If you’re running SMS campaigns in the United States, you’re navigating two overlapping compliance frameworks: the Telephone Consumer Protection Act (TCPA), a federal law enforced by the FCC and through private litigation, and the CTIA Messaging Principles and Best Practices, a set of industry standards enforced by mobile carriers. Breaches of either—or both—put your organization at financial and operational risk.

This guide is for compliance and legal teams, privacy officers, and operations managers responsible for SMS programs. It covers the latest SMS regulation updates, the rules you need to know about, how they apply to different message types, what has changed in recent times, and how to build a program that will stand up to scrutiny.

1. The TCPA is?

The Telephone Consumer Protection Act of 1991 (TCPA) is a federal consumer protection law in the United States that was passed to decrease the number of unwanted telemarketing calls and protect consumer privacy. The law was enacted before SMS even existed, but the FCC (Federal Communications Commission) has long interpreted the statute to consider text messages to be “calls” under the TCPA, and thus all SMS and MMS communications are subject to the same core restrictions as voice calls.

The law also pertains to:

• Phone calls
• Robocalls and recorded voice messages
• Fax messages

The TCPA has been amended many times since it was enacted in 1991, and the pace of regulatory change has accelerated significantly since 2023. If you run an SMS program, staying current on SMS regulation news is no longer optional. The cost of non-compliance is too high to consider compliance as a periodic audit rather than as a continuous operational discipline.

2. SMS Regulation News: Major 2025–2026 Updates NEW

The last 18 months have been the most significant series of SMS regulatory changes since the enactment of the TCPA. So here’s a consolidated summary of what’s changing and when it goes into effect.

FCC Consent Revocation Rule IN FORCE – April 2025

Under this rule, businesses must honor opt-out requests made by any reasonable means — not only keyword replies like STOP or QUIT. Opt-outs sent via email, voicemail, written letter, or informal conversational language (i.e., “please stop texting me”) are now legally valid. Such requests shall be processed by businesses within 10 business days, but real-time processing is recognized as the industry best practice and highly recommended to mitigate litigation exposure.

One-to-One Consent Rule CURRENT — January 2026

This is the most significant piece of SMS regulation news structurally in years. The FCC’s new one-to-one consent rule closes the “lead-generator loophole” by banning consent from being shared across brands or sold to third parties. Each sender entity shall get affirmative consent directly from each consumer.

This rule has a direct impact on:

• Lead generation platforms—consent via comparison shopping sites or third-party lead forms is no longer valid for downstream brands
• Multi-brand organizations – consent given to one brand in a corporate family does not extend to sibling brands
• Affiliate marketing programs—any SMS outreach based on shared or purchased consent data must be reviewed immediately

FCC AI-Generated Voice Ruling GOES INTO EFFECT — Feb. 2024

In February 2024, the FCC issued a declaratory ruling that, under federal law, voices generated by artificial intelligence are “artificial voices.” This ruling was specifically about voice calls, but the FCC has signaled that the same consent and disclosure requirements would apply to AI-assisted SMS content. If a business is using AI tools to generate, personalize, or optimize SMS messages at scale, those workflows should be captured within its consent and registration framework.

10DLC Mandatory Registration IN EFFECT — February 2025

Since February 2025, U.S. carriers have been blocking unregistered A2P SMS traffic sent via 10-digit long codes. For the businesses that had not registered with the Campaign Registry (TCR) for brand and campaign registration by this date, message delivery failures were immediate. Registration is a must-have, not a nice-to-have after you launch, when you’re launching a new SMS program or adding a new use case.

Update of CTIA Messaging Principles October 2025

The latest update to CTIA’s Messaging Principles and Best Practices was issued in October 2025. Key changes bolstered requirements regarding URL handling, sender identification, and opt-in language specificity. Carriers like AT&T, Verizon, and T-Mobile use these new standards to score and route A2P traffic.

3. TCPA Enforcement and Litigation Risks

The FCC enforces the TCPA rules, but the law also allows private individuals to file lawsuits themselves — and they do, in great numbers. TCPA class action filings were up nearly 95% year-over-year through mid-2025, driven in part by increased plaintiff awareness, the growth of specialist plaintiff law firms, and the implementation of new consent rules that opened previously seemingly compliant programs up to new liability.

Important enforcement characteristics to know:

• There is no cap on aggregate liability—each message is a separate violation
• Treble damages ($1,500 per message) apply to willful or knowing violations
• Class actions are the main enforcement tool, not individual complaints to the FCC
• Courts have been very strict historically about “prior express written consent”—the quality of documentation is hugely important

4. The CTIA: Carrier-Based Standards

The CTIA Messaging Principles and Best Practices aren’t law, but if you don’t follow them, your carriers will filter or block your messages, which is a regulatory penalty in practice. The latest version was issued in October 2025.

The CTIA framework covers:

• Specification of Consent Language and Opt-In Flow
• Keyword processing for opt-out (STOP, QUIT, CANCEL, UNSUBSCRIBE, END)
• HELP keyword response requirements
• Sender identification in all messages
• Content restrictions (SHAFT categories – see Section 9)
• URL and link processing standards
• 10DLC Campaign Registration Compliance

These standards are used by carriers such as AT&T, Verizon, and T-Mobile to determine whether or not to deliver your traffic. A message can be TCPA-compliant and still be blocked if it violates CTIA content or formatting standards. We need to look at the two compliance layers simultaneously.

5. Mini-TCPA State Statutes

For multi-state businesses, one of the biggest pieces of SMS regulation news right now is the expansion of state-level consumer protection laws. A dozen or so states have passed SMS laws of their own, many of which are more restrictive than the federal TCPA. If the law of the state is more restrictive, the state law will preclude federal law for contacts within that state.

6. Consent: The Basis of Compliance

TCPA Consent Types

The TCPA has two different standards of consent depending on the type of message:

1. Prior Written Consent

Required for all marketing and promotional messages. That is

• An affirmative opt-in action by the consumer (a pre-checked box is not sufficient)
• Clear disclosure of what the consumer is consenting to, including that they may receive autodialed or pre-recorded messages
• Legal name sender identification
• A declaration that purchase does not require a consent
• A record of when, where and how consent was captured that can be documented and retrieved

2. Prior Express Consent (Oral or Written)

Fit for transactional and informational messages, when the consumer has provided their phone number in a context that directly relates to the communication — for example, a customer providing their number at checkout, and then later receiving shipping updates on their order.

Ways to Valid Opt-In

In all cases, the consumer must take an affirmative step, the consent must be specific to the sending entity, and the record must be stored and retrievable. Accepted methods are:

• Web forms with unclicked consent checkbox with clear disclosure language
• Keyword opt-ins (e.g., texting JOIN or YES to a short or long code)
• Handwritten signature paper forms
• Where recorded, verbal consent for transactional messaging

One-to-One Consent (January 2026) NEW

Under the FCC’s January 2026 rule, any consent obtained from a comparison shopping site, lead generation platform, or third-party intermediary can only be used by the specific brand clearly identified at the time of opt-in. If your SMS contact database was created using shared leads, co-registration programs, or purchased lists, it should be reviewed immediately from a legal perspective and will most likely need to be re-consented to be used for marketing.

7. Types of Messages & Rules Requirements

Promotional and Marketing Messages

These are primarily commercial messages for advertising, promotion, or selling—such as discount offers, product announcements, event invitations, loyalty program updates, etc. They shall be subject to prior express written consent and shall include:

• Sender to be clearly identified in each message
• An opt-out mechanism (e.g., “Reply STOP to unsubscribe”)
• Adherence to quiet hours: 8 am–9 pm at the recipient’s local time zone
• “Message and data rates may apply” disclosure in the first opt-in confirmation message of the program

Example marketing message in compliance:

Operational and Transactional Messages

These messages include information directly related to an existing relationship or transaction, such as order confirmations, delivery updates, appointment reminders, account alerts, two-factor authentication (2FA) codes, and similar. They require a lower bar for consent, but there’s one big caveat: No promotional materials.

If you add a discount, upsell, or any promotional element to a transactional message, it becomes a marketing message, and the higher consent standard applies. Your platform configuration must have transactional and promotional workflows completely separate.

Conforming transactional message:

Transactional message that does not comply (reclassified as marketing):

8. 10DLC Registration Requirements REQUIRED since Feb 2025

In the US, any business sending A2P (application-to-person) SMS messages using 10-digit long codes (10DLC) must register with The Campaign Registry (TCR). All the major carriers are blocking unregistered traffic since February 2025. This is not a phased rollout or a soft enforcement period—unregistered messages are not delivered.

Registration is a two-part process:

Step 1: Claim Your Brand

Registers your business entity. You will need:

• Legal business name (exactly as it appears in IRS records)
• EIN (Employer Identification Number)
• Business type (LLC, corporation, nonprofit, etc.)
• Business website, contact information

Step 2: Register Campaign

Logs every single use case (e.g., marketing, alerts, 2FA, customer care). Each campaign needs:

• An explanation of why the campaign is being sent and what recipients will receive
• Examples of messages (typically 2–3 examples)
• Documented opt-in process, including screenshots of web forms if applicable
• Clear handling of STOP and HELP keywords

Approval times: It normally takes 1–3 business days to register a brand. A normal registration time for a campaign is 2–7 business days, but more complex use cases may take longer.

Exclusions of Industries

Some industries aren’t able to register for 10DLC, and some can’t use long codes for A2P SMS at all. These include cannabis, certain categories of gun dealers, payday loans, short-term high-interest lending, and debt relief services. Those in these industries need to think about short codes or toll-free numbers with the right use-case vetting.

9. CTIA Content Rules and SHAFT Limitations

Types of SHAFT Content

The CTIA prohibits or restricts five types of content in A2P SMS campaigns, collectively known as SHAFT, regardless of consent:

Regardless of what you do to be compliant, any campaign in a SHAFT category is subject to further review in the 10DLC campaign registration process and can be filtered by carriers.

Managing URLs and Links

Public link shorteners like Bitly and TinyURL are often linked to spam traffic and will reliably trip carrier filters. Use branded or dedicated short domains for any link in an SMS message, wherever possible. Carriers incorporate link reputation into their automated message scoring, and a flagged URL can cause filtering of otherwise compliant traffic.

10. AI-Generated Messaging & the FCC Ruling 2024 2024 RULING

In a February 2024 declaratory ruling, the FCC reaffirmed that AI-generated voices are “artificial voices” for purposes of the TCPA. The ruling covers voice calls, but the FCC has emphasized that the same consent and disclosure requirements for AI-generated or AI-assisted SMS content apply as they do to other types of automated messaging.

For companies using AI tools to:

• Create SMS message copy at scale
• Dynamically personalize messages with customer data
• Automate when/what to send
• Run SMS bots conversationally

… the same prior express written consent requirements apply. Not even AI is an exception. Make sure AI-assisted sends are included in your consent framework and 10DLC campaign registration just like traditional automated sends. Include a record in your compliance audit trail of what systems are creating or personalizing content.

11. Compliance Checklists

Pre-Launch Campaigns

• Ensure you have prior express written consent from each recipient for a marketing send
• Maintain consent records and ensure that they are attributable to specific opt-in events and timestamps
• Confirm that this use case is approved for 10DLC brand and campaign registration
• Identification of sender in every message
• Ensure opt-out instructions are included in all marketing messages
• Confirm that sending hours are 8 am to 9 pm in the local time zone of each recipient
• Scrub the send list against the National Do Not Call (DNC) Registry
• Check whether any opt-outs have been made before
• Verify that the Reassigned Numbers Database (RND) has been checked for numbers where consent was obtained over 30 days ago
• If sending as a transactional message, make sure that the message does not contain promotional content
• Make sure your brand obtained the consent directly (not via a third party/affiliate as per the January 2026 one-to-one consent rule)

Present Operations

• Real-time (or within 10 business days or less) opt-out requests processed across all channels—email, phone
• Records of opt-outs with timestamps, retained as required by state (up to 10 years in Virginia)
• Confirmation message sent to opt-outs within 5 minutes of request, no promotional content
• The consent logs are auditable and tied to specific data capture events
• Regularly reviewed contact lists against Reassigned Numbers Database
• Updated 10DLC campaign registration information when message content/use case changes
• Rules that are unique to a state apply depending on where the recipient lives, not just the federal standard
• AI-generated or AI-personalised messages reviewed and captured within consent and registration framework
• Branded short domains are used in URLs in messages—no public shorteners
• Legal or privacy counsel reviews compliance logs at least quarterly

12. Quick Look at Penalties

No aggregate damages cap. If you don’t have the right consent, a campaign of 100,000 messages could result in liability of over $150 million in a class action situation.

Summary of Minimum Compliance Requirements by Message Type