A single non-compliant text message can cost your business $1,500. Send 5,000 of them to people who never opted in, and you're staring down a $7.5 million class action — the exact amount Zales Jewelers settled for in 2025. Yet most small business owners running Klaviyo, Twilio, or EZ Texting campaigns think SMS marketing is "just email with phone numbers." It is not.
Text messaging is one of the most heavily regulated marketing channels in the United States. Between the federal Telephone Consumer Protection Act (TCPA), the carrier-mandated A2P 10DLC registration system, the CTIA's voluntary-but-enforced guidelines, and a fast-growing patchwork of state mini-TCPA laws, sending a promotional text in 2026 means juggling at least six overlapping compliance regimes — each with its own consent rules, penalty schedule, and audit trail.
This guide walks you through what actually matters for a small business running an SMS program: how A2P 10DLC registration works after carriers started blocking 100% of unregistered traffic in February 2025, what consent language the FCC requires now that the one-to-one rule has been vacated, which state laws will trip you up first, and how to build an audit-defensible paper trail that survives a demand letter from a serial plaintiff.
What Changed Between 2024 and 2026
If you set up your SMS program before 2025, the ground has shifted under your feet. Three big changes redrew the compliance map:
Mandatory A2P 10DLC registration. Since February 1, 2025, U.S. wireless carriers block 100% of unregistered Application-to-Person (A2P) traffic sent over 10-digit long codes. There is no soft filter, no warning period. Unregistered messages simply do not arrive. Every business sending automated, marketing, or transactional texts from a regular phone number must register a Brand and at least one Campaign through The Campaign Registry (TCR).
The FCC's one-to-one consent rule died. In January 2025, the Eleventh Circuit Court of Appeals vacated the FCC's controversial "one-to-one" consent rule on the eve of its effective date. The FCC formally eliminated the requirement in August 2025 and reinstated the pre-2024 "prior express written consent" standard. Lead generators and comparison shopping sites are no longer required to obtain a separate consent for every advertiser they share data with — but individual carriers, like AT&T and T-Mobile, have started setting their own one-to-one expectations through TCR campaign vetting.
State mini-TCPA laws keep multiplying. Texas joined the list on September 1, 2025, with SB 140, which introduced statutory damages up to $5,000 per violating text. Florida walked back parts of its FTSA in 2023, but the private right of action remains. Washington, Oklahoma, Maryland, and at least eight other states now have telemarketing rules that bind any business texting their residents — regardless of where the business is located.
A2P 10DLC: The Registration That Lets Your Texts Through
A2P 10DLC is the system that lets businesses send high-volume application-to-person messaging over standard 10-digit long codes (the regular phone numbers your customers see). It's run by The Campaign Registry, a centralized database that every U.S. wireless carrier checks before delivering your message.
Brand Registration
Your first step is registering your business as a "Brand." You provide:
- Legal business name and EIN (or your SSN if you're a sole proprietor)
- Business address, vertical, and website
- Stock exchange listing, if applicable
There are two tiers. Sole Proprietor Brand registration costs about $4 and unlocks lower throughput (typically capped at one message per second per carrier). Standard Brand registration costs around $4 for the brand itself plus $40 for one-time secondary vetting, and unlocks higher tiers based on a Trust Score assigned by an independent vetting partner.
A higher Trust Score means more messages per second, fewer carrier filtering issues, and better deliverability. Score is influenced by years in business, vertical risk, EIN match accuracy, and complaint history.
Campaign Registration
After your Brand is approved, you register each Campaign — a specific use case for messages. Examples:
- Marketing: Promotional offers, sales announcements, flash deals
- Account Notification: Order confirmations, shipping updates
- Customer Care: Support replies, appointment reminders
- 2FA / OTP: One-time passcodes for login
Each Campaign costs about $15 in one-time registration plus $1.50 to $10 per month. You must declare the use case, sample message content, opt-in flow, and call-to-action.
Per-Message Carrier Fees in 2026
After T-Mobile's January 2026 fee increase, per-message pass-through fees from the three major carriers stack up fast:
- AT&T: $0.002 per SMS, $0.0035 per MMS
- T-Mobile: $0.0025 per SMS (raised January 19, 2026)
- Verizon: $0.0025 per SMS, $0.005 per MMS
A small business sending 10,000 messages per month across the three networks now pays roughly $30 to $50 in carrier surcharges alone, on top of the platform's per-message rate from Twilio, Bandwidth, Klaviyo, or whichever provider you use.
TCPA Consent: What Counts as a Valid Opt-In
The TCPA requires prior express written consent before sending marketing or promotional text messages to a mobile number. Transactional or informational messages (order confirmations, appointment reminders) have a slightly lower bar — "prior express consent" — but in practice, most platforms require the same level of documentation for both.
A valid prior express written consent must be:
- In writing (a digital checkbox or signed form qualifies)
- Clear and conspicuous, with disclosure that the consumer is agreeing to receive automated marketing texts
- Not pre-checked — the consumer must take affirmative action
- Specific about who is sending, what kind of messages, and message frequency
- Not required as a condition of purchase — you cannot withhold a product unless someone agrees to be texted
A standard opt-in disclosure looks like this:
By providing your phone number and checking this box, you agree to receive recurring automated marketing text messages (e.g., promotions, cart reminders) from [Brand] at the number provided. Consent is not a condition of purchase. Msg & data rates may apply. Msg frequency varies. Reply HELP for help, STOP to cancel. View our Terms and Privacy Policy.
Skipping any of these elements — even just the "Msg & data rates" line — creates a vulnerability that demand-letter mills actively look for.
What "Prior Express Written Consent" Does Not Mean
Common mistakes that void consent:
- Pre-checked boxes
- Bundling SMS opt-in with email opt-in in a single checkbox
- Verbal consent during a phone call without follow-up confirmation
- "Implied consent" from a customer giving you their number on a contact form
- Consent obtained more than a few months ago without proof
- A purchased lead list, no matter what the seller promised
STOP, HELP, and the Real-Time Opt-Out Requirement
Both the TCPA and CTIA require that your platform recognize and honor stop keywords immediately. The mandatory keywords include:
- STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT, OPT OUT, OPTOUT, OPT-OUT
- HELP, INFO for assistance requests
When a consumer texts any STOP variant, you must:
- Stop sending all marketing messages to that number within 24 hours (best practice: real-time)
- Send a single confirmation message acknowledging the opt-out
- Suppress that number across every campaign for that brand — not just the campaign they opted out of
Under the FCC's April 2025 rules, businesses have up to 10 business days to process opt-outs across all systems. In practice, most enforcement actions involve businesses that took weeks or never processed the opt-out at all because their multi-channel marketing platform didn't sync.
A HELP keyword reply must identify your brand, give contact information for support, and remind the consumer how to opt out.
SHAFT, Time Windows, and Other Content Rules
The CTIA's SHAFT guidelines restrict messaging content involving Sex, Hate, Alcohol, Firearms, and Tobacco — including vape, CBD, and cannabis products even where state-legal. Carriers actively scan campaign sample messages for these categories and will reject your campaign at registration or block messages mid-stream.
Federal and state quiet-hours rules require that texts be sent only between 8:00 a.m. and 9:00 p.m. in the recipient's local time zone. Florida's FTSA and Oklahoma's OTSA tighten this further to 8:00 a.m. to 8:00 p.m. Oklahoma also limits you to no more than three messages per 24-hour period, even with valid consent.
URL shorteners owned by free services (bit.ly, tinyurl) trigger carrier filtering nearly automatically. Use a branded short domain or your provider's link shortening service.
The State Mini-TCPA Patchwork
Federal TCPA is the floor, not the ceiling. State telemarketing laws — generally called "mini-TCPAs" — bind any business that contacts a resident of that state, regardless of where the business is headquartered. The most active jurisdictions in 2026:
- Florida (FTSA): $500 per violation, treble damages for willful violations, calls and texts between 8 a.m.–8 p.m. recipient time, private right of action
- Texas (SB 140, effective September 1, 2025): Up to $5,000 per violation, expanded "telephone solicitation" to include text and image messages, private right of action
- Oklahoma (OTSA): $500–$1,500 per violation, three-call daily cap even with consent, 8 a.m.–8 p.m. window, private right of action
- Washington (CEMA): $500 statutory penalty plus attorneys' fees, attorney-general enforcement, private right of action for "repeated" violations
- Maryland (MTCPA): Mirrors federal TCPA structure with state-level private right of action
The compliance challenge here is logistical: you have to know what state each phone number is registered in (which is no longer a reliable indicator of where the person actually lives, thanks to number portability), and you have to apply the strictest applicable rule to each message you send.
Reputable SMS platforms maintain time-zone databases and quiet-hours suppression logic, but you remain liable for ensuring those features are configured correctly for your campaigns.
Documenting Consent for the Audit Trail
Whether you face an FTC inquiry, a state attorney-general investigation, or a TCPA class action, the defense always comes back to one question: can you prove this person opted in?
A defensible consent log captures for every subscriber:
- Source URL of the form or page where consent was given
- Timestamp in UTC
- IP address of the device that submitted the form
- Exact text of the disclosure shown to the consumer at that moment
- Browser user-agent string, when feasible
- Method (web form, in-store iPad, paper card, etc.)
- Opt-out events with the same metadata
Most SMS platforms store some of this automatically, but the burden is on you to verify it's there and exportable. A class-action plaintiff's lawyer will ask for this log on day one of discovery. If you can't produce it within 30 days, every text you sent that person is presumed unauthorized.
Keeping consent records in plain-text, version-controlled formats — rather than buried in a proprietary CRM that you might migrate away from — is a quietly powerful compliance practice. If your CRM disappears, your defense disappears with it.
Tracking the Real Cost of Your SMS Program
Compliance costs are easy to underestimate. A realistic monthly budget for a small business SMS program includes:
| Line Item | Typical Range |
|---|---|
| Brand registration (one-time) | $4–$48 |
| Brand vetting (one-time, standard brand) | $40 |
| Campaign registration (one-time, per campaign) | $15 each |
| Monthly campaign fee | $1.50–$10 per campaign |
| Platform per-message fee (Twilio, Bandwidth) | $0.0075–$0.012 per SMS |
| Carrier surcharges (AT&T + T-Mobile + Verizon) | $0.002–$0.005 per SMS |
| Consent management & legal review | $200–$2,000/month |
| TCPA insurance rider (recommended) | $50–$500/month |
Tracking these expenses separately in your bookkeeping is essential — not just for budgeting, but because TCPA insurance carriers and your eventual class-action defense lawyer will both want to see them broken out. If you ever face a demand letter, the first question your lawyer will ask is whether the cost of compliance was budgeted as a real line item rather than buried in a generic "marketing software" bucket.
A Practical Compliance Checklist for 2026
Before sending your next text, walk through this list:
- Brand and campaign registered with TCR, with current Trust Score on file
- Opt-in form with unchecked box, full TCPA disclosure language, and "consent not required for purchase" language
- Separate SMS terms and conditions linked from the opt-in form, distinct from general website terms
- Consent log with timestamp, IP, user-agent, source URL, and disclosure text for every subscriber
- STOP / HELP keyword automation tested across every campaign with a live phone
- Time-zone suppression configured to honor 8 a.m.–8 p.m. local time (or 9 p.m. for federal-only campaigns)
- State suppression lists for Florida, Texas, Oklahoma, Washington, and Maryland with appropriate frequency caps
- SHAFT content review for every promotional message
- Link shortener using a branded or platform-provided domain — never bit.ly
- TCPA insurance rider on your general liability policy
- Quarterly compliance audit of opt-in flow, consent records, and platform logs
- Vendor due diligence confirming your CSP and ESP have current TCR and CTIA compliance certifications
Keep Your Compliance Records Audit-Ready
Running a compliant SMS marketing program means generating a paper trail that has to survive years of discovery requests, carrier audits, and state attorney-general inquiries. The data is high-stakes — consent timestamps, IP addresses, opt-out logs, and the financial records of every per-message fee — and it has to remain accessible long after you've switched platforms.
Beancount.io gives you plain-text accounting that's transparent, version-controlled with git, and easy to audit. When your TCPA insurance carrier or compliance counsel asks where your SMS program spending went last quarter, you can answer with a single grep — no vendor lock-in, no proprietary export format. Get started for free and see why developers and finance professionals are switching to plain-text accounting.