Insight
SMS Compliance: The Ultimate Guide to Compliant Texting
SMS compliance is one of the most important things to get right in your business messaging strategy.
We’re here to help you do it, so you can beat competitors, create lovable customer experiences, and stay out of trouble. This guide covers text messaging compliance best practices, from general guidelines across all industries, to specific details about major regulators.
The term “text messaging” includes SMS, MMS, and more—but we refer to it as simply “SMS” in the title here for simplicity and search engine reasons.
This is the same compliance advice we give to our customers, but boiled down into one comprehensive guide for you.
Note: We are not lawyers, and this does not constitute as legal advice. Please get any final legal counsel from your designated specialist.
Can Business Text Messaging Actually Be Compliant?
Yes, but there are differences in regulations based on the industry you’re in. We’ll start by covering these five basics that apply to everyone.
5 SMS Compliance Components You Have to Get Right
1. Make sure contacts opt in.
Messaging only opt-in contacts is the biggest factor in keeping your texting compliant. It’s also something mobile carriers are increasingly cracking down on.
SMS opt-ins are contacts who have expressed a clear desire to be text messaged by your business. Contacts opt in by:
Texting you first
Establishing a business relationship with you (making a purchase or requesting a service)
Giving you their phone number via web or physical form
Expressing verbal or written consent for you to text them
If customers tell you that you can text them, then you can text them. But expressed written consent is always the best way to make sure you have your compliance bases covered. To make sure you’re covered, take these three simple steps:
Add a place for a phone number on your sign-up or contact forms
Include a disclaimer explaining what you will text message the customer for
Link to your website’s privacy policy to show you’re compliant
That way if a contact ever contends they didn’t give you permission to text them, you have the proof on hand.
For step-by-step instructions on getting opt-ins, view our How to Build a Powerful SMS Subscriber List guide.
2. Tell contacts how they can opt out.
Texts are only compliant if contacts have the option to opt out at any time. An “opt-out message” is a message that tells contacts how to opt out of receiving texts from you. For example, Text Request’s default is:
“Text STOP to opt out”
With Text Request, this message is automatically included at the end of the first text you send to a contact, so you don’t have to worry about this piece of compliance. Contacts will also be automatically opted out when they text any of the following words (none of which are case sensitive):
STOP
STOPALL
UNSUBSCRIBE
CANCEL
END
QUIT
REMOVE
The contacts who text these will receive a final message confirming they successfully opted out. You will no longer be able to text this contact unless they opt back in by texting an opt-in keyword, like START, YES, or UNSTOP, which they can do at any time.
If a contact tells you they want to opt out, but doesn’t actually text any of the opt-out words above, Text Request gives you the option to manually suppress them. That way you don’t accidentally message them again.
3. Keep a permanent and searchable record of all conversations.
If anything ever comes up, you need to know who said what to whom and when, and many regulators require that you keep these records for exactly that reason.
Text Request takes care of this for you by time stamping and permanently saving every message you send and receive. The platform even has a search bar you can use to browse your messages by username, contact name, phone number, date range, and more.
4. Use a secure text message platform.
You’ve got to protect customer data, including their text messages. Texting is not compliant on a personal cell phone, because you need a secure business text messaging platform that:
Encrypts data in transit to and from networks, as well as at rest within its databases
Passes annual and ongoing security audits by external third party auditors
A quality text messaging platform will meet these security standards and more. This ensures that even when employees leave, the data from those text messages stays with you. Text Request does all this for you, so you can focus on the important things.
5. Use your best judgment when messaging.
That means no texting people at 3 in the morning. No foul language or threats. And no spamming text after text.
You know—all the basic things that you wouldn’t want done to you. Text others as you’d like to be texted.
Now that we’ve covered these five compliance basics, let’s move on to industry-specific regulators.
SMS Compliance Under the Federal Communications Commission
The Federal Communications Commission (FCC) regulates interstate and international communications, including text messaging. They’re largely the ones responsible for enacting laws, like the ones below, and many of our recommendations come straight from them.
The Telephone Consumer Protection Act
People often bring up “TCPA” when talking about texting, but what is it?
The Telephone Consumer Protection Act (TCPA) originally restricted telemarketing calls, the use of automatic telephone dialing systems—or autodialers—and artificial or prerecorded voice messages.
Basically, it just meant that companies couldn’t run a software program that automatically called people and started playing a message when someone picked up. In 2013, TCPA was updated to regulate text messages in response to a growing problem with autodialers.
Most texting platforms—like Text Request—are far and away from being considered an autodialer, but the big takeaway is there needs to be a real person sending your texts, and you should 1,000% never use an autodialer.
SMS Compliance Under the Federal Trade Commission
The Federal Trade Commission (FTC) works together with the FCC to protect consumers from spam. They started regulating text messages in 2009, to crack down on debt collectors who were hounding consumers with texts.
The FTC particularly pays attention to whether or not you give contacts a way to opt out, as well as if you’re only texting those who have opted in to being messaged. If you follow those basic guidelines, and text people as you would want to be texted, you’ll stay off the FTC’s radar.
SMS Compliance Under the Cellular Telecommunications Industry Association
The Cellular Telecommunications Industry Association (CTIA) is a private association of more than 150 organizations in the telecommunications industry, such as mobile carriers. They determine how they want the industry to be run within the bounds of the law. The CTIA sometimes enforces additional regulations for the health of the market, including 10DLC registration, which is something we’ll talk about more later.
To sum it up, the CTIA don’t create the laws, but they control the free market, so their collective opinion matters quite a bit. You will not be able to message consumers if you break CTIA guidelines, because they essentially are the entities who deliver your texts in the first place. Following all the compliance best practices we covered above will keep you on their good side.
SMS Compliance Under the Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that required the creation of national standards to protect sensitive protected health information (PHI). The goal of HIPAA is to keep PHI from being disclosed without the patient’s consent or knowledge.
In order for a text messaging platform to be HIPAA compliant, it must follow these standards:
Optimal security to protect PHI when it is at rest and in transit
Controls in place to manage those who can access PHI
The compliance essentials listed at the top of this article
Text Request’s HIPAA compliant accounts meet these standards, so you avoid accidentally compromising someone’s PHI. The platform also meets other standards related to HIPAA, including those set by the:
The Health Information Technology for Economic and Clinical Health Act (HITECH)
The Privacy Rule
The Security Rule
The Omnibus Rule
That way you have total peace of mind whenever you send PHI.
SMS Compliance Under the Financial Industry Regulatory Authority
The Consumer Financial Protection Bureau (CFPB) is dedicated to making sure consumers are treated fairly by banks, lenders, and other financial institutions. In 2020, CFPB updated their standards to acknowledge text messaging as a communication tool debt collectors could use, with the caveat that:
The debt collector must clearly identify who they are and why they’re messaging the contact
The debt collector must not be from a third party (meaning, if your business is owed money, it should only be your business texting the contact instead of someone you hired)
There must be a clear way for the contact to opt out of messages
The debt collector must stop texting the contact after they opt out
Texts can only be sent from 8 am to 9 pm in the consumer’s location
Text Request will automatically add opt-out messages to protect your business from accidentally violating CFPB guidelines—but having your debt collectors properly introduce themselves is on you.
A final note: While the CFPB is okay with texting for collections purposes, the CTIA (see above) may put restrictions on your messaging. You contact us to learn more about these nuances.
Best Practices to Keep Your Texts from Getting Filtered by Carriers
1. Register your 10DLC.
As part of CTIA standards, your business needs to register your “10DLC.”
10DLC stands for 10-digit long code number. It’s a standard phone number, like 423-218-0111. You most likely already use a 10DLC to text your customers—unless you use a short code (like 55-555) or toll-free number instead.
Carriers want to prevent spammers from taking advantage of 10DLC, by having you verify the
use cases your business will text for. It’s all intended to keep text messaging a quality channel you and your customers enjoy using.
Text Request submits your use cases on behalf of you. Check out our full 10DLC Registration & Regulations guide to learn more.
2. Ramp up your messaging slowly.
Carriers consider it suspicious when businesses set up a new 10DLC number, only to then start blasting messages in the thousands. Instead, you want to slowly build trust with carriers—and your customers—by sending to smaller groups first. This will give you an idea of what engages people, so you can focus on the quality over the quantity of your texts.
Of course, this advice only applies if you are texting a mass audience.
3. Avoid these eight common spam indicators.
Below are eight common spam indicators that can cause carriers to raise their brows.
1. Links that haven’t been shortened correctly. — Shortened links trigger spam filters. It’s in your best interest to avoid them, unless you have a custom-branded short domain.
2. Links that are placed at the end of the text. — Carriers assume you’re taking your contacts somewhere dangerous, if links are placed at the end of the text without any information. Surround your links with an explanation of where you’re sending the customer.
3. Naked links. — A naked link is one without the “https://www.” Always include that first portion to avoid triggering spam filters.
4. ALL CAPS. — ALL CAPS are typical of spammers trying to get people’s attention. Avoid them in both your mass and individual messages.
5. Special characters. — Special characters—anything that isn’t a letter or number—and emojis can trigger spam filters when sent to large groups.
6. Messages that you’ve already sent multiple times. — Sending the same exact message to large groups over and over again will make carriers suspicious. Plan your messages in advance to prevent repetition and bad spacing.
7. Overly long messages. — If your text is the size of an email, carriers are going to stop you. Redirect the conversation to a link or scheduled phone call, if the information you need to share is super detailed.
8. Misspellings and bad grammar. — Atypical sentence structure, grammatical errors, and misspellings are the biggest indicator of spam. If your sentences are filled with typos, or sound like they were created by a wonky A.I., carriers will block you.
That’s a lot of different spam indicators to avoid, but Text Request has a spam scanner to help automatically catch them before you send mass text messages.
How to Get Contacts to Opt in to Text Messages
Ensuring all your contacts willingly opted in to be texted is a must for SMS compliance regulators.
So how do you make that happen?
1. Advertise keywords.
The quickest way to entice consumers to opt in is to promote a keyword—like SUBSCRIBE or DEALS—which people can text to learn more about your business or earn rewards.
Advertise these keywords on your website, social media, and digital and physical ads, along with a call-to-action like:
“Text DEALS to get exclusive SMS updates on our latest discounts!”
Clearly communicating the kinds of texts customers will receive, along with how often you’ll send them, will encourage people to text your keyword. Especially if you include how the texts will directly benefit them.
2. Display SMS Chat on your website.
People can’t opt in to your text messages, if they don’t know texting you is an option in the first place. SMS Chat displays your business’s texting capabilities across your entire website, by giving people the power to text you from any page.
Once the new contact enters their number into the widget, they’ve officially opted in for your texts by messaging you first. It’s an efficient way to generate leads while staying compliant.
3. Include an opt-in section on your contact forms.
Providing a place for contacts to enter their phone number is one the most tried and true ways to get opt-ins. Just be sure to include a disclaimer that tells contacts:
How you plan on using their phone number to text them
What kinds of messages you’ll send, as well as how often you’ll send them
This method also establishes early on that text messaging is your preferred method of communication.
3 Best Practices to Prevent Contacts from Opting Out
Here are our three big golden rules:
1. Maintain a reasonable message frequency. —This will differ depending on what you offer. For example, a retail store may text its new offers monthly, while a HVAC company may text tune-up reminders quarterly.
2. Only send relevant marketing messages and campaigns. — That also means only sending what you promised to send. For example, no promotions when you said you’d only send education content.
3. Respond when contacts reach out to you. — Quick responses are crucial to building trust, plus you’re texting to engage with your customers anyways. They’re only going to put in as much as you do.
In short, provide great experiences, genuine value, and make people feel appreciative for being a subscriber.
Want a Tour of Text Request’s Compliant Sms Platform?
Securing your data and providing the tools to stay compliant is foundational to everything we build. Schedule a demo to see how we can help you text with confidence that you’ll have one less thing to worry about.