When starting to send SMS marketing and transactional messages, it’s vital to understand the compliance laws and regulations around it. The laws for text messaging vary by country and region/state. This guide focuses on US SMS compliance laws and regulations, and provides best practices for staying compliant with them.
IMPORTANT
This information is subject to change and doesn't constitute professional legal advice. To learn more, read our disclaimers. If you have questions about laws in your country or region outside of the US, we recommend contacting your legal counsel.
# In this article
# Risks of noncompliance when sending SMS
In the United States, the Federal Communications Commission (FCC) operates under the Telephone Consumer Protection Act (TCPA) to monitor for SPAM violations, data, and privacy laws for texts and phone calls.
Noncompliance can expose your organization to fines ranging anywhere from $500 to $1,500 for each recipient who received an unwanted message sent.
# SMS compliance basics
For successful SMS compliance, follow these guidelines:
- Obtain written, express consent before sending any messages.
- Clearly state the type of SMS (promotional vs. transactional) you're sending to prevent confusion.
- Don't send prohibited content.
- Provide an easy opt-out option, and remind recipients every 4-5 messages or at least once a month.
- Respect timing: avoid sending messages too early, too late, or too often.
- Always include your brand or company name in each message.
- Ensure compliance with all applicable local and federal laws in your sending regions.
When sending marketing content through Iterable, you are also responsible for ensuring content aligns with Iterable's Acceptable Use Policy and guidance for restricted SMS content.
IMPORTANT
Don't contact those on Do Not Call registers. Consider a third-party service that can scrub your list for you. Iterable and partner SMS providers don't suppress phone numbers from these lists.
# Understanding SMS consent
With SMS, it’s required to obtain written, express consent before sending any mobile message to anyone. This is mandated by the Telephone Consumer Protection Act (TCPA) and carrier requirements.
Consent is SMS-specific, meaning it’s not interchangeable with email or other channels.
Consent for marketing and transactional use cases must be separated.
Consent cannot be shared or sold, including through third-party list providers or affiliates.
To learn more about Iterable features that streamline SMS consent, see:
# Call-to-action (CTA) requirements
Consent obtained in a call-to-action (CTA) must provide explicit language that allows the recipient to have a clear understanding of the exact type of messages they are agreeing to receive and is not a condition of a purchase and is always optional. A CTA by default has to be in an inactive state (an unchecked checkbox that needs active selection by the recipient) so that the recipient can make the clear choice of consent by taking an obvious action to confirm opt-in.
A call-to-action (CTA) must include the following:
- Program name and/or a description of the messages that will be sent.
- Message frequency (like "Message frequency varies" or "Up to 4 msgs/month")
- Disclosure: "Message and data rates may apply".
- Customer support contact, such as a HELP keyword, support email, or phone number.
- Opt-out instructions: "Reply STOP to cancel".
- Links to your SMS Terms of Service and Privacy Policy.
- A standalone opt-in (not bundled with email, voice calls, or other channels).
- Required disclaimers on the same screen where the opt-in occurs—not hidden in a footer or behind a link.
Examples of what not to do:
- Don't use a single CTA for all marketing channels, which doesn't establish written, express SMS consent.
- Don't send cart abandonment messages without consent.
- Don't offer a single opt-in for multiple brands or organizations.
- Don't pre-check the SMS consent box on the opt-in form.
- Don't combine email and SMS consent into one checkbox.
- Don't obtain phone numbers from a third-party list or an affiliate.
- Don't collect a phone number for one purpose (like OTP authentication) and use it for another (like marketing).
- Don't forget to include opt-out instructions in your messages.
- Don't text anyone who has opted out (beyond sending a confirmation of their opt-out).
# Manage opt-outs and message content requirements
Recipients must always have a clear and simple way to opt out, and you need to honor opt-out requests immediately.
In Iterable SMS, carrier keywords such as STOP are handled automatically by SMS
providers and synced to Iterable unsubscribe status.
Each SMS message should:
- Include opt-out instructions in the recipient's language.
- Identify your brand or organization clearly.
- Clearly signal whether the message is promotional when applicable.
To configure and monitor this behavior in Iterable, see:
- SMS Unsubscribes and Resubscribes
- Managing SMS Opt-Outs by Message Type
- Customizing SMS Opt-Out Instructions
# Best practices for SMS compliance
# Observe quiet hours
Sending telephone solicitations, including SMS marketing messages, any time before 8:00 AM and after 9:00 PM in the recipient's time zone is prohibited by the TCPA. Many U.S. states, including Florida, Texas, Connecticut, Alabama, Louisiana, Maryland, Massachusetts, and Mississippi, require 8:00 AM–8:00 PM for compliant sending. Additionally, some individual states, such as Alabama, Rhode Island, Utah, South Dakota, Louisiana, and Mississippi, prohibit sending marketing messages on Sundays.
It’s best practice to avoid sending at nighttime, on holidays, and on Sundays.
Transactional and OTP (one-time password) messages are acceptable to send outside these times.
# Using Iterable's Quiet Hours feature for SMS campaigns
To help you send SMS campaigns at respectful times for a user's local time, Quiet Hours is on by default for all new SMS campaigns, including marketing and transactional campaigns. The default Quiet Hours window pauses SMS sends between 8:00 PM and 9:00 AM every day, Monday through Sunday, in each recipient's local time. Iterable's default window is a recommendation based on US regulations, including TCPA and state-level sending-time requirements.
Make sure to check with your legal counsel to verify the send times for your SMS marketing campaigns are within regional compliance expectations for your recipients.
You can adjust the hours to meet different legal requirements, or you can disable Quiet Hours as needed for campaigns that require immediate delivery (usually these are transactional).
Quiet Hours apply the same window every day and do not support pausing sends on specific days of the week or holidays. Iterable has flexible features that can help you meet your compliance requirements with additional delivery time constraints. Talk to your Iterable customer success manager to learn how to use Journeys to pause sends for specific days of the week or holidays.
# Limit your sending frequency
Just like with email, getting too many messages from a sender can be problematic as it can turn once welcomed messages into an annoyance. Limiting your sending frequency can prevent unnecessary opt-outs.
Iterable provides frequency management settings to help you manage how many messages you can send to a user in a given period of time.
# Monitor your sending activity
SMS delivery performance metrics are important to monitor to ensure your messages are being delivered successfully.
Carriers monitor your opt-out rates, bounce error rates, and abuse complaints, and can filter or completely block your messages based on them.
While Iterable and SMS provider aggregators monitor these metrics, it's important for you to regularly monitor your organization's sending activity and performance to understand when you need to adjust your sending practices.
To learn more about monitoring your SMS delivery performance metrics, read:
# Recommended benchmark metrics for SMS compliance
For a seven-day range, it's recommended that your opt-out rates be below 2%, your bounce error rates to be below 3%, and your abuse rates to be below .02%.
If your opt-out or bounce error rates spike above these benchmarks, review and correct your consent call-to-action, opt-out mechanisms, and sending practices.
# Use double opt-in for consent
In the majority of SMS instances, double opt-in is not required, but it is highly recommended.
While double opt-in adds the extra step of a recipient confirming their consent on their mobile device, it has many benefits:
- It protects your brand as a sender.
- It captures a full digital record of the consent.
- It prevents avoidable complaints.
- It prevents sending to the wrong number.
- It reduces the chance of a spam bot adding in numbers maliciously.
- It builds trust with your recipients.
To learn how to set up a double opt-in journey using Iterable, read Build a Welcome Sequence for New Subscribers.
# Requirements for sending abandoned cart messages in the US
Abandoned shopping cart reminders are considered marketing within SMS. In the US, they have the following mandatory requirements:
- Consent must use double opt-in.
- "Abandoned Cart" must be displayed in the consent call-to-action (CTA) and your Privacy Policy.
- Must be sent within 48 hours of the shopping event.
- Must only send one SMS per shopping event.
- Every abandoned cart message must contain opt-out instructions.
# Resources for staying compliant with SMS
- CTIA - Messaging Principles and Best Practices. The Cellular Telecommunications and Internet Association (CTIA) is a nonprofit organization representing the carriers, and monitors regulations, while developing best practices guides for the mobile industry within the US.
- FCC - Telephone Consumer Protection Act
- T-Mobile Code of Conduct
- AT&T Code of Conduct
- Twilio Regulatory Guidelines for SMS
- Telnyx Country Specific SMS Guidelines
- Florida’s "mini-TCPA” (CS/SB 1120)
# Disclaimers
The content in this article is provided for informational purposes only and doesn't constitute legal advice. Use this information at your own risk.
Iterable, Inc and any of its employees, contractors, or attorneys who participated in providing the information expressly disclaim any warranty: they aren't creating or entering into any Attorney-Client relationship by providing information to you.
Iterable cannot guarantee regulatory compliance. To ensure your use of SMS is compliant where applicable, seek legal counsel.
# Want to learn more?
For more information about some of the topics in this article, check out this Iterable Academy course. Iterable Academy is open to everyone—you don't need to be an Iterable customer!