    SMS Agency TCPA Onboarding Checklist 2026 (9 Steps)

    OptInFix Compliance Desk | June 13, 2026 | 11 min read

    An SMS agency launched a loyalty campaign for a new restaurant client. The client provided a list of 4,000 contacts they had collected at a point-of-sale tablet over two years. The agency didn't ask what consent language was shown. They didn't ask if the list had been screened. They launched the campaign.

    Six weeks later, both the restaurant and the agency were named in a TCPA class action. The class: every person on the list who had never seen a CTIA-compliant consent disclosure.

    An agency that sends on behalf of a client assumes a share of the client's compliance risk. The only protection is a rigorous onboarding process that catches compliance problems before they become campaigns. Here is the complete 9-step checklist.

    Why Agency Onboarding Is the Critical Compliance Gate

    By the time you send the first message, the damage from a bad list is already done. You cannot fix non-consensual contacts after the send. Pre-send compliance work is the only compliance work that actually prevents violations.

    The challenge is that most agencies are optimized for speed: get the client signed, get the campaign set up, get the first send out. TCPA compliance adds friction to that process. But the cost of a single class action naming your agency far exceeds the cost of the compliance steps below.

    The 9-Step Onboarding Checklist

    Step 1 — List Source Audit

    Before accepting any contact list, understand where it came from. Ask the client:

    • What is the source of every list segment you want to send to?
    • Do you have the opt-in form URL where these contacts signed up?
    • Were any contacts imported from a purchased list, lead aggregator, or third-party source?
    • Were any contacts collected before January 2025 on a shared form listing multiple brands?
    • Have you exported and re-imported this list between CRMs, which may have stripped metadata?

    Red flags that require list rejection or re-consent:

    • "We bought this list"
    • "We imported it from our old CRM, I'm not sure where those contacts came from"
    • "The form is gone, the site was redesigned"
    • "These are contacts from a co-marketing campaign with another company"

    Under the FCC's one-to-one consent rule effective January 2025, shared-form consent and purchased lists are not valid TCPA consent. Sending to these lists is a violation.

    Step 2 — Consent Documentation Review

    For lists the client claims are compliant, request documentation:

    • The opt-in form URL (test that it's still live and shows compliant disclosure language)
    • A sample consent record showing IP address, timestamp, and disclosure language
    • The platform storing consent records (CRM, audit vault, or form submission log)

    If the client cannot produce a single sample consent record with IP address, timestamp, and disclosure text, the list has inadequate documentation for TCPA defense purposes.

    Step 3 — Per-Client Consent Form Setup

    Set up a dedicated consent form for the client in OptInFix or your preferred consent capture platform. Requirements:

    • Form disclosure names the client's legal business name
    • Form disclosure describes the SMS message types the client will send
    • Form disclosure includes an accurate message frequency estimate
    • Includes CTIA-required language: "Message and data rates may apply. Reply STOP to cancel. Reply HELP for info."
    • Checkbox is unchecked by default
    • Session replay is enabled
    • Records write to the client's dedicated audit vault

    Do not reuse consent forms across clients. Each client is a separate consent relationship.

    Step 4 — CTIA Disclosure Language Approval

    Before the form goes live, have the client review and approve the consent disclosure language in writing (email confirmation is sufficient). This creates a record that:

    • The client saw and approved the disclosure language
    • Any inaccuracy in the disclosure (wrong message frequency, missing program description) was the client's responsibility to catch
    • The agency is not the author of potentially non-compliant language

    Save the client's approval in your project file.

    Step 5 — 10DLC Campaign Registration

    Every client sending A2P SMS in the US needs:

    Brand Registration: The client registers their legal business entity (name, EIN, business type, address) with The Campaign Registry. This must be in the client's name — not the agency's.

    Campaign Registration: A campaign is registered for each use case (marketing, customer notifications, etc.). The registration requires:

    • Opt-in form URL (use the URL from Step 3)
    • Sample opt-in disclosure language
    • Sample messages from the campaign
    • Message volume estimates

    If the client does not have 10DLC registration, do not send campaigns until registration is complete. Carriers have blocked 100% of unregistered A2P traffic since February 2025.

    Step 6 — Opt-Out Process Configuration

    Configure the client's sending platform to process opt-outs correctly under the April 2025 FCC revocation rule:

    • Enable all standard opt-out keywords: STOP, QUIT, CANCEL, UNSUBSCRIBE, END, REVOKE
    • Configure broad keyword matching where available
    • Set up a monitored inbox for the client's SMS reply number
    • Create a documented process for non-keyword opt-out requests (email, phone, form)
    • Configure the 10-business-day processing SLA

    Test the opt-out process before launch: send a test message to a test number and reply STOP. Verify the number is suppressed and receives the confirmation message.
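
    The keyword matching and 10-business-day check from this step can also be run over an export of inbound replies. The script below is an added example, not OptInFix or GoHighLevel code; the record layout, the status names, and the rule that the count starts the day after receipt and skips only weekends and listed holidays are assumptions.

```python
import re
from datetime import date, timedelta

# Keywords and SLA length are the ones listed in Step 6.
OPT_OUT_KEYWORDS = {"STOP", "QUIT", "CANCEL", "UNSUBSCRIBE", "END", "REVOKE"}
SLA_BUSINESS_DAYS = 10

def is_opt_out(reply):
    """Broad match: a keyword anywhere in the reply, as a whole word, any case."""
    # Whole-word matching keeps "weekend" from matching END. A reply such as
    # "stop by the store" still matches; over-suppression is the safe failure.
    words = re.findall(r"[A-Za-z]+", reply.upper())
    return any(word in OPT_OUT_KEYWORDS for word in words)

def sla_deadline(received, holidays=frozenset()):
    """Last date on which the opt-out can be processed within the SLA."""
    day, remaining = received, SLA_BUSINESS_DAYS
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:  # Mon-Fri only
            remaining -= 1
    return day

def audit(replies, suppressed_on, today):
    """replies: (number, received_date, text); suppressed_on: number -> date."""
    findings = []
    for number, received, text in replies:
        if not is_opt_out(text):
            # Non-keyword replies go to the monitored inbox for a human to read.
            findings.append((number, "manual-review"))
            continue
        deadline = sla_deadline(received)
        done = suppressed_on.get(number)
        if done is not None and done <= deadline:
            status = "ok"
        elif done is None and today <= deadline:
            status = "pending"
        else:
            status = "sla-breach"
        findings.append((number, status))
    return findings

# Constructed sample data (fictional numbers), not real logs.
REPLIES = [("+15555550100", date(2026, 6, 1), "stop"),
           ("+15555550101", date(2026, 6, 1), "Please STOP texting me!"),
           ("+15555550102", date(2026, 6, 1), "take me off your list"),
           ("+15555550103", date(2026, 6, 10), "Unsubscribe")]
SUPPRESSED = {"+15555550100": date(2026, 6, 2), "+15555550101": date(2026, 6, 18)}

if __name__ == "__main__":
    print(audit(REPLIES, SUPPRESSED, today=date(2026, 6, 20)))
```

    A "manual-review" result is not a pass: the third sample reply is a non-keyword opt-out request and has to be handled through the documented process above.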

    Step 7 — Suppression List Import

    Ask the client for their existing suppression list — any contacts who have previously opted out, asked to be removed, or are on the Do Not Call Registry. Import this list into the sending platform before the first campaign.

    Also check:

    • National DNC Registry — scrub marketing campaign lists
    • State DNC registries where applicable
    • Internal complaint list from the client's customer service team

    Sending a promotional text to a contact on the DNC Registry is a TCPA violation regardless of any SMS-specific opt-in.

    Step 8 — Session Replay Consent Capture for New Opt-Ins

    Configure all new lead capture flows — landing pages, signup forms, website forms — to use the client's compliant consent form from Step 3. This ensures all future opt-ins are captured with session recording, not just form submission logs.

    For clients using GoHighLevel, embed the OptInFix consent widget on key landing pages and configure the GHL workflow to trigger on successful form submission.

    Step 9 — Contract Protections

    Before launching, ensure your agency agreement with the client includes:

    TCPA representation: Client represents that all lists provided have been collected under compliant one-to-one consent practices and have not been purchased from third parties.

    Indemnification: Client indemnifies agency for any TCPA claims arising from lists or consent practices the client represented as compliant.

    Agency opt-out right: Agency may decline to send to any list segment that agency determines, in its reasonable judgment, poses TCPA compliance risk.

    Compliance cooperation: Client agrees to cooperate with any compliance audit, consent documentation request, or legal response related to the agency's campaigns.

    These protections don't make you immune from litigation, but they change the financial dynamics significantly if a claim arises.

    Ongoing Compliance Monitoring

    Onboarding is not a one-time event. After launch, maintain:

    Monthly: Review opt-out processing logs. Verify that opt-out requests from all channels were processed within 10 business days.

    Quarterly: Audit the client's active opt-in forms. Verify disclosure language is still accurate, checkbox is still unchecked, and session recording is active.

    Upon any form change: Any change to the client's opt-in form requires a review of whether the consent language is still CTIA-compliant and whether existing consents match the current form.

    Upon any list addition: Any new list segment must go through the same source audit from Step 1 before being added to campaigns.

    The agencies that survive TCPA litigation are the ones that made compliance a systematic process — not a one-time check. This checklist is your system.
