SMS Messaging Regulations in the United States

Text messaging in the United States is governed by a combination of federal laws, FCC regulations, industry guidelines, and state-specific statutes. These rules cover both commercial (marketing/promotional) and transactional messaging, in both person-to-person (P2P) and application-to-person (A2P) contexts. The following report provides a detailed overview of the current SMS legal framework, recent changes as of 2025, and expectations for the future. It also outlines compliance obligations for various players (carriers, messaging platforms, etc.) and best practices to meet these requirements.

Telephone Consumer Protection Act (TCPA) – Federal Law

The TCPA (47 U.S.C. §227) is the cornerstone federal law regulating SMS/text messaging. The FCC's rules under the TCPA treat text messages as "calls" for regulatory purposes. In general, the TCPA prohibits sending text messages using an autodialer or prerecorded message to a mobile phone without the recipient's prior express consent. For telemarketing texts (those that advertise or promote products/services), prior express written consent is required, meaning the consumer must sign (even electronically) an agreement specifically authorizing that particular business to send marketing texts. Non-telemarketing, informational texts (e.g. appointment reminders or account alerts) require consent as well, but a simple "opt-in" (such as the consumer providing their phone number for a service) is generally sufficient under FCC rules.

Enforcement & Penalties

The TCPA is enforced through both FCC action and private lawsuits. Consumers can sue violators for $500 per violation or up to $1,500 per willful violation (per text message). These statutory damages have made SMS violations a frequent target of class action litigation. The FCC can also impose fines. For example, the FCC has noted that TCPA violations can lead to "fines ranging from $500 to $1,500 per message" in addition to potential shutdown of messaging services for egregious abuse.

FCC Rules and Orders

The FCC issues rules interpreting the TCPA. Notably, since 2012, FCC rules have required "prior express written consent" for autodialed telemarketing texts, closing an earlier loophole where an "established business relationship" could suffice. The FCC also maintains the National Do Not Call (DNC) Registry (in coordination with the FTC), and has made it clear that telemarketing text messages to numbers on the DNC list are prohibited unless an exception applies. (Political and charity messages are generally exempt from the DNC list rules, as are purely informational messages.) The FCC's rules also require telemarketers to honor consumer opt-out requests and internal "do-not-contact" requests. As of 2024, the FCC codified that texts are covered by DNC rules and strengthened consumers' rights to easily revoke consent by any reasonable means (including replying "STOP") – more on these changes in Section 5.

CTIA Guidelines – Industry Self-Regulation

In addition to laws, the U.S. wireless industry, through the CTIA (Cellular Telecommunications and Internet Association), enforces messaging best practices. The CTIA guidelines are not laws but voluntary industry standards that carriers require messaging services to follow. These include content rules, consent and opt-out best practices, and technical sending limits to differentiate P2P vs A2P messaging. Key principles from the CTIA Messaging Principles and Best Practices (latest update May 2023) include:

P2P vs A2P Definitions

The CTIA guidelines draw a clear line between P2P and A2P messaging. Person-to-Person (P2P) traffic is defined by characteristics of typical human conversation: it is low volume, usually between two individuals, and not automated. Application-to-Person (A2P) is any mass or automated messaging – "virtually all business SMS applications are considered A2P" under CTIA's definition. The CTIA Best Practices (2019/2023) enumerate thresholds: for example, a single phone number used in P2P should send no more than 15 messages per minute and around 1,000 messages per day, with a roughly 1:1 ratio of incoming to outgoing messages and no more than 100 unique recipients in a short timeframe. Exceeding these (for instance, using one number to blast a text to hundreds of recipients) is a sign of A2P traffic that should instead be run on sanctioned A2P channels. Snowshoe messaging – spreading A2P traffic over many numbers to evade detection – is explicitly forbidden, as are using "grey routes" (unauthorized or offshore pathways to deliver texts). Essentially, if a business tries to send high-volume messages from regular consumer numbers without registration, carriers will identify it as spam and may block or throttle those messages.

Other Federal Rules

While the TCPA is the primary law, two other federal regulations bear mention:

The Telemarketing Sales Rule (TSR) enforced by the FTC covers telemarketing practices. It applies primarily to calls, but many of its provisions (DNC list, calling hours, disclosure requirements) overlap with TCPA rules and have been mirrored for texts via FCC rules or state laws. The TSR, for example, sets the calling time restriction of 8 a.m. to 9 p.m. (recipient's local time) for telemarketing – by extension, marketing texts should also honor this window to avoid consumer harm (more on state-imposed timing restrictions in Section 2).

The CAN-SPAM Act (Controlling Assault of Non-Solicited Pornography and Marketing) primarily governs email, but it has a lesser-known provision about "mobile service commercial messages." CAN-SPAM prohibits sending unsolicited commercial e-mails to wireless devices (which would include SMS gateways) without clear opt-out instructions. In practice, CAN-SPAM is seldom invoked for SMS since the TCPA provides stronger consumer protections, but businesses should be aware that bulk "email-to-SMS" messages (sending text to an SMS via an email address) are regulated. In fact, the FCC in 2022-2023 has flagged the issue of spam texts originating from email domains and is encouraging carriers to make email-to-text messaging an opt-in feature to curb abuse.

In short, any entity sending text messages to U.S. consumers must navigate the TCPA's consent requirements and restrictions (and the hefty penalties for violations), follow FCC rules regarding DNC and opt-out, and adhere to industry best practices (CTIA) enforced by carriers. The goal of this framework is to protect consumers from unwanted or harmful texts (e.g. spam, scams, and inappropriate content) while permitting legitimate businesses to use SMS for useful communications.

In addition to federal law, many U.S. states have their own telemarketing and consumer protection laws that explicitly cover text messaging. States can impose tighter restrictions or higher penalties than federal law. We will focus on three major states – California, Florida, and New York – which have significant legislation affecting SMS, but note that other states (e.g. Connecticut, Oklahoma, Virginia, Washington, etc.) also have notable text marketing laws.

California

California law has long prohibited unsolicited commercial text messages. California's anti-spam statute (encapsulated in its Business & Professions Code) makes it unlawful to send "unsolicited advertisements" to mobile devices by SMS without the recipient's prior consent. In fact, California effectively bans text ads unless one of a few exceptions is met. The allowed cases are: (a) the message is sent by the cellular carrier or an affiliate offering messaging service and the subscriber has an ability to opt-out; (b) the message is from a business or political candidate with which the recipient has an existing relationship, and the recipient is given an opt-out option; or (c) the message is from an affiliate of a business with an existing relationship and the subscriber consented to messages from that affiliate.

In practical terms, this means cold-texting prospects in California is illegal; you can only text customers or contacts who have provided permission or with whom you already do business, and even then you must give them a way to stop further texts. California's enforcement of text spam falls under its consumer protection agencies (e.g. the Attorney General's office), and while specific statutory damages aren't as clearly defined as the TCPA, violations can be pursued as unlawful business practices.

Additionally, the California Consumer Privacy Act (CCPA) and its successor CPRA indirectly affect SMS marketing. Under CCPA/CPRA, if a text message involves personal data (which phone numbers are) for marketing, consumers have the right to know what data is collected and to opt out of the "sale" of personal information. For example, if a business shares a customer's phone number with a text-message marketing vendor, California law might require disclosure of that and allow the consumer to opt-out of such sharing. Moreover, California honors the general telemarketing rule of no communications before 8 AM or after 9 PM (adopting the federal standard).

Florida

Florida enacted an update to its telemarketing laws in July 2021 that has had major implications for text message campaigns. The Florida Telephone Solicitation Act (FTSA) (an amendment to the Florida Telemarketing Act, Fla. Stat. § 501.059) was revised to explicitly include SMS and MMS and to require prior express written consent for any automated telemarketing messages sent to Florida residents. In effect, Florida imported the TCPA's consent standard into state law but in some ways went further.

Notably, Florida's law does not use the narrower federal definition of an autodialer; it broadly covers messages sent using automated systems, which potentially closed a loophole left by recent federal court decisions. The law also set time-of-day restrictions: marketing calls or texts can only be sent between 8:00 AM and 8:00 PM (local time) in Florida, stricter than the federal 9 PM cutoff. It additionally limits the number of communications on the same subject to 3 in a 24-hour period – meaning a telemarketer can't barrage a consumer with dozens of texts in one day even if they have consent.

Florida also prohibits "spoofing" of caller ID for texts (sending messages from a fake or misleading originating number to disguise the sender). Enforcement of the Florida law is potent: it provides a private right of action, allowing consumers to sue and recover $500 per violation or $1,500 for willful violations (mirroring TCPA damages). This led to a surge of class-action lawsuits in Florida against businesses for texting without proper consent in 2021-2022.

New York

New York has modernized its telemarketing laws to include text messaging. In 2021, New York amended Section 399-z of its General Business Law (often referred to as the state's telemarketing statute) to add "electronic messaging text" to the definition of telemarketing. This means that any requirements that apply to telemarketing phone calls now also apply to text messages sent to New York residents for the purpose of inducing a sale of goods or services.

Under the New York law:

• Telemarketers must disclose their identity and purpose at the start of a call/text and offer the consumer the ability to be added to the company's do-not-call list on request. (New York's 2020 Nuisance Call Act had already required live callers to inform consumers of their right to be placed on an internal DNC list. Now a text message would presumably need to include instructions for opt-out as the functional equivalent.)
• If a consumer says stop or asks to be on the DNC list, the business must cease messaging that person. New York also bans the sharing or selling of a consumer's contact information to others without consent – telemarketers in NY must get express written agreement before distributing a lead's phone number or info.

New York's law carries penalties of up to $11,000 per violation for telemarketers who ignore the rules. Enforcement is typically by the New York Attorney General. The effective date for adding texts was August 12, 2021, so since then any marketing texts into NY must comply.

Other Notable State Laws

Many other states have followed suit in regulating SMS:

• Connecticut requires prior express written consent for commercial texts, with fines up to $20,000 per violation.
• Oklahoma (Telephone Solicitation Act of 2022) mirrors Florida by limiting texts to 3 per day on the same topic and imposing an 8 a.m.–8 p.m. time window.
• Virginia updated its Telephone Privacy Protection Act to include texts as "telephone solicitations," enforceable under state DNC rules and requiring identification of the caller in the message.
• Washington State treats unsolicited commercial texts as illegal, and uniquely even holds data brokers accountable if they sell lists of contacts that lead to unlawful texting.
• Arizona, Indiana, New Jersey, etc.: These states have laws explicitly adding texts to their do-not-call statutes or requiring specific opt-in consent for texts. For example, New Jersey mandates a clear consent that includes the consumer's number for any text ad subscription.

When planning SMS campaigns, businesses must review the laws of each state they operate in or message into. State laws can dictate additional consent, timing, and opt-out requirements above the federal baseline. Always consider the most restrictive applicable rule. For instance, Florida and Oklahoma's 8 p.m. cutoff is stricter than the federal 9 p.m., so adhering to the strictest timeframe (no marketing texts after 8 p.m. local time) is the safest approach nationally.

Consent is the cornerstone of SMS legality. Both federal and state rules make it clear that businesses must have consent before texting consumers, and consumers have the right to revoke that consent at any time. Here we outline the key consent requirements and DNC (Do Not Contact) obligations:

Prior Express Consent for Transactional Texts

For non-marketing communications (e.g. a bank fraud alert, an appointment reminder, a customer service notification), the sender needs at least the consumer's prior express consent. This could be implied by the consumer giving the company their number for that purpose. For example, if a customer provides their number to a pharmacy to receive prescription-ready alerts, that constitutes consent for those specific transactional texts. The TCPA doesn't require this consent to be in writing for informational messages – an oral agreement or a web form entry can suffice. However, best practice is to document consent regardless.

Prior Express Written Consent for Marketing Texts

Any text that contains an advertisement or solicitation for a product/service requires prior express written consent (PEWC) under the TCPA and many state laws. "Written" can include electronic forms of signature – commonly, this is obtained via a checkbox and agreement on a website or a text-in that is confirmed with a response. The consent request must clearly disclose that the person will receive marketing texts and agree to it. Typically it also must state that consent is not a condition of purchase (per FTC rules).

Do Not Call (DNC) Registry Compliance

The National Do Not Call Registry, while historically used for voice calls, now explicitly covers text messages as well. The FCC has codified that telemarketing texts to wireless numbers on the DNC list are forbidden. Any company engaging in telemarketing must scrub their contact lists against the National DNC registry (and applicable state DNC lists) and refrain from texting those numbers unless they have the person's prior express consent or an established business relationship exemption applies.

Internal Do-Not-Contact Lists

Beyond the national list, each organization must maintain its own internal DNC list of consumers who have directly requested no further contact. If a consumer replies "stop" or otherwise opts out of texts, the sender must add that number to an internal suppression list and honor that request indefinitely (or for at least 5 years per FCC rules). The recent FCC revocation rule changes (effective 2025) require that opt-out (stop) requests be honored "as soon as practicable, and no later than 10 business days" after the request is made.

Methods of Revoking Consent

Consumers must be allowed to revoke consent through any reasonable method. This was affirmed by the FCC – if a consumer sends a text saying "Stop", "Unsubscribe", "Cancel", "Quit", or even writes a message like "I no longer want texts," that should be treated as a valid opt-out. The universally recognized keyword "STOP" is the simplest and most expected way to handle text opt-outs, and CTIA guidelines stipulate that systems must recognize common variants (STOP, CANCEL, END, UNSUBSCRIBE, QUIT).

Time-of-Day Restrictions

Telemarketing texts should only be sent between 8 a.m. and 9 p.m. local time of the recipient (per federal rule). Some states have stricter windows (Florida/OK: 8 a.m. to 8 p.m.). While pure transactional texts (like fraud alerts) might not be subject to those telemarketing hour rules, it's still a good practice to avoid disturbing users with non-urgent texts at odd hours if possible.

When sending SMS in the U.S., businesses have several types of phone number origins they can use, each with its own rules and registration requirements. "Sender ID" or "CLI" (Calling Line Identification) refers to the identifier that shows up as the sender of the text – in the U.S., this is typically a phone number (or short code). Unlike some countries where an alphanumeric sender name can be used for SMS, in the U.S. you generally must use an approved number (long code, short code, or toll-free) to originate messages.

Short Codes

These are special 5- or 6-digit numbers (e.g. 12345 or 54321) used for high-volume A2P messaging. Short codes are leased from a national registry and require approval from carriers for specific use-cases. Companies often use short codes for mass marketing campaigns or important one-to-many alerts (e.g., two-factor authentication codes, emergency alerts) because short codes can handle very high throughput (hundreds of messages per second) and are pre-vetted by carriers for content.

To get a short code, a business must apply and describe the campaign (program) it will be used for – including sample message content, opt-in/out procedures, etc. This is reviewed under CTIA and carrier guidelines. Carriers individually approve or reject the campaign, and once approved, that short code is "activated" on all mobile operators' networks for that program. Short codes have strict rules: for instance, they must support the keywords STOP and HELP, and CTIA audits them for compliance with opt-in consent and content standards.

Toll-Free Numbers (TFN)

Toll-free phone numbers (the 8XX area codes like 800, 888, 877, etc.) can be enabled for SMS and MMS. Many businesses use toll-free SMS because it provides a single national number for voice and text and historically had decent throughput for A2P messaging. Toll-free texts were initially less regulated than short codes, but due to abuse by spammers, carriers and the industry implemented a verification system.

As of 2022–2023, all A2P messaging on toll-free numbers requires verification/registration with carriers. For example, major carriers announced that starting November 2023 unverified toll-free traffic would be blocked. In practice, businesses that want to use toll-free for texting must submit a verification request (typically through their SMS provider) describing who they are and what messages they'll send. Once approved (verified), the toll-free number is allowed higher throughput and lower filtering.

Local Long Codes (10DLC)

Traditionally, standard 10-digit phone numbers (the ones with area codes that look like regular phone lines) were intended for person-to-person texting and had very low throughput for automated sends. To solve this, U.S. carriers introduced A2P 10DLC (10-Digit Long Code) programs starting around 2019 and fully rolling out by 2021–2022.

A2P 10DLC allows businesses to use regular-looking phone numbers for A2P messaging, but requires registration of the business (brand) and the messaging campaign in a centralized system called The Campaign Registry (TCR). Essentially, 10DLC is now a gated system: you tell the registry who you are and what kind of messages you're sending; the registry and carriers vet this information and assign you a trust score or tier. Based on that, carriers allow a certain throughput and volume for your messages.

How 10DLC Registration Works

A business (or its messaging provider) submits a "Brand" registration (company name, industry, tax or business ID, etc.) to TCR. The brand may get a trust score via a vetting process. Then the business registers a "Campaign" for each type of messaging program (e.g. a marketing campaign, an account notifications campaign, a two-factor auth campaign, etc.). For each campaign, the business lists sample messages and declares if it will include any special content. Each campaign is assigned to use one or more specific phone numbers (the 10DLC numbers). Carriers review or automatically assign the campaign a throughput limit.

P2P vs A2P on 10DLC

Importantly, person-to-person texting on regular long codes (like between friends) does not require registration – it's exempt as "P2P" traffic. Carriers determine what's P2P vs A2P by volume and pattern as discussed (low-volume conversational traffic remains P2P). But any business or automated use of long codes is treated as A2P. The industry message is clear: if you're sending messages as a business or organization at scale, use the sanctioned 10DLC route or risk blocking.

No Alphanumeric Sender IDs

In the U.S., unlike some other countries, you cannot use a custom text string as the sender (e.g., "UPS" or "BankAlert" as the sender name) for SMS over the traditional cellular network. The only way to have a branded sender is to use a short code (which can be somewhat branded if it's a vanity number) or certain third-party app-based messaging. Standard SMS to U.S. phones will always come from a phone number or short code.

The period from 2021 through 2025 has seen significant changes in the SMS regulatory landscape. Regulators and industry bodies have moved to tighten rules around automated texts ("robotexts") in response to increasing spam and scam texts hitting consumers. Here we outline the major changes that are in effect by 2025:

FCC's 2023–2024 "Robotext" Rulemaking

In late 2023, the FCC adopted new rules to strengthen the TCPA in the face of modern texting practices. These were published in early 2024 and have phased effective dates in 2024 and early 2025. Key changes include:

Carrier Text-Blocking Mandate

Beginning July 2024, the FCC is requiring wireless providers to block texts from numbers that are clearly spoofed or illegal when notified by the FCC. This mirrors the robocall blocking mandate (STIR/SHAKEN for calls) but for texts. For example, if the FCC identifies a particular sender ID/number as a source of scam texts, they can order carriers to block all traffic from it.

Email-to-SMS Opt-in

The FCC "encouraged" carriers to make any email-to-text gateway (where someone can send an email that gets delivered as SMS) an opt-in feature for subscribers. They stopped short of requiring it, but signaled they might in the future if spam from email-to-SMS (which often comes from shadowy sources) isn't curtailed. By 2025, some carriers have indeed moved to require users to enable email-to-text or have filtering on those messages.

Opt-Out/Revocation Clarifications

In February 2024, the FCC released an order specifically addressing revocation of consent. This became effective April 11, 2025 (to give companies time to adapt). The three big changes are: (1) consumers can use any common words like STOP or CANCEL to revoke consent (codified); (2) businesses must honor revocations within 10 business days max; (3) if a consumer revokes via text, the sender may send a one-time confirmation within 5 minutes and no more marketing thereafter.

CTIA 2023 Messaging Principles & Best Practices Update

The CTIA released an updated version of its messaging guidelines in May 2023, the first major update since 2017. The 2023 CTIA guidelines:

• Formally acknowledge the newer landscape of A2P on all number types. The guidelines explicitly recognize toll-free and 10DLC as legitimate A2P channels alongside short codes.
• Provide more detail on obtaining and documenting consent. CTIA emphasizes that programs should have documented proof of opt-in and should be prepared to provide it if asked (carriers can audit).
• Emphasize the prohibition of snowshoeing and grey routes. The update calls out these tactics as harmful and states that such behavior may lead to blocking.
• Refine P2P vs A2P criteria: CTIA listed numerical thresholds for what counts as consumer P2P behavior (e.g., a true person likely won't send more than 1,000 messages/day or text hundreds of different people).

Carriers' Self-Regulation and Fees (2022–2025)

The carriers themselves (Verizon, AT&T, T-Mobile, US Cellular, etc.) have implemented a range of measures:

• A2P Fees and The Campaign Registry: By 2022, all major carriers introduced per-message fees for A2P 10DLC messages and required registration through TCR. They also impose fees for registration itself. This effectively monetizes A2P and funds additional monitoring.
• Non-Compliance Penalties: T-Mobile led with explicit fines effective Jan 1, 2024 for content violations. AT&T likewise has surcharges for unregistered traffic. These fees are communicated to aggregators and CPaaS platforms, who pass them to senders.
• Improved Spam Filtering Technology: Carriers have invested in more advanced SMS filtering systems (often using AI or pattern matching) to detect spam texts. By 2025, consumers on major networks benefit from some level of SMS spam blocking (similar to email spam filters).

Looking forward, several developments indicate that SMS regulation and industry practice will continue to evolve beyond 2025:

AI-Generated Messaging and New FCC Initiatives

The rise of AI in generating communications has not gone unnoticed by regulators. In mid-2024, the FCC issued a Notice of Proposed Rulemaking seeking comment on AI-generated robocalls and robotexts. They are considering rules to ensure transparency when AI is used (for instance, a requirement that mass calls/texts generated by AI disclose that fact to consumers). By 2026, we may see FCC rules defining and regulating AI-driven text campaigns, especially if used for fraud or manipulation.

Additionally, the FCC might move to make certain carrier practices mandatory – for example, if carriers don't adequately implement email-to-text opt-in or other anti-spoofing measures, the FCC could require it. We might also see expansion of STIR/SHAKEN (the call authentication protocol) concepts to messaging, though the technology for SMS is different; still, the idea of verifying sender identity cryptographically for messages could gain traction as a way to cut down on spoofed texts.

Increased Enforcement and Possibly Legislation

Enforcement of existing rules is expected to ramp up:

• The FCC's new rules (one-to-one consent, etc.) will likely lead to enforcement actions against entities that ignore them. We may see high-profile fines in late 2025 or 2026 as test cases, similar to how the FCC pursued big robocall violators.
• State attorneys general are increasingly forming coalitions to tackle telemarketing abuse (both calls and texts). They might pursue multi-state lawsuits against companies that spam texts without consent, using state laws.
• On the legislative front, if robotexts remain a major consumer complaint, Congress could consider further amendments to the TCPA or related statutes. One area could be raising penalties for text spam or giving consumers even more rights.

There's also discussion around whether political texts should face more regulation. Currently, political messages are generally exempt from DNC and sometimes treated as non-commercial (thus only needing consent if sent via autodialer). However, as voters complain about unsolicited campaign texts, lawmakers (at least at the state level) might introduce bills to require an opt-out mechanism for political texts or to include political texts explicitly in state DNC lists.

Evolution of RCS and Rich Messaging

Rich Communication Services (RCS), the successor to SMS/MMS being promoted by Google and carriers, could become more mainstream in 2025–2026. RCS allows verified sender identities (with branding), encryption, and more interactive features. If RCS business messaging grows, expect a similar regime of verification and rules to govern it. Indeed, the CCMI initiative (cross-carrier messaging initiative) and others have frameworks for RCS A2P, which likely will incorporate verified sender IDs (so users see a brand name with a verified badge) and strict opt-in requirements.

Continued State Activity

We might see more states passing mini-TCPA laws or strengthening existing ones. For example, a state that sees a lot of text fraud might implement mandatory call-back verification for certain high-risk texts or require a special prefix in marketing texts. States might also raise penalties further; New York already raised its max fine to $20,000 for telemarketing violations in 2023, so one can envision a tough stance where states make it very unattractive to spam their residents.

Industry Self-Regulation and Best Practices

By 2026, the industry might introduce:

• Universal STOP Database: An idea sometimes floated is a centralized database of phone numbers that opted out of messages, akin to the DNC list but for text messaging specifically. So if a consumer opts out from one shortcode or campaign, that preference might carry over to others.
• Better Consumer Controls: Perhaps mobile OS or carrier messaging apps will give users more control, like an easy "Report Spam" button for SMS. If usage of those features increases, it can feed into carrier blocking systems quickly.
• Enhanced Verification for High-Risk Campaigns: We might see carriers requiring more documentation for certain use cases. For instance, before a financial services company can run a 10DLC campaign offering loans, the carrier might ask for proof that the company is licensed or that the lead contacts are consented.

In essence, the trajectory is toward more verification and stricter oversight at every level. Businesses should anticipate that the bar for proof of consent will only get higher, and that unauthorized channels will get blocked faster. The best strategy is to stay ahead by engaging in industry forums, reading updates from the FCC and CTIA, and adjusting compliance programs proactively.

Compliance in SMS is a shared responsibility across all parties in the messaging delivery chain. Here we outline the obligations for each type of participant:

Mobile Carriers (Wireless Operators)

The carriers (Verizon, AT&T, T-Mobile, etc.) are the gatekeepers of their networks. They have a duty (partly regulatory, partly commercial) to prevent spam, fraud, and abuse on their messaging networks. Carriers must implement the FCC's rules such as blocking known illegal senders when informed. They also voluntarily enforce CTIA guidelines by filtering messages that violate content or consent rules.

Carriers are the ones who ultimately permit or deny access to A2P routes – they approve 10DLC campaigns, short code programs, and toll-free usage. They have established aggregator connections and the Campaign Registry to intake sender information. Carriers are obligated to protect subscriber privacy too, so they can't just share subscriber info with marketers without consent.

CPaaS Platforms and Aggregators

Communications Platform as a Service (CPaaS) providers and SMS aggregators connect businesses to the carrier networks. They take on significant compliance responsibilities:

• Campaign Registration and Vetting: These providers facilitate the 10DLC registration on behalf of their customers. They collect the necessary business info and ensure it's passed to TCR and carriers.
• Monitoring and Enforcement of AUP: CPaaS companies have Acceptable Use Policies that mirror the laws and carrier rules. They are on the front lines: if a client is sending spam or illegal content, the CPaaS must detect it and shut it down promptly.
• Automated STOP Handling: Many CPaaS platforms implement a default behavior where if a user texts "STOP" back, the platform will automatically prevent further messages to that user and send a confirmation reply.
• Record-Keeping: Aggregators may be called upon to produce evidence of compliance (like opt-in records or campaign details) if a carrier or regulator inquires.

Resellers and Software Providers

Many software companies (e.g., a marketing platform, a CRM system, or a small SMS marketing boutique) resell messaging services that are actually powered by an aggregator in the backend. These resellers must also enforce the rules:

• They need to educate their end-users on TCPA and required opt-ins.
• They might provide templated opt-in language or recommended campaign setups.
• Resellers also usually funnel their traffic through an aggregator's 10DLC registration process.
• Resellers must also maintain opt-out lists and ensure that if a consumer opts out from one brand, that brand doesn't accidentally upload the number again in a new campaign later.

Marketers/Businesses (Senders)

The sender (the business or entity initiating the text campaign) has the primary responsibility to comply with the laws. They must obtain and document consent, honor opt-outs, use the proper sending numbers (via the channels above), and ensure their message content is lawful and compliant. All the other parties enforce rules to make sure the sender does this, but ultimately if there's a violation, the sender is on the hook legally.

The U.S. SMS market is open to international senders – you do not need to be a U.S.-based company to text U.S. consumers. However, foreign companies face the same rules and some additional hurdles:

Compliance with U.S. Laws

Simply put, if you are texting a U.S. phone number, U.S. regulations apply, no matter where you are located. A common misconception is that being overseas provides immunity. While it's true that a foreign entity might be harder to sue or fine (jurisdiction issues), in practice any reputable messaging service will require you to follow U.S. rules for U.S. messaging.

Foreign companies should assume TCPA, FCC rules, etc., fully apply to their campaigns targeting U.S. users. For example, a European e-commerce company sending marketing texts to U.S. customers must have prior express written consent just as a U.S. company would, even though GDPR (Europe's privacy law) might not specifically mandate written consent for texts – the U.S. law still governs communications to U.S. numbers.

Entering Through the Front Door (No Grey Routes)

A foreign company can't circumvent the U.S. carrier controls by sending texts via an overseas telecom provider directly to U.S. phones. Practically, nearly all SMS to U.S. numbers will eventually hand off to the U.S. carriers, and they will filter unregistered international A2P traffic. International long codes (numbers from another country) generally are not allowed to send A2P SMS to U.S. users; those messages often get blocked as potential spam/grey route.

Therefore, a foreign sender should obtain a U.S.-based number (short code, 10DLC, or toll-free) and go through the normal registration processes. This can be done through a U.S. aggregator – many CPaaS providers have onboarding for international customers.

Navigating Time Zones and Language

Foreign companies may not be intimately familiar with U.S. time zones and holidays. They must ensure not to accidentally send messages in the middle of the night U.S. time. They also should be aware of U.S. cultural sensitivities and language – for instance, including Spanish opt-out wording for Spanish-speaking audiences is fine, but the word "STOP" in English must always be recognized.

Obtaining Short Codes as a Foreign Entity

It is possible, though sometimes requires a U.S. presence or partner. Often, foreign companies work with an agency or aggregator that effectively leases the short code on their behalf. The application will still need a contact address, customer support contact, etc., and often having those in the U.S. (or at least a local time zone contact) is recommended. Toll-free numbers are easier – any company can get a toll-free number through a provider without proving U.S. incorporation.

Exposure to Litigation

If a foreign company violates TCPA (e.g., spam texts without consent), can they be sued in U.S. courts? In many cases, yes. If they have any presence or assets in the U.S., they are at risk. Even if not, a default judgment could be entered and it might complicate future dealings. Also, the foreign company's U.S. aggregator might terminate service if they get complaints or legal notices about the foreign sender's practices.

In summary, foreign senders must essentially naturalize themselves into the U.S. system: get U.S. numbers, follow U.S. consent rules, use U.S.-based messaging pathways, and be mindful of the practical challenges (time zones, cultural expectations). The global nature of SMS doesn't exempt anyone from local rules – and the U.S. has some of the world's toughest SMS marketing rules.

Achieving and maintaining compliance in SMS messaging might seem daunting given the patchwork of laws and rules discussed. However, there are concrete strategies and best practices that can greatly simplify compliance and reduce risk:

Build Compliance into the Opt-In Process

Maintain Robust Opt-Out Mechanisms

• Automate STOP Processing: Every SMS program should be capable of instantly recognizing an opt-out keyword (STOP, etc.) and triggering an opt-out. Ideally this is automated at the platform level.
• Confirm Opt-Out to the User: Send a final message confirming the user is opted out: e.g., "You have been unsubscribed and will receive no further messages."
• Opt-Out List Management: Maintain a suppression list of all numbers that opted out, and honor it across your organization.

Adhere to Sending Best Practices

• Respect Quiet Hours: Implement scheduling in your messaging software to respect time zones. Never send telemarketing texts on Christmas or Thanksgiving.
• Frequency Capping: Even if a user agreed to frequent messages, consider if that's really necessary. Over-messaging leads to opt-outs.
• Monitor and React to Metrics: Keep an eye on delivery rates, opt-out rates, and complaint rates. If opt-out rates for a particular campaign exceed a threshold (CTIA has suggested thresholds like >3-5% opt-out is problematic), analyze what might be causing dissatisfaction.

Ensure Proper Number Management

• Use Appropriate Channels: Use short codes for high volume blasts; use 10DLC or verified toll-free for moderate messaging; do not try to game the system by using multiple unregistered numbers to send the same campaign (snowshoeing).
• Renew and Update Campaign Registrations: 10DLC campaigns often have an expiration or need renewal. If your business details change or you want to expand the use-case of your campaign, update the registration.

Content and Messaging Strategies

• Identify Yourself: While not explicitly required by TCPA, identifying the business in each message (especially the first in a sequence) is a best practice.
• Avoid Spammy Language and Formatting: Messages that look like spam (all caps, excessive use of symbols, URL that looks sketchy) may trigger carrier filtering.
• Provide Value and Don't Abuse Trust: If users see value in your texts, they are less likely to complain to carriers or regulators.

Train and Audit

• Employee Training: Ensure that any staff involved in SMS campaigns are trained on these regulations.
• Internal Audits and Testing: Periodically audit your own processes. Test your STOP mechanism to verify it's per guidelines.
• Legal Review of New Initiatives: If launching a new texting initiative, get legal counsel to review.

Finally, always remember the overarching principle: text consumers as you would want to be texted. If you maintain respect for users' consent and privacy, you'll inherently align with most regulations. Compliance is not a one-time task but an ongoing process of adaptation and vigilance as rules evolve.