SMS Compliance for DTC: A 10DLC and TCPA Guide for 2026

SMS is the fastest channel for a DTC brand to break compliance in

Email has decades of filter history behind it and the enforcement is mostly private. SMS is different. In the US, SMS compliance sits at the intersection of federal law (TCPA, CAN-SPAM for messages with links to web content), state laws (notably Florida's FTSA and Washington's CEMA), and carrier requirements enforced through The Campaign Registry (TCR) and the 10DLC framework.

A mistake in email costs deliverability. A mistake in SMS can produce class-action exposure and immediate carrier blocking. This guide is the compliance layer we walk every client through before a single marketing SMS goes out.

TL;DR ▸ Register brand and campaign with The Campaign Registry before sending. ▸ Consent must be explicit, in writing, and separate from purchase. ▸ Quiet hours, HELP, and STOP are non-negotiable. The platform handles most of this if configured correctly. ▸ State laws (FL, WA) add teeth. Do not treat TCPA as the only standard.

Step 1: Understand the 10DLC framework

10DLC stands for 10-digit long code. It is the carrier-sanctioned framework for sending application-to-person (A2P) SMS from standard phone numbers in the US. Every major carrier routes A2P traffic through The Campaign Registry's database. Traffic from unregistered numbers is either filtered, rate-limited, or outright blocked.

The core concepts:

▸ Brand: your legal entity, registered once. Vetting can be Standard or Enhanced. ▸ Campaign: a specific use case, registered per purpose (marketing, account notifications, 2FA, etc.). ▸ Trust score: a number from 0 to 100 assigned to the brand. Higher score means higher throughput and fewer carrier filters. ▸ Throughput: messages per second the carriers will accept. Tied to trust score.

For most DTC brands, one brand and one marketing campaign covers the primary use case. If you also send order status updates and shipping notifications, register a transactional campaign separately so marketing-related filtering does not apply to operational messages.

Step 2: Registration logistics

Your SMS platform (Klaviyo, Attentive, Postscript, etc.) will walk you through registration, but the data you need to prepare ahead of time:

▸ Legal business name matching the EIN record. ▸ EIN or equivalent tax ID. ▸ Registered business address. ▸ Website URL with a visible privacy policy and terms. ▸ Sample message copy for the campaign. ▸ Description of the signup flow and consent language. ▸ Opt-in screenshot or recording.

Carriers reject registrations that do not match the company's public legal filings. If your EIN is in one state and your address is in another, make sure both are current with the IRS and Secretary of State.

Standard vetting is sufficient for most brands. Enhanced vetting costs more but yields higher throughput and a better trust score, which matters for Black Friday or large launch pushes. Decide based on expected peak volume, not average volume.

Step 3: TCPA consent basics

The Telephone Consumer Protection Act (TCPA) governs marketing SMS in the US. The standard it applies is "prior express written consent" for marketing messages sent using an automated dialing system, which in practice covers essentially all bulk SMS platforms.

Prior express written consent requires:

▸ A clear written disclosure that the consumer is agreeing to receive marketing messages from the specific brand. ▸ Identification of the sender by name. ▸ Disclosure that consent is not required as a condition of purchase. ▸ Disclosure of message frequency ("recurring messages", "up to 10 per month"). ▸ Message and data rates disclosure. ▸ HELP and STOP keyword instructions. ▸ Link to terms of service and privacy policy.

The consent language should live next to the phone input on any signup form, with a checkbox that is NOT pre-checked. Pre-checked consent is a common violation. The checkbox must be an affirmative action.

Step 4: The compliance disclosure template

A clean disclosure reads something like:

"By entering your phone number and checking this box, you agree to receive recurring marketing text messages from [Brand Name] at the number provided, including messages sent by autodialer. Consent is not a condition of purchase. Message and data rates may apply. Message frequency varies. Reply HELP for help and STOP to cancel. See our Privacy Policy and Terms of Service."

Every word of that template exists because of an enforcement action or a carrier requirement. Do not shorten it. Do not move the privacy and terms links to a distant footer. Do not remove the "consent is not a condition of purchase" line.

Step 5: State laws add real teeth

Two state laws deserve specific attention:

Florida Telephone Solicitation Act (FTSA): amended in 2023 but still more restrictive than federal TCPA in several respects. Provides a private right of action and allows statutory damages. Opt-in must be unambiguous. Do not send to Florida numbers without a clear, documented consent trail.

Washington CEMA: requires that commercial messages identify the sender in the first words and comply with specific opt-out formats.

Several other states (California, New York, Massachusetts) have additional consumer-protection statutes that can be invoked in SMS class actions. The practical outcome: design the consent flow to the strictest standard, not the weakest, and the rest takes care of itself.

Pixeltree's retention marketing service includes an SMS compliance review as part of onboarding because the cost of getting it wrong is asymmetric to the cost of getting it right.

Step 6: Quiet hours and sending rules

Federal TCPA limits marketing calls (and by extension SMS) to the hours of 8am to 9pm in the recipient's local time zone. Some states narrow the window further.

Your platform should be configured to respect the recipient's time zone, not the sender's. Verify this in the platform settings before the first send. A single bulk send at 9:30pm Pacific that reaches Eastern recipients at 12:30am is a compliance violation even if you did not intend it.

Also configure:

▸ HELP response with brand name, opt-out instructions, and support contact. ▸ STOP response confirming opt-out and ceasing future messages to that number. ▸ UNSTOP or START response to re-enable (standard but often forgotten).

The CLEAR framework for every SMS campaign

Before any SMS campaign sends, run CLEAR:

▸ Consent: every recipient has a documented opt-in from a compliant form. ▸ Local time: send window respects recipient time zone. ▸ Escape: STOP works, HELP works, and both are easy to find. ▸ Attribution: brand name appears in the message. ▸ Registration: the campaign is active in TCR and not in review.

If any of these five is uncertain, the campaign does not send.

Record keeping

Every opt-in must be logged with timestamp, IP address, the form URL, the consent language shown, and the checkbox state at submission. Your SMS platform likely stores most of this automatically, but verify the logs can be exported in a format that would survive a legal request.

Opt-outs are forever unless the consumer re-opts-in through a new, compliant flow. Do not import a historical list of phone numbers and send to them even if they bought from you three years ago. Buyer relationships do not equal SMS consent.

Layering with the rest of the program

SMS compliance lives alongside email compliance and the broader retention program. See our SMS marketing for DTC 2026 guide for the strategic side and email deliverability for Shopify for the adjacent email authentication work.

For the flow architecture that pairs with compliant SMS, see the SMS flow welcome cart winback breakdown. Our customer experience service and email marketing service engagements typically cover SMS compliance as part of scope.

What to do this week

▸ Confirm your brand and marketing campaign are registered in The Campaign Registry. ▸ Audit the signup form disclosure against the template in step 4. Fix any missing element. ▸ Verify the HELP and STOP auto-responses are set and include brand name. ▸ Check that quiet hours are enforced in the recipient's time zone. ▸ Export a sample of recent opt-in logs and confirm timestamp, IP, form URL, and consent language are all present. ▸ Add "consent is not a condition of purchase" language if it is missing anywhere. ▸ Review SMS flow welcome cart winback for the flow mechanics to run on top of a compliant foundation.