This article outlines SMS compliance requirements and regulatory guidance for using text messaging in AMS+, including federal laws, carrier rules, consent standards, and content restrictions.
For more on SMS texting in AMS+, including training and related resources, see this feature overview.
Before you begin
To stay compliant when using SMS through AMS+, keep these foundational principles in mind:
- Collect separate, explicit SMS consent before sending marketing or informational texts.
- You may respond to customer-initiated messages, but only about the topic they contacted you about.
- Include clear opt-out instructions in your messages.
- Keep message content relevant and appropriate for the message type.
- Maintain records of all SMS opt-ins and opt-outs.
These principles guide the rest of the compliance requirements outlined below.
Compliance frameworks
The following frameworks outline the regulations that apply to SMS communication and the requirements your organization must follow.
Telephone Consumer Protection Act (TCPA) compliance
The TCPA protects consumers from unwanted communications. Refer to industry SMS compliance resources for additional detail.
To comply:
- Obtain prior express consent before sending any text messages.
- Provide a clear opt-out mechanism in every message (e.g., "Reply STOP to unsubscribe").
- Maintain records of consent for compliance tracking.
- Avoid messaging numbers on the National Do Not Call Registry unless an exception applies.
- Limit message frequency to prevent consumer complaints.
- Ensure messages are relevant and non-intrusive.
Failing to comply can result in fines of up to $1,500 per violation.
CAN-SPAM Act compliance
The CAN-SPAM Act regulates commercial messaging and applies to SMS marketing. Refer to industry SMS compliance resources for additional detail.
To comply:
- Clearly identify your business in every message.
- Provide clear opt-out instructions.
- Ensure recipients can reply to a valid phone number to request removal.
- Avoid misleading or deceptive content.
Failure to comply can lead to fines from the Federal Trade Commission (FTC).
10DLC (10-Digit Long Code) compliance
10DLC is the required messaging standard for businesses sending SMS using 10-digit long codes. For more details, refer to carrier and regulatory guidance resources and to industry SMS compliance resources.
To comply:
- Register your business and messaging campaigns with The Campaign Registry (TCR).
- Use approved messaging routes and content categories.
- Monitor delivery and opt-out rates to avoid being flagged as spam.
- Maintain high-quality messaging to reduce the risk of violations, filtering, or suspension.
Types of SMS messages
Text communications fall into three main categories. Each category has its own rules around consent and appropriate message content.
Marketing communications
Messages intended to sell, promote, or renew a product or service. This includes texting prospects before they become clients or reaching out to existing clients about additional products.
Requires explicit SMS opt-in.
Informational communications
Non-marketing updates, such as appointment reminders, coverage changes, or policy updates.
Requires explicit SMS opt-in.
Customer-initiated communications
If a customer texts you first, you have implied consent to reply only about that topic. If the conversation shifts into sales or promotions, explicit opt-in is required.
SMS consent requirements
Separate consent
SMS consent must be collected independently from email, phone, or other communication preferences. You may not bundle SMS consent into a general opt-in.
SMS opt-ins must be collected on their own and can’t be combined with email or phone communication opt-ins.
Explicit consent
The individual must take a clear action, such as:
- Checking an unchecked box
- Signing a form
- Verbally agreeing over the phone
- Sending the first text message (customer-initiated scenario)
Consent can’t be implied from form submission, and checkboxes may not be pre-checked. Be sure to retain documentation of all SMS opt-ins and opt-outs as part of your compliance records.
What your SMS opt-in must include
To be compliant, every SMS opt-in must include:
- Your organization name and purpose for texting
- Message frequency expectations
- Message and data rate disclosures
- A link to your terms and conditions
- A link to your privacy policy
- Opt-out instructions (STOP, HELP, etc.)
Example opt-in statement:
- "By checking this box and providing your phone number, you agree to receive text messages from [Your Agency Name]. Message and data rates may apply. Message frequency will vary. Reply STOP to unsubscribe or HELP for more information. View our Terms of Service and Privacy Policy at youragencyname.com."
Confirmation messaging
After opt-in, consider sending a confirmation text to set expectations:
- "You're signed up to receive text messages from [Your Agency Name]. We'll send up to 2 msgs/mo. Msg & data rates may apply. Text HELP for info or STOP to cancel. Terms & Privacy: youragencyname.com."
Frequency and content expectations
Carriers monitor message quality. To reduce blocking or filtering:
- Keep messages relevant to the message type.
- Avoid high-volume or rapid-fire messaging.
- Do not send unlawful, misleading, or high-risk content.
- Identify your business clearly.
Violations may result in filtering or flagging.
HIPAA considerations for SMS messaging
If your messages involve sensitive or health-related information, ensure your organization has a compliant process for handling protected health information (PHI) over SMS. Avoid including identifiable health details unless your internal policies allow it.
When appropriate, direct clients to a secure portal or invite them to contact your agency for more information. For additional details on HIPAA-compliant texting and telehealth, see HIPAA Compliant Texting.
Forbidden message categories
Carriers prohibit specific message types. Messages containing the following content may be blocked or may trigger penalties:
- Phishing, smishing, or social engineering
- Illegal content (not legal federally and in all 50 states)
- SHAFT content (sex, hate, alcohol, firearms, tobacco) that does not meet compliance or age-gating rules
- Misleading or deceptive offers
- Sensitive personal information, including unprotected PHI
Staying within allowed categories helps maintain deliverability. For more details, see Twilio’s article on forbidden message categories.
Potential fines and carrier enforcement
Carriers monitor SMS traffic to ensure compliance with their policies and applicable laws. Messaging that violates these requirements may be blocked or result in penalties.
T-Mobile and other carriers enforce structured A2P 10DLC penalties for prohibited content. These penalties are administered through messaging providers such as Twilio and billed to the sender. Current Severity-0 tiers include:
- $2,000 for phishing, smishing, or social engineering
- $1,000 for illegal content
- $500 for SHAFT or other high-risk content that does not meet compliance requirements
Repeated violations may result in suspension of messaging capabilities. Following opt-in rules and content guidelines reduces risk.
Managing opt-outs
Consumers may opt out at any time by replying STOP. Opt-out requests must be honored immediately, and future texts cannot be sent unless the consumer opts in again.