The ins-and-opt-outs of SMS consent in the US

SMS remains one of the most effective ways for businesses to reach their customers, boasting open rates as high as 98%.  

However… Sending a message to the wrong person, at the wrong time, or without proper consent can lead to legal trouble, customer dissatisfaction, and reputational damage. 

Your phone number is arguably more personal and direct than say an email address, so it’s not hard to imagine that consumers will quickly feel fatigued by irrelevant or spammy messages, especially if they haven’t opted in to receive them.  

This article will help US-based businesses understand SMS consent and compliance in 2025. 

• Why SMS consent matters
• Understanding SMS consent
• 2025 SMS compliance updates: TCPA & CTIA
• P2P vs. A2P messaging: What’s the difference?
• Best practices for obtaining SMS consent
• Common pitfalls to avoid & tools for compliance

Why SMS consent matters

At its core, SMS compliance is about respect. Respecting your customers’ time, preferences, and privacy.

The Telephone Consumer Protection Act (TCPA) and CTIA guidelines exist to ensure that people only receive messages they actually want. Violating these rules can result in fines of up to $1,500 per message and long-term reputational harm.

Those high open rates won’t stay high for long if consumers are inundated with unwanted sales and marketing text messages.

Many messaging providers enforce these rules through their own policies, for example Twilio, which aligns with TCPA and CTIA standards. Because A2P 10DLC is used for business-to-consumer messaging, carriers and platforms like Twilio require that every message sent is backed by proper consumer consent.

Understanding SMS consent

Consent is the foundation of compliant messaging. It comes in several forms:

Implied consent: Based on an existing relationship (e.g., a customer who provided their number during a purchase).

Express consent: Verbal or written agreement to receive messages.

Express written consent: Required for promotional or marketing messages under TCPA.

Regardless of the type, consent must be clear, contextual, and timely. A customer who signs up for a holiday promotion isn’t automatically opting in for year-round marketing.. 

2025 SMS compliance updates: TCPA & CTIA

TCPA Overview

• Federal law regulating calls and texts.
• Requires prior express written consent for marketing messages.
• Violations can result in lawsuits and steep penalties.

CTIA Guidelines

• Industry best practices for Application-to-Person (A2P) messaging.
• Not legally binding, but enforced by carriers.
• Updated definitions now classify all business messaging as A2P, requiring stricter consent protocols.

Key 2025 updates to be aware of

1:1 Consent Rule: Each campaign must have its own opt-in.

Shared short codes banned: Each business must use its own dedicated number.

Enhanced opt-out enforcement: Businesses must honor opt-outs via any reasonable method.

P2P vs. A2P messaging: What’s the difference?

Person-to-Person (P2P) messaging

Definition: P2P messaging refers to the low-volume exchange of messages between two individuals, typically using mobile phones.

Key characteristics:

• Two-way communication between real people.
• Low message volume and frequency.
• No automation or minimal use of technology.

Examples: texting a friend, coordinating with a family member.

Compliance context:

• Less regulated because it’s considered natural human interaction.
• Not subject to the same consent and throughput rules as A2P.

Application-to-Person (A2P) messaging

Definition: A2P messaging is when a business or application sends messages to a person, often at scale and using automation.

Key characteristics:

• One-to-many or automated communication.
• High message volume and frequency.
• Sent via platforms or APIs (e.g., Twilio, Salesforce).

Examples: appointment reminders, marketing texts, 2FA codes, delivery updates.

Compliance context:

• Strictly regulated under TCPA and CTIA.
• Requires prior express consent (and written consent for marketing).
• Must support opt-out and HELP keywords.
• Subject to carrier filtering and audits.

Best practices for obtaining SMS consent

Clear Calls-to-Action

Always disclose: What messages will be sent, how often and how to opt out.

Opt-in methods

• Handset: Texting a keyword to a number (e.g., “Text JOIN to 73444”).
• Web/App Forms: Include a checkbox and clear language.
• IVR/Phone Trees: “Press 1 to receive updates via text.”
• Point-of-Sale (POS): Consent during checkout for receipts or loyalty programs.

Double opt-in

Recommended for all non-handset opt-ins. Example: Customer enters number on a website. They receive a confirmation text asking them to reply “YES” to confirm.

Documentation

Keep records of:

• When and how consent was given.
• The exact language used.
• Any follow-up confirmations.

Managing opt-outs and preferences

Opt-outs must be easy and honored immediately. Common keywords include:

STOP

UNSUBSCRIBE

CANCEL

Businesses must also respond to HELP requests with support information.

Common pitfalls to avoid & tools for compliance

One of the most critical missteps businesses can make is using shared short codes, which are now banned by major US carriers due to their association with spam and abuse. Each business must use its own dedicated number to ensure accountability and message traceability.

Another frequent error is sending messages without obtaining clear and verifiable opt-in consent from recipients. This not only violates compliance standards but also erodes customer trust. Ignoring opt-out requests is equally problematic; businesses are required to honor opt-outs promptly and through any reasonable means.

Lastly, failing to confirm number ownership, particularly in cases where phone numbers may have been recycled, can result in messages being sent to unintended recipients, increasing the risk of complaints and legal exposure.

Tools for SMS compliance

SMS platforms: Use providers like Twilio with built-in compliance features.

Consent Management Platforms: Track opt-ins and preferences at a granular level in sync with broader consents.

Audit trails: Maintain logs for legal protection and internal reviews.