Textline’s security and SMS compliance hub

Don’t get penalized for security and compliance mishaps. Learn the ins and outs of SMS compliance in this all-encompassing guide.

Overview

SMS, a lucrative and engaging communication channel, is highly regulated to protect customers. Before sending your first business text message, learn the key laws and regulations to ensure your outreach is compliant. 

In addition to general SMS compliance, many industries have rules that govern customer privacy. This means it’s also key to align your organization’s SMS strategy with those industry-specific regulations.

In this compliance hub, we’ll share Textline’s stand-out security offerings and how to ensure your text message strategy complies with the key regulations.

The Textline difference

Above all, Textline prioritizes security and compliance. There’s a reason Textline:

  • Is the most secure business texting platform 
  • Was the first to be truly HIPAA compliant
  • Earned a patent for its messaging consent feature

Textline’s unmatched security

Textline is compliant with TCPA, CCPA.

Textline’s security features to know

Customizable data retention
Sensitive data redaction
Admin controls
Automatic sign-out
Multi-factor authentication
SAML
Customer consent
Whitelisted IPs
Domain claiming
Configurable user roles

Textline’s comprehensive SMS compliance guide

The rule makers to know

Federal Communications Commission. The FCC is the agency that oversees and enforces texting legislation in the U.S. It has the authority to add new rules and modify guidelines. The commission’s goal is to protect consumers from unsolicited communications. 

The Cellular Telecommunications Industry Association. The CTIA is a national trade group representing the wireless communication industry. The group maintains principles and best practices for short-code and long-code texting. With these practices, the CTIA aims to maintain customer trust in business texting and the parties it represents.

The Federal Trade Commission. The FTC investigates text message fraud by businesses, bad actors, and more

The Campaign Registry. In response to the FCC cracking down on robocalls, mobile network operators like Verizon, AT&T, and T-Mobile created The Campaign Registry. TCR considers itself a reputation authority for business text messaging. The registry is a central repository where mobile carriers can reference information on who uses their networks and for what purpose. Businesses using application-to-person messaging campaigns must register their company to prevent message deliverability issues and spam complaints. The Campaign Registry aims to verify businesses and use cases to create more reliable and secure SMS messaging. 

The key texting compliance laws, regulations, and guidelines to know

The Telephone Consumer Protection Act of 1991. The TCPA is the fundamental law that governs phone communication. It protects consumers from unwanted calls, texts, faxes, and more. To ensure TCPA compliance, follow these key rules:

  • Always ensure customers opt into texts
  • Provide a way to opt out
  • Don’t contact customers on the do-not-call list
  • Don’t send marketing-related messages before 8am or after 9pm

Controlling the Assault of Non-Solicited Pornography And Marketing Act. The CAN-SPAM Act protects consumers from unwanted commercial messages. It applies mainly to email marketing messages but has since extended to marketing texts. Under the law, businesses sending commercial texts to mobile devices must make it clear that it’s an advertisement and provide a free way to opt out. Plus, companies have 10 days to honor opt-out requests. 

Cellular Telecommunications Industry Association guidelines. The CTIA guidelines and best practices exist to supply industry standards to maintain customers’ trust in the telecom industry. The main goal is to ensure parties exchange wanted and compliant text messages as outlined in the TCPA.

What to know about SMS opt-ins and opt-outs

The importance of opt-ins and opt-outs

An SMS opt-in means your customer permits you to text them. Business texting without this consent is against the law. In other words, don’t cold text your customers. 

Opt-outs are just as important and are required by law. Always provide a way for customers to stop receiving messages from your business. This includes unsubscribing contacts if they reply with words like STOP, END, or QUIT.

The levels of consent:

Double opt-in vs. single opt-in

The main difference between a double and single opt-in is whether or not a contact must confirm their SMS subscription choice a second time. A single opt-in means once a contact subscribes to SMS messages, they’ll begin receiving them. A double-opt-in means a user must provide express consent and confirm their subscription choice via text. See the following examples of a single vs. double opt-in. 

While not required by law, it’s a best practice to use a double opt-in process to ensure your contact knows what text communication they’ll receive. It’s also highly recommended for companies that exchange protected information and marketing messages. As a result, Textline requires businesses that want to send promotional or HIPAA-protected information to use our double opt-in consent feature.

How to encourage more opt-ins

Do you want to get more opt-ins? Here are a few ways to generate SMS subscribers.

Online forms

Capture more SMS signups by placing a clear and concise form fill on your website. You could create a pop-up ad or a landing page encouraging website visitors to enter their phone numbers.

If you’re using an online form, it’s a good idea to implement a double opt-in to confirm people’s choices and that they entered the right number.

Physical forms

If you have foot traffic in your store or office, consider using a paper form fill. Customers could check a box on a form you already use or write that they want you to contact them via SMS.

Remember, implementing a double-opt-in is an excellent idea to confirm people’s choices.

Text-to-join campaigns

Text-to-join campaigns, often called text-to-subscribe or text-to-sign-up, encourage customers to text a keyword to your phone number to opt-in. You could advertise, share the keyword on your website, or promote it on social media bios. If you use this opt-in type, you’ll want to send a confirmation text immediately with terms and conditions, text frequency, and opt-out instructions.

Promote your texting number

To encourage more contacts to text your business first and gain implied consent, you could promote your business texting number on your website, social media profiles, or advertisements.

What to include in your opt-in message for express written consent
  • Business name
  • Message type (ex: marketing, informational, automated)
  • Message frequency
  • Opt-out instructions
  • Help instructions
  • Links to privacy and terms/conditions
  • Message data and frequency disclosure
  • Acknowledge that opt-in is not a condition of purchase (for marketing texts)

Here’s an example of an opt-in message with the required vocabulary:

<span class="chat-bubble">By signing up via text, you agree to receive recurring automated marketing text messages from Textline at this cell phone number. Consent is not a condition of purchase. Reply HELP for help or STOP to cancel. Message frequency varies. Message and data rates may apply. View our terms and privacy here: [link].</span>

Message use case considerations

Promotional messaging. These are your marketing and sales messages. To send SMS marketing messages, you’ll need to get express written consent from your contacts. Textline requires companies that want to use our platform for SMS marketing to get a double opt-in from customers. This is to protect your business and ensure compliance.

Informational messaging. Sometimes called transactional messages, these are non-promotional text messages that provide customers with important information. Some common examples include appointment reminders, welcome texts, order updates, and flight delay alerts.

These messages require prior express consent. Customers must know they agree to get informational messages and alerts from your business. While only express consent is needed, Textline recommends getting express written consent in these cases to protect your business and confirm the opt-in choice.

It’s important to note that the CTIA says that messages that contain any call-to-action can be considered promotional. As a result, if you’re including a CTA, make sure you have that express written consent.

Conversational messaging. This is defined as back-and-forth texting in real-time. For this message type, a customer must initiate a text conversation with your business, and you can ONLY reply with messages related to their inquiry. A great example is customer support via SMS. This messaging type only needs implied consent. That’s because customers expect to have a back-and-forth conversation about the topic. Please note that you can’t discuss unrelated topics or add these contacts to your SMS marketing lists in the future.

New vetting requirements for 10DLCs

As of January 2023, there’s a new vetting requirement for 10-digit long code numbers. This requirement comes from the Direct Connect Aggregators, which act as an intermediary between SMS software like Textline and the mobile carriers like AT&T or Verizon. These SMS aggregators help direct SMS traffic to the right carrier and help enforce compliance regulations set by the CTIA, TCPA, and the carriers. 

With the new vetting process, businesses wanting to use 10DLC numbers must submit their business name, phone number, and messaging use case for approval. No messaging can take place from this 10DLC until you’re approved. The goal of the process is to reduce spam messages. The vetting fee is $15. Getting approval for your texting campaign can take two to three weeks.

To get the approval you’ll need to prove your business is legitimate, share your message use case, and share how you’re getting opt-in from customers. You can submit your campaign for vetting in Textline. We have a form that will help you submit the necessary information.

Campaign Registry requirements

The Campaign Registry is used by mobile network operators like Verizon, AT&T, and T-Mobile. The registry was created so the MNOs can verify that messages being sent to their users come from trusted businesses. Businesses using 10DLCs must register, or they will face message deliverability issues and fees for not registering.

To register, businesses need to submit data about their brand and what types of messages they’ll send. 

The first step describes brand information. You’ll need to submit:

  • Legal company name
  • Doing business as name (if applicable)
  • Country of operation
  • What type of legal form is the organization?
  • Tax number/ID/EIN
  • Full address
  • Website
  • Stock symbol (if a publicly-traded company)
  • Stock exchange
  • Vertical or industry
  • Company size
  • Support e-mail
  • Support phone number
  • Support contact name (first and last)

The second step is submitting information about how you will use each of your phone numbers. You’ll need to share:

  • Use case
  • Vertical/industry
  • Message content and attributes
  • Two example messages
  • How you’re gaining consent to text (with examples)

If your business doesn’t want to use a 10DLC, a toll-free number remains a great option. Toll-free numbers still require a verification process but require less information and are often a bit quicker to implement.

Off-limit and highly restricted topics

Some topics are off-limit or heavily restricted in business texting. The topics fall under the acronym SHAFT, which stands for sex, hate, alcohol, firearms, or tobacco. 

Businesses should generally avoid these topics. There are some exceptions for alcohol if your business meets age-gating requirements, but you should contact Textline before sending texts to ensure you are set up correctly.

There are also other forbidden topics for SMS messages: illegal substances (including cannabis), high-risk financial services, third-party lead generation services, debt collection, get-rich-quick schemes, prescription drugs, and deceptive marketing.

Compliance violations and penalties

The cost of violations

Violating the TCPA can result in fines of $500 to $1,500 per unsolicited text message. Some carriers will even levy fines of up to $10,000 for repeated violations. But remember that there’s no liability cap if a lawsuit is brought against your business. That’s why compliance is key and why Textline takes compliance seriously.

Carrier violations

Carriers monitor and filter SMS traffic. Your text will not be delivered when your message gets flagged as objectionable or as a perceived violation from the carrier’s perspective. As a result, make sure that your texts are compliant.

Number shutdowns

Carriers, SMS aggregators, and SMS service providers can shut down your business texting number for repeated violations.

A quick compliance checklist

In summary, follow these eight essential steps to help stay compliant with SMS regulations.

  1. Create an opt-in procedure
  2. Always allow opt-outs
  3. Keep industry-specific regulations, like HIPAA, top of mind
  4. Share terms, conditions, and privacy policy
  5. Ensure you use required verbiage like text frequency and message type upon opt-in
  6. Pay attention to time zone
  7. Stay away from off-limit topics
  8. Register your business and number(s) with the necessary parties

View an in-depth checklist here.

The bottom line

While SMS compliance and security may seem daunting, it’s not when you choose the right SMS provider. Textline complies with the TCPA and international texting laws, follows CTIA regulations, and adheres to industry-specific laws like HIPAA. Plus, we’ll keep you informed on changing requirements.

To see how Textline works, schedule a demo today.

Disclaimer: Please note this compliance hub is for informational purposes only. It’s not intended to substitute legal advice from a qualified attorney.

Start texting now.

Sign up for a free 14-day trial today. No credit card required.

Sign up now
No credit card required

Questions? Text us: +1 415-849-4349 or contact us here.