SMS is not a new form of communication. However, many jurisdictions are putting more specific checks and balances in place to ensure that brands engaging customers or leads via SMS are doing so with the privacy of their recipients in mind.
New SMS rules, especially Texas’ update effective September 1, 2025, show that states are moving closer to the TCPA’s strict standard. If you text U.S. customers, you now have to meet federal, state, and sometimes registration requirements, even if you’re not based in that state.
Here are some examples of recent legislation governing both registration and who and how your brand can market to via SMS. For global brands, this means that a wide compliance program is needed to ensure all of the necessary legislation is honoured.
United States
The Telephone Consumer Protection Act (TCPA) is the primary American federal law governing text message marketing, with the FCC overseeing compliance. The TCPA's implications for SMS are significant and quite strict. Senders must obtain consent prior to sending the message with a clear opt-in checkbox that is not pre-checked or a text-to-join program where the recipient initiates contact. Subscribers also need to be able to easily opt out at a later date and be able to clearly tell who the sender is. Transactional SMS, like an order confirmation or appointment reminder, generally has less stringent requirements than SMS for marketing purposes.
The TCPA's application to SMS has made it one of the riskiest marketing channels from a legal compliance perspective, but also one of the most effective when done properly. The penalty for a violation is $500 per text and up to $1,500 per violation if it is done knowingly. Some of the most common violations include sending SMS without proper consent, using pre-checked boxes for consent, failing to honour opt-out requests promptly, or texting numbers on the Do Not Call Registry. The TCPA is one of the most litigated consumer protection laws due to its strict liability provisions and private right of action.
In addition to the TCPA, the CAN-SPAM Act also has some protections for consumers. It requires many of the same parameters of the TCPA, including clearly identifying the message as an advertisement and opt out requirements. It adds additional requirements to avoid misleading practices. CAN-SPAM (FTC) mainly impacts commercial electronic messages and email-to-SMS gateways and is slightly different from FCC laws. Its core requirements are: don’t mislead, identify yourself, and honor opt-outs. Violations are typically up to $500 per text, or up to $1,500 for willful violations. It focuses on common failures like pre-checked boxes, no opt-out, ignoring DNC, texting without proof of consent.
Currently, 16 states have additional legislation that adds to or works in tandem with the TCPA and CAN-SPAM Act, including Florida, Texas, California, Connecticut, Virginia, Washington, and New York. National and global businesses must adhere to this legislation, even if they are not headquartered in the same state as the consumer. For this reason, it’s best to stay informed and regularly update your compliance program to ensure the privacy of your customers is top of mind.
Texas
The Texas Business and Commerce Code was recently expanded to apply to both phone calls, as it had previously, and text messages. The change in legislation came into effect on September 1, 2025. Due to this change, any businesses sending SMS to their customers may need to register their business with the Texas Secretary of State.
There are some institutions exempt from the registration requirement:
- Certain publicly traded companies and their subsidiaries
- Certain financial institutions
- Educational institutions
- 501(c)(3) nonprofits
- Businesses marketing the sale of food
- Retail sellers with brick and mortar locations if it has operated under the same name for the last two years and a majority of sales occur at retail locations
- Businesses contacting their current or former customers if that business has operated under the same business name for the last two years
You’ll need to check the specific language in the legislation to determine if any of these exemptions apply to your business.
Registering with the Texas Secretary of State entails:
- Filing a Form 3401
- An application fee of $200
- Posting a $10,000 security deposit in the form of a bond executed by a corporate security, an irrevocable letter of credit, and a certificate of deposit in a supervised financial institution. A Surety Bond or Certificate of Deposit are common ways to meet this requirement. Additional information regarding the form of any security can be found in Section 302.107 of the law.
The penalty for failing to register can be up to $5,000 per text message, so it’s important to ensure compliance if you’re sending SMS to residents of Texas. The registration is also required to be renewed each year.
Florida
As of July 1, 2021, the state of Florida introduced new legislation known as Florida’s “mini TCPA” (CS/SB 1120 more formally), which put in place some more strict measures to control SMS in tandem with the federal Telephone Consumer Protection Act (TCPA). Key impacts of this legislation include:
- Enforcing quiet hours between 8 pm and 8 am, meaning that SMS can only be sent from 8 am to 8 pm
- Limiting to 3 attempts to contact (call or text) in a rolling 24-hour period
- Forbidding hiding your ID or number
Penalties for failing to follow this legislation include a request for injunction from the recipient or
The request to recover their actual money damages or $500 (or $1,500 for willful violations), whichever is higher, plus attorney fees and costs
California
California's anti-spam statute in its Business & Professions Code prohibits sending unsolicited advertisements to mobile devices by SMS without the recipient's prior consent. The California Consumer Privacy Act (CCPA) also applies.
Requirements:
- Prior consent is required for commercial text messages
- Clear disclosure of how customer data is used
- Must stop texting consumers who opt out within 15 days of their opt-out request
- No communications before 8 AM or after 9 PM
In California, federal TCPA penalties apply, which are currently set at $500-$1,500 per violation.
New York
New York state law requires businesses to obtain prior express written consent from recipients before sending text messages, and the state's Do Not Call registry applies to both telemarketing calls and text messages.
Requirements:
- Prior express written consent is required
- Must honor Do Not Call registry
- Cannot contact numbers on the registry without prior express consent
In New York, federal TCPA penalties apply, which are currently set at $500-$1,500 per violation.
Connecticut
Connecticut passed a law in 2014 making it illegal to send unsolicited text messages to Connecticut residents. Connecticut has particularly stringent consent legislation and penalties for violations. Just one text message sent without receiving expressed consent is subject to an extraordinarily high penalty (likely $20,000, under Conn. Gen. Stat. § 42-288a, which is still pending final amendment as of November 2025).
Requirements:
- Connecticut is the only state requiring express written consent to receive commercial messages
- Connecticut's Public Act No. 14-53 requires businesses to obtain prior express written consent, with maximum fines reaching up to $20,000 per violation
- Cannot send texts to numbers on Connecticut's Do Not Call registry
Virginia
The Virginia Telephone Privacy Protection Act was amended in 2020 to protect consumers with non-Virginia area codes who reside in Virginia.
Requirements:
- The definition of telephone solicitation calls was expanded to include text messages, and it now covers customers with Virginia area codes and those with non-Virginia area codes which reside in the state
- SMS marketers must clearly and accurately identify themselves in text message communication
- Cannot text consumers on the Do Not Call Registry
- Texts can be sent between 8:00 a.m. and 9:00 p.m. local time
Penalties in Virginia are tiered with $500 fines for a first violation, $1,000 for a second, and $5,000 per additional violation.
Washington
Washington's Consumer Electronic Mail Act (CEMA) prohibits business marketers from sending commercial text messages without prior permission from recipients.
Requirements:
- Prior consent is required for all promotional text messages
- The liability extends to any individual or entity participating in the transmission process, including data brokers who knowingly sell databases of Washington contacts
In Washington, federal TCPA penalties apply, which are currently set at $500-$1,500 per violation.
A2P 10DLC Registration
Beyond federal and state legislation, businesses sending SMS must also comply with carrier-mandated registration through The Campaign Registry (TCR), a requirement that surprised many marketers when it became mandatory in 2021.
A2P 10DLC (Application-to-Person 10-Digit Long Code) registration functions as your SMS passport. All major U.S. carriers — AT&T, T-Mobile, and Verizon — require it before commercial messages can be sent using standard 10-digit numbers.
The process involves two steps:
- Brand registration: (usually $4 for most small businesses; enterprises up to $40)
- Campaign registration: for each specific messaging use case (about $15 per campaign)
Timelines: brand registration typically completes within 24–48 hours; campaign approval takes 1–7 business days depending on use case. Certain categories — financial services, healthcare, and political messaging — require extra vetting that can extend to 2–3 weeks.
Unregistered A2P traffic faces heavy throttling (1 message per minute vs. thousands for verified campaigns) and may be filtered or blocked entirely, even if you have proper TCPA consent.
Registration requires submitting your EIN/Tax ID, business website, sample message content, opt-in mechanism, and estimated monthly volume. Carriers and TCR partners periodically audit campaigns for compliance and violations can result in immediate suspension and cross-carrier blacklisting.
The Bottom Line - The New SMS Compliance Reality
SMS remains one of the most effective ways to reach customers, but it’s also becoming one of the most heavily regulated. Between federal law (TCPA, CAN-SPAM), expanding state statutes like those in Texas and Connecticut, and carrier-level requirements such as A2P 10DLC registration, marketers now operate in a layered compliance landscape.
In the US, federal and state legislation governing SMS, particularly for marketing purposes, have common requirements: Every text should have a documented opt-in, an easy opt-out, clear sender identification, and timestamps proving compliance.
Here are some best practices that take into account current legislation:
- Always obtain prior express written consent before sending commercial texts
- Provide clear opt-out mechanisms
- Honor opt-out requests promptly (within 48 hours is recommended)
- Maintain detailed records of consent with timestamps
- Respect quiet hours (generally no texts before 8 AM or after 9 PM local time)
- Identify your business in every message
- Check Do Not Call registries regularly and update your database
The main differences are registration requirements and penalties for violations.
Platforms like Dyspatch make that easier by helping teams standardize content, maintain compliant templates, and store consent data securely. With Dyspatch, compliance is built into your workflow. The platform allows teams to design and approve SMS and email content within a single governed environment, store proof of consent and audit trails, and ensure every outbound message meets TCPA, CAN-SPAM, and A2P 10DLC standards.
