Text Message Opt-In Laws 2026: Federal & State Rules
A gym in Orlando sent a "New Year Special" text to 500 contacts in January 2025. By March, they had a class action demand letter from a Florida plaintiff's attorney.
The gym had consent for all 500 contacts — or so they thought. Their opt-in form met the federal TCPA standard. But it did not meet Florida's Telephone Solicitation Act (FTSA), which requires stricter consent language and gives Florida residents the right to sue directly.
This is the trap. Most businesses learn one set of rules — the federal TCPA — and assume they are covered nationwide. They are not. Twelve states have their own text message laws that add requirements on top of the federal baseline.
The law that applies is not where your business is located. It is where your customer's phone is.
The Three Layers of Text Message Opt-In Law
Every business text message in the US is governed by three overlapping rule sets. When they conflict, the strictest rule wins.
Layer 1: Federal TCPA
The Telephone Consumer Protection Act (TCPA) is the federal law that limits business text messages. It was enacted in 1991 and updated multiple times since. For SMS marketing, the core requirements are:
- Prior express written consent before sending marketing texts — a signed agreement (electronic counts) with specific disclosures
- Consent cannot be a condition of purchase or service
- Consumers must be able to revoke consent at any time and you must honor it
- Records must prove consent existed at the time each message was sent
- Violations carry $500 per message in damages, or $1,500 per message for willful violations
The TCPA is enforced by the FCC and through private lawsuits. In 2025, TCPA class action settlements exceeded $2.1 billion.
Layer 2: CTIA Guidelines
The CTIA (the wireless industry association) publishes the Messaging Principles and Best Practices. These are not law — they are industry standards. But they are effectively mandatory because carriers (AT&T, T-Mobile, Verizon) enforce them through the 10DLC registration system.
If your consent form does not meet CTIA guidelines, your 10DLC campaign will be rejected. No campaign approval means your texts get filtered or blocked.
Key CTIA requirements for opt-in forms:
- Business name in the consent disclosure
- Message type and purpose
- Message frequency ("Msg frequency varies")
- Rates language ("Msg & data rates may apply")
- Opt-out instructions ("Reply STOP to unsubscribe")
- HELP keyword instructions
Layer 3: State Mini-TCPA Laws
This is where most businesses have a blind spot. Twelve states have enacted their own versions of the TCPA — often called mini-TCPAs — with additional or stricter requirements.
State-by-State: The 12 States With Stricter Text Message Laws
| State | Law | Key Addition Beyond Federal TCPA | Effective | Penalty |
|---|---|---|---|---|
| Florida | FTSA (Fla. Stat. § 501.059) | Private right of action; prior express written consent for all sales texts; 8 AM–8 PM restriction; treble damages for willful | 2021 (amended 2024) | $500/text + treble |
| Oklahoma | OTPA (47 O.S. § 5-19.1) | Consent storage mandate; specific consent language requirements | 2022 | $500/text |
| Washington | RCW 19.190.070 | Commercial text must include sender identity and opt-out; requires "clear and conspicuous" disclosure | 2019 (updated 2024) | CPA penalties + private action |
| Maryland | Md. Com. Law § 14-3201 | Requires explicit opt-in for marketing texts; restricts use of automated systems | 2024 | $500/violation |
| Connecticut | CUTPA (Conn. Gen. Stat. § 42-110a) | Unfair trade practice claim available for nonconsensual marketing texts | Ongoing | Actual damages + attorney fees |
| Illinois | ICFA (815 ILCS 505/2) | Consumer fraud claims for deceptive text marketing; class action friendly | Ongoing | $50,000/violation (AG action) |
| New York | NYGT (Gen. Bus. Law § 399-z) | Requires prior express consent for auto-dialed or prerecorded texts; AG enforcement | 2024 | $500-$20,000/violation |
| Texas | TDCA (Bus. & Com. Code § 305.053) | Requires identification of caller/sender; consent revocation must be processed in 5 days | 2023 | $1,000–$5,000/violation |
| California | CCPA/CPRA + existing telemarketing law | SMS consent data is "personal information" under CCPA; consumers can request deletion of consent records — creating a tension with TCPA retention requirements | 2020 | CCPA: $2,500/unintentional, $7,500/intentional |
| Georgia | GTSA (O.C.G.A. § 46-5-27) | Restricts commercial texts via automated systems without express consent | Ongoing | $10,000/violation + injunction |
| Michigan | MTPA (MCL 445.111b) | Requires affirmative consent; restricts text frequency in absence of stated frequency | 2024 | Consumer protection penalties |
| Virginia | VCDPA + Telephone Privacy Protection Act | SMS opt-in data treated as sensitive personal data; requires data protection assessment | 2023 | $7,500/violation (AG) |
Where Federal and State Laws Conflict
The strictest rule always applies. Here are the three most common conflicts that catch businesses:
1. Florida's FTSA vs. Federal TCPA: Who Can Sue?
Under the federal TCPA, both the FCC and individual consumers can file suit. Under Florida's FTSA, any Florida resident who receives a nonconsensual commercial text can sue directly — and recover treble damages for willful violations.
What this means for you: If even one of your contacts is a Florida resident, your consent form must meet FTSA standards, not just TCPA standards. The differences are subtle but material: FTSA requires the consent to specifically reference "telephonic sales calls" and restricts calling hours to 8 AM–8 PM in the consumer's local time zone.
2. Oklahoma's Storage Mandate vs. Standard Practice
Oklahoma's OTPA does not just require consent — it requires you to store consent records in a format that can be produced to the court on request. Most businesses technically store consent, but in a CRM field that would not survive a courtroom challenge.
What this means for you: If you text Oklahoma residents, your consent records need timestamps, IP addresses, and the exact disclosure text — stored in a format you can export and present as evidence.
3. California's CCPA Deletion Rights vs. TCPA Record Retention
California consumers can request deletion of their personal data under CCPA/CPRA. But TCPA compliance requires you to retain consent records for at least 4 years. If a California consumer requests deletion of their consent record, deleting it could expose you to a TCPA lawsuit where you can no longer prove you had consent.
What this means for you: You need a retention policy that distinguishes between marketing data (deletable under CCPA) and compliance evidence (retainable under TCPA). Consult with legal counsel on this specific conflict — it is the most legally unsettled area in SMS compliance.
How to Build a Form That Satisfies Every Jurisdiction
Instead of tracking 12 different state laws, build one opt-in form that meets the strictest requirement in every category:
Consent mechanism: Unchecked checkbox, separate from all other agreements, not a condition of purchase (meets TCPA + FTSA + Oklahoma + all states).
Disclosure language must include:
- Your business name (CTIA + all states)
- "Marketing text messages" or "promotional texts" (FTSA specificity requirement)
- Message frequency estimate (CTIA)
- "Msg & data rates may apply" (CTIA)
- "Reply STOP to unsubscribe" (TCPA + all states)
- "Consent is not a condition of purchase" (TCPA)
Timing restrictions: Do not send marketing texts outside 8 AM–8 PM in the recipient's local time zone (FTSA — strictest window).
Recordkeeping: Store every consent record with timestamp, IP, user agent, geolocation, exact disclosure version, and session replay. Retain for 5 years minimum. Use tamper-proof storage with SHA-256 hashing. This satisfies Oklahoma's storage mandate, TCPA evidence requirements, and positions you well for any state audit.
Opt-out processing: Honor STOP within 24 hours (aim for immediate). Propagate suppression across all systems. Send a confirmation with no promotional content.
What Happens When You Get It Wrong
The penalties stack. A single text to a Florida resident without FTSA-compliant consent could trigger:
- $500 federal TCPA per-message damages
- $500 Florida FTSA per-message damages (or $1,500 treble for willful)
- Attorney's fees for the plaintiff's lawyer
- Class certification if more contacts are affected
A 500-person text blast with defective consent could generate a six-figure demand letter. Class actions in this space routinely settle for $1M to $10M+.
The fix costs a fraction of the risk. A compliant opt-in form, proper disclosure language, and tamper-proof recordkeeping — the same things that prevent lawsuits — also improve your 10DLC campaign approval rates and carrier deliverability.
Build a 50-State Compliant Opt-In Form in 5 Minutes
OptInFix auto-injects CTIA-compliant disclosure language and captures tamper-proof consent records with timestamp, IP, session replay, and SHA-256 hashing — meeting the strictest state requirements automatically.
Frequently Asked Questions
Do opt-in laws apply to transactional texts like appointment reminders?
Transactional texts — appointment reminders, delivery updates, order confirmations — require a lower tier of consent called prior express consent. You get this when a customer voluntarily provides their phone number in a relevant context. But the moment you add promotional content to a transactional message, like "and check out our spring sale," it becomes a marketing text and requires prior express written consent.
Which state has the strictest text message laws in 2026?
Florida's Telephone Solicitation Act (FTSA) is widely considered the strictest in 2026. It added a private right of action for consumers, requires prior express written consent for all sales calls and texts to Florida residents, imposes strict time-of-day restrictions (8 AM to 8 PM local time), and allows treble damages for willful violations. Oklahoma's mini-TCPA is a close second with its consent storage mandate.
Can I use a single opt-in form for customers in all 50 states?
Yes, and you should. The smartest approach is to build one form that meets the strictest requirements across all jurisdictions. That means: unchecked checkbox, your business name in the disclosure, message frequency and data rates language, STOP opt-out instructions, not a condition of purchase, and tamper-proof recordkeeping. A form that satisfies Florida's FTSA and Oklahoma's storage rules will satisfy every other state and the federal TCPA.
How long must I keep SMS opt-in records?
The federal TCPA statute of limitations is 4 years, so keep records at least that long. Some state laws have longer windows — Florida's FTSA has a 4-year statute but courts have applied discovery rules that can extend the period. Best practice: retain consent records for 5 years minimum in a tamper-proof format.