TCPA Compliance Checklist 2026: 15-Point SMS Audit
A $14,000 fine from a single text message. That is what a roofing company in Florida paid in 2025 after sending an unsolicited promotional text to just 10 people.
The owner thought he was compliant. He had a CRM full of phone numbers. What he did not have was proof that any of those contacts actually agreed to receive marketing texts.
This is not unusual. Of the businesses that onboard with OptInFix, 67% fail at least three of the fifteen items in this checklist. The gap is almost never intentional — it is a blind spot.
This checklist gives you a structured way to audit your SMS compliance in about 30 minutes. Each item maps to a specific legal requirement, tells you exactly what to build or fix, and explains how to verify you got it right.
How to Use This Checklist
Score yourself 1 point for each item you fully pass. Be honest — partial credit does not exist in a courtroom.
| Score | Risk Level | What It Means |
|---|---|---|
| 13–15 | Low risk | Strong compliance posture. Monitor quarterly. |
| 9–12 | Moderate risk | Gaps exist that a plaintiff's attorney will find. Fix within 30 days. |
| 5–8 | High risk | Multiple exposure points. Prioritize the consent and recordkeeping sections immediately. |
| 0–4 | Critical risk | Stop sending marketing texts until you close these gaps. You are one complaint away from a demand letter. |
Print this out, walk through each item with your team, and write down your score. Then fix the lowest-scoring section first.
The 15-Point TCPA SMS Compliance Checklist
Consent Collection (Points 1–4)
These four items determine whether you have legal permission to send marketing texts in the first place. Without them, everything else is irrelevant.
1. You obtain [prior express written consent](/glossary/express-written-consent) before sending marketing texts.
| Requirement | 47 CFR § 64.1200(f)(9) — signed agreement authorizing marketing messages |
|---|---|
| Implementation | An unchecked checkbox with consent language, separate from any terms-of-service acceptance |
| Verification | Pull 5 random contacts — can you produce a signed consent record for each? |
This is the foundational requirement of the TCPA (the federal law that limits business text messages). Every marketing text you send needs this. Informational texts — like appointment confirmations or delivery updates — need a lower tier of consent, but the moment you add a promotional sentence, you need written consent.
2. Consent is a separate, [unchecked checkbox](/blog/pre-checked-checkbox-tcpa-violation-2026) — never pre-checked or bundled.
| Requirement | FCC guidance + CTIA Messaging Principles |
|---|---|
| Implementation | Consent checkbox must be unchecked by default. SMS consent cannot be bundled with email opt-in, terms acceptance, or purchase agreement |
| Verification | Load your sign-up form in an incognito browser. Is the SMS checkbox unchecked? Is it separate from other agreements? |
Pre-checked boxes are the single most common consent-form mistake. Courts have consistently ruled that a pre-checked box does not constitute an affirmative action by the consumer.
3. Consent is not a condition of purchase or service.
| Requirement | 47 CFR § 64.1200(f)(9)(ii) |
|---|---|
| Implementation | A customer must be able to complete their purchase, book their appointment, or sign up for your service without opting into marketing texts |
| Verification | Complete a test purchase on your site without checking the SMS consent box. Does it work? |
If your checkout flow forces SMS consent to complete a purchase, every text you send under that consent is legally indefensible.
4. Lead-gen consent names your specific business — not a list of companies.
| Requirement | FCC One-to-One Consent Rule (effective January 2025, procedurally stayed but carriers enforce it) |
|---|---|
| Implementation | If you buy leads from a vendor, the consent form must name your business specifically. "By submitting, you agree to hear from our partners" is not sufficient |
| Verification | Request a screenshot of your lead vendor's consent form. Is your business name on it? |
Even after the 11th Circuit stayed the FCC's one-to-one rule in *IMC v. FCC*, carriers like AT&T and T-Mobile still require one-to-one consent for 10DLC campaign approval. This item is effectively mandatory.
Disclosure and Transparency (Points 5–7)
Your consent form can check all the boxes above and still fail if the disclosure language is incomplete.
5. Your consent form identifies your business by name and describes the type of messages you will send.
| Requirement | CTIA Messaging Principles and Best Practices |
|---|---|
| Implementation | Disclosure text must include your company name and whether messages are promotional, transactional, or both |
| Verification | Read your consent disclosure. Does it say who is sending and what kind of texts? |
Vague language like "you agree to receive communications" fails this test. Be specific: "You consent to receive marketing text messages from [Your Business Name] about promotions, offers, and updates."
6. You disclose message frequency and [message and data rates](/glossary/msg-data-rates).
| Requirement | CTIA Messaging Principles |
|---|---|
| Implementation | Include "Msg frequency varies" or a specific estimate. Include "Msg & data rates may apply" |
| Verification | Does your consent text include both a frequency statement and the rates disclosure? |
These two phrases are required by the wireless industry association (CTIA) that sets texting standards. Missing either one is grounds for carrier campaign rejection during 10DLC registration.
7. Your consent text includes opt-out instructions.
| Requirement | TCPA + CTIA |
|---|---|
| Implementation | Include "Reply STOP to unsubscribe" or equivalent |
| Verification | Is the opt-out instruction visible in the consent disclosure? Not buried in a linked terms page — visible on screen |
Opt-Out and Revocation (Points 8–10)
Collecting consent correctly means nothing if you ignore people who withdraw it.
8. The STOP keyword immediately suppresses the contact from all marketing messages.
| Requirement | TCPA — consent revocation must be honored |
|---|---|
| Implementation | STOP, UNSUBSCRIBE, QUIT, CANCEL, and END should all trigger suppression. Process within 10 business days (FCC standard), but aim for immediate |
| Verification | Text STOP to your business number from a test phone. How long until you are suppressed? |
9. You send an opt-out confirmation after suppression.
| Requirement | CTIA best practice + carrier requirement |
|---|---|
| Implementation | A single confirmation text: "You have been unsubscribed from [Business Name] texts. You will not receive further messages." No marketing in this message |
| Verification | After texting STOP, did you receive a confirmation? Was it free of any promotional content? |
10. Suppressed contacts are blocked from all campaigns — including automations and imported lists.
| Requirement | TCPA — revocation applies to all messaging from the sender |
|---|---|
| Implementation | Suppression must propagate to every system that can trigger a text: your CRM, your automation platform, your bulk sender, imported CSV lists |
| Verification | Suppress a test contact, then import a CSV that includes that number. Does the system block the suppressed number? |
This is where businesses get caught. They honor STOP in their main platform but then import a list into a different tool that does not check the suppression list. One text to a suppressed number is a violation.
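The import check from item 10, as an added example (not code from this page or from OptInFix). It assumes US numbers, a CSV column named `phone`, and an in-memory suppression set. The function names are hypothetical. Numbers are normalized before comparison so that a suppressed contact is still caught when the imported list formats the number differently.

```python
import csv
import io
import re

STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "QUIT", "CANCEL", "END"}  # list from item 8

def normalize_us(number):
    """Reduce a US number to +1XXXXXXXXXX; return None if it cannot be parsed."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return None

def handle_inbound(sender, body, suppressed):
    """Suppress the sender if the message is an opt-out keyword (exact match
    after trimming and case-folding). Returns True when a keyword matched."""
    if body.strip().upper() in STOP_KEYWORDS:
        key = normalize_us(sender)
        if key:
            suppressed.add(key)
        return True
    return False

def filter_import(csv_text, suppressed, column="phone"):
    """Split an imported list into (sendable, blocked, invalid) before any send."""
    sendable, blocked, invalid = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_us(row.get(column))
        if key is None:
            invalid.append(row)      # unparseable number: hold it, do not send
        elif key in suppressed:
            blocked.append(key)      # revoked consent: must never be messaged
        else:
            sendable.append(key)
    return sendable, blocked, invalid

# Constructed sample import using fictional 555-01xx numbers.
SAMPLE_CSV = """name,phone
Ana,(555) 555-0100
Ben,555.555.0101
Cy,+1 555 555 0102
Dee,n/a
"""
```

Every tool that can trigger a text needs to run the equivalent of `filter_import` against the same suppression set, which is the propagation requirement in item 10.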
Recordkeeping and Proof (Points 11–13)
This is the section where most businesses fail — and it is the section that matters most if you ever receive a demand letter.
11. Every consent record includes timestamp, IP address, user agent, and the exact disclosure text the consumer saw.
| Requirement | Evidentiary standard from TCPA case law |
|---|---|
| Implementation | Capture and store: UTC timestamp, IP address, browser user agent string, geolocation (if available), and the exact version of your consent form at the time of opt-in |
| Verification | Pull a consent record. Does it have all five data points? Can you reconstruct what the consumer saw? |
A CRM field that says "consented = true" with a date is not proof. Courts want to see the full audit trail — what was shown, when it was shown, and who was on the other end of the screen.
12. Consent records are stored for at least five years in a tamper-proof format.
| Requirement | TCPA statute of limitations is 4 years; 5-year retention provides a safety buffer |
|---|---|
| Implementation | Store records in an append-only system with cryptographic integrity (SHA-256 hashing). No one — including your own team — should be able to edit or delete a consent record |
| Verification | Try to edit a consent record in your system. Can you? If yes, your records are not tamper-proof |
This is the difference between a case that settles for $2,000 and one that settles for $200,000. If you can produce a tamper-proof, timestamped, independently verifiable consent record, most plaintiffs' attorneys will walk away. If you cannot, they will push for class certification.
Learn more: How to Collect Proof of SMS Consent
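One way to build the record described in items 11 and 12, as an added example (not code from this page or from OptInFix): each consent entry is hashed with SHA-256 together with the previous entry's hash, so an edit to any stored record breaks the chain. The field names, the `GENESIS` value and the function names are assumptions. A hash chain makes edits detectable rather than impossible, so the latest head hash has to be kept somewhere the editing party cannot reach.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev-hash value for the first entry
# Assumed field names; geolocation is optional ("if available" in item 11).
REQUIRED = ("phone", "timestamp_utc", "ip", "user_agent",
            "form_version", "disclosure_text")

# Constructed sample record (documentation IP range, fictional number).
SAMPLE = {
    "phone": "+15555550100",
    "timestamp_utc": "2026-01-05T14:02:11Z",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed sample)",
    "form_version": "v3",
    "disclosure_text": "You consent to receive marketing text messages from "
                       "Example Roofing. Msg frequency varies. Msg & data "
                       "rates may apply. Reply STOP to unsubscribe.",
}

def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so the same record
    # always serializes to the same bytes before hashing.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_consent(log, record):
    """Append a record chained to the previous entry; return the new head hash."""
    missing = [k for k in REQUIRED if not record.get(k)]
    if missing:
        raise ValueError(f"incomplete consent record, missing: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": dict(record), "prev": prev,
                "hash": entry_hash(prev, record)})
    return log[-1]["hash"]

def verify_log(log, expected_head=None):
    """Return -1 if intact, else the index of the first entry that fails.
    Returns len(log) when the chain is self-consistent but does not end at
    the externally stored head (entries dropped or the chain rebuilt)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1
```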
13. You can export a court-admissible consent proof package for any individual contact within 24 hours.
| Requirement | Practical litigation readiness |
|---|---|
| Implementation | Your system must generate a downloadable proof package — PDF or verifiable link — showing the consent record, metadata, and (ideally) a session replay of the opt-in interaction |
| Verification | Pick a random contact. Can you produce their complete consent proof in under 24 hours? In under 5 minutes? |
When a demand letter arrives, you typically have 30 days to respond. If you cannot produce proof quickly, your legal costs escalate while your team scrambles to reconstruct records from fragmented systems.
Registration and Infrastructure (Points 14–15)
These items cover the carrier-level requirements that exist alongside the legal requirements.
14. Your business is registered for 10DLC with a verified brand and approved campaign.
| Requirement | Carrier mandate (AT&T, T-Mobile, Verizon) via The Campaign Registry (TCR) |
|---|---|
| Implementation | Register your brand (legal entity name, EIN, address) and at least one campaign (use case, sample messages, opt-in URL) through your SMS provider's 10DLC portal |
| Verification | Log into your SMS provider. Is your brand status "Verified"? Is your campaign status "Approved"? |
10DLC (the carrier registration system for business texting) is not optional. Unregistered business texts are filtered or blocked by carriers. Even if your consent is perfect, your messages will not reach people without registration.
15. Your throughput tier matches your actual sending volume.
| Requirement | TCR campaign throughput allocation |
|---|---|
| Implementation | Review your approved message throughput (messages per second) against your actual sending volume. If you are hitting throughput limits, you need a higher trust score or campaign tier |
| Verification | Check your SMS provider's delivery reports. Are you seeing throttling or delayed delivery? |
Mismatched throughput creates deliverability problems that look like compliance problems. If messages arrive hours after a customer's opt-in confirmation, that erodes trust and can trigger complaints.
The 5 Checklist Items Businesses Fail Most
Based on the businesses that onboard with OptInFix, here are the items that fail most often — in order:
1. Item 11 — Incomplete consent metadata (failed by 67% of new customers). Most businesses store a date and a phone number. They do not store IP, user agent, or the consent text version. In a lawsuit, this is the same as having no record at all.
2. Item 12 — No tamper-proof storage (failed by 61%). Consent records sit in a CRM where any team member can edit the "consent date" field. A plaintiff's attorney will argue the records were fabricated.
3. Item 2 — Pre-checked checkbox still in use (failed by 44%). Many businesses do not realize their form builder defaults to a pre-checked state. Others intentionally pre-check to boost opt-in rates — a decision that creates legal liability for every text sent. See the full breakdown of pre-checked checkbox violations.
4. Item 6 — Missing frequency or rates disclosure (failed by 38%). The message-and-data-rates disclosure is a CTIA requirement that carriers check during 10DLC registration. Missing it means campaign rejection.
5. Item 10 — Suppression does not propagate across systems (failed by 31%). A contact texts STOP and gets suppressed in one platform. Then someone imports a lead list into a different tool without checking the suppression list. That single text triggers a violation worth $500 to $1,500.
Automate Your TCPA Audit With OptInFix
You can run through this checklist manually every quarter. Or you can set up a system that passes all 15 items automatically, every time a contact opts in.
Here is how each section maps to OptInFix:
| Checklist Section | What OptInFix Handles |
|---|---|
| Consent Collection (1–4) | Embeddable consent form with unchecked checkbox, separate from other agreements, CTIA-compliant disclosure auto-injected |
| Disclosure (5–7) | Pre-built disclosure templates that include business name, frequency, rates, and opt-out instructions |
| Opt-Out (8–10) | Webhook-based suppression that propagates across connected systems in real time |
| Recordkeeping (11–13) | Every consent record stores timestamp, IP, user agent, geolocation, form version, and a full session replay — all SHA-256 hashed and tamper-proof |
| Registration (14–15) | TCR submission toolkit with guided 10DLC campaign registration |
Stop Guessing Whether You Are Compliant — Know It
Most businesses discover their consent gaps after a demand letter arrives. OptInFix captures court-grade proof of consent for every opt-in, automatically.
Frequently Asked Questions
How often should I audit TCPA compliance?
Run a full 15-point audit at least once per quarter. Do a spot check whenever you change your consent form language, switch SMS platforms, or add a new messaging campaign. After any regulatory update — like a new state mini-TCPA law or FCC rule change — audit the affected checklist items within 30 days.
What is the most common TCPA violation in 2026?
Failing to keep adequate consent records. Most businesses collect some form of consent, but they store it in a CRM field with no timestamp, no IP address, and no record of what disclosure the consumer actually saw. When a demand letter arrives, they cannot prove what the consumer agreed to — and that is treated the same as having no consent at all.
Can I use this checklist for Canadian CASL compliance?
This checklist is built for US TCPA and 10DLC requirements. CASL (Canada's Anti-Spam Legislation) shares some concepts — like requiring express consent and honoring opt-outs — but has different rules around implied consent, mandatory sender identification, and consent expiration after 24 months of inactivity. You would need a separate CASL-specific audit.
Who is responsible for TCPA compliance — the business or the SMS platform?
The business sending the messages is always primarily liable. SMS platforms, CRMs, and marketing tools are technology providers — they give you the ability to send texts, but they do not take on your legal obligation to have consent. If your vendor's system sends a text without proper consent, the lawsuit names your business, not the software company.