TCPA Compliance Guide: How to Avoid $500-$1,500 SMS Marketing Fines
The FCC issued $208 million in TCPA violation fines in 2024. The average penalty? $1,500 per text.
If you're using SMS for sales follow-up, you're sitting on a goldmine. SMS has a 98% open rate and 45% response rate - crushing email's 20% open rate.
But here's the problem: most sales reps are violating TCPA without knowing it.
One wrong text can cost you $500-$1,500 per message. Send 100 messages without proper consent? That's up to $150,000 in fines.
This isn't theory. I've seen companies get hit with six-figure settlements for simple compliance mistakes. Small businesses shut down. Sales teams sued personally.
The good news? TCPA compliance is straightforward once you understand the rules. This guide will show you exactly how to stay legal while scaling your SMS campaigns.
What is TCPA and Why Should You Care?
The Telephone Consumer Protection Act (TCPA) was passed in 1991 to protect consumers from unwanted telemarketing calls and texts.
Here's what it covers:
- Automated text messages - Any SMS sent through automated systems (which includes CRMs, marketing tools, and SMS platforms)
- Pre-recorded calls - Robocalls and automated voice messages
- Fax marketing - Yes, this is still a thing apparently
- Manual calls using autodialers - Any system that automatically dials from a list
If you're sending sales follow-up texts through any platform (Salesforce, HubSpot, or dedicated SMS tools like FollowUp AI), you're subject to TCPA.
Critical Point: TCPA applies to B2B sales too. Many reps think "I'm texting businesses, not consumers" - wrong. If you're texting a cell phone (even a business cell), TCPA applies. Period.
The Four Pillars of TCPA Compliance
TCPA compliance boils down to four non-negotiable requirements:
1. Prior Express Written Consent
This is the foundation. You MUST have documented consent before sending marketing texts.
What counts as valid consent:
- Signed written agreement (physical or digital)
- Online form submission with clear disclosure
- Text-to-join keyword (e.g., "Text START to 12345 to receive updates")
- Checkbox opt-in during purchase/signup (must be unchecked by default)
What DOESN'T count:
- "I got their number from their website" - Nope
- "They're an existing customer" - Still need SMS consent
- "They gave me their business card" - Not sufficient
- "They didn't say NOT to text them" - Absolutely not
The consent must be:
- Clear and conspicuous - Not buried in fine print
- Separate from other terms - Can't hide it in general T&Cs
- Specific about what they're consenting to - "Agree to receive marketing texts from [Company Name]"
- Include disclosure of message frequency - "Up to 4 msgs/month"
- State that message and data rates may apply - Standard disclosure
- Explain how to opt-out - "Reply STOP to unsubscribe"
Here's a compliant consent example:
☑️ I agree to receive marketing text messages from FollowUp AI at the number provided. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe at any time. Reply HELP for help. View our Privacy Policy and Terms of Service.
2. Maintain a Do Not Contact (DNC) List
You're legally required to maintain your own internal DNC list and honor it immediately.
Key requirements:
- Honor opt-outs within 24 hours - Best practice is instant, but you have 24 hours legally
- Maintain the list for 5 years minimum - Even after they're no longer a prospect
- Share across your organization - If they opt out of sales texts, they're out of ALL texts
- Check before EVERY campaign - Systems must automatically suppress DNC contacts
The FTC also maintains a National Do Not Call Registry. While this primarily applies to phone calls, best practice is to scrub your calling lists against it. You can register for access at donotcall.gov.
Pro Tip: Set up automatic opt-out keyword detection. Any variation of STOP, CANCEL, UNSUBSCRIBE, QUIT, END should immediately flag the contact in your system. Common variations include: STOPALL, UNSUBSCRIBE, CANCEL, OPT-OUT, REMOVE.
3. Include Required Disclosures
Every SMS campaign needs specific disclosures. Here's what must be included:
In your first message to a new subscriber:
- Your company name/identity
- Confirmation they're subscribed
- Message frequency expectation
- How to get help (HELP keyword)
- How to opt-out (STOP keyword)
- Message and data rates disclosure
Example welcome message:
Welcome to FollowUp AI! You'll receive sales tips and product updates (up to 4/month). Msg&data rates may apply. Reply HELP for help, STOP to cancel.
In your ongoing messages:
- Include your company name or shortcode
- Make it clear it's a marketing message
- Don't mislead about the sender or purpose
4. Respect Quiet Hours
TCPA restricts when you can send marketing messages:
8 AM - 9 PM
Those are the only hours you can send marketing texts (recipient's local time). Sending at 7:59 AM or 9:01 PM? That's a violation.
Critical details:
- Based on recipient's timezone, not yours
- Applies to all days, including weekends
- Applies to all messages, even transactional-ish ones
- No exceptions for "urgent" sales outreach
Best practice? Limit to 9 AM - 8 PM to give yourself a buffer. You don't want a timezone calculation error costing you $1,500 per message.
Common TCPA Violations (And How to Avoid Them)
After reviewing hundreds of TCPA cases, these are the most common violations I see sales teams making:
Violation #1: Buying Phone Lists
The mistake: Purchasing lead lists with phone numbers and texting them.
Why it's illegal: You don't have express written consent from those individuals. The list vendor's consent doesn't transfer to you.
The fix: Only text numbers you've personally collected with proper consent. If you buy lists, use them for email only, or call manually (not with autodialers).
Violation #2: Pre-Checked Consent Boxes
The mistake: Having the SMS opt-in checkbox pre-checked on your forms.
Why it's illegal: Consent must be an affirmative action by the user. Pre-checked boxes don't qualify.
The fix: All SMS consent checkboxes must be unchecked by default. The user must actively check them.
Violation #3: Shared Consent
The mistake: "They opted into emails, so I can text them too."
Why it's illegal: Email consent and SMS consent are separate. You need explicit SMS permission.
The fix: Separate opt-ins for email and SMS. Never assume one grants the other.
Violation #4: Ignoring Carrier Requirements
The mistake: Only following TCPA rules and ignoring carrier-specific policies.
Why it's a problem: Carriers (AT&T, Verizon, T-Mobile) have additional requirements and can block your number or report you to the FCC.
The fix: Register for 10DLC (if sending from standard numbers) or use dedicated short codes. Follow CTIA guidelines for messaging.
Violation #5: No Opt-Out Mechanism
The mistake: Not monitoring for STOP requests or making opt-out difficult.
Why it's illegal: TCPA requires easy opt-out in every message.
The fix: Automatic keyword detection for STOP/UNSUBSCRIBE. Process immediately. Confirm unsubscribe with one final message.
Stay Compliant While Scaling Your SMS Campaigns
FollowUp AI handles consent management, DNC lists, quiet hours, and opt-out processing automatically - so you can focus on closing deals without compliance headaches.
Building a TCPA-Compliant SMS System
Here's your step-by-step framework for staying compliant while scaling SMS:
Step 1: Audit Your Current Process
Before sending another text, document:
- How are you collecting phone numbers?
- Where is consent language displayed?
- How is consent documented and stored?
- What's your opt-out process?
- Do you have a DNC list? How is it maintained?
- Are you checking recipient timezones?
Step 2: Implement Compliant Consent Collection
Create a consent workflow:
- Update your forms - Add unchecked SMS opt-in with full disclosure
- Document everything - Store timestamp, IP address, consent text shown, user response
- Send confirmation - Welcome message confirming subscription with HELP/STOP info
- Double opt-in (recommended) - Send "Reply Y to confirm" for extra protection
Step 3: Set Up Your DNC Management
Create a bulletproof opt-out system:
- Automatic keyword detection - Monitor all replies for opt-out keywords
- Instant suppression - Flag contacts immediately in your CRM/database
- Confirmation message - Send one final text: "You've been unsubscribed. No more messages."
- Cross-system sync - Ensure DNC status applies everywhere (email, phone, SMS)
- Regular audits - Monthly review of DNC list and opt-out processing
Step 4: Configure Quiet Hours Protection
Never send outside 8 AM - 9 PM local time:
- Collect timezone data - Use area code lookup or ask during signup
- Schedule intelligently - Delay messages that would violate quiet hours
- Buffer zones - Use 9 AM - 8 PM to avoid edge cases
- Manual override protection - Even if someone manually schedules a message outside the allowed hours, the system should block it
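The opt-out handling in Step 3 and the quiet-hours gate in Step 4 can be enforced in one pre-send check. The sketch below is an added example, not code from FollowUp AI or any SMS platform; the function names, the "review" state for ambiguous replies, and the choice to suppress sends when the recipient's timezone is unknown are assumptions made for illustration.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Opt-out keywords listed on this page, compared after normalization.
OPT_OUT = {"STOP", "STOPALL", "CANCEL", "UNSUBSCRIBE", "QUIT", "END", "OPTOUT", "REMOVE"}
WINDOW_OPEN, WINDOW_CLOSE = time(9, 0), time(20, 0)  # buffered 9 AM - 8 PM window


def classify_reply(reply):
    """Return "opt_out", "review" (keyword inside a longer reply) or "ok"."""
    words = re.findall(r"[A-Z]+", reply.upper())
    if "".join(words) in OPT_OUT:  # "Stop.", "opt-out", "stop all"
        return "opt_out"
    if any(w in OPT_OUT for w in words):  # "please stop texting me"
        return "review"
    return "ok"


def handle_reply(phone, reply, dnc):
    """Suppress the number immediately on anything that is not clearly "ok"."""
    verdict = classify_reply(reply)
    if verdict != "ok":
        dnc.add(phone)  # "review" stays suppressed until a person clears it
    return verdict


def send_decision(phone, now_utc, tz, dnc):
    """Return ("suppress", None), ("send", now_utc) or ("defer", next_utc)."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if phone in dnc or tz is None:  # unknown timezone fails closed (assumption)
        return ("suppress", None)
    local = now_utc.astimezone(tz)
    if WINDOW_OPEN <= local.time() < WINDOW_CLOSE:
        return ("send", now_utc)
    # Before opening: today at 9 AM local. After closing: tomorrow at 9 AM local.
    day = local.date() if local.time() < WINDOW_OPEN else local.date() + timedelta(days=1)
    opens = datetime.combine(day, WINDOW_OPEN, tzinfo=tz)
    return ("defer", opens.astimezone(timezone.utc))


if __name__ == "__main__":
    # Constructed sample: fixed UTC-5 offset; use zoneinfo.ZoneInfo for DST-aware zones.
    eastern = timezone(timedelta(hours=-5))
    dnc = set()
    late = datetime(2025, 1, 15, 1, 30, tzinfo=timezone.utc)  # 8:30 PM local
    print(send_decision("+15555550100", late, eastern, dnc))
    print(handle_reply("+15555550100", "Stop.", dnc))
    print(send_decision("+15555550100", late, eastern, dnc))
```

Running the same check at send time, not only at scheduling time, is what makes the manual-override protection hold: a message queued by hand still passes through send_decision before it leaves.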
Step 5: Maintain Compliance Documentation
In a lawsuit, documentation is your defense. Store:
- Consent records - Timestamp, IP, form version, consent text
- Message logs - Every message sent, with timestamp and recipient timezone
- Opt-out logs - When they unsubscribed, what keyword they used, confirmation sent
- DNC list history - Dated snapshots of your suppression list
- Policy versions - Every version of your consent language, dated
Retain everything for a minimum of 5 years. Some states require longer.
State-Specific Laws: It Gets More Complicated
TCPA is federal law. But many states have additional requirements:
California (CCPA/CPRA)
- Right to know what data you've collected
- Right to deletion of personal information
- Right to opt-out of data sales
- Enhanced consent requirements
Florida
- Additional restrictions on automated calls
- Enhanced caller ID requirements
- Specific do-not-call provisions
Texas
- Strict rules about caller ID spoofing
- Additional DNC requirements
Best practice: Follow the strictest applicable law. If California is more restrictive than federal TCPA, use California's standards for everyone.
What Happens If You Violate TCPA?
TCPA violations are expensive and painful:
Financial penalties:
- $500 per violation - Each unauthorized text is a separate violation
- $1,500 for willful violations - If you knew the rules and ignored them
- Class action lawsuits - Recipients can sue as a group
- Legal fees - Defense costs even if you win
$208M: that's what the FCC collected in TCPA fines in 2024 alone.
Real examples:
- A mortgage company paid $40 million for texting leads without consent
- A solar installer paid $3 million for calling DNC numbers
- A healthcare company paid $7.5 million for pre-recorded calls
Beyond money:
- Carrier number blocking (your texts stop going through)
- Reputation damage (news coverage of lawsuit)
- Customer trust erosion
- Sales team disruption during litigation
TCPA Compliance Checklist
Use this checklist before every SMS campaign:
- ☑️ Consent obtained? - Do you have documented express written consent?
- ☑️ Consent language compliant? - Clear, conspicuous, separate, specific?
- ☑️ DNC scrubbed? - Have you removed all opt-outs from this list?
- ☑️ Required disclosures included? - Company name, frequency, STOP instructions?
- ☑️ Quiet hours respected? - All sends between 8 AM - 9 PM recipient local time?
- ☑️ Opt-out monitored? - System watching for STOP keywords?
- ☑️ Documentation ready? - Consent records stored and accessible?
- ☑️ Carrier compliant? - Registered for 10DLC or using short code?
If you can't check every box, don't send until you can.
How to Get Compliant (If You're Not Already)
Already sending texts without proper compliance? Here's how to fix it:
Immediate Actions (Do Today)
- Stop all automated SMS - Pause campaigns until you're compliant
- Audit your consent - Review how you collected every number
- Identify violations - Which contacts don't have proper consent?
- Set up DNC monitoring - Ensure opt-outs are being processed
Week 1 Actions
- Create compliant consent language - Update all forms, checkboxes, and disclosures
- Build DNC infrastructure - Database table, API endpoints, monitoring system
- Configure quiet hours - Implement timezone checking and send time restrictions
- Document everything - Start logging consent, sends, opt-outs
Week 2-4 Actions
- Re-consent existing contacts - Send one-time message asking them to opt-in properly
- Register for 10DLC - If using standard phone numbers for business messaging
- Train your team - Everyone sending texts needs compliance training
- Set up monitoring - Track compliance metrics, opt-out rate, consent documentation
Ongoing Maintenance
- Monthly DNC audits - Review opt-outs and suppression list
- Quarterly consent audits - Verify consent collection is working properly
- Annual legal review - Have an attorney review your compliance program
- Stay updated - TCPA rules evolve, so follow industry news
Don't Want to Manage Compliance Manually?
FollowUp AI includes built-in TCPA compliance: automatic consent tracking, DNC management, quiet hours enforcement, and complete audit trails. Stay legal without the headache.
The Bottom Line: Compliance is Your Competitive Advantage
Here's what most sales teams don't understand: TCPA compliance isn't just about avoiding fines. It's about building trust.
When you:
- Ask permission before texting
- Respect quiet hours
- Honor opt-outs immediately
- Provide clear disclosure
You're showing respect for your prospects' time and privacy. That builds trust. Trust drives sales.
Meanwhile, your competitors who are cutting corners? They're either getting sued, getting blocked by carriers, or burning their reputation.
The formula for success:
- Collect consent properly (clear opt-in with full disclosure)
- Maintain strict DNC management (instant opt-out processing)
- Include required disclosures (every message, every time)
- Respect quiet hours (8 AM - 9 PM local time only)
- Document everything (consent, sends, opt-outs)
- Use compliant tools (platforms with built-in TCPA features)
Do this right, and SMS becomes your highest-ROI channel. Do it wrong, and you're gambling with $1,500 per message.
The choice is yours.