TCPA overview
The Telephone Consumer Protection Act (TCPA) is the primary federal law governing text messaging and telemarketing in the United States. Enacted in 1991 and updated multiple times, it applies to any message sent using an autodialer or prerecorded/artificial voice — which includes virtually all messages sent through the HoopAI platform.Key TCPA requirements
| Requirement | Details |
|---|---|
| Prior express consent | Required for informational/transactional messages |
| Prior express written consent | Required for marketing/promotional messages |
| Opt-out mechanism | Every message must include a way to opt out |
| Time restrictions | No messages before 8 AM or after 9 PM (recipient’s local time) |
| Identification | Messages must identify the sender |
| Record keeping | Maintain proof of consent for each contact |
Key TCPA principles
- Consent must be freely given — you cannot require SMS opt-in as a condition of purchase
- Consent must be channel-specific — email consent does not equal SMS consent
- Consent can be revoked at any time — and you must honor it immediately
- The burden of proof is on the sender — you must be able to demonstrate that consent was obtained
Consent types
Express consent vs express written consent
| Consent type | Required for | How to obtain |
|---|---|---|
| Express consent | Transactional messages (appointment reminders, order updates, account alerts) | Contact provides their phone number (verbally, web form, business card) |
| Express written consent | Marketing messages (promotions, sales, offers, newsletters) | Contact signs or checks a box agreeing to receive marketing texts with clear disclosure |
What qualifies as express written consent
The consent must include:- Clear disclosure that the person agrees to receive text messages
- Identity of the sender — your business name
- Description of messages — what type of texts they will receive
- Frequency disclosure — how often (e.g., “up to 4 messages per month”)
- Message and data rates — “Msg & data rates may apply”
- Opt-out instructions — “Reply STOP to unsubscribe”
- Consent is not a condition of purchase — must be stated explicitly
- Signature — physical signature, e-signature, or checkbox click (with timestamp)
By checking this box, you agree to receive marketing text messages from [Business Name] at the phone number provided. Consent is not a condition of purchase. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe. Reply HELP for help. [Privacy Policy link] [Terms link]
Opt-in best practices
- Web forms
- Keyword opt-in
- Paper forms
- Double opt-in (recommended)
- Verbal consent
The most common and most defensible opt-in method:
- Add a separate, unchecked checkbox for SMS consent (do not bundle with email consent)
- Include full disclosure text near the checkbox
- Log the timestamp, IP address, and form URL for each opt-in
- Link to your privacy policy and terms of service
Opt-out requirements
Required opt-out keywords
The following keywords must be supported and honored immediately:| Keyword | Action |
|---|---|
| STOP | Opt out of all messages |
| CANCEL | Opt out of all messages |
| END | Opt out of all messages |
| QUIT | Opt out of all messages |
| UNSUBSCRIBE | Opt out of all messages |
Opt-out confirmation message
When a contact replies with an opt-out keyword, the platform automatically sends a confirmation:“You have been unsubscribed and will not receive any more messages from this number. Reply START to resubscribe.”
The HoopAI platform handles opt-out keyword processing automatically. When a contact replies STOP (or any opt-out keyword), they are added to the Do Not Disturb (DND) list and no further messages will be sent.
Including opt-out language in messages
Every marketing message must include opt-out instructions. Best practice is to include them in every message:“Reply STOP to unsubscribe”This can be placed at the end of the message. For recurring message programs, include it at least once per month even in transactional messages.
Required message elements
Every SMS you send should include the following:| Element | Example | Required? |
|---|---|---|
| Business identification | ”[Business Name]:” at the start | Yes — recipients must know who is texting them |
| Opt-out instructions | ”Reply STOP to unsubscribe” | Yes — in the first message and periodically thereafter |
| Message frequency disclosure | ”Up to 4 msgs/month” | Yes — at opt-in; recommended in periodic messages |
| Data rates notice | ”Msg & data rates may apply” | Yes — at opt-in and in the first message |
| Help instructions | ”Reply HELP for help” | Recommended — required by some carriers |
Do Not Disturb (DND) settings
The HoopAI platform includes built-in DND management:| Setting | Description |
|---|---|
| Contact-level DND | Individual contacts can be marked as DND for all channels or specific channels (SMS, email, call, GMB, FB) |
| Auto-DND on STOP | Contacts who reply STOP are automatically set to DND for SMS |
| DND import | Upload a DND list to bulk-add contacts |
| DND override protection | DND contacts cannot be messaged even through workflows — the system blocks it |
| DND logging | All DND changes are timestamped for compliance records |
Re-opt-in process
A contact who previously opted out can re-subscribe only through their own action:- The contact texts START, YES, or UNSTOP to your number
- The platform removes the SMS DND flag
- A confirmation message is sent
- The re-opt-in is logged with a timestamp
You cannot re-subscribe a contact manually or through a workflow. The contact must initiate the re-opt-in themselves by texting your number. Only remove DND manually if the contact has explicitly requested to resubscribe through another channel (email, phone call, in person) and you document it.
Quiet hours and sending windows
Configuring quiet hours
Go to Settings > Business Profile > Sending Windows to set quiet hours:- Default: 8:00 AM - 9:00 PM (recipient’s time zone)
- Custom: Set your own window (must be within TCPA limits)
- Messages scheduled during quiet hours are queued and sent when the window opens
States with stricter time restrictions
| State | Allowed window |
|---|---|
| Florida | 8 AM - 8 PM |
| Oklahoma | 8 AM - 8 PM |
| Washington | 8 AM - 8 PM |
SMS content guidelines
Prohibited content (SHAFT)
Carriers prohibit SHAFT content on standard messaging campaigns:| Category | Examples |
|---|---|
| S — Sex/sexual content | Adult content, dating services with explicit content |
| H — Hate/harassment | Discriminatory content, threats, harassment |
| A — Alcohol | Alcohol sales, promotions, or advertising |
| F — Firearms | Gun sales, ammunition, weapons |
| T — Tobacco/cannabis | Tobacco products, vape, cannabis, CBD |
Some SHAFT categories can be sent through special campaign types with age-gating and additional carrier approval, but standard A2P 10DLC campaigns cannot include this content.
Additional content rules
| Rule | Details |
|---|---|
| No deceptive content | Messages must be truthful and not misleading |
| No phishing | No impersonating banks, government agencies, or other companies |
| No loan/debt content | Payday loans, debt consolidation — heavily filtered |
| Link shorteners discouraged | Carriers filter messages with bit.ly, tinyurl, etc. — use your own domain |
| Include business name | Recipients must be able to identify who sent the message |
| No excessive caps | ALL CAPS messages trigger carrier spam filters |
Carrier filtering
Even with proper A2P registration and consent, carriers may still filter messages. Common triggers:| Trigger | Why it happens | How to avoid |
|---|---|---|
| URL shorteners (bit.ly) | Associated with spam and phishing | Use your branded domain for links |
| High-frequency sending | Sudden spikes look like spam | Ramp up gradually |
| Identical messages to many recipients | Pattern matches spam behavior | Personalize messages with contact fields |
| ALL CAPS | Spam signal | Use normal capitalization |
| Special characters / emojis overuse | Can trigger filters | Use sparingly |
| ”Free”, “Winner”, “Prize” | Spam keywords | Avoid or rephrase |
| Unregistered number | No A2P 10DLC | Complete registration |
| Shared short link domains | Flagged across many senders | Use your own custom tracking domain |
| High opt-out rates | Indicates unwanted messaging | Only message opted-in contacts; provide value |
Compliance by number type
| Requirement | 10DLC (local) | Toll-free | Shortcode |
|---|---|---|---|
| A2P registration | Required | Not required | Not required |
| Toll-free verification | Not required | Required | Not required |
| Shortcode application | Not required | Not required | Required |
| TCPA consent | Required | Required | Required |
| Opt-out handling | Required | Required | Required |
| Quiet hours | Required | Required | Required |
| Content restrictions | SHAFT prohibited | SHAFT prohibited | SHAFT prohibited |
| Throughput | Based on trust score | 3 MPS standard | 100+ MPS |
| MMS support | Yes | Limited | No |
Record-keeping requirements
Maintaining thorough consent records is your primary defense in a TCPA dispute. If you cannot prove consent existed, the law presumes it did not.| Record | Retention period | Details |
|---|---|---|
| Opt-in timestamp | 5+ years | When consent was given |
| Opt-in method | 5+ years | Web form, keyword, paper, verbal |
| Opt-in source URL / form | 5+ years | Which form, URL, or campaign |
| IP address (web forms) | 5+ years | For web-based opt-ins |
| Exact consent language | 5+ years | The disclosure text shown at time of opt-in |
| Opt-out timestamp | 5+ years | When they opted out |
| Message logs | 5+ years | Content and delivery status |
| Double opt-in confirmation | 5+ years | Timestamp of YES reply |
Penalties for non-compliance
TCPA fines
| Violation type | Penalty per message |
|---|---|
| Negligent violation (unintentional) | $500 |
| Willful or knowing violation | $1,500 |
FCC enforcement
The Federal Communications Commission (FCC) can:- Issue notices of apparent liability with fines in the millions
- Mandate compliance plans with ongoing monitoring
- Refer cases to the Department of Justice for criminal prosecution in extreme cases
Carrier-level penalties
| Penalty | Description |
|---|---|
| Message filtering | Silently blocking your messages with no notification |
| Number suspension | Disabling your phone number entirely |
| Campaign rejection | Refusing your A2P 10DLC campaign registration |
| Throughput reduction | Lowering your message-per-second limits |
| Brand ban | Blocking all numbers associated with your brand (severe cases) |
How HoopAI helps with compliance
The platform includes several built-in compliance features:| Feature | How it helps |
|---|---|
| Auto-DND on STOP | Contacts who reply STOP are automatically blocked from receiving further messages |
| Opt-out keyword processing | STOP, CANCEL, END, QUIT, UNSUBSCRIBE all processed automatically |
| Quiet hours enforcement | Messages outside the sending window are queued until the window opens |
| DND protection in workflows | Workflows automatically skip DND contacts — cannot be overridden |
| Consent tracking | Platform forms log opt-in timestamp, source, and IP address |
| A2P Trust Center | Built-in brand and campaign registration management |
| Message logs | Full audit trail of all sent and received messages with timestamps |
| Unsubscribe link in emails | Automatically included in marketing emails (CAN-SPAM compliance) |
| DND bulk import | Upload DND lists to ensure known opt-outs are respected |
Frequently asked questions
Can I text someone who gave me their business card?
Can I text someone who gave me their business card?
Having someone’s phone number does not equal SMS consent. A business card exchange gives you permission to call them (arguably), but not to send automated text messages. You need explicit opt-in for SMS, ideally in writing for marketing messages.
Do I need consent for appointment reminders?
Do I need consent for appointment reminders?
Yes, but only express consent (not written consent). When a contact provides their phone number during booking, that generally constitutes express consent for transactional messages like appointment reminders. However, you cannot use that same consent to send promotional messages. Always include opt-out instructions.
Can I text existing customers without opt-in?
Can I text existing customers without opt-in?
Having a customer relationship does not automatically grant SMS consent. You need at minimum express consent (they knowingly provided their phone number) for transactional messages, and express written consent for marketing. Obtain explicit opt-in from all contacts.
Can I buy a phone number list and text them?
Can I buy a phone number list and text them?
Absolutely not. Purchased lists have no consent whatsoever. Texting a purchased list is one of the most common and most expensive TCPA violations. There is no shortcut — you must build your own opted-in list.
What if a contact replies STOP and then wants to resubscribe?
What if a contact replies STOP and then wants to resubscribe?
They can text START, YES, or UNSTOP to your number to resubscribe. The platform will automatically remove the DND flag. You can also manually remove DND status from their contact record if they request resubscription through another channel — but document the request.
Are automated workflow messages subject to TCPA?
Are automated workflow messages subject to TCPA?
Yes. Every SMS sent from your business, whether manual or automated through workflows, is subject to TCPA. In fact, automated messages are more regulated because they are sent via an autodialer by definition. Ensure every workflow that sends SMS only targets contacts with valid consent.
Do these rules apply to messages sent through the mobile app?
Do these rules apply to messages sent through the mobile app?
Yes. Messages sent through the LeadConnector mobile app are sent through the same phone system and are subject to all the same compliance requirements.
What if a contact opts out by saying something other than STOP?
What if a contact opts out by saying something other than STOP?
The platform automatically handles standard opt-out keywords (STOP, UNSUBSCRIBE, CANCEL, END, QUIT). If a contact sends a non-standard message like “please don’t text me anymore,” the system may not catch it automatically. Train your team to manually apply DND status when they see any opt-out intent in conversations.
Is there a difference between SMS and MMS compliance?
Is there a difference between SMS and MMS compliance?
No. MMS (picture messages) are subject to the same TCPA, A2P, and carrier compliance requirements as SMS text messages.
What about text messages to Canadian numbers?
What about text messages to Canadian numbers?
Canada is governed by CASL (Canadian Anti-Spam Legislation), not TCPA. CASL has similar consent requirements but different enforcement. If you message Canadian contacts, research CASL requirements separately. Other countries have their own regulations (GDPR for the EU, PECR for the UK, etc.).
Can I send political campaign messages?
Can I send political campaign messages?
Political messages have some TCPA exemptions but still require consent and are subject to carrier filtering. A2P 10DLC has specific political campaign use cases. Consult a compliance attorney for political messaging.
How long is SMS consent valid?
How long is SMS consent valid?
TCPA does not specify an expiration for consent, but industry best practice is to consider consent stale after 18-24 months of no interaction. Re-confirm consent periodically for contacts who have not engaged.
Messaging ramp progress
When you register a new A2P 10DLC campaign or activate a new phone number, your messaging throughput starts at a lower limit and increases over time as your sender reputation builds.How ramp-up works
- New campaigns start with a base throughput limit (messages per second)
- As you send messages with low opt-out and complaint rates, your throughput increases
- The platform displays your current ramp progress in Settings > Phone System > A2P Trust Center
- Ramp-up typically takes 2-4 weeks to reach full throughput
Increasing your limits
- Maintain opt-out rates below 2%
- Keep complaint rates near zero
- Send consistently rather than in large bursts
- Ensure all contacts have valid opt-in consent
- If your throughput seems stuck, contact support with your campaign details
Opt-out and sender info compliance settings
Configure compliance settings for your messaging at Settings > Business Profile > Communication Preferences:- Auto opt-out message — customize the confirmation message sent when a contact replies STOP
- Auto opt-in message — customize the confirmation when a contact replies START
- HELP response — set the message sent when a contact replies HELP (include your business name, contact info, and opt-out instructions)
- Sender identification — ensure your business name appears in every first message to a new contact
- Opt-out footer — optionally append “Reply STOP to opt out” to all outgoing messages
Forbidden message categories (US/Canada)
In addition to SHAFT content, the following message categories are prohibited or heavily restricted on A2P messaging:| Category | Status | Notes |
|---|---|---|
| Phishing or fraud | Prohibited | Impersonating other businesses or government |
| Loan/debt collection | Restricted | Requires special campaign approval |
| Gambling | Restricted | Requires age-gating and special campaign |
| Cryptocurrency | Restricted | Subject to carrier filtering |
| Lead generation for third parties | Restricted | Must have direct consent from the end consumer |
| Political messaging | Restricted | Requires dedicated political campaign registration |
| High-risk financial services | Restricted | Payday loans, credit repair heavily filtered |
In Canada under CASL, marketing messages require express consent. Transactional messages (order confirmations, appointment reminders) require implied consent at minimum. Canadian carriers enforce additional content filtering beyond US rules.
Updated messaging guidelines (2024-2025)
Recent carrier and regulatory updates affecting SMS compliance:- FCC one-to-one consent rule (effective 2025): Consent must be specific to the sender. Consent given to a lead generator does not transfer to the buyer of the lead.
- Increased carrier filtering: Carriers are using AI to detect spam patterns. Messages with identical content sent to large lists are more likely to be filtered.
- Short link restrictions: Major carriers block common URL shorteners (bit.ly, tinyurl.com). Use your own branded domain for links.
- 10DLC throughput tiers: The Campaign Registry has updated trust scores and throughput limits. Higher trust scores are awarded to brands with verified identities and clean sending histories.