How to Ensure Compliance With SMS Regulations

Strict regulations dictate how organizations can interact with end users via SMS, with significant penalties for getting it wrong.

Tarek Wiley
We know that SMS is an effective way to engage with customers — it’s cost-effective and convenient, with an average open rate of 98%.
For these reasons, businesses are increasingly integrating texting into their communications strategies, from sending automated account notifications and alerts to using SMS for customer engagement and support.
There are strict regulations that dictate how organizations can interact with end users via text, with significant penalties for getting it wrong. So it’s more important than ever to understand what the rules are and how to comply with them.
Here are some tips to help you get the info you need.

Purpose of SMS Regulations

With the widespread use of SMS and the massive number of messages being sent out daily, it’s no surprise that legislation has been put into place to protect consumers from unwanted SMS. Additionally, since phone numbers are considered personally identifiable information (PII), consumer data protection laws limit what businesses can do with this information.
Violating these regulations is bad news for your business: in addition to reputational damage, the fines can put your business in a tough spot financially. The average cost of a Telephone Consumer Protection Act (TCPA) lawsuit was $6.6 million in 2019.

Who Makes SMS Rules?

SMS rules and regulations are built on a foundation laid out by the Cellular Telecommunications Industry Association (CTIA) and the Federal Communications Commission’s Telephone Consumer Protection Act (TCPA).
In general, the aim is to protect end users from receiving unsolicited or unwanted messages via SMS. The penalties for getting it wrong can include an immediate shutdown of service or fines ranging from $500 to $1,500 per message.
The first step to compliance is to read and understand the regulations set out by the CTIA and in the TCPA.


The General Data Protection Regulation, or GDPR, is the European Union’s set of consumer data protection laws. Fines are based on business revenue, and can be up to 20 million Euros or 4% of a business’s global revenue.
The GDPR is one of the strictest sets of data protection laws, and has three core principles: consumer consent, opt-out information, and customer data management.
Consumer Consent - Customer permission, preferably provided in writing, is necessary before you can contact them through any channel.
Opt-Out Information - You must include opt-out links or key words in every piece of communication.
Customer Data Management - Sharing data with third parties and other companies is prohibited, unless consent has been given by the customer beforehand. While data encryption is not explicitly required, it’s a best practice because businesses can be held liable in the event of a data breach if measures weren’t taken to protect consumer data.


The Telephone Consumer Protection Act (TCPA) is enforced by the Federal Communications Commission, and it’s the U.S. equivalent of the GDPR. The Cellular Telecommunications Industry Association (CTIA) isn’t an enforcement agency, but gives guidance for businesses using SMS.
Each non-compliant call or text message counts as a violation, and fines can cost anywhere from $500 to $1,500 per violation. Furthermore, class action lawsuits can be filed under the TCPA, so businesses can be fined for multiple violations for every customer that may have been affected.
The main points of the TCPA are customer permission and identifying automated communication.
Customer Permission - Similar to the GDPR, the TCPA states that you must receive permission from customers before contacting them, and primarily emphasizes SMS, calls, and email.
Identify Automated Communication - It is required that you tell customers if you are contacting them through an automated system, so this must be specified when collecting consent.


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the set of consumer data protection laws enforced by the Office of the Privacy Commissioner of Canada. Although similar to the GDPR and TCPA, PIPEDA has some unique requirements including identifying purposes and limiting collection and use.
Identifying Purposes - You must receive consent before contacting customers, and you must also explicitly explain why you are asking for a phone number or email address.
Limiting Collection and Use - You can only collect and store customer information necessary for a specific purpose.

SMS Compliant Numbers By Case

When it comes to business messaging, there are several number types available, each with its own set of rules. It’s important to be aware of these and choose the number type that’s right for your use case.
Long codes are 10-digit phone numbers designated by mobile operators for P2P communication. They are for non-marketing use only, so appropriate use cases include chat applications and customer service.
Short codes are five- or six-digit phone numbers that customers can lease from the Common Short Code Administration. Users need to opt into this type of message. Short codes are most commonly used for password resets and alerts.
Toll-Free SMS is used to send text messages from toll-free numbers (e.g., 800, 888, 877, etc.). Unlike short codes, toll-free numbers can support both phone calls and SMS, so customers can respond to an SMS alert by texting or calling the same number. Example use cases include appointment reminders, account notifications and emergency alerts.

SMS Messaging Best Practices

Here are some factors to consider that impact both compliance and customer experience:
  • Opt-in and opt-out requirements - Make sure you’re meeting the regulatory requirements and making processes user-friendly.
  • Terms and conditions - Be aware of what users need to know and when so they can easily access the information they need.
  • Consider timing - Don’t send messages at inappropriate times.
  • Identify yourself - Your customers should be clear on who’s messaging them.
If you’re using SMS as a tool for your business, it’s your responsibility to read up on the regulations and make sure you’re getting things right. It’s well worth the time investment if you are to fully realize the benefits of this popular and convenient communication channel.