Compliance
TCPA and 10DLC SMS Compliance Review
TCPA and 10DLC SMS compliance audit for DTC brands: consent capture, opt-out handling, carrier registration, and CTIA best practice conformance.
What you get
Deliverables, not deliverable-ish.
Scoped plan
Written scope with success criteria, not a vague retainer.
Senior execution
The person scoping the work is the person doing the work.
Measurable output
Deliverables you can point at. Dashboards, flows, code, docs.
Clean handoff
Documentation and training so the work lives inside your team.
How we work
Our approach.
The problem TCPA compliance audits solve
TCPA class actions are the highest financial exposure in DTC compliance. Five hundred dollars per violation becomes material fast when a campaign reaches a hundred thousand recipients and any fraction of them were on a list not properly consented. A willfulness finding trebles damages. The private right of action means you do not need a regulator to decide there is a case. Plaintiffs' firms have built specific practices around TCPA SMS litigation against DTC brands, and a single unclean list can generate a demand into seven or eight figures.
The underlying problem is that SMS programs grow incrementally while the compliance requirements do not. A brand starts with Attentive or Postscript and a checkout opt-in. Then it adds a popup with a coupon for a text subscription. Then it imports an older email list that had a "by signing up you also agree to receive SMS" line buried in footer copy. Then it runs a giveaway where entrants submit phone numbers. Then it runs a contest where partners share lists. By year three the SMS list contains subscribers whose consent capture no one can reconstruct and whose opt-in records no one can produce. That is the moment a plaintiffs' firm sends a litigation demand.
10DLC adds a carrier-level layer. The Campaign Registry requires every A2P SMS sender to register, and unregistered or misregistered traffic gets filtered or fined. Carriers have increased enforcement, and misrepresentation during registration, such as declaring the wrong use case or understating volume, can trigger suspension. Compliance with TCPA is the legal question. Compliance with 10DLC and the CTIA short code handbook is the operational question. A brand needs both, and auditing both is the prudent posture.
Our approach
We run a three-week TCPA and 10DLC compliance audit.
Step one is the consent capture audit. Every opt-in surface is reviewed: checkout checkbox, popups, landing pages, list imports, giveaway forms, partner lists, and any other source that has fed the SMS list. For each we review the consent language, the checkbox default state, the capture logging, the records retention, and the date coverage. Sources with gaps get flagged, and in severe cases we recommend pruning affected subscribers from the list.
Step two is the opt-out handling audit. We verify that STOP, UNSUBSCRIBE, CANCEL, END, QUIT, and HALT all trigger opt-out. We verify the opt-out confirmation message complies with carrier requirements. We verify there is no send after opt-out, including through sub-processors like attribution platforms or reviews solicitation. We verify HELP returns brand contact information.
Step three is the 10DLC and carrier compliance review. We verify The Campaign Registry registration matches the actual use case and volume. We verify brand verification status. We verify the sample messages on file represent actual sends. We verify that short code applications, where short codes are in use, match the CTIA handbook.
Step four is the content audit. Marketing message frequency, time-of-day windows, discount code representation, and claim substantiation all have TCPA and state-level implications. Florida's Telephone Solicitation Act is stricter than federal TCPA. Oklahoma's analogous law has state-specific provisions. We review the last six months of campaign content for findings.
Step five is the remediation roadmap. Findings are ranked by severity, remediation is documented per finding, and a monitoring plan is delivered so future campaigns go through a compliance gate before sending.
What you get
▸ Consent capture audit covering every opt-in surface with detailed findings per surface.
▸ List hygiene recommendation including specific subscriber pruning where consent records are insufficient.
▸ Opt-out handling verification across every required keyword and every sub-processor.
▸ 10DLC Campaign Registry registration review and recommended corrections.
▸ Short code handbook conformance review if applicable.
▸ Six-month campaign content audit with TCPA and state-level findings.
▸ State-level overlay covering Florida, Oklahoma, Washington, and other jurisdictions with stricter rules.
▸ Remediation roadmap ranked by severity with assigned owners.
▸ Pre-send compliance checklist for future campaigns.
▸ Consent capture training session for the growth and retention teams.
▸ Documentation package suitable for demand letter response.
Timeline
Three weeks in three phases.
Week one is consent capture and list source review.
Week two is opt-out handling, 10DLC, and carrier compliance review.
Week three is the content audit, remediation roadmap, and training.
Mini case anatomy
A fashion brand in the ten to twenty million revenue range received a TCPA class action demand letter alleging non-consented SMS marketing to approximately eighty thousand recipients. The demand cited three specific campaign sends and a list import that had occurred eighteen months earlier. The brand's attorney needed to understand the full compliance posture before responding.
We ran the audit in two compressed weeks. The checkout opt-in was compliant. The popup opt-in was compliant. The giveaway form had been compliant, but the giveaway list had been co-marketed with a partner whose own consent language was weaker. The eighteen-month-old list import had come from a legacy email platform and lacked SMS-specific consent. Approximately twenty-four thousand subscribers had consent records that would not survive challenge.
The brand pruned the affected subscribers, settled the demand at a fraction of the initial ask because subsequent campaigns had demonstrably improved compliance posture, and implemented the pre-send compliance checklist. Twelve months later no additional demands had arrived. Annual re-audit became standard practice. For adjacent compliance topics see our privacy compliance audit.
FAQs
See frequently asked questions below. SMS compliance sits alongside privacy and accessibility as a major DTC exposure. Pair this with our privacy compliance audit and WCAG accessibility audit. For the broader picture see our compliance audits hub and our claim substantiation leaf.
FAQ
Questions we hear most.
Let's see if we're a fit.
15 minutes. We'll tell you whether this service fits where you are. If not, we'll name what does.