
- [ ] 26. AI follow-up bots have explicit consent disclosure
- [ ] 27. Workflow triggers respect suppression status in real-time
- [ ] 28. Aged-lead reactivation requires fresh consent
- [ ] 29. Cross-sub-account automations have isolation
- [ ] 30. No automation sends during FCC quiet hours (sending allowed only 8am-9pm local)
Section 5: Suppression and revocation (5 items)
- [ ] 31. STOP/UNSUBSCRIBE/QUIT/CANCEL all trigger suppression
- [ ] 32. Suppression propagates across all sub-accounts (or per-tenant by design)
- [ ] 33. Suppression list syncs in under 60 seconds
- [ ] 34. Suppression status logged with timestamp
- [ ] 35. Suppression survives CRM imports/exports
Section 6: Evidence and audit (5 items)
- [ ] 36. PDF certificate of consent generatable on demand
- [ ] 37. JSON export available for discovery
- [ ] 38. 13+ months retention for all consent records
- [ ] 39. Hash chain or cryptographic integrity verified
- [ ] 40. Reassigned Numbers Database checked before first text
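One way to meet items 24 and 39, shown as an added example (not GoHighLevel's or any vendor's code): each consent record carrying the item 23 fields is bound to the SHA-256 of the previous entry, and verification reports the first broken link. The field names, the all-zero genesis value and the sample records are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def digest(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(chain, record):
    """Append a consent record, binding it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": digest(prev_hash, record)}
    chain.append(entry)
    return entry

def verify_chain(chain, anchored_head=None):
    """Return the index of the first bad entry, len(chain) if the final hash
    differs from an externally stored head, or None if everything checks out."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return len(chain)
    return None

def sample_chain():
    # Constructed records: documentation-range IPs and 555-01xx numbers.
    chain = []
    stamps = ["2026-01-05T15:02:11Z", "2026-01-05T15:09:40Z", "2026-01-06T09:30:02Z"]
    for n, ts in enumerate(stamps):
        append_record(chain, {
            "phone": f"+1555010010{n}",
            "brand": "Example Dental LLC",
            "ip": f"203.0.113.{10 + n}",
            "user_agent": "Mozilla/5.0 (constructed)",
            "timestamp": ts,
            "disclosure_version": "v3",
        })
    return chain
```

A chain only proves integrity relative to its latest hash: someone who can rewrite the whole store can recompute every link, so keep the head hash somewhere the consent database's writers cannot modify and pass it as `anchored_head`.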
Section 7: Agency operations (7 items)
- [ ] 41. Master Services Agreement includes TCPA indemnification clauses
- [ ] 42. Sub-account onboarding checklist enforced before activation
- [ ] 43. Per-client compliance file maintained
- [ ] 44. Quarterly compliance audit scheduled
- [ ] 45. TCPA defense counsel retained or on-call
- [ ] 46. E&O policy reviewed for TCPA exclusions
- [ ] 47. Litigation hold process documented
Why each section matters
Brand and campaign registration
Most rejections trace to misregistration. See our GHL rejection fix guide.
Consent capture
Post-IMC, first-party consent naming the sender is the new floor. See OptInFix vs ActiveProspect.
Automations
GHL's strength (workflows) is also its TCPA risk. AI follow-up at scale requires explicit consent for "automated text messages and prerecorded voice."
Suppression
The single biggest litigation trigger in 2026 is the post-revocation message. Propagation latency under 60 seconds is the new standard.
Agency operations
Vicarious liability means an agency can be named in a client's TCPA suit. MSA terms and operational discipline determine whether you're indemnified.
Common GHL-specific gotchas
- Default sample messages in templates don't include client brand name → carrier rejection
- Master location mistakenly used as the brand for client traffic
- Workflow re-runs after a contact replies STOP because suppression didn't propagate to the workflow trigger
- AI booking bot sends without disclosure of automated nature
- Webhook timeouts during TCR vetting cause silent failures
Quarterly audit cadence
Every quarter, run this 5-step audit:
- Pull a random sample of 20 consent records per client
- Verify each has a session replay
- Spot-check 5 STOP-replied numbers across all sub-accounts
- Confirm no messages sent post-STOP
- Review TCR brand expirations in the next 90 days
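The post-STOP steps of this audit can be run over an exported message log. The sketch below is an added example, not part of GoHighLevel: it flags outbound messages sent after a revocation keyword, across sub-accounts or per tenant. The log field names, the `kind` tag used to exclude the single opt-out confirmation, and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

REVOKE_KEYWORDS = {"STOP", "UNSUBSCRIBE", "QUIT", "CANCEL"}  # checklist item 31
SYNC_WINDOW = timedelta(seconds=60)                          # checklist item 33

def find_post_stop_sends(events, cross_account=True):
    """Return outbound messages sent after the recipient revoked consent.

    cross_account=True treats a STOP in one sub-account as binding on all of
    them (item 32); False models per-tenant suppression by design.
    """
    revoked_at = {}  # suppression key -> time of the first revocation
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = ev["phone"] if cross_account else (ev["sub_account"], ev["phone"])
        if ev["direction"] == "in":
            # Exact keyword match only; free-text revocations need manual review.
            if ev["body"].strip().upper() in REVOKE_KEYWORDS:
                revoked_at.setdefault(key, ts)
        elif key in revoked_at and ev.get("kind") != "optout_confirmation":
            delay = ts - revoked_at[key]
            findings.append({
                "sub_account": ev["sub_account"],
                "phone": ev["phone"],
                "seconds_after_stop": int(delay.total_seconds()),
                "beyond_sync_window": delay > SYNC_WINDOW,
            })
    return findings

def event(ts, sub_account, direction, phone, body, kind="message"):
    return {"ts": f"2026-03-02T{ts}+00:00", "sub_account": sub_account,
            "direction": direction, "phone": phone, "body": body, "kind": kind}

# Constructed sample log; field names and the "kind" value are assumptions.
SAMPLE_EVENTS = [
    event("14:00:00", "acct-a", "out", "+15550100001", "Example Dental: cleaning due. Reply STOP to opt out."),
    event("14:01:00", "acct-a", "in", "+15550100001", " stop "),
    event("14:01:02", "acct-a", "out", "+15550100001", "Example Dental: you are unsubscribed.", "optout_confirmation"),
    event("14:01:30", "acct-a", "out", "+15550100001", "Example Dental: still want that slot?"),
    event("16:00:00", "acct-b", "out", "+15550100001", "Example Ortho: free consult this week."),
    event("15:00:00", "acct-a", "in", "+15550100002", "Can I stop by tomorrow?"),
    event("15:05:00", "acct-a", "out", "+15550100002", "Example Dental: yes, we open at 9."),
]
```

On the sample log, the workflow step 30 seconds after STOP is reported as inside the sync window, and the second sub-account's send two hours later is reported as beyond it; with `cross_account=False` only the first is reported.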
Quick wins (do these this week)
If you can only do 5 things this week:
- Verify every active opt-in URL is public (no login)
- Add STOP/HELP to every sample message
- Confirm suppression propagates across sub-accounts
- Pull and store a 147c for every client brand
- Install session replay on every consent funnel
Bottom line
GHL is the best growth platform for agencies, and the highest TCPA risk surface for the same reason. This checklist is the floor, not the ceiling.