Pixeltree

Template · 20 items

SMS Compliance Checklist: TCPA, 10DLC, and the 2026 Rules

April 21, 2026 · Updated April 21, 2026


SMS is the highest-intent channel a DTC brand has. Open rates north of 90 percent, click rates that embarrass email, and a direct line into a device the subscriber checks hundreds of times a day. That reach is exactly why the regulatory surface around it is so heavy. A single campaign sent to an unconsented list can generate a class action with statutory damages of 500 to 1,500 dollars per message. Multiply that by a list of even modest size and the math turns into an extinction event. This checklist exists to make sure you never find yourself in that spreadsheet.

Nothing on this page is legal advice. It is an operational checklist built from what carriers, aggregators, and platform onboarding teams ask for in 2026. If your use case is novel, if you operate in a regulated vertical like cannabis or firearms, or if you are rolling out SMS in multiple countries, talk to a lawyer who does telecommunications work. For the standard DTC skincare, apparel, supplements, or home goods brand, the items below map to the things that actually cause delivery failures, carrier filtering, and demand letters.

The stakes split into three layers. The federal layer is TCPA, which governs consent and opt-out. The carrier layer is 10DLC registration plus the Campaign Registry trust score, which governs whether your messages get delivered at all. The state layer has been growing, with Florida and Washington leading the charge on micro-consent and call time rules that go beyond federal requirements. You need all three working before the first campaign goes out. Miss any one of them and you get sued, filtered, or both.

Consent capture

Every SMS program lives or dies on the consent record. Express written consent under TCPA means the subscriber actively agreed to receive marketing messages from you, and you can produce the timestamp, IP address, and exact language they saw. Pre-checked boxes do not count. Bundled consent, where SMS is rolled into a general terms acceptance, does not count. The consent must be specifically for SMS marketing from your brand.

The minimum disclosure block at every opt-in point includes four elements. First, the name of the brand sending messages. Second, the type of content, typically phrased as "marketing and promotional texts." Third, frequency, usually "up to 10 messages per month" or similar. Fourth, the stock disclaimers: "Msg and data rates may apply. Reply STOP to unsubscribe, HELP for help." This language is not optional decoration. It is the evidence you will hand to a defense attorney or a platform trust and safety reviewer.

Double opt-in is not required by TCPA, but it is required by most major carriers for marketing campaigns in 2026. After a user submits a phone number, send a confirmation message asking them to reply YES. Store the YES reply alongside the original form submission. This gives you a two-step audit trail that is almost impossible to challenge.

Pop-ups, checkout fields, keyword-to-join campaigns, and customer service forms all count as opt-in points, and each one needs the full disclosure. A common mistake is running a clean pop-up on the homepage but leaving a checkout-page phone field that collects numbers without any SMS consent language. Audit every place a phone number enters your system. If you cannot point to the consent disclosure that was visible at the moment of capture, that number is not marketable.

Email list and SMS list are not interchangeable. If a subscriber gave you their phone number to get order shipping updates, you do not have marketing consent. The email marketing stack covered under our email marketing service has its own consent model, and the two do not cross-pollinate. Treat SMS consent as a separate, stricter database.

Registration and platform setup

10DLC is the registration framework US carriers use to distinguish legitimate business senders from spam. Since 2022 it has been mandatory for application-to-person messaging on standard ten-digit numbers. In 2026 the enforcement is tighter than ever. Unregistered traffic is filtered aggressively, and in many cases simply dropped.

The registration has two tiers. Brand registration identifies your company to the Campaign Registry, with your EIN, legal name, and website. Campaign registration describes each use case you intend to run, such as marketing, account notifications, or two-factor authentication. Each campaign gets a separate vetting score that influences throughput and deliverability.

When your platform asks for sample messages during campaign registration, give them real ones. Do not submit sanitized placeholder text. The carrier review teams compare submitted samples against actual traffic, and a mismatch flags your number for manual review. Include the brand name, a representative offer, and the mandatory STOP language. If you run multiple use cases, submit separate campaigns for each so that account flows do not get throttled when a marketing blast spikes.

Choose your platform deliberately. The three that dominate DTC in 2026 are Postscript, Attentive, and Klaviyo SMS. Each handles registration, consent capture, and opt-out plumbing slightly differently. Our breakdown of Postscript versus Attentive walks through the onboarding and compliance tooling tradeoffs in detail. Whatever provider you pick, confirm that they file the 10DLC paperwork on your behalf and that your trust score is visible in the dashboard.

Toll-free numbers are a separate track. They use a verification process rather than 10DLC and have higher throughput ceilings, which makes them attractive for high-volume marketing. The tradeoff is a longer verification window and stricter content rules. Short codes, the five- or six-digit dedicated numbers, remain the gold standard for enterprise but carry setup and monthly commitments that rarely pencil out until the list is well into six figures.

Message content rules

Carriers filter on content, not just origin. There is a prohibited content list known informally as SHAFT, covering sex, hate, alcohol, firearms, and tobacco. Even if your brand legally sells one of these categories, carriers will filter or block your traffic unless you have explicit age-gated carrier approval. Cannabis and CBD traffic is blocked by T-Mobile on the 10DLC network regardless of state legality. If your product touches any SHAFT category, route that conversation through your platform's trust and safety team before you register the campaign.

Every marketing message should identify the sender. "Flash sale: 20 percent off sitewide" with no brand name is both a compliance issue and a conversion killer. Put the brand name in the first 25 characters of the message. This is the same principle that makes branded sender names work for email, covered in our guide on SMS marketing for DTC in 2026.

Link shorteners are another filter trigger. Public shorteners like bit.ly and tinyurl trip spam filters because they are heavily abused by phishing. Use a branded short domain through your SMS platform. Postscript, Attentive, and Klaviyo all provide branded domain options. Configure it before your first send, not after.

Frequency has to match what you disclosed at opt-in. If your consent language said "up to 6 messages per month," sending 12 is both a TCPA exposure and a guarantee of complaint spikes. Build a cap into your platform settings and respect it even during peak seasons. Black Friday is not a legal excuse to double your send volume on an unchanged consent disclosure.

Quiet hours are federally defined as before 8am and after 9pm in the recipient's local time zone. Some states tighten the window further. Your platform should handle time zone routing automatically if you have accurate zip code or area code data. Verify this by sending a test to a number in a different region and confirming the delivery time. A surprising number of brands discover on audit that their platform was sending in the sender's time zone instead of the recipient's.

Opt-out handling

STOP must work on the first message, from every number, every time. This is not negotiable. The federal standard also recognizes CANCEL, END, QUIT, UNSUBSCRIBE, and STOPALL as opt-out keywords. Your platform should catch all of them, plus common misspellings. When a user opts out, send one confirmation message acknowledging the opt-out, and then no further marketing ever. The confirmation message itself must not contain promotional content.

Opt-out has to be honored across campaigns, not just the one that received the STOP. If a subscriber opts out of a promotional flow, they are out of all marketing flows, including abandoned cart, browse abandonment, and winback. The platforms handle this correctly by default but it is worth verifying in your account settings, especially if you have migrated from another provider and imported a suppression list.

HELP must return meaningful information. The standard response includes the brand name, a support email or URL, and the language "Reply STOP to unsubscribe. Msg and data rates may apply." A reply of just "Thanks for contacting us" is not compliant. The purpose of HELP is to give a confused recipient a path to understand what they signed up for and how to leave.

Transactional messages, like shipping notifications and two-factor codes, have a narrower opt-out exemption, but only if the message is genuinely transactional. The moment a shipping update includes a "check out our new arrivals" promotional line, it becomes marketing and falls under the full consent and opt-out framework. Keep the transactional channel clean.

Keep the audit trail. For every opt-out you need a record of when it happened, which number, and which message triggered it. This lives in your platform by default but is one of the first things a compliance audit will request. If you ever run a full audit, our compliance audit service covers the exact evidence package that carriers and plaintiff counsel ask for.

Ongoing monitoring

Compliance is not a launch activity. The regulatory landscape shifts, your list ages, and subscriber behavior changes. Monthly monitoring catches drift before it turns into a filtering event or a demand letter.

Track the core health metrics weekly. Delivery rate should stay above 95 percent. Opt-out rate on any single campaign should stay below 1.5 percent, with a program-wide sustained rate under 0.5 percent. Complaint rate, which carriers calculate based on STOP replies and manual spam reports, is the leading indicator of trouble. A spike in opt-outs on a single send usually points to an audience or frequency issue. A sustained elevated complaint rate leads to carrier throttling and, eventually, campaign suspension.

Review state-specific rules quarterly. The Florida Telephone Solicitation Act and the Washington Commercial Electronic Mail Act both have provisions that differ from federal TCPA. Florida has a stricter micro-consent requirement, and Washington has rules around autodialer use that can surface unexpectedly. Other states are drafting similar laws. Your platform should maintain a state-rule matrix, but the responsibility for compliance sits with the sender, not the platform.

Audit your consent records once a quarter. Pick 20 random subscribers from the list and trace their opt-in. If you cannot produce the form, the timestamp, and the disclosure language they saw, remove them. It is better to have a smaller compliant list than a larger one with unknown exposure. This same discipline applies to list imports after acquisitions or platform migrations: never trust inherited consent without documentation.

Schedule a formal compliance review every quarter. Walk through this checklist, confirm each item still holds, and document the review. If something has drifted, fix it. If you are not sure whether something is compliant, ask. A quarterly hour of review time is dramatically cheaper than a single TCPA claim letter.

Rotate the content samples you have on file with the Campaign Registry when your messaging style changes significantly. If your brand voice evolved, if you launched a new product line, or if your frequency changed, update the samples so the registered campaign matches the traffic. A mismatch during a carrier audit is a common trigger for manual review.

Closing

-> Start with a clean consent capture, not a clean campaign calendar.
-> Register 10DLC before the first send, not after the first delivery failure.
-> Treat STOP and HELP as first-class features, not afterthoughts.
-> Audit quarterly, because the compliance perimeter moves faster than your roadmap.
