SMS compliance isn't sexy. But it's the foundation that everything else sits on. Get it wrong and you're looking at fines up to $1,500 per message, carrier filtering that tanks your deliverability, and—worst case—lawsuits that make the headlines for all the wrong reasons.
The good news: compliance isn't complicated. It's just specific. This guide breaks down what you need to know in plain English—no legalese, no panic. Just the practical stuff.
TCPA: The U.S. Baseline
The Telephone Consumer Protection Act (TCPA) is the primary federal law governing SMS marketing in the United States. It was written in 1991—before text messaging existed—but has been interpreted and expanded through FCC rulings and court decisions to cover SMS.
Here's what it requires:
Prior express written consent. Before you send a marketing text to someone, they must have explicitly opted in. This means a clear, unambiguous action—checking a box, submitting a form, texting a keyword. The consent must be documented and stored. Verbal consent isn't enough for marketing messages.
Clear disclosure at opt-in. When someone signs up, they need to know: what they're signing up for, how often you'll message them, that message and data rates may apply, and how to opt out. This is typically handled through your opt-in form language.
Easy opt-out mechanism. Subscribers must be able to text STOP (or similar keywords like QUIT, CANCEL, UNSUBSCRIBE) at any time to immediately stop receiving messages. You must honor opt-outs promptly—within minutes, not days.
Identification. Your messages must identify who's sending them. Include your brand name so recipients know who's texting.
Quiet hours. Don't send marketing messages before 8 AM or after 9 PM in the recipient's local time zone. Some states have narrower windows.
GDPR: If You Have European Subscribers
If any of your subscribers are in the EU or UK, the General Data Protection Regulation (GDPR) applies to your SMS program—regardless of where your business is based.
GDPR's requirements for SMS marketing include:
- Lawful basis for processing. For marketing, this is almost always consent. And GDPR consent is strict: it must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. Bundled consent (where signing up for an account automatically opts them into marketing) doesn't count.
- Right to access and deletion. Subscribers can request a copy of all data you hold about them, and they can request that you delete it. You need processes to handle these requests within 30 days.
- Data minimization. Only collect and store the data you actually need. Phone number and consent record? Yes. Their mother's maiden name? No.
- Records of consent. You must be able to prove when and how each subscriber gave consent. This means storing timestamps, the specific form or keyword they used, and the language they agreed to.
GDPR fines can reach €20 million or 4% of global annual revenue, whichever is higher. Even if enforcement against small brands is rare, the reputational risk alone makes compliance essential.
Consent Best Practices
Consent is the single most important element of SMS compliance. Here's how to get it right:
- Make it separate. Don't bundle SMS consent with email consent or terms of service. Each should be its own clear opt-in action.
- Be specific about frequency. "We'll text you" is vague. "Up to 4 messages per month" sets clear expectations and protects you legally.
- Use double opt-in for high-risk scenarios. After someone submits their phone number, send a confirmation text: "Reply YES to confirm you'd like texts from [Brand]." This creates an airtight consent record.
- Timestamp and store everything. For every subscriber, record: the date and time of opt-in, the method (form, keyword, checkout), the exact language they agreed to, and their IP address (for web forms).
- Never buy lists. Purchased phone number lists are the fastest path to TCPA lawsuits and carrier blacklisting. There are no shortcuts here.
Shymo handles consent documentation automatically. Every opt-in is timestamped and logged with the source, method, and disclosure language. If you ever need to prove consent, the records are there.
Opt-Out Mechanisms
Making it easy to unsubscribe isn't just legally required—it's good business. Subscribers who can't easily opt out will report your messages as spam, which damages your sender reputation with carriers and can lead to wholesale message filtering.
Required opt-out keywords that Shymo automatically handles:
- STOP — The universal opt-out. Must always work.
- HELP — Must return a help message with your brand name and contact info.
- Additional keywords: QUIT, CANCEL, UNSUBSCRIBE, END — all should trigger opt-out.
When someone opts out, you must:
- Send a single confirmation message ("You've been unsubscribed. Reply START to re-subscribe.")
- Stop all marketing messages immediately
- Not send any further messages unless they explicitly re-subscribe
- Maintain the opt-out record indefinitely
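An added example (not Shymo's code or code from the original article) of an inbound keyword handler that implements the behaviour in this section: opt-out keywords flip the subscriber's status immediately, a single confirmation is returned, HELP answers with brand and contact details, and the history is kept as an append-only log. The brand name, contact address and Subscriber fields are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed example, not Shymo's code. Brand and contact are placeholders.
OPT_OUT_KEYWORDS = {"STOP", "QUIT", "CANCEL", "UNSUBSCRIBE", "END"}
HELP_KEYWORDS = {"HELP"}
RESUBSCRIBE_KEYWORDS = {"START"}  # matches the confirmation text quoted above
BRAND = "ExampleBrand"
CONTACT = "support@example.com"

@dataclass
class Subscriber:
    phone: str
    marketing_opted_in: bool = False
    log: List[str] = field(default_factory=list)  # append-only history, kept indefinitely

def normalize_keyword(body: str) -> str:
    """First word, upper-cased: 'Stop please' and ' stop ' both count as STOP."""
    words = body.strip().split()
    return words[0].upper() if words else ""

def handle_inbound(sub: Subscriber, body: str, now: Optional[datetime] = None) -> Optional[str]:
    """Update the subscriber record and return the single reply to send, if any."""
    now = now or datetime.now(timezone.utc)
    kw = normalize_keyword(body)
    if kw in OPT_OUT_KEYWORDS:
        sub.marketing_opted_in = False  # effective immediately, before any reply goes out
        sub.log.append(f"{now.isoformat()} opt-out via {kw}")
        return "You've been unsubscribed. Reply START to re-subscribe."
    if kw in HELP_KEYWORDS:
        return f"{BRAND}: for help contact {CONTACT}. Reply STOP to unsubscribe."
    if kw in RESUBSCRIBE_KEYWORDS:
        sub.marketing_opted_in = True  # explicit re-subscribe; the old opt-out stays in the log
        sub.log.append(f"{now.isoformat()} re-subscribed via {kw}")
        return f"{BRAND}: you're re-subscribed. Reply STOP to unsubscribe."
    return None  # not a keyword: no automatic reply, record unchanged

def may_send_marketing(sub: Subscriber) -> bool:
    """Outbound marketing should check this at send time, not at campaign creation."""
    return sub.marketing_opted_in
```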
International Considerations
If you're sending to subscribers outside the U.S., you'll need to consider additional regulations:
Canada (CASL): Canada's Anti-Spam Legislation requires express consent for commercial messages, including SMS. Consent must include your identity, contact information, and a clear opt-out mechanism. Implied consent exists for existing customers but expires after 2 years of inactivity.
Australia (Spam Act 2003): Similar to CASL—requires consent, identification, and opt-out functionality. Notably, the Spam Act applies to messages with an "Australian link" (sent to, from, or via Australia).
UK (PECR + UK GDPR): Post-Brexit, the UK has its own version of GDPR plus the Privacy and Electronic Communications Regulations. Requirements are very similar to EU GDPR for SMS marketing.
Shymo's platform handles international compliance through region-specific sending rules, automatic quiet hours by time zone, and configurable consent flows that adapt to the subscriber's country.
Common Mistakes to Avoid
- Assuming email consent covers SMS. It doesn't. Ever. Email and SMS require separate, explicit consent.
- Sending to customers who only gave transactional consent. Someone who agreed to receive shipping notifications did not agree to receive promotional texts. These are legally distinct.
- Ignoring quiet hours. Even if your subscriber is a night owl, sending marketing messages at 11 PM exposes you to TCPA liability. Stick to 8 AM – 9 PM local time.
- Not honoring opt-outs instantly. "Processing your request" for days isn't acceptable. Opt-outs must be effective immediately.
- Missing required disclosures. Every opt-in must include: brand name, message frequency, "msg & data rates may apply," and opt-out instructions. Skip any of these and your consent may be legally insufficient.
- Sending from unregistered numbers. Carriers now require brand registration (A2P 10DLC in the U.S.) for commercial messaging. Unregistered numbers face aggressive filtering and potential blocking.
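An added example (not Shymo's code or code from the original article) of a pre-send gate that turns the consent rules above, the quiet-hours window and the mistakes in this list into checks that run before every message: a stored consent record with scope, timestamp, source and disclosure text, and a decision function that refuses marketing sends to transactional-only consent, to opted-out subscribers, with an incomplete record, without the brand name, or outside 8 AM to 9 PM local time. The record fields, the placeholder brand name and storing the subscriber's UTC offset on the record (rather than resolving a named time zone) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Constructed example, not Shymo's code. Field names and the brand are placeholders.
BRAND = "ExampleBrand"

@dataclass
class ConsentRecord:
    phone: str
    scope: str                 # "marketing" or "transactional": what the person actually agreed to
    opted_in_at: str           # ISO-8601 UTC timestamp of the opt-in
    source: str                # "web_form", "keyword" or "checkout"
    disclosure_text: str       # the exact language shown at opt-in
    opted_out: bool = False
    utc_offset_minutes: int = 0  # assumption: the subscriber's local offset, stored on the record

def in_sending_window(now_utc_iso: str, utc_offset_minutes: int,
                      start_hour: int = 8, end_hour: int = 21) -> bool:
    """True if the recipient's local clock is within 8 AM - 9 PM (end exclusive)."""
    now = datetime.fromisoformat(now_utc_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    local = now.astimezone(timezone(timedelta(minutes=utc_offset_minutes)))
    return start_hour <= local.hour < end_hour

def disclosure_complete(text: str) -> bool:
    """Opt-in language must name the brand, warn that rates may apply and explain STOP."""
    t = text.lower()
    return BRAND.lower() in t and "rates may apply" in t and "stop" in t

def send_decision(rec: ConsentRecord, kind: str, body: str, now_utc_iso: str) -> Tuple[bool, str]:
    """Return (allowed, reason); kind is 'marketing' or 'transactional'."""
    if rec.opted_out:
        return False, "subscriber opted out"
    if BRAND.lower() not in body.lower():
        return False, "message does not identify the brand"
    if kind == "transactional":
        return True, "ok"  # shipping notices and the like: no marketing consent needed
    if rec.scope != "marketing":
        return False, "consent covers transactional messages only"
    if not (rec.opted_in_at and rec.source and disclosure_complete(rec.disclosure_text)):
        return False, "consent record incomplete: cannot prove a valid opt-in"
    if not in_sending_window(now_utc_iso, rec.utc_offset_minutes):
        return False, "outside 8 AM - 9 PM in the recipient's local time"
    return True, "ok"
```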
SMS Compliance Checklist
- Separate, explicit opt-in for SMS marketing collected
- Opt-in form includes: brand name, frequency, "msg & data rates may apply," opt-out instructions
- Consent records stored with timestamp, source, and exact disclosure language
- STOP, HELP, and other opt-out keywords handled automatically
- Opt-out confirmation message sent upon unsubscribe
- Messages only sent between 8 AM – 9 PM recipient's local time
- Brand name included in every message
- A2P 10DLC registration completed (U.S.)
- Double opt-in enabled for web form subscribers
- GDPR processes in place for EU/UK subscribers (access, deletion requests)
- No purchased or rented phone number lists in use
- Privacy policy updated to include SMS data collection and usage
Compliance isn't a one-time setup—it's an ongoing practice. Regulations evolve, carrier requirements change, and best practices shift. Shymo's built-in compliance tools handle the heavy lifting (automatic opt-out processing, consent logging, quiet hours enforcement, A2P registration), but ultimately, you're responsible for how you collect consent and what you send.
When in doubt, the golden rule of SMS compliance is simple: only text people who want to hear from you, about things they agreed to hear about, at times they'd find reasonable. Follow that principle and you'll stay on the right side of every regulation.