Is a compliance certificate the same as a TrustedForm certificate?

TrustedForm is one type of compliance certificate, designed primarily for lead buyers verifying third-party leads. A compliance certificate generated by OptInFix is designed for businesses that own their own consent forms — it ties a specific consumer's interaction to your specific form and stores it in your audit vault with full session replay.

When do I need to produce a compliance certificate?

You may need to produce compliance certificates during: 10DLC campaign registration (as evidence of your opt-in process), TCPA litigation or pre-litigation demand letter response, regulatory investigation by state attorneys general or the FCC, and client reporting for agencies managing SMS on behalf of brands.

Can I generate a compliance certificate retroactively?

No. A compliance certificate must be generated at the moment of consent. Retroactive generation is meaningless from an evidentiary standpoint because there is no way to prove the record reflects what the consumer actually experienced at signup.

Who can see a compliance certificate?

The compliance certificate is stored in your audit vault (visible to you and your legal team) and linked to a public verification URL. The public URL shows the consent details — without personally identifiable information in the URL itself — so that any third party can verify consent authenticity.

Do compliance certificates expire?

The certificates themselves do not expire, but the consent they document may. Consent for SMS marketing is not indefinite — a consumer's opt-in from five years ago for a specific program may not cover a new program or a significantly changed message frequency. Active consent management matters alongside certificate storage.

SMS Consent Compliance Certificate: What It Contains

When a TCPA demand letter arrives, your defense attorney will ask for one thing first: the consent record for the disputed contact. What they actually need is a compliance certificate — a complete, verifiable proof document that shows exactly what the consumer agreed to, when they agreed to it, and what the agreement looked like.

Most businesses cannot produce this. They have a CRM field, a form submission log, or a spreadsheet. None of these is a compliance certificate.

This guide defines what a compliance certificate is and what it must contain. For how third-party certificate tools like TrustedForm and Jornaya compare to first-party certificates, see: TrustedForm vs Jornaya vs OptInFix: Which Consent Proof Wins in Court? For the general consent collection process, see: How to Collect Proof of SMS Consent.

Here's what a real SMS consent compliance certificate contains, when you need it, and how it changes your TCPA risk profile.

What Is an SMS Consent Compliance Certificate?

A compliance certificate is a structured proof document that ties a specific consumer's consent to a specific consent event — with enough detail and verification mechanisms to be useful in litigation, regulatory inquiry, or 10DLC campaign registration.

It is not:

A generic "we have consent" statement
A CRM export showing a consent field
A screenshot of a form

It is:

A tamper-proof record of a specific opt-in interaction
Cryptographically verifiable
Independently confirmable via a public URL
Rich enough to reconstruct exactly what the consumer was shown and what they did

What a Compliance Certificate Must Contain

A TCPA-defensible SMS compliance certificate includes these elements:

1. Consumer Identification

Phone number (hashed for privacy in the public view, full in the private audit record)
Opt-in date and time (UTC and local timezone)
IP address at time of opt-in
Geolocation derived from IP address

2. Form Identity

Form version ID — a unique identifier for the exact version of the form that was live at the time of opt-in
Form URL — the page where the opt-in occurred
Form name — your internal identifier for the form

This is critical for TCPA defense: if the plaintiff argues the disclosure language was non-compliant, you need to prove what the form said at the exact moment the consumer signed up. If your form has been updated since then, the version ID links back to the archived version.

3. Disclosure Language Snapshot

The exact text of the consent disclosure that was displayed to the consumer. This includes:

Business name as it appeared on the form
Description of message types
Message frequency language
TCPA-required disclosures (rates, opt-out instructions)
Links to terms and privacy policy that were live at the time

4. Consumer Interaction Record

Confirmation that the consent checkbox was in an unchecked state when the page loaded
Timestamp of the checkbox click event
Timestamp of the form submission event
Browser and device fingerprint
Session replay recording reference (or embedded replay for premium certificates)

5. Cryptographic Integrity Proof

SHA-256 hash of the complete record, generated at write time
Current hash status: does the stored record match the original hash?
Chain-of-custody notation: when the record was created, by which system component

6. Public Verification URL

A URL anyone can visit to verify the certificate's authenticity and current hash status. The URL displays:

Consent date and time
Form URL where consent was collected
Disclosure language (the text the consumer agreed to)
Hash verification status (valid / tampered)

This public URL is what you give to a plaintiff's attorney, a 10DLC reviewer, or a regulator. They can verify the record independently without trusting your word.

When You Need a Compliance Certificate

10DLC Campaign Registration

When registering a campaign with The Campaign Registry, you need to provide evidence of your opt-in process. Submitting a compliance certificate URL as part of your supporting documentation demonstrates:

You have an active, compliant opt-in form
Consent records are being captured and stored
The form produces verifiable records

This is increasingly expected by TCR reviewers in 2026 and is one of the best ways to avoid campaign rejection.

TCPA Demand Letter Response

When your attorney receives a demand letter, the first question is: can you document consent for this specific phone number? A compliance certificate with a session replay and public verification URL changes the litigation dynamics immediately. Plaintiff attorneys are much less likely to pursue (or demand high settlements from) defendants who can produce strong, independently verifiable consent records.

10DLC Rejection Appeals

If your 10DLC campaign is rejected for consent documentation reasons, a compliance certificate from an actual opt-in event — showing the form URL, disclosure language, and consumer interaction — is the strongest possible evidence for an appeal.

Agency Client Reporting

SMS agencies managing compliance on behalf of clients can provide clients with compliance certificate reports showing the consent quality of their list. This demonstrates compliance due diligence and supports the agency's claim that it has been managing consent responsibly.

Regulatory Investigation

State attorneys general and the FTC have increased TCPA enforcement activity in 2025-2026. If your business is the subject of a regulatory inquiry, compliance certificates showing your opt-in process and consent documentation practices are essential to demonstrating good faith compliance.

How OptInFix Generates Compliance Certificates

When a consumer completes an OptInFix consent form:

The session replay recording is compressed and stored in the audit vault
The complete consent record (all fields above) is written to append-only storage
A SHA-256 hash of the record is generated and stored
A public verification URL is generated: `optinfix.com/verify?id={consent_id}&hash={short_hash}`
The consent ID and verification URL are available in your dashboard and via API

You can search for any contact's compliance certificate by phone number, view the session replay, and share the public verification URL — all from the OptInFix dashboard.

What a Compliance Certificate Is Not a Substitute For

A compliance certificate documents that a consent event happened. It does not:

Replace ongoing consent management — Consent must be actively managed. Opt-outs must be processed. Lists must be kept clean. A certificate for an old opt-in doesn't help if the consumer has since opted out and you ignored it.

Fix retroactive consent problems — If contacts were collected without proper consent before you implemented certificates, those contacts are still unconsented. Certificates are prospective protection.

Guarantee you won't be sued — Compliance certificates dramatically reduce your risk and improve your defense position. They don't prevent anyone from filing a lawsuit. They change the outcome of that lawsuit.

The goal is to build a consent infrastructure where, for every contact on your SMS list, you can produce a compliance certificate that shows exactly what they agreed to, independently verified, with a session recording of the interaction. That is the TCPA defense position every SMS business should be working toward.

Generate compliance certificates for every opt-in with OptInFix →