Don’t get penalized for security and compliance mishaps. Learn the ins and outs of SMS compliance in this all-encompassing guide.
SMS, a lucrative and engaging communication channel, is highly regulated to protect customers. Before sending your first business text message, learn the key laws and regulations to ensure your outreach is compliant.
In addition to general SMS compliance, many industries have rules that govern customer privacy. This means it’s also key to align your organization’s SMS strategy with those industry-specific regulations.
In this compliance hub, we’ll share Textline’s stand-out security offerings and how to ensure your text message strategy complies with the key regulations.
Above all, Textline prioritizes security and compliance. There’s a reason Textline:
Textline protects your information like it’s our own using encryption, monitoring, and team training. Plus, it’s jam-packed with security features like MFA, admin controls, and customizable data retention.
Textline keeps protected health information safe. It is the first truly HIPAA-compliant business texting software.
Textline is SOC 2 compliant, demonstrating our commitment to information security. We have the infrastructure, tools, and processes to protect against unauthorized access.
Federal Communications Commission. The FCC is the agency that oversees and enforces texting legislation in the U.S. It has the authority to add new rules and modify guidelines. The commission’s goal is to protect consumers from unsolicited communications.
The Cellular Telecommunications Industry Association. The CTIA is a national trade group representing the wireless communication industry. The group maintains principles and best practices for short-code and long-code texting. With these practices, the CTIA aims to maintain customer trust in business texting and the parties it represents.
The Federal Trade Commission. The FTC investigates text message fraud by businesses, bad actors, and more
The Campaign Registry. In response to the FCC cracking down on robocalls, mobile network operators like Verizon, AT&T, and T-Mobile created The Campaign Registry. TCR considers itself a reputation authority for business text messaging. The registry is a central repository where mobile carriers can reference information on who uses their networks and for what purpose. Businesses using application-to-person messaging campaigns must register their company to prevent message deliverability issues and spam complaints. The Campaign Registry aims to verify businesses and use cases to create more reliable and secure SMS messaging.
The Telephone Consumer Protection Act of 1991. The TCPA is the fundamental law that governs phone communication. It protects consumers from unwanted calls, texts, faxes, and more. To ensure TCPA compliance, follow these key rules:
Controlling the Assault of Non-Solicited Pornography And Marketing Act. The CAN-SPAM Act protects consumers from unwanted commercial messages. It applies mainly to email marketing messages but has since extended to marketing texts. Under the law, businesses sending commercial texts to mobile devices must make it clear that it’s an advertisement and provide a free way to opt out. Plus, companies have 10 days to honor opt-out requests.
Cellular Telecommunications Industry Association guidelines. The CTIA guidelines and best practices exist to supply industry standards to maintain customers’ trust in the telecom industry. The main goal is to ensure parties exchange wanted and compliant text messages as outlined in the TCPA.
The importance of opt-ins and opt-outs
Opt-outs are just as important and are required by law. Always provide a way for customers to stop receiving messages from your business. This includes unsubscribing contacts if they reply with words like STOP, END, or QUIT.
The levels of consent:
Double opt-in vs. single opt-in
The main difference between a double and single opt-in is whether or not a contact must confirm their SMS subscription choice a second time. A single opt-in means once a contact subscribes to SMS messages, they’ll begin receiving them. A double-opt-in means a user must provide express consent and confirm their subscription choice via text. See the following examples of a single vs. double opt-in.
While not required by law, it’s a best practice to use a double opt-in process to ensure your contact knows what text communication they’ll receive. It’s also highly recommended for companies that exchange protected information and marketing messages. As a result, Textline requires businesses that want to send promotional or HIPAA-protected information to use our double opt-in consent feature.
Do you want to get more opt-ins? Here are a few ways to generate SMS subscribers.
Capture more SMS signups by placing a clear and concise form fill on your website. You could create a pop-up ad or a landing page encouraging website visitors to enter their phone numbers.
If you’re using an online form, it’s a good idea to implement a double opt-in to confirm people’s choices and that they entered the right number.
If you have foot traffic in your store or office, consider using a paper form fill. Customers could check a box on a form you already use or write that they want you to contact them via SMS.
Remember, implementing a double-opt-in is an excellent idea to confirm people’s choices.
Text-to-join campaigns, often called text-to-subscribe or text-to-sign-up, encourage customers to text a keyword to your phone number to opt-in. You could advertise, share the keyword on your website, or promote it on social media bios. If you use this opt-in type, you’ll want to send a confirmation text immediately with terms and conditions, text frequency, and opt-out instructions.
To encourage more contacts to text your business first and gain implied consent, you could promote your business texting number on your website, social media profiles, or advertisements.
Here’s an example of an opt-in message with the required vocabulary:
<span class="chat-bubble">By signing up via text, you agree to receive recurring automated marketing text messages from Textline at this cell phone number. Consent is not a condition of purchase. Reply HELP for help or STOP to cancel. Message frequency varies. Message and data rates may apply. View our terms and privacy here: [link].</span>
Promotional messaging. These are your marketing and sales messages. To send SMS marketing messages, you’ll need to get express written consent from your contacts. Textline requires companies that want to use our platform for SMS marketing to get a double opt-in from customers. This is to protect your business and ensure compliance.
Informational messaging. Sometimes called transactional messages, these are non-promotional text messages that provide customers with important information. Some common examples include appointment reminders, welcome texts, order updates, and flight delay alerts.
These messages require prior express consent. Customers must know they agree to get informational messages and alerts from your business. While only express consent is needed, Textline recommends getting express written consent in these cases to protect your business and confirm the opt-in choice.
It’s important to note that the CTIA says that messages that contain any call-to-action can be considered promotional. As a result, if you’re including a CTA, make sure you have that express written consent.
Conversational messaging. This is defined as back-and-forth texting in real-time. For this message type, a customer must initiate a text conversation with your business, and you can ONLY reply with messages related to their inquiry. A great example is customer support via SMS. This messaging type only needs implied consent. That’s because customers expect to have a back-and-forth conversation about the topic. Please note that you can’t discuss unrelated topics or add these contacts to your SMS marketing lists in the future.
As of January 2023, there’s a new vetting requirement for 10-digit long code numbers. This requirement comes from the Direct Connect Aggregators, which act as an intermediary between SMS software like Textline and the mobile carriers like AT&T or Verizon. These SMS aggregators help direct SMS traffic to the right carrier and help enforce compliance regulations set by the CTIA, TCPA, and the carriers.
With the new vetting process, businesses wanting to use 10DLC numbers must submit their business name, phone number, and messaging use case for approval. No messaging can take place from this 10DLC until you’re approved. The goal of the process is to reduce spam messages. The vetting fee is $15. Getting approval for your texting campaign can take two to three weeks.
To get the approval you’ll need to prove your business is legitimate, share your message use case, and share how you’re getting opt-in from customers. You can submit your campaign for vetting in Textline. We have a form that will help you submit the necessary information.
The Campaign Registry is used by mobile network operators like Verizon, AT&T, and T-Mobile. The registry was created so the MNOs can verify that messages being sent to their users come from trusted businesses. Businesses using 10DLCs must register, or they will face message deliverability issues and fees for not registering.
To register, businesses need to submit data about their brand and what types of messages they’ll send.
The first step describes brand information. You’ll need to submit:
The second step is submitting information about how you will use each of your phone numbers. You’ll need to share:
If your business doesn’t want to use a 10DLC, a toll-free number remains a great option. Toll-free numbers still require a verification process but require less information and are quicker to implement.
Some topics are off-limit or heavily restricted in business texting. The topics fall under the acronym SHAFT, which stands for sex, hate, alcohol, firearms, or tobacco.
Businesses should generally avoid these topics. However, there are some exceptions around alcohol and tobacco. Those topics would be allowed only if your business meets age-gating requirements. Contact Textline before sending texts with these topics to ensure you are set up correctly.
There are also other forbidden topics for SMS messages: illegal substances (including cannabis), high-risk financial services, third-party lead generation services, debt collection, get-rich-quick schemes, prescription drugs, and deceptive marketing.
Violating the TCPA can result in fines of $500 to $1,500 per unsolicited text message. Some carriers will even levy fines of up to $10,000 for repeated violations. But remember that there’s no liability cap if a lawsuit is brought against your business. That’s why compliance is key and why Textline takes compliance seriously.
Carriers monitor and filter SMS traffic. Your text will not be delivered when your message gets flagged as objectionable or as a perceived violation from the carrier’s perspective. As a result, make sure that your texts are compliant.
Carriers, SMS aggregators, and SMS service providers can shut down your business texting number for repeated violations.
In summary, follow these eight essential steps to help stay compliant with SMS regulations.
While SMS compliance and security may seem daunting, it’s not when you choose the right SMS provider. Textline complies with the TCPA and international texting laws, follows CTIA regulations, and adheres to industry-specific laws like HIPAA. Plus, we’ll keep you informed on changing requirements.
To see how Textline works, schedule a demo today.
Disclaimer: Please note this compliance hub is for informational purposes only. It’s not intended to substitute legal advice from a qualified attorney.