SMS Marketing Compliance: TCPA, CASL & PECR Explained
Explore this content with AI
SMS marketing is legal—but only if you follow the rules.
And those rules aren’t optional. TCPA, CASL, and PECR each define how you collect consent, what you include in messages, and how you handle opt-outs.
The challenge is that most businesses don’t realize where they’re non-compliant until it becomes a problem.
This guide breaks down what compliance actually looks like in practice, so you can avoid mistakes before they happen.
The three SMS principles that apply everywhere
SMS marketing laws vary by country, and we’ll cover each one in detail. But before getting into the specifics, three principles apply regardless of where you’re sending or who you’re reaching. Understanding these first makes everything that follows easier to navigate.
| Principle | What it means |
|---|---|
| Consent | The person receiving your message must have agreed to receive it before you send it. Giving you their phone number, making a purchase, or filling out an unrelated form does not count as consent for SMS marketing. |
| Identification | Every message you send must clearly state who is sending it. Recipients should never have to guess which brand is texting them. |
| Opt-out | Every message must give recipients a simple, clear way to stop receiving texts from you. When someone opts out, that request must be honored promptly—no follow-up campaigns, no exceptions. |
These three principles form the foundation of SMS compliance in the US, Canada, and the UK. The specific laws, timeframes, and penalty structures differ by country, but if your SMS program is built on these three foundations, you’re already ahead.
SMS marketing laws in the United States
In the US, SMS marketing is governed primarily by the Telephone Consumer Protection Act (TCPA) and enforced by the Federal Communications Commission. The TCPA is actively litigated and carries per-message penalties that add up fast.
For a broader look at running SMS campaigns in the US, check out our guide to SMS marketing in the USA, which covers strategy alongside compliance.
What the TCPA requires
| Requirement | What it means in practice |
|---|---|
| Prior express written consent | Recipients must explicitly agree to receive marketing texts before you send them. A phone number collected at checkout, on a contact form, or at an event does not count as SMS consent unless SMS marketing was specifically mentioned and agreed to. |
| Sending hours | No texts before 8 am or after 9 pm in the recipient’s local time zone. Several states, including Florida, Washington, Oklahoma, New Jersey, and Maryland, have extended quiet hours starting at 8 pm. Connecticut has the most restrictive quiet hours: before 9 am and after 8 pm. |
| Opt-out instructions | Every message must include a way to unsubscribe. For most number types, this means including a STOP keyword. |
| Honor opt-outs promptly | As of April 2025, the FCC requires businesses to honor opt-out requests within 10 business days and to accept revocations through any reasonable method—not just STOP replies. This includes email, phone calls, website forms, and in-person requests. |
| Identify your brand | Every message must make clear who is sending it. |
Consent specifics
A compliant opt-in must clearly state who is texting the subscriber, what type of messages they’ll receive, how often, that message and data rates may apply, and how to unsubscribe. Pre‑checked boxes don’t count. Bundling SMS consent with email consent in a single checkbox doesn’t count either.
If you’re sending business SMS in the US, you almost certainly need to register your number through the 10DLC (10‑digit long code) system. Major carriers increasingly filter or block unregistered numbers, making this process a carrier-level requirement, not just a legal one.
Registration can fail for three reasons: incomplete data, inaccurate or invalid information, or prohibited content. Carriers will reject registrations and block messages from brands sending content related to cannabis, crypto, payday loans, gambling, vaping, and other restricted categories. The full list is available in our content guide.
Mobile Text Alerts handles the technical side of this automatically—from keyword-based opt-in flows to instant opt-out processing, so businesses don’t have to manage compliance manually on every campaign.
Identification
Every message must make clear who is sending it. Recipients should never have to guess which brand is texting them.
Opt-out
The FCC’s updated rules, which took effect April 11, 2025, made a significant change to how opt‑outs work. Businesses can no longer require subscribers to use a specific keyword or channel to unsubscribe. If someone emails you asking to be removed from your SMS list, that counts as a valid opt‑out request and must be honored within 10 business days.
Common mistakes
The most frequent compliance failures in the US come down to two things: assuming a phone number collected in one context carries consent for SMS marketing, and failing to honor opt-outs that arrive through channels other than STOP. Carrier-level fines are also entirely separate from TCPA damages, meaning a single non-compliant campaign can trigger both simultaneously.
What it costs to send in the US
Beyond legal compliance, businesses also need to account for carrier fees on every message sent. Check our SMS/MMS carrier fee tracker to find out the current fees per message from major US carriers. These fees apply per message segment and are separate from your SMS platform costs. For high-volume senders, they add up quickly—which is another reason proper registration matters. Unregistered numbers face higher filtering rates, meaning you pay carrier fees on messages that never get delivered.
When a business owner on Reddit asked whether SMS marketing violations actually result in real legal consequences, the response from someone working on the vendor side of the industry was telling.
Two things stand out. First, the violations came from real businesses. Second, carrier‑level fines are entirely separate from TCPA damages, meaning a single non‑compliant campaign can trigger both simultaneously. T‑Mobile in particular actively enforces these penalties at the carrier level, on top of whatever legal exposure already exists.
For businesses already paying per‑message carrier fees, adding penalty fines on top makes the case for getting consent right from the start obvious.
SMS marketing laws in Canada
In Canada, SMS marketing is governed by CASL—Canada's Anti‑Spam Legislation—enforced primarily by the Canadian Radio‑television and Telecommunications Commission (CRTC) alongside other federal agencies. US-based businesses expanding into Canada often misinterpret CASL, assuming their existing compliance process applies. It doesn’t. CASL has its own consent framework, its timeframes, and its own penalties—and they’re steeper than most people expect.
What CASL requires
| Requirement | What it means in practice |
|---|---|
| Consent | You need either express or implied consent before sending any commercial electronic message, including SMS. The type of consent determines how long it’s valid and what documentation you need. |
| Identification | Every message must clearly identify the sender, including a valid mailing address or contact information. This is stricter than the US requirement. |
| Unsubscribe mechanism | Every message must include a clear and easy way to opt out. Opt-out requests must be honored within 10 business days. |
| Penalties | Up to $1 million per violation for individuals and up to $10 million per violation for businesses. |
Consent specifics
CASL distinguishes between two types of consent, and the difference has a direct impact on how long you can legally send to someone.
| Consent type | What qualifies | How long is it valid |
|---|---|---|
| Express consent | The subscriber actively opts in through a form, keyword, or checkbox that specifically mentions SMS. | Does not expire unless the person opts out. |
| Implied consent (existing customer) | A person made a purchase or entered into a business relationship with you. | Valid for 2 years from the date of the last transaction. |
| Implied consent (prospect) | A person gave you their contact information without making a purchase. | Valid for 6 months from the date they provided it. |
Get a Free 14-Day Trial with Mobile Text Alerts
The implied consent window is something US businesses frequently overlook. If a Canadian prospect downloaded a resource from your site six months ago and hasn’t engaged since, your implied consent to text them has expired—even if they never explicitly opted out.
Identification
Every message must clearly identify the sender, including a valid mailing address or contact information. This requirement is stricter than its US equivalent — a sender name alone is not sufficient.
Opt-out
Every message must include a clear and easy way to opt out. Opt-out requests must be honored within 10 business days. A compliant CASL setup tracks consent type, consent date, and consent source for every subscriber—that documentation is your defense if a complaint is ever filed.
Common mistakes
The most common mistake businesses make under CASL is treating implied consent as a permanent permission. It isn’t. Once the 2‑year or 6‑month window closes, you need express consent to continue sending—and if you haven’t been building that opt‑in relationship along the way, you’ve lost your legal basis to text that subscriber.
What it costs to send in Canada
Canadian carriers charge higher per‑message fees than their US counterparts. Check out the
SMS/MMS carrier fee tracker to know the current fees. Canadian carrier fees run roughly 2–3x higher per message than US rates, which makes proper consent management even more important; you don’t want to be paying to send messages to people whose implied consent has already lapsed.
SMS marketing laws in the United Kingdom
In the UK, SMS marketing is governed by two frameworks that work together: UK GDPR covers how you collect, store, and use personal data, like mobile numbers, while PECR — the Privacy and Electronic Communications Regulations specifically regulate sending electronic marketing messages, including texts. You must comply with both simultaneously to send lawful promotional SMS.
Getting PECR right without UK GDPR compliance or vice versa still leaves you exposed.
What PECR and UK GDPR require
| Requirement | What it means in practice |
|---|---|
| Consent for individuals | You must have specific, freely given, informed, and unambiguous consent before sending marketing texts to individuals. Pre-ticked boxes and bundled consent do not count. |
| Soft opt-in exception | Existing customers can be texted about similar products or services without new consent—but only if they were given a clear chance to opt out when their details were first collected and in every message since. |
| Identification | Every message must clearly state who is sending it. |
| Opt-out | Every message must include an easy way to unsubscribe—typically “Reply STOP.” Opt-outs must be honored promptly. |
| Penalties | Up to £500,000 under PECR and up to £17.5 million or 4% of global annual turnover under UK GDPR—whichever is higher. |
Consent specifics
Valid consent under UK PECR must be specific to SMS—consent for email doesn't automatically cover texts, and vice versa. You must ensure that the consent specifically covers receiving that particular type of electronic mail from you. Simply asking for consent for 'direct marketing' would not make it specific or informed enough.
Every consent record should document when consent was given, how it was given, and exactly what the subscriber agreed to.
For B2B, the rule differs meaningfully from both the US and Canada. You can send marketing emails or texts to companies. However, it is good practice to keep a “do not email or text” list of any companies that object.
The key distinction is subscriber type:
| Subscriber type | Rule |
|---|---|
| Individual (including sole traders and some partnerships) | Express consent or soft opt-in is required. |
| Corporate subscriber (limited companies, LLPs, government bodies) | No consent is required under PECR, but you must include an opt-out in every message and comply with UK GDPR. |
If you’re not certain whether a subscriber is an individual or a corporate subscriber, treat them as an individual. The risk of getting it wrong is not worth the shortcut.
Identification
Every message must clearly state who is sending it.
Opt-out
Every message must include an easy way to unsubscribe, typically "Reply STOP." Opt-outs must be honored promptly. Every consent record should document when consent was given, how it was given, and exactly what the subscriber agreed to; that documentation is your evidence if the ICO ever investigates.
Common mistakes
The soft opt-in is where most businesses trip up in UK SMS compliance. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services—even if they haven't specifically consented.
However, you must have given them a clear chance to opt out both when you first collected their details and in every message you send. The soft opt‑in is narrow.
Three conditions must all be met:
| Condition | What it requires |
|---|---|
| Details collected during a sale | Contact details must have been collected during a purchase or sale negotiation—not from a downloaded resource, competition entry, or enquiry form. |
| Similar products or services only | You can only market your own similar products—not third-party offers, not unrelated services. |
| Opt-out is offered every time | The subscriber must have been given a clear opt-out when their details were first collected and in every message since. |
If any one of these conditions isn’t met, the soft opt-in doesn’t apply, and you need express consent.
Key updates
On August 20, 2025, the Data Use and Access Act added the definition of "direct marketing" from the Data Protection Act to PECR. The ICO’s guidance is currently under review as a result. Businesses should monitor for updates, particularly around how direct marketing is defined and enforced going forward.
Your SMS compliance checklist
Here's everything covered above distilled into a checklist you can run before each campaign.
Before you send anything
Obtain explicit opt-in consent before adding anyone to your SMS list. Use unticked checkboxes—never pre-filled or bundled with other consents. Ensure your opt-in language states who is texting, what type of messages they'll receive, how often, and how to unsubscribe. Keep a consent record for every subscriber—date, method, and source of consent. Register your number through 10DLC if sending in the U.S. Check your content against the prohibited categories list before registering.
In every message you send
Identify your business clearly in every message. Include opt-out instructions in every message. Never send before 8 am or after 9 pm in the recipient’s local time zone. For Canada: include valid contact information or mailing address in every message.
When someone opts out
Honor opt-out requests within 10 business days. Accept opt-outs through any reasonable method—not just "STOP" replies. Never contact an opted-out subscriber again unless they re-consent. Maintain a suppression list and check new imports against it.
Ongoing compliance
Review implied consent expiry dates for Canadian subscribers—2 years for customers and 6 months for prospects. Monitor for regulatory updates, particularly FCC and ICO guidance changes. Audit your opt-in flows regularly to ensure consent language is still accurate. Keep documentation that can demonstrate compliance if a complaint is ever filed.
For a more detailed breakdown of each item, our SMS compliance checklist goes deeper into what each requirement looks like. A quick audit against this checklist before your next campaign takes minutes, and the alternative is considerably pricier.
SMS marketing is legal. Now make sure yours is
The rules vary by country, but the underlying logic remains consistent. Get consent properly. Identify yourself in every message. Honor opt-outs promptly. Know which rules apply to your subscribers based on their location. Document everything.
If you'd rather spend your time on the marketing itself, Mobile Text Alerts keeps the compliance risk off your plate, so a missed opt-out or an unregistered number doesn't turn a good campaign into a costly one.
Frequently asked questions
Get a complimentary strategy session
Explore weather Mobile Text Alerts is the right fit for your business.
