One non-compliant text campaign can cost more than your company makes in a year.
Business texting is now a core workflow. Service teams, field operations, customer support, and internal coordination all run on SMS. And as more communication moves to text, IT ends up responsible for the governance, identity controls, and compliance rules that determine what gets delivered and what gets blocked.
As the regulatory environment continues to mature, business texting compliance is no longer optional.
Carriers require 10DLC registration for every business sending A2P SMS. The TCPA imposes penalties of $500 to $1,500 per unlawful text, with no cap on total liability. Enforcement is accelerating, too. TCPA class actions rose 112% year-over-year in Q1 2025, with nearly 80% of all TCPA lawsuits filed as class actions. By March 2026, filings hit an all-time monthly record of 220 class actions.
Organizations that treat business texting compliance as an IT governance discipline, not a marketing checkbox, avoid the delivery failures, carrier blocks, and legal exposure that catch most teams off guard.
Here are 15 compliance responsibilities every IT leader should understand before scaling compliant business texting.
1. Get 10DLC registration right the first time
10DLC registration is required for any business sending application-to-person (A2P) SMS in the United States.
Carriers use it to verify senders, reduce spam, and control message throughput. Without it, your messages get throttled, blocked, or fined. Since February 2025, unregistered 10DLC messages have not been delivered at all.
Registration includes two parts:
- Brand registration: Legal entity details, EIN, address, and website. This verifies your organization is a real business.
- Campaign registration: Why you send messages, how recipients opted in, and sample messages. This tells carriers what traffic to expect.
Carriers check these details closely. If opt-in language, use-case descriptions, or sample content are inconsistent, messages get throttled or blocked. Most approval delays happen because registration forms were submitted with mismatched information.
What matters after registration is your trust score. Carriers assign scores based on your brand verification and campaign details. Scores between 75 and 100 allow up to 225 messages per second, while lower scores can reduce throughput to as few as 12 messages per second. A low score means your campaign is technically live but practically throttled.
Carrier fines are separate from TCPA penalties. T-Mobile fines up to $10,000 per violation for non-compliant 10DLC traffic. AT&T and other carriers have their own penalty structures. That means a single non-compliant campaign can trigger both carrier fines and TCPA damages at the same time.
2. Know the difference between transactional and marketing consent
| | Transactional messages | Marketing messages |
| --- | --- | --- |
| Consent required | Express consent | Prior express written consent (higher bar) |
| Examples | Order confirmations, appointment reminders, shipping updates, account alerts | Promotions, product offers, loyalty campaigns, upsell messages |
| Key risk | Must be related to the original transaction | Cannot rely on consent given for a different purpose |
3. Treat consent and opt-outs as non-negotiable compliance controls
SMS compliance starts with permission. CTIA, TCPA, and carrier rules all require businesses to prove how a recipient opted in, honor opt-outs immediately, and maintain a complete record of those changes. Any gap exposes the organization to fines, delivery issues, or legal challenges.
What the FCC changed in 2025
The FCC’s updated consent revocation rules took effect in April 2025. Three changes matter most for IT teams managing business texting compliance:
- Any reasonable means: Consumers can now revoke consent through any reasonable method, not just by replying STOP. That includes email, phone calls, website forms, or even a verbal request. If the intent to stop receiving messages is clear, it counts.
- 10 business days: Organizations must process revocation requests within 10 business days. The previous 30-day window is gone. Any system that does not process opt-outs close to real time is a compliance risk.
- One confirmation message: After receiving an opt-out, businesses are allowed to send a single confirmation text. It cannot contain marketing content.
What is coming in 2027
A broader provision, sometimes called “revoke-all,” would require a single opt-out to apply across all message types from the same sender. If a customer opts out of marketing texts, that revocation would also cover transactional and informational messages. The FCC delayed this requirement to January 2027, but organizations should start preparing their systems now.
Separately, the FCC’s proposed one-to-one consent rule, which would have required seller-specific consent, was vacated by the 11th Circuit in January 2025. The existing TCPA consent requirements remain fully in effect, but the narrower one-to-one standard is no longer law.
4. Respect quiet hours and state-level sending restrictions
The TCPA restricts marketing texts to between 8 AM and 9 PM in the recipient’s local time zone. But several states have set stricter limits. Florida and Oklahoma cut off sending at 8 PM. Texas SB 140, which took effect in September 2025, sets the permitted window to start at 9 AM and imposes treble damages for timing violations. That means a time-of-day mistake in Texas triggers three times the standard TCPA compliance penalty, plus mandatory attorney’s fees.
This is not a theoretical risk. In March 2025, a single South Florida law firm filed over 100 TCPA lawsuits alleging time-of-day text message violations. For IT teams managing multi-state SMS programs, the safest operational window is 9 AM to 8 PM in the recipient’s local time zone.
5. Track state laws that go beyond federal TCPA requirements
At least 15 states have their own SMS compliance laws governing how businesses can text consumers. Several go well beyond what the federal TCPA requires. For enterprises texting across state lines, compliance means following the most restrictive rule that applies to each recipient’s location.
- Florida (FTSA): Broader autodialer definition than federal TCPA. Consent expires after 18 months. Limits contact attempts to 3 per 24 hours. Restricts sending to 8 a.m. to 8 p.m. Prohibits texting on Sundays.
- Oklahoma (OTSA): Mirrors much of Florida’s framework. Expanded autodialer definition. Caps commercial solicitation at 3 attempts per 24 hours. Private right of action for violations.
- Virginia: Requires honoring opt-outs for 10 years, double the federal standard. A consumer who opts out in 2026 must remain suppressed until at least 2036.
- Texas (SB 140): Effective September 2025. Restricts automated messages to 9 a.m. to 9 p.m. Treble damages plus mandatory attorney’s fees for violations.
- California (CCPA): Grants consumers data privacy rights over phone numbers collected for SMS campaigns. Businesses must provide transparent privacy notices and honor data deletion requests.
This is not a comprehensive list, and state laws change through legislation, court rulings, and regulatory action. Organizations texting at scale should consult qualified legal counsel for the specific states in their footprint.
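The send-window rules from sections 4 and 5 can be enforced as a pre-send gate in the messaging pipeline. The sketch below is an added example, not code from the original page or from any vendor it names; it encodes only the hours quoted on this page, and the `Window` type, function names, the 8 AM start for Oklahoma, and the fixed-offset sample time zones are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Tuple

@dataclass(frozen=True)
class Window:
    start_hour: int            # first permitted local hour (inclusive)
    end_hour: int              # cut-off local hour (exclusive, the conservative reading)
    no_sunday: bool = False

# Hours as stated on this page only; not a complete list of state rules.
FEDERAL = Window(8, 21)
STATE_WINDOWS = {
    "FL": Window(8, 20, no_sunday=True),
    "OK": Window(8, 20),       # page gives the 8 PM cut-off; the 8 AM start is assumed
    "TX": Window(9, 21),
}
SAFE_DEFAULT = Window(9, 20)   # the page's "safest" window, used when the state is unknown

def window_for(state: Optional[str]) -> Window:
    """Most restrictive of the federal window and the recipient state's window."""
    if not state:
        return SAFE_DEFAULT
    s = STATE_WINDOWS.get(state.upper(), FEDERAL)
    return Window(max(s.start_hour, FEDERAL.start_hour),
                  min(s.end_hour, FEDERAL.end_hour), s.no_sunday)

def may_send(send_at: datetime, state: Optional[str], tz: tzinfo) -> Tuple[bool, str]:
    """Decide on the recipient's local wall clock, never the server's."""
    if send_at.tzinfo is None:
        raise ValueError("send_at must be timezone-aware")
    local, w = send_at.astimezone(tz), window_for(state)
    if w.no_sunday and local.weekday() == 6:
        return False, "sunday"
    if not w.start_hour <= local.hour < w.end_hour:
        return False, "quiet-hours"
    return True, "ok"

def next_permitted(send_at: datetime, state: Optional[str], tz: tzinfo) -> datetime:
    """Earliest UTC instant at or after send_at that passes may_send (for deferral)."""
    local, w = send_at.astimezone(tz), window_for(state)
    for _ in range(8):         # at most one week of roll-forward
        if (w.no_sunday and local.weekday() == 6) or local.hour >= w.end_hour:
            local = (local + timedelta(days=1)).replace(
                hour=w.start_hour, minute=0, second=0, microsecond=0)
        elif local.hour < w.start_hour:
            local = local.replace(hour=w.start_hour, minute=0, second=0, microsecond=0)
        else:
            return local.astimezone(timezone.utc)
    raise RuntimeError("no permitted slot found")

# Constructed sample zones: fixed offsets keep the example offline.
# A real deployment would pass zoneinfo.ZoneInfo objects so DST is handled.
CST = timezone(timedelta(hours=-6))
EST = timezone(timedelta(hours=-5))
```

Deferring a blocked message to `next_permitted` instead of dropping it keeps transactional flows working while the gate stays strict.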
6. Understand how AI-generated messages are treated under TCPA
The FCC’s February 2024 declaratory ruling confirmed that AI-generated voices qualify as “artificial voices” under the TCPA. The same consent and disclosure requirements that apply to traditional automated calls and texts also apply to AI-generated or AI-assisted messages.
For organizations using AI tools to draft, personalize, or auto-respond to business SMS content, this means those messages must be captured within the same consent and registration framework as any other automated send. AI does not create a carve-out or a different compliance standard. It raises the same obligations.
This matters especially as AI-powered messaging platforms become more common. Any platform that uses AI to generate responses, suggest reply content, or automate conversations on behalf of your business is subject to these rules.
7. Manage reassigned phone number risk
The FCC estimates that approximately 35 to 37 million phone numbers in the United States are reassigned to new subscribers each year. When a number is reassigned, the previous owner’s consent does not transfer to the new subscriber. Texting that number means you are contacting someone who never agreed to hear from you. That is a TCPA violation.
This is a growing litigation driver. Reassigned number cases are straightforward for plaintiffs to prove and difficult for businesses to defend. The FCC operates a Reassigned Numbers Database that provides a safe harbor for businesses that check it before sending. Regularly validating contact databases against reassigned number records, purging inactive numbers, and monitoring bounce and error rates are practical steps IT teams can take to reduce exposure.
8. Keep identity under IT control with centralized authentication
Unmanaged texting tools create identity gaps that IT cannot track or secure. When employees use personal phones or standalone SMS apps, there is no reliable way to enforce MFA, apply conditional access, control permissions, or remove access when someone leaves the company. This is one of the biggest compliance and security risks in business SMS.
Centralized authentication fixes that by tying SMS access to the identity systems your organization already governs:
- Microsoft Entra ID for identity and access management
- Existing MFA and conditional access policies
- Automatic deprovisioning when accounts are disabled
- SSO across collaboration and messaging platforms
No extra logins, separate credentials, or unmanaged devices sending customer-facing messages. IT stays in full control of who can text, when they can text, and which systems enforce the rules.
9. Use role-based permissions to control access and visibility
SMS gets messy when teams share logins, manage conversations from personal devices, or have broad access they do not actually need. This creates compliance gaps, complicates audits, and increases the risk of sensitive information reaching the wrong people.
Role-based permissions give IT the structure needed to control access and enforce proper separation of duties. Each user should be assigned the level of access appropriate for their role: members handling day-to-day conversations, managers overseeing queues and workload distribution, admins configuring routing and system behavior, and workspace owners maintaining full visibility and technical governance.
A structured permission model eliminates the shadow workflows that form when teams rely on shared numbers or generic login credentials. Every action is tied to a verified user, whi
10. Align SMS records with enterprise retention, archiving, and eDiscovery
SMS cannot sit outside your compliance and data governance policies. Regulators expect organizations to retain message history, document consent, and produce records during audits or investigations. Without an archiving strategy, SMS becomes a blind spot that creates risk the moment a customer dispute or regulatory request comes in.
Enterprise archiving integration should give IT the ability to:
- Apply long-term retention rules: Message data follows the same policies as email, chat, and voice.
- Capture full message history: Including media, timestamps, and sender identity.
- Preserve consent events: Every opt-in, opt-out, and consent change is logged and retrievable.
- Support legal holds and eDiscovery: Records can be placed on hold and searched during investigations.
Platforms like Microsoft Purview, Smarsh, and Global Relay handle this for email and voice. SMS should follow the same path. When text messages are stored alongside compliance call recordings and chat logs within a single retention framework, eDiscovery becomes straightforward.
11. Centralize business texting inside your collaboration stack
Enterprise texting becomes much easier to govern when it lives inside the platforms your organization already uses and secures. Running texting through personal devices or standalone tools fragments identity, scatters records, and creates compliance gaps. Bringing SMS into Microsoft Teams or Webex through a platform like Teams-native texting fixes that.
- One policy engine: Security, compliance, and retention rules already in place apply automatically to SMS.
- One identity system: SSO, MFA, and conditional access stay consistent across calling, chat, and texting.
- One onboarding and offboarding process: New hires get access through standard provisioning. Access shuts off when accounts are disabled.
- Reduced shadow IT: No more personal numbers used for business communication.
When SMS sits inside your collaboration ecosystem alongside Teams Phone and voice, governance becomes simpler and more predictable. Teams send messages from the tools they already use, and IT maintains full oversight across channels. RCS (Rich Communication Services) is also emerging as a richer messaging format that supports branded sender profiles, read receipts, and media. Platforms that support both SMS and RCS from within your collaboration stack will simplify the transition as carrier adoption grows.
12. Follow carrier content rules to avoid filtering and blocked messages
Even with proper 10DLC registration, carriers still evaluate the content of every message. They use CTIA guidelines and internal filtering systems to flag traffic that resembles spam, fraud, or high-risk categories. This is one of the most common reasons compliant organizations see business SMS messages silently fail.
High-risk or restricted content includes:
- SHAFT categories: Sex, hate, alcohol, firearms, and tobacco.
- Financial content: Payday loans, unlicensed financial offers, or debt relief services.
- Misleading promotions: Unclear “free” claims, excessive urgency, or legal-sounding threats.
- URL issues: Masked or misleading URLs, or links to unverified domains.
- Sweepstakes language: Contest or giveaway messaging without proper disclosures.
Carriers can block or throttle a campaign if these patterns appear, even once. For IT teams, this means compliance covers both registration and ensuring day-to-day messages stay within acceptable guidelines. Organizations running contact center workflows over SMS should build content review into their agent training and quality assurance processes.
13. Watch messaging frequency and behavioral patterns that affect reputation
Carriers do not just score content. They also score sender behavior. Even legitimate businesses can trigger spam controls when their sending patterns resemble automated abuse.
Risky patterns include spikes in volume with no sending history, high bounce or error rates, high opt-out rates after campaign launches, repetitive or near-identical outbound messages, and bulk sends without confirmed opt-in. These behaviors degrade your sender reputation and can lower throughput or cause campaigns to be suspended. This often happens quietly, leaving IT teams troubleshooting delivery issues that stem from reputation decay rather than technical failure.
Consistent, predictable sending patterns help maintain strong deliverability across all carriers. Routing traffic through approved, compliant 10DLC campaigns that carriers trust is the foundation.
14. Use trusted URLs and domains to avoid carrier phishing blocks
URL reputation is a major filter point for A2P SMS. Carriers automatically inspect URLs inside messages and score them based on historical behavior, age, redirects, and known spam associations.
Risk factors include:
- Public link shorteners: Services like bit.ly and tinyurl are frequently associated with spam traffic.
- Redirect chains or masked domains: Multiple redirects before reaching the final destination raise filtering flags.
- Newly created domains: Domains with no sending history are treated as higher risk.
- Domains tied to past spam reports: Historical reputation follows a domain, even under new ownership.
Even if your content is clean, a risky URL can lead to filtering or complete blocking of your SMS traffic. Using branded domains and consistent, reputable landing pages improves trust and reduces carrier intervention.
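An organization-side pre-send check can catch the URL risk factors listed above before a carrier does. This is an added example, not code from the original page and not a description of how carriers score URLs; the function names, finding labels, and the `example.com` branded domain are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

PUBLIC_SHORTENERS = {"bit.ly", "tinyurl.com"}   # the two services the page names
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _under(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.

    A plain substring or startswith test would accept look-alike hosts
    such as example.com.evil.test, so match on the label boundary.
    """
    return host == domain or host.endswith("." + domain)

def lint_urls(body: str, branded_domains: set) -> list:
    """Return [(url, [findings])] for every URL in an outbound message body."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")          # drop sentence punctuation after the link
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:                   # e.g. malformed bracketed host
            results.append((url, ["unparseable"]))
            continue
        findings = []
        if parts.username is not None:       # https://brand@other-host/ hides the real host
            findings.append("userinfo-masks-host")
        if any(_under(host, s) for s in PUBLIC_SHORTENERS):
            findings.append("public-shortener")
        elif not any(_under(host, d.lower()) for d in branded_domains):
            findings.append("unbranded-domain")
        results.append((url, findings))
    return results

def message_is_clean(body: str, branded_domains: set) -> bool:
    """Gate for the send queue: every URL must resolve to a branded domain."""
    return all(not findings for _, findings in lint_urls(body, branded_domains))

# Constructed sample messages (example.com and .test are reserved names).
BRANDED = {"example.com"}
GOOD = "Your invoice is ready: https://pay.example.com/invoice/42. Reply STOP to opt out."
SHORT = "Track your order at https://bit.ly/abc123"
MASKED = "Confirm here: https://example.com@bit.ly/x"
LOOKALIKE = "Log in at https://example.com.evil.test/login"
```

Redirect chains and domain age cannot be judged from the message text alone, so this check covers only what is visible in the body.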
15. Include required disclosures for regulated or sensitive campaign types
Certain SMS use cases require specific disclosures or message structures to stay compliant. Missing one of these details can result in carriers downgrading your campaign or rejecting messages outright.
Here are a few use cases where a disclosure is often required:
- Promotional content: May require recurring opt-out reminders in the message body.
- Franchise or multi-location brands: Must clearly identify the brand in each message to avoid misleading recipients.
- Data-rate disclosures: Some opt-in flows require language like “Msg & data rates may apply.”
- Authentication and OTP campaigns: Must follow strict formatting and cannot include marketing content in the same message.
- Informational services: Must match the exact use case submitted in 10DLC registration. Any deviation risks carrier rejection.
These rules exist to protect consumers from misleading or unclear communication. For IT teams, they often go unnoticed until a carrier flags a campaign. Ensuring disclosures match carrier expectations keeps traffic compliant and predictable.
How to build a compliant business texting program that scales
SMS compliance is unforgiving. Carrier rules shift, state laws expand, federal enforcement accelerates, and one mistake can hurt deliverability or expose your organization to significant legal risk.
The 15 responsibilities above are not one-time checkboxes. They are ongoing operational requirements that need the same governance, visibility, and accountability you apply to every other communication channel.
Momentum Messaging, powered by Clerk Chat, brings AI-powered business texting to Microsoft Teams and Webex, aligned with the compliance, security, and authentication models IT already manages. Registration is handled end-to-end. Consent management, opt-out enforcement, and archiving are built in. Identity stays centralized through Microsoft Entra ID and existing conditional access policies. And every message runs through approved, compliant 10DLC campaigns that carriers trust.
Let Momentum manage the complexity so your IT teams can focus on scaling compliant business texting with confidence.
Talk to a Momentum SMS expert today about building a compliant, fully registered business texting program inside Microsoft Teams and Webex.
FAQs
What is 10DLC, and why does it matter for business texting?
10DLC is the registration system US carriers use to verify businesses sending A2P SMS through standard 10-digit phone numbers. It requires both brand registration (legal entity details) and campaign registration (use case, opt-in method, sample messages). Without registration, messages are blocked, throttled, or subject to carrier fines. Registration is not optional. It directly determines whether your texts reach recipients at all.
Does TCPA apply to B2B text messages?
The TCPA primarily protects consumers in B2C contexts. But if you text a business contact’s personal cell phone using an autodialer or automated system, TCPA rules can apply. State laws may add further protections. The safest practice is to obtain documented consent regardless of whether the recipient is a consumer or a business contact.
What is the penalty for non-compliant business texting?
TCPA penalties range from $500 per unsolicited text to $1,500 for willful violations, with no cap on total liability. Carrier-level fines are separate. T-Mobile can fine up to $10,000 per 10DLC violation. Both can apply to the same campaign simultaneously. Nearly 80% of TCPA lawsuits are filed as class actions, meaning exposure scales quickly.
How long should businesses retain SMS records?
There is no single federal retention period, but the TCPA statute of limitations is four years. Storing consent records and message history for at least five years is standard practice. Industry-specific regulations like HIPAA, FINRA, and PCI may require longer retention. Virginia state law requires honoring opt-outs for 10 years, which creates its own long-tail data management obligation.