Insights

Complete guide to SMS compliance: Laws and best practices

Image for Complete guide to SMS compliance: Laws and best practices

Everyone knows that SMS is the most powerful and accessible communication channel for engaging your customers. In fact, people are 35x more likely to read a text message than an email.

But even knowing all that, getting started with SMS can be challenging. SMS compliance rules and regulations, particularly in the U.S., can make your life difficult if you don’t understand them. Whether it’s laws like the Telephone Consumer Protection Act (TCPA) or requirements from industry regulators and wireless carriers, you need to know your stuff. These regulations and guidelines play a big part in protecting customer data and privacy and help create a better customer experience.

Now, we can’t give you legal advice – make sure to talk to your legal team to see how these regulations apply to your specific business. But we can break down the basics and give you an overview of the rules, what they mean, and how to handle them.

Who regulates text compliance?

First off, in the U.S. there are governmental regulations and policies in place documenting how to send SMS. There are also many different carrier-specific guidelines and, lest we forget, new codes of conduct which aren’t laws exactly, but must be followed. Ignore these codes of conduct at your peril! Your campaigns will either never launch or end up blocked in carrier or aggregator filters. There are the main frameworks you need to know:

  1. The Telephone Consumer Protection Act (TCPA): Passed in 1991, this act was instituted to stop unwanted telemarketing phone calls and applies to text messages, too. In a nutshell, companies can’t contact consumers without prior expressed consent.
  2. The Cellular Telecommunications and Internet Association (CTIA): The CTIA is pretty self-explanatory: it’s a trade association representing the U.S. wireless communications industry. It’s goal is to create and maintain the most positive experience possible for customers, and so they association publishes the Messaging Principles and Best Practices document. Follow these suggestions if you want your campaigns or messages to get to your target audience.
  3. The Mobile Marketing Association: The MMA is an industry group that promotes mobile marketing on a global level. The association uses peer-driven best practices to manage and develop ongoing mobile marketing industry initiatives.
  4. The Federal Communications Commission (FCC): The FCC, which reports directly to Congress, regulates interstate and international communications to make sure they are used safely and fairly.

SMS compliance terms to know

  • P2P: P2P is the regular texting most people do in their everyday lives – low volumes of wanted messages between two individual wireless subscribers or users of a messaging app. When you text a friend or family member, you’re engaging in P2P messaging.
  • A2P: The CTIA defines A2P traffic as “all messaging that falls outside the definition of P2P”, or “traffic that is not consistent with typical human operation”. That means marketing messages, appointment notifications, various alerts, customer support messages, sales…the whole works.
  • Short code (standard and free to end user): Short codes are 4-6 digit numbers with the highest throughput, highest delivery success rate, highly trusted routes, least spam, best delivery functionality for MMS and the cleanest compliance record.
  • Long code: Long codes, a.k.a. long numbers, 10DLC, local virtual number (LVN), Landlines, are refer to phone numbers with 10 digits. They have a shorter provisioning cycle and are all voice and MMS capable.
  • Toll-Free Numbers (TFN): Toll-free numbers are exactly that: toll-free for the end user since the receiving party pays the costs of the call. They can be used for SMS and MMS messaging and voice and are quick to market, able to be up and running in 3-5 days.

SMS compliance guidelines

If you take away one thing from this blog, remember the three most important aspects of compliant A2P messaging: consent, consent, consent! All these rules exist so that customers only receive the communications they want. To ensure this happens, the CTIA Messaging Guidelines say that all A2P messaging requires customer consent. Here’s a breakdown of the how’s and why’s of consent:

1. Require consent (a.ka. opt-in)

An opt-in is when you ask customers if you can message them, and they say yes. You need to be clear about what they can expect – as in the type of message do you intend to send, and for what purpose.

Note, you can’t repurpose an opt-in for one kind of communication for other kinds of communications. For example, a user who gives you consent to receive a one-time password (OTP) via text message is not consenting to marketing texts.

chart showing types of messaging content and required consent for SMS compliance
Types of consent needed for different types of content, whether it be for consumer-initiated, informational, or promotional SMS messages.

2. “What am I consenting to?”

You want to keep in mind five key questions from the customer’s perspective, and the answers should be clear:

  1. Who is the sender?
  2. What is the offer?
  3. Where can I learn more?
  4. When will this service contact me?
  5. How do I use the service, and how do I opt-out?

To make sure all these questions are answered, we recommend a strong call to action (CTA) for every campaign. A strong CTA is the springboard to a successful program, describing the program and instructing potential users how to participate. The required components for a successful CTA differ depending on the media it’s published in. However, there are certain aspects that carriers look for in all CTAs:

  • Company name
  • Program name
  • Description of offer
  • Where to find terms and conditions
  • Privacy policy location
  • Customer support information*
  • Opt-in instructions
  • Opt-out instructions (if recurring) **
  • Message and data rates disclaimer
  • Message frequency

Note: Although single-message programs aren’t required to display “HELP” and “STOP” keywords, they should still support HELP and STOP commands.

3. Confirm opt-ins

The best practice for confirming opt-ins is to document them all for a minimum of 90 days. It proves that you’ve received consent to message the destination number. Better safe than sorry!

Many companies use double opt-ins: sending a customer a message after the initial opt-in reminding them that they’ve signed up and asking them to respond and confirm their consent with a keyword (e.g., Y, Yes, OK, Begin, etc.). This isn’t an industry rule, but it is a best practice – and you want to be the best, don’t you?

A consumer’s opt-in must be confirmed in the first message sent to the consumer for all recurring programs. Brands must state explicitly to which program the consumer enrolled and provide clear opt-out instructions.

Here’s an example of a confirmation MT for a recurring program:

SMS compliance opt-in confirmation message example

4. Honor opt-outs

Even if a customer agrees to let you message them with an opt-in, they can always change their mind – and you need to make it easy for them to do just that.

The most common and minimum required opt-out method is to let consumers respond to an SMS with the text “STOP” – but there are other ways to do it. FCC states that customers must be able to opt out through “any reasonable means.” This could be a phone call, a text message, a web form, etc. – as long as it’s not too complicated for the user.

It needs to be very clear how the customer can opt out.

And you need to make sure you acknowledge that request.

SMS compliance opt-out text message example

5. Avoid public URL shorteners for TFN and 10DLC campaigns

Shortened URLs are a great way to make a message more concise, but there are some important rules and best practices you should follow to ensure successful message delivery and offer a good user experience.

When sending your 10DLC and TFN campaigns, never use shared public URL shorteners (e.g., free TinyUrl or Bitly links).

U.S. carrier policies strongly discourage using them and might filter or block messages containing this type of URLs because they’re often used for illegitimate purposes like spam, fraud, and more.

When sending SMS or MMS messages containing shortened URLs to users in the United States, use your own dedicated, branded domain.

6. Comply with time-of-day restrictions

TCPA compliance also requires that you recognize “quiet hours” in the recipients’ time zone. This means you are prohibited from any telephone solicitation anytime before 8 am and after 9 pm (note that certain states have more restrictive rules).

7. Keep it SHAFT-free

SHAFT is a handy acronym to help you remember types of content which are either forbidden or subject to special rules.

  • S: Sexually inappropriate content
  • H: Hate speech or profanity
  • A: Alcohol
  • F: Firearms, and depictions or endorsements of violence
  • T: Tobacco (including vaping), or endorsement of illegal or illicit drugs, including marijuana and cannabidiol

Note: Some of this content (such as “adult” businesses like nightclubs, bars that serve alcohol, and firearms or tobacco sales) may be allowed by certain carriers if a campaign is submitted and approved in advance and a functioning “age-gate” is in place.

Other tips and best practices

  • Limit message frequency. Don’t send your message recipients too many messages within a short time. One or two messages per day end up being five to eight per week which is too much and may risk that person opting out.
  • Clean up your database records. Also, don’t forget to cross check and clean up your database records against Carrier Deactivation Files. When a mobile subscriber switches operator or deactivates their mobile number, deactivated numbers generally go through an incubation period on the carrier’s network where they’re unassigned, recycled, and then re-assigned to new subscribers. Any messages sent to the new subscriber are technically unsolicited, since the opt-in was tied to the original owner of the number. To address this, U.S. wireless carriers publish a list of deactivated mobile phone numbers on a daily basis to avoid unsolicited messaging.

Conclusion

This may seem like a lot to digest, but the most important step to SMS compliance is knowing the rules. But to keep it simple, remember these main takeaways:

  1. Get consent
  2. Be clear what customers are consenting to
  3. Make it easy for them to opt out, and respect their wishes.
  4. Is your campaign SHAFT free?

And make sure to consult your legal team to see how SMS compliance laws and regulations affect your business specifically.

Learn more about the Sinch SMS API, or contact us to schedule a time to talk to a Sinch expert.

Related blogs