SMS Marketing Compliance: What Sales Teams Need to Know in 2026

Inna Shevchenko
April 23, 2026

SMS marketing compliance in the US is the set of rules that govern how businesses can text leads and customers.

It comes down to three overlapping layers: TCPA (the federal law requiring consent), CTIA (the industry rules carriers enforce), and 10DLC (the registration that lets your number send business texts).

To stay compliant, you need written consent before texting anyone for marketing, your number properly registered, and a process for honoring opt-outs. Skip any of it and the penalties are real. TCPA fines start at $500 per message, $1,500 for willful violations, and US carriers now block unregistered traffic entirely.

This guide covers what actually matters for sales teams in 2026, including the five fixable issues behind 55% of 10DLC rejections, a copy-paste opt-in disclosure, and a checklist to run through before you send anything.

What Is SMS Marketing Compliance?

SMS compliance is the set of rules that govern how businesses can text leads and customers in the US. It's not one law. Instead, it's three overlapping layers that each do something different.

  • TCPA: Federal law. Requires consent before you text anyone for marketing purposes.
  • CTIA: Industry guidelines that mobile carriers enforce on their own.
  • 10DLC: The registration system that gives your phone number permission to send business texts in the first place.

All three need to be right, and skipping any one of them creates problems. The consequences range from fines to carrier filtering to a full block that takes your whole program offline.

For sales teams, this applies to every kind of text you send, whether that's appointment reminders, follow-up texts after a demo, CRM-triggered messages, or two-way conversations with a lead. 

If your team texts a lead or customer, then compliance applies.

The Three Layers of SMS Compliance

Each layer covers something different. One's the law, one's the industry rulebook, and one's the infrastructure that makes sending possible at all. You need all three working together.

TCPA: The Legal Rules

The Telephone Consumer Protection Act is the federal law that covers business texting in the US. It was written for telemarketing calls in 1991 and has since been expanded to cover texts.

You need written consent before sending marketing texts. Fines start at $500 per message and rise to $1,500 for willful violations. Class action suits can multiply these amounts into the millions.

TCPA applies to marketing. Transactional texts like order confirmations and appointment reminders for existing customers get more flexibility, but they're not a free pass.

CTIA: The Carrier Rules

CTIA is the trade association for the US wireless industry, and they write the rules that mobile carriers enforce.

CTIA covers four main things:

  • Message content. No SHAFT content, meaning sex, hate, alcohol, firearms, or tobacco.
  • Opt-out language. STOP, UNSUBSCRIBE, QUIT all need to work.
  • Quiet hours. No marketing texts before 8 AM or after 9 PM local time.
  • Consent documentation. You have to be able to prove it.

Carriers enforce these rules with filtering. If your messages look non-compliant, or complaints start rolling in, carriers will throttle your traffic or block your number without a court order. 

You usually don't know it's happening until reply rates crater.

10DLC Registration: The Access Gate

10DLC stands for 10-Digit Long Code, and it's the registration system that gives your business phone number permission to send application-to-person messages at scale.

Since carrier enforcement kicked in on February 1, 2025, sending business texts from an unregistered number means your messages get filtered or blocked. Registration runs through The Campaign Registry and requires business verification documents, your campaign use case, and a sample of your messaging.

For most teams, 10DLC is step one. Without it, the other compliance work doesn't matter because your texts aren't getting through.

SMS Consent: What You Actually Need

Consent is where most compliance problems start, and getting it wrong exposes everything else in your program.

What Counts as Express Written Consent

TCPA requires prior express written consent for marketing texts, which means a specific, documented agreement before you send anything promotional. Consent needs to cover four things:

  • A clear statement that the person agrees to receive automated text messages
  • Name of the specific company sending them
  • Confirmation that consent isn't required as a condition of purchase
  • Instructions for opting out

Most teams capture this with a web form checkbox and disclosure language next to it. Here's a sample you can adapt.

Sample opt-in disclosure: "By checking this box, you agree to receive automated marketing text messages from [Company Name] at the phone number provided. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to unsubscribe."

The wording can flex, but those four elements can't. Verbal consent, implied consent, and pre-checked boxes all fail the TCPA standard for marketing messages.

Transactional vs. Marketing Messages

TCPA treats transactional and marketing messages differently, and the line between them matters.

Transactional messages include things like appointment reminders, order confirmations, shipping updates, password resets, and account alerts. Consent rules are lighter because they are tied to an existing relationship with the customer.

Marketing messages promote products, services, or offers, and they need the express written consent described above.

Here's where teams get tripped up. An appointment reminder that tacks on a promo ("See you tomorrow. Mention this text for 10% off") becomes a marketing message the second it includes promotional content. When in doubt, treat it as marketing and collect marketing-level consent.

The One-to-One Consent Rule Is Dead

A lot of SMS compliance articles still say the FCC's one-to-one consent rule requires separate consent for each seller. That guidance is out of date.

Here's what actually happened:

  • December 2023: FCC adopted the rule to close the "lead generator loophole"
  • January 27, 2025: Original effective date
  • January 24, 2025: The 11th Circuit Court of Appeals threw it out in Insurance Marketing Coalition v. FCC, finding the FCC exceeded its authority under TCPA
  • Late 2025: FCC formally eliminated the rule

As of 2026, one-to-one consent is no longer a requirement. A single opt-in can still cover multiple sellers under TCPA, as long as the consent is clear and express, which means you don't need a separate checkbox for every company a lead might hear from.

That doesn't mean consent rules got looser, though. They went back to what they were before the FCC tried to change them. You still need clear, express, written consent before texting anyone for marketing purposes, and generic "our partners may contact you" disclosures have always been risky. The rule just isn't what a lot of outdated articles still say it is.

Opt-Out Rules: How to Handle Unsubscribes

Every marketing text must give recipients a way to opt out of receiving messages, and this requirement comes from both the TCPA and CTIA.

The standard language is "Reply STOP to unsubscribe," and carriers automatically recognize STOP, UNSUBSCRIBE, QUIT, CANCEL, and END, along with a few other variations. When one comes in, it needs to be processed immediately.

Three things need to happen when someone opts out:

  • Request is honored immediately, not in the next batch
  • A confirmation message goes out, then nothing further
  • Contact is suppressed across your entire system, not just the current campaign

That last one is where teams running SMS across multiple tools get into trouble. If someone opts out of your marketing broadcasts but their number is still active in a CRM workflow that fires follow-up texts, you're still violating TCPA. Opt-outs have to apply everywhere.

The same rule applies to one-on-one sales texts. If a prospect says, "Please stop texting me," that preference needs to land across your team and your tools.

A rep texting someone who already opted out, even once, exposes you to the same penalties as a broadcast violation.

10DLC Registration: Why Applications Get Rejected (and How to Fix It)

This is where most teams hit their first real compliance wall. A 10DLC registration gets rejected, messages start failing, and nobody on the team knows why.

Here's the good news. Salesmsg ran the numbers on 636 business profile submissions in the 2026 State of SMS Benchmark Report, and most rejections are fixable. They're not about anything wrong with your business, but about documentation issues that could have been caught before submission.

The Top 5 Rejection Reasons (55% of All Rejections)

[Figure: graph of rejection reasons vs. percentage of rejections]

Five specific issues cause more than half of all rejections:

  • Business ID not verifiable (13.2%)
  • Authorized representative unverifiable (12.7%)
  • Business name and website mismatch (12.3%)
  • EIN verification failed (9.3%)
  • Address not verifiable (7.9%)

None of these requires you to change how your business operates. They just require the information you submit to match what the registries can actually verify.

Rejection Categories at a Glance

[Figure: donut chart of rejection categories by percentage]

Grouped into categories, the breakdown looks like this:

  • EIN and identity issues: 42.7%
  • Website issues: 22.7%
  • Authorized representative issues: 14.5%
  • Address issues: 9.1%
  • Other documentation issues: 10.9%

EIN/identity and website issues together account for two-thirds of every rejection, and both are paperwork problems rather than business problems.

The Most Common Fixable Issues

Here are the specific problems that cause most rejections and how to fix each one.

| Issue | Fix |
| --- | --- |
| Business name not on website | Add legal name to website footer |
| Wrong EIN document submitted | Use IRS SS-4 or 147C letter, not a W-9 |
| Legal name vs. website brand mismatch | Submit DBA documentation showing the relationship |
| Website inaccessible or behind login | Make sure it's publicly accessible before submitting |
| Social media page used as website | Use a standalone corporate domain |
| Website redirects to third-party platform | Update profile with the primary business domain |
| Authorized rep email domain mismatch | Use a corporate email, not a personal Gmail address |

Run through that list before you submit. Most teams that hit rejections are making one or two of these mistakes, and fixing them costs nothing and usually takes under an hour.

How Concerned Should You Be? What the Data Shows

[Figure: donut chart of compliance concern levels by percentage]

For most teams, compliance isn't as scary as it sounds. The benchmark report shows that 50% of businesses rate themselves at low concern for compliance, 21% at moderate concern, and 29% at high concern.

That means roughly 70% of businesses have their compliance situation under control, or believe they do. The 29% at high concern tend to be teams in regulated industries like healthcare, financial services, or legal, or teams running high-volume campaigns that draw more carrier scrutiny.

If you're a typical B2B sales team sending a moderate volume of texts to opted-in leads through a real platform, compliance is mostly a setup problem. 

You need to get 10DLC right, pick a tool that handles opt-outs automatically, and document your consent collection process. Most of the work happens once, at onboarding, not every day.

The teams that run into real trouble are the ones who skipped setup, sent from unregistered numbers, or assumed a generic opt-in disclosure would cover them. None of that is hard to avoid.

SMS Compliance Checklist for Sales, Marketing, and Customer Support Teams

Run through this before your team sends a single business text. Most of it is a one-time setup.

Before you start:

  • Complete 10DLC registration through your SMS platform
  • Submit EIN verification documents (SS-4 or 147C letter, not a W-9)
  • Confirm your legal business name appears on your public website
  • Make sure your website is publicly accessible without a login
  • Register your messaging campaign use cases with The Campaign Registry

Consent and opt-in:

  • Add compliant opt-in language to every web form that captures a phone number
  • Name your specific company in the consent disclosure
  • Include "Consent is not a condition of purchase" language
  • Store timestamped consent records for every contact

Every message your team sends:

  • Keep marketing and transactional messages separate when you can
  • Include opt-out instructions in every broadcast
  • Respect quiet hours (no marketing texts before 8 AM or after 9 PM local time)
  • Check for state-specific rules in Florida, Texas, Oklahoma, and Washington
  • Avoid SHAFT content (sex, hate, alcohol, firearms, tobacco)

Ongoing:

  • Honor opt-out requests immediately and suppress across every tool
  • Watch delivery rates for signs of carrier filtering
  • Keep consent records for at least four years
  • Review compliance setup annually or when regulations change

Most of this happens once at onboarding. The ongoing work is mostly making sure the platform you picked actually handles opt-outs and suppression across every workflow you run.

How Salesmsg Handles Compliance for You

Compliance is one of the main reasons teams switch to a dedicated SMS platform instead of texting from personal phones or piecing something together themselves.

Salesmsg is built so most compliance work happens during onboarding, and then stays out of your way.

10DLC registration is handled end-to-end 

Onboarding walks your team through brand registration and campaign submission, and our compliance team reviews submissions before they go to The Campaign Registry. That drops the rejection rate significantly compared to self-serve registration.

Automatic opt-out handling

When someone replies STOP or any recognized variant, Salesmsg processes it immediately and suppresses the contact across every inbox, workflow, and campaign. It works the same way for broadcasts and one-on-one sales texts.

Consent records tied to every contact 

Every opt-in is timestamped and stored with the contact record, so if a compliance question ever comes up, the documentation is right there.

CRM integration that keeps everything synced

Native HubSpot, Salesforce, and other CRM integrations automatically sync opt-out status to your CRM. Someone who opts out of Salesmsg won't end up back in a HubSpot email sequence that re-enrolls them in SMS.

Quiet hours and rate limits built in

Marketing broadcasts respect the 8 AM to 9 PM local time window automatically, and rate limits stop the send patterns that trigger carrier filtering in the first place.

The Bottom Line on SMS Compliance

SMS compliance sounds complicated, but most of it comes down to a handful of things you do once and then move on from. 

The teams that run into trouble aren't the ones that misunderstand the rules. They're the ones that skip setup, send from unregistered numbers, or assume a generic opt-in disclosure covers them. 

Avoiding that is mostly about picking a platform that builds compliance into the workflow instead of leaving it to your team to remember.

That's what Salesmsg does. 10DLC registration, opt-out handling, consent records, and CRM sync all run in the background, so your team can focus on the actual work of texting leads and closing deals.

Start a 14-day free trial of Salesmsg and see what compliant SMS looks like when the platform does the heavy lifting for you.

SMS Marketing Compliance FAQ

Do I need written consent to text my customers?

Yes. TCPA requires express written consent before sending marketing texts.

The consent has to be specific, clearly name your company, and be collected before the first text goes out. Web form checkboxes with the right disclosure language are the most common way to handle it, while verbal consent and implied consent don't meet the standard for marketing messages.

What happens if I send texts without proper consent?

TCPA fines run $500 per message for unintentional violations and up to $1,500 per message for willful ones, and class action suits stack those numbers fast.

Beyond the legal risk, carriers will filter or block your number if they spot non-compliant messaging patterns, which kills deliverability even if nothing ever ends up in court.

What is 10DLC and do I need it?

10DLC is the registration system that lets businesses send application-to-person text messages over standard phone numbers in the US. If you're sending business texts to US phone numbers, you need it.

Since carrier enforcement began on February 1, 2025, unregistered traffic has been heavily filtered or blocked. Salesmsg handles the registration process during onboarding.

Why did my 10DLC registration get rejected?

Most rejections are paperwork problems, not business problems.

Based on our analysis of 636 submissions, the top three causes are business identity not verifiable at 13.2%, authorized representative unverifiable at 12.7%, and business name not matching the website at 12.3%. All of these are fixable before you resubmit, and the most common fix is just adding your legal business name to your public website, usually in the footer.

What are SMS quiet hours?

Quiet hours are the time windows when marketing texts shouldn't go out. Under TCPA, no promotional messages should go out before 8 AM or after 9 PM in the recipient's local time zone.

A few states are stricter than federal rules. Florida, Oklahoma, and Washington require 8 AM to 8 PM, while Texas runs 9 AM to 9 PM Monday through Saturday and noon to 9 PM on Sundays. Transactional messages like appointment reminders can be more flexible, but the best practice is to respect the same window unless the message is genuinely time-sensitive.

Can I share SMS consent across multiple brands?

Sometimes, depending on how the consent was collected.

The FCC's one-to-one consent rule was vacated by the 11th Circuit in January 2025 and formally eliminated by the FCC in late 2025. Under current TCPA rules, a single opt-in can cover multiple sellers if the disclosure clearly names them, though generic "our partners may contact you" language has always been risky and still is. The safest bet is to name your specific company in the consent disclosure, even though one-to-one isn't legally required anymore.

What's the difference between TCPA and CTIA compliance?

TCPA is a federal law with legal penalties, while CTIA is an industry standard enforced by mobile carriers. You need both.

TCPA violations mean fines and lawsuits, and CTIA violations mean carriers filter or block your messages, which kills deliverability even if you're technically legal. Most reputable SMS platforms handle both automatically during setup.

Hey! I’m Inna, Marketing Lead at Salesmsg. Content is my focus: I dive into the strategies and stories that help businesses connect with their audience. From SMS campaigns to messaging that resonates, I share insights that drive engagement and results.
