TCPA Compliance Guide for SMS Marketers (2026)
The Telephone Consumer Protection Act (TCPA) is the US federal law that governs marketing calls and texts. It carries statutory damages of $500 per violation — up to $1,500 if the violation is willful. With class-action plaintiff firms scanning every text campaign for missing consent, TCPA defense has become an operational necessity, not a legal afterthought. This guide explains exactly what compliant consent looks like, what evidence you need to keep, and how to defend against a TCPA demand letter.
What is TCPA?
The TCPA is a 1991 federal law (47 U.S.C. § 227) that restricts unsolicited marketing calls and text messages to mobile phones. It applies to any business sending marketing SMS to a US cell phone using an automated dialing system (ATDS) or a prerecorded voice.
The law gives consumers a private right of action — meaning anyone who receives a non-compliant marketing text can personally sue for $500–$1,500 per message. That's why TCPA is the most class-actioned statute in commercial communications.
Express written consent
For marketing SMS, the FCC requires "prior express written consent." That has a specific definition:
- A clear and conspicuous disclosure that the consumer is agreeing to receive marketing SMS from a specifically named business.
- An affirmative action by the consumer (typing their number into a form and ticking an unchecked checkbox — not pre-checked, not bundled with another consent).
- The disclosure must include that consent is not a condition of purchase and that message and data rates may apply.
- The record must be retained.
Bundling SMS consent with email opt-in, or auto-checking the SMS box, defeats the consent. Plaintiff firms specifically look for these patterns.
Evidence you must keep
When a demand letter arrives, you have to produce evidence that the recipient consented. Best-practice evidence includes:
- Timestamp of the opt-in (UTC, to the second).
- IP address and user agent of the device.
- Geolocation at consent time.
- Exact disclosure text the user saw (verbatim).
- Form snapshot or session replay showing the unchecked checkbox being ticked.
- SHA-256 hash of the consent record so you can prove it hasn't been altered.
- Public verification URL so opposing counsel can independently confirm.
Tools like OptInFix capture all of this automatically and produce a downloadable PDF certificate per consent.
Revocation & suppression
Consent can be revoked at any time, by any reasonable means — STOP, "unsubscribe", "cancel", a phone call, an email, or a social DM. Once revoked, you must:
- Stop sending marketing SMS to that number within a reasonable window (the FCC's 2024 rule says 10 business days max, with a strong industry expectation of immediate suppression).
- Add the number to a suppression list that's checked before every send.
- Honor revocation across all channels the user has opted into with that brand — you can't keep emailing if they opted out of SMS-and-email bundled consent.
Failure to honor revocation is the #2 source of TCPA judgments after missing initial consent.
Responding to a demand letter
If you receive a TCPA demand letter:
- Don't ignore it. Statutory damages stack quickly and most demand letters precede class action filings.
- Pull the consent record for the plaintiff's number immediately.
- Confirm the hash matches what you have on file.
- Send the verification URL to plaintiff's counsel — most demands settle or drop when court-grade evidence is produced.
- Loop in TCPA defense counsel before responding substantively.
The single best defense is a hash-locked, publicly verifiable consent record produced before the lawsuit was filed.
Frequently asked questions
What's the maximum TCPA fine per text?+
$500 per violation by default, $1,500 if the violation is willful or knowing. In a class action with 100,000 messages sent without proper consent, that scales to $50M–$150M in statutory exposure.
Does TCPA apply to my B2B texts?+
Yes, if you're texting a personal cell number — even if the recipient is a business contact. The TCPA targets the line, not the business relationship.
Is a checked-by-default consent box valid?+
No. The FCC and federal courts have repeatedly held that pre-checked boxes do not satisfy 'prior express written consent' for marketing SMS.
How long must I keep consent records?+
The TCPA statute of limitations is 4 years, so you must retain consent records for at least that long. Best practice is permanent retention with hashing.
Can I rely on lead-vendor consent?+
Only if the vendor produces an evidentiary-quality artifact (timestamped, IP-logged, hashed, verifiable). Otherwise, you inherit the lead vendor's TCPA risk.