
SMS Marketing Compliance: TCPA, GDPR, and Best Practices for 2026

A plain-English guide to SMS consent requirements, opt-out obligations, and building a compliant programme that doesn't expose you to significant fines.


SMS is among the highest-engagement marketing channels — open rates above 95%, typical read within 3 minutes. It’s also one of the most heavily regulated. Non-compliance exposes businesses to fines of up to $1,500 per message under TCPA, and €20 million or 4% of global turnover under GDPR.

98%: SMS open rate within 3 minutes of receipt, the highest open rate of any marketing channel (Mobile Marketing Association)

$1,500: maximum per-message TCPA fine for wilful violations; class actions now regularly seek tens of millions on behalf of subscriber lists

>$500M: in TCPA class-action settlements paid by US businesses in recent years, with retail and finance disproportionately represented

TCPA Compliance (United States)

The Telephone Consumer Protection Act governs SMS marketing in the US. Key requirements:

  • Prior express written consent: You must obtain written consent before sending marketing SMS. A checkbox on a form ("I agree to receive texts from [Brand]") with an unchecked default qualifies. Pre-checked boxes do not.
  • Consent cannot be bundled: From January 2025, the FCC clarified that consent for one brand cannot cover affiliated brands; each requires individual opt-in.
  • Identification: Every message must identify who is sending it.
  • Opt-out: Must honour STOP requests immediately and confirm opt-out in a single final message.
  • Time restrictions: No messages before 8am or after 9pm in the recipient's local time zone.

GDPR Compliance (European Union / UK)

GDPR applies to any SMS marketing to EU or UK residents, regardless of where your business is based:

  • Lawful basis: Marketing SMS requires explicit consent — soft opt-in (buying something) does not cover marketing texts in EU/UK
  • Consent record: You must be able to prove when, how, and what someone consented to
  • Right to withdraw: Opt-out requests must be processed without undue delay
  • Data minimisation: Only collect the phone number and data necessary for the stated purpose

Australia (Spam Act) and APAC

Australia’s Spam Act 2003 requires consent (express or inferred), identification, and a functional unsubscribe mechanism in every commercial message. Inferred consent (reasonable to assume SMS is expected based on the business relationship) has a narrower application in practice than many marketers assume.

“Most TCPA class actions don’t begin with a company sending spam — they begin with a company that believed its consent was compliant and never had a lawyer verify it. The cost difference between a legal review and a class action settlement is about 1,000×.”

— Joshua Briones, TCPA Defence Attorney, Mintz Levin

Recent Enforcement: Why the Stakes Are Real

TCPA enforcement has escalated sharply since 2020. High-profile settlements illustrate the exposure: Papa John’s paid $16.5 million, Healthy Advice Networks settled for $12 million, and numerous e-commerce brands have settled individually for $2–$8 million — all for violations that typically involved list purchases, bundled consent, or inadequate opt-out mechanisms.

The January 2025 FCC one-to-one consent rule is the most significant recent development. Previously, a single consent could cover multiple affiliated brands. The new rule requires individual consent for each company that will send marketing messages. Businesses that acquired consent through lead generation partners or consent aggregators must re-evaluate their lists against this standard — using consent that pre-dates or violates this rule creates actionable TCPA exposure on every message sent.

For GDPR, enforcement actions in the UK and EU for SMS violations specifically have been rarer but growing. The Spanish data protection authority (AEPD) has issued multiple fines against retailers and banks for SMS confirmation messages that were deemed to constitute marketing without valid consent. The threshold between transactional and marketing SMS is actively litigated and cannot be assumed.

Consent Capture: Getting the Details Right

The consent form is the most legally consequential element of an SMS programme. Errors here cannot be corrected retroactively. A compliant consent capture must include: an unchecked checkbox (not pre-checked, not embedded in general terms), a clear description of the types of messages the subscriber will receive, the brand name, estimated message frequency, a disclosure that message and data rates may apply, and a link to SMS terms and privacy policy.

What invalidates consent: opt-ins collected through third-party lead forms where SMS is not the primary stated purpose, consent obtained before the brand name was specified, checkbox language that bundles email and SMS in a single opt-in, and consent collected under a previous brand name after a merger or rebrand. If any of these apply to part of your list, segment those contacts and do not send to them until fresh consent is captured.


Building a Compliant SMS Programme

Compliance should be built into your SMS programme architecture from day one — retrofitting consent management after launch is expensive and sometimes legally insufficient:

  • Use a dedicated SMS marketing platform (Klaviyo, Attentive, Postscript) that handles STOP/HELP keywords and compliance records automatically
  • Store consent records with timestamps and source — you’ll need these if audited or sued
  • Segment lists by jurisdiction and apply the strictest applicable standard to overlapping audiences
  • Review your consent language with legal counsel before launch — not after the first complaint
  • Test your opt-out flow monthly — it must work on the first STOP reply

SMS Compliance Pre-Launch Checklist

Before sending your first marketing SMS, confirm all of the following:

  • Written consent form uses unchecked opt-in checkbox with clear description of SMS type and frequency
  • Consent-record system stores timestamp, IP address, and consent source for every subscriber
  • STOP, HELP, and CANCEL keywords trigger automated responses and unsubscribe
  • Final opt-out confirmation message configured (single message, no discount)
  • Time restriction logic in place — no sends before 8am or after 9pm recipient local time
  • Brand name included in every message
  • Data processing agreement signed if handling EU/UK personal data
  • Legal counsel has reviewed consent language and programme structure
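The programme bullets and the checklist above describe a set of checks that a sending system should enforce on every marketing message: a complete per-brand consent record, first-reply STOP/CANCEL handling with a single confirmation, sender identification, and the 8am-9pm recipient-local-time window. The following is an added example (not code from the page or from any of the platforms it names) of a minimal send gate implementing those checks; the `ConsentRecord` fields, the sample subscriber, the brand name and the fixed UTC-5 offset are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Keywords named in the checklist: STOP/CANCEL unsubscribe, HELP gets an info reply.
OPT_OUT_KEYWORDS = {"STOP", "CANCEL"}
WINDOW_START, WINDOW_END = time(8, 0), time(21, 0)  # TCPA: 8am-9pm recipient local time

@dataclass
class ConsentRecord:
    """One subscriber's consent, with the fields the checklist says to store."""
    phone: str
    brand: str             # one-to-one consent: the record names a single brand
    captured_at: datetime  # when the opt-in happened
    source: str            # where it was captured, e.g. a checkout form
    ip: str
    local_tz: tzinfo       # a fixed offset here; production would use zoneinfo for DST
    opted_out: bool = False

def handle_inbound(record: ConsentRecord, body: str) -> str:
    """Process a reply; STOP/CANCEL must unsubscribe on the first attempt."""
    word = body.strip().upper()
    if word in OPT_OUT_KEYWORDS:
        record.opted_out = True  # single final confirmation, no discount attached
        return f"{record.brand}: You are unsubscribed. No further messages will be sent."
    if word == "HELP":
        return f"{record.brand}: Reply STOP to cancel. Msg & data rates may apply."
    return ""

def can_send(record, brand: str, message: str, now_utc: datetime) -> tuple[bool, str]:
    """Gate every marketing send; returns (allowed, reason) so refusals can be logged."""
    if record is None or record.brand != brand:
        return False, "no consent record for this brand"
    if not (record.captured_at and record.source and record.ip):
        return False, "consent record incomplete (timestamp/source/ip)"
    if record.opted_out:
        return False, "subscriber opted out"
    if brand not in message:
        return False, "message does not identify the sender"
    local = now_utc.astimezone(record.local_tz).time()
    if not (WINDOW_START <= local < WINDOW_END):
        return False, "outside 8am-9pm recipient local time"
    return True, "ok"

# Constructed sample data (not from the page): one subscriber in UTC-5.
SAMPLE = ConsentRecord("+15550100", "ExampleBrand",
                       datetime(2025, 3, 1, 15, 4, tzinfo=timezone.utc),
                       "checkout-form-v3", "203.0.113.7", timezone(timedelta(hours=-5)))
EARLY_UTC = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # 07:00 local: blocked
MIDDAY_UTC = datetime(2025, 6, 1, 16, 0, tzinfo=timezone.utc)  # 11:00 local: allowed
```

A dedicated platform performs these checks for you; the value of writing them out is knowing what to verify when testing the opt-out flow each month.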

limestack sets up compliant SMS marketing programmes on leading platforms. SMS Marketing Services →

Launch SMS Compliantly

Ready to add SMS as a marketing channel without compliance exposure?

We set up your SMS programme with the right consent flows, platform configuration, and opt-out infrastructure from day one.