Email & SMS marketing so good, it’s boring

You’ve got enough exciting stuff to worry about. Let us be the reliable platform you can depend on. Make an average $73* for every $1 you spend. So boring.

Start free Cancel any time | No credit card required

Drive sales on autopilot with ecommerce-focused features

See Features

SMS regulations 101: What you need to know

Reading Time: 9 minutes

Text marketing benefits any business. But like everything else in the world of commerce, you need to remain compliant to stay in everyone’s good graces — including your customers.

If you fail to follow guidelines and industry requirements, you could find yourself in serious legal trouble. This includes hefty fines and even blacklisting, both of which negatively impact your brand and bottom line.

Beyond the legalities, spamming customers with low effort messages is simply bad practice. It’s important to develop quality SMS marketing campaigns that engage your audience without violating nationwide regulations.

Let’s take a closer look at the critical SMS compliance considerations you need to know, as well as the best practices you can implement in all your texting campaigns.

SMS regulations in the US

If you plan on sending SMS messages to customers in the US, you’ll have two major regulations to consider: TCPA and CAN-SPAM.

Remaining compliant with each begins with a healthy understanding of why they were established and how they work.

TCPA

The Telephone Consumer Protection Act (TCPA) was established in 1991 to protect consumers from unsolicited marketing texts. This law requires that businesses receive documented consent before sending customers regular messages.

Specifically, this means that:

  • You can only send text messages to customers who have opted-in to receive them.
  • You need to obtain express written consent from customers before adding them to your marketing list.
  • You must post obvious consent language within the body of your text and signup forms.

Your brand must inform visitors about what it will do with their information — in this case, send SMS messages. People should never be forced to provide information to your business, and if they don’t want your texts anymore, they must be able to opt out as well.

There are some exceptions. Emergency messages do not require TCPA compliance. The same is true for nonprofits that don’t sell goods or services. And if you are sending a text on behalf of someone on a specific healthcare plan, TCPA will not apply at all.

Again, these are rare exceptions. The vast majority of ecommerce brands are expected to adhere to TCPA guidelines. Fail to do so, and you may be fined $500 per text message. If you break the law intentionally, your fine may be tripled to $1,500 per message.

There are several strategies you can use to stay compliant with TCPA:

Opt-in forms 

Paper, digital, and website signups must explain what SMS consent will mean for your customer.

opt-in form for collecting phone numbers
An example of Omnisend’s TCPA-compliant email & SMS popups

Within Omnisend, you’ll easily find a collection of email & SMS capture forms that make it easy to not only collect SMS subscribers, but also to ensure you’re compliant:

email and sms capture forms

Find out more about Omnisend’s TCPA-compliant signup forms.

Keyword text 

Contacts can reply ‘YES’ to opt into your campaign or stop receiving messages with a keyword like ‘STOP.’

At Omnisend, for example, people can text the word “join” to join your mailing list. 

Example of a short text "join" to join the mailing list

If they want to stop receiving messages from you, they can simple text “STOP” (if sending to a recipient outside of the United States or Canada, insert an unsubscribe link).

Example of a short text "stop" to unsubscribe from mailing list
An example from Omnisend customer Runway Rogue with an opt-out message

Consent messages 

Your contacts should always know why your company is contacting them and what messages they can expect to receive.

It can be helpful to use double opt-in forms to empower customers with a greater amount of choice. You might also want to include your privacy policy in your initial opt-in message.

Another example of Omnisend’s TCPA-compliant SMS capture popups, including a link to the privacy policy

CAN-SPAM

Like TCPA, the CAN-SPAM Act of 2003 also protects consumers from unwanted commercial messages. This regulation predates the wide use of SMS for marketing purposes, but the law still applies to texts sent for commercial advertisements.

CAN-SPAM was designed to prevent robotexts (automated messages) from reaching consumers who haven’t yet provided consent. It also cracks down on emails or phishing scams designed to steal personal information.

To summarize the major points of CAN-SPAM:

  • You can’t use misleading information in your text. This includes fake or inaccurate content in order to prompt a reply.
  • You must include your business name within the body of the text.
  • You must make your marketing messages as identifiable as possible. There should never be confusion between a personal text message and an SMS campaign.

Keep in mind that CAN-SPAM only applies to unsolicited marketing messages. These are texts sent to recipients that don’t yet have an established relationship with your brand.

A good rule of thumb is to check the context of your text. If it’s related to a recent order, shipment, bill, or refund, it can be categorized as a transactional message. If it’s sent to a customer that has never purchased anything from your brand before, it’s probably a marketing message.

If you’re unsure if your text qualifies as a marketing message, it may be best to err on the side of caution. Going against CAN-SPAM can result in $46,517 worth of fines.

Complying with CAN-SPAM is relatively straightforward. Like TCPA, you’ll want to offer double opt-in forms and keyword consent. You may also want to:

  • Include an opt-out link in every text (AKA, ‘Tap Here To Edit Preferences’). Make the links as clear and direct as possible, and stay away from unusual jargon or confusing lingo.
  • Send a confirmation message after someone opts into your campaign. A brief ‘welcome’ text is a great way to do this.
  • Make it easy for contacts to update their messaging preferences outside of their mobile devices. Ensure that visitors can request to be removed from your list via user dashboards, live chat, or other help desk functions.

Don’t forget that CAN-SPAM applies to marketing emails as well. If you’re running automated campaigns on Omnisend and want to remain compliant across all channels, you can check out our other resources here.

Understanding CTIA

SMS compliance can be tricky — especially for newer businesses. Thankfully, there are a wealth of resources that can guard your brand against accidental infractions.

The Cellular Telecommunications Industry Association (CTIA) is one such resource that has established guidelines for the ethical use of SMS marketing messages. Their Short Code Monitoring Handbook and Messaging Best Practices are widely used, although compliance is not required by law.

You won’t be fined, jailed, or blacklisted for ignoring CTIA guidelines. However, this may leave your business vulnerable to noncompliance, and there are consequences for CTIA violations. A legal dispute could put you in hot water fast — which is why following best practices is critical to your ongoing success.

Prohibited items under SHAFT

The CTIA created a list of prohibited content that cannot be communicated in any form via SMS — Sex, Hate, Alcohol, Firearms, and Tobacco, or SHAFT in short. 

This acronym is used by SMS marketers as a guideline on what not to include in their text messages. SHAFT guidelines should be taken seriously in your SMS marketing to be compliant with CTIA and build stronger relationships with your consumers. 

Consequences of SHAFT violations

The CTIA has three levels of severity for guideline violations, ranging from Level 0 to Level 2. Each level is graded by the potential harm to the consumer. 

SHAFT violations are the only violation rated under a level 0 violation and can permanently terminate your program.

three levels of severity for guideline violations

It’s also important to note that SHAFT currently includes CBD, vaping, marijuana/cannabis, and any content relating to these topics. If you’re in doubt, please refer to the CTIA Short Code Monitoring Handbook for more information on SHAFT. 

Virtually all SMS marketing providers, including Omnisend, follow strict guidelines to make sure that our customers follow these messaging guidelines and best practices. 

Read up on how Omnisend approaches SHAFT

Best practices for SMS compliance

Based on CTIA, CAN-SPAM, and TCPA guidelines, here are some best practices for SMS regulations in the United States.

  1. Your messages must have a clear call to action. Use simple language and text links to help recipients understand the intent of your SMS.
  2. Consumers must have the ability to opt in, opt out, and adjust their message preferences at any time.
  3. You must have written documentation of consent before sending messages to your contacts. Keep in mind that subscribing to your SMS channel is not enough to imply consent.
  4. You must include approved compliance language that says: “I agree to receive recurring automated marketing text messages (e.g., cart reminders) at the phone number provided. Consent is not a condition to purchase. Msg & data rates may apply. Msg frequency varies. Reply HELP for help and STOP to cancel. View our Terms of Service and Privacy Policy.”
  5. Collect detailed information about your recipient’s opt-in status by recording the time, keyword, campaign, IP address, and acquisition medium used to imply legal consent. Omnisend allows you to do this automatically with signup forms.
  6. Every campaign must have its own opt-in message. This does not apply if you have a recent relationship with a customer, such as a transaction or a request to learn more.
  7. Have a strong privacy policy that is updated on a regular basis. This policy must be public and readable by anyone — including your message recipients. It’s a good idea to include a link to your privacy policy in your initial opt-in message.
  8. Your SMS messages must not be related to obscene, violent, or illicit content, including SHAFT content. This also applies to products that do not meet age gating requirements (gambling, alcohol, etc.).
  9. Subscribers should be able to get help at any time by submitting ‘HELP’ to the message thread. This should be automated to save time for both parties.
  10. Your business name must be included in all outgoing text messages. Note that this must be your legally registered name to prevent confusion.

You can read the full list of Messaging Principles and Best Practices on the CTIA website.

SMS regulations in major countries

As your business continues to grow, so too will its international audience. It’s likely that your campaigns will eventually reach phones outside of US jurisdiction.

For example, unlike other ESPs that limit SMS to a few countries, Omnisend allows merchants to send text messages to subscribers in any country. In these countries, you may be subject to different SMS regulations.

Many SMS regulations in other countries are similar to those established by the FCC (the US agency that regulates communication by various channels. However, there are some key differences to keep in mind.

Canada

Message recipients in Canada are protected by Anti-Spam Legislation (CASL), which functions similarly to the TCPA.

Businesses that send messages soliciting donations or commercial purchases must:

  • Receive valid written consent before messaging customers
  • Offer subscribe and unsubscribe features
  • Maintain an accurate consent history

EMEA

Europe, the Middle East, and Africa follow the PECR (Privacy and Electronic Communications Regulations) and the Data Protection Act (DPA) to comply with GDPR standards.

These are very similar to US guidelines, with a few caveats:

  • Businesses must perform regular privacy and security checks
  • Consumers can always access their data and remove it from use
  • Companies must be able to explain why and how they are collecting data from consumers

There are additional rules to consider when sending messages to the Middle East. Businesses must respect ‘quiet hours’ between 9 PM and 7 AM in the United Arab Emirates (UAE). They are also barred from advertising subjects related to mobile gambling, politics, and religion.

In South Africa, messages may only be sent during a recipient’s daylight hours. This means you’ll need to schedule messages according to user location rather than your current time zone.

APAC

There are three major SMS regulations used in China and the Asian Pacific: the Administrative Provisions on Short Message Services, the Decision on Strengthening Online Information Protection, and the Consumer Rights Protection Law.

Unlike many other global laws, user consent is not required in this region. However, businesses must still comply with:

  • Quiet hours between 8 PM and 9 AM (depending on the region)
  • Easily identifiable opt-out forms that are honored by the business
  • Sender identification within the body of the SMS message

Please note that religious, political, and money lending content is not allowed. Age gated content like gambling or adult themes cannot be sent via SMS.

Australia

Messages sent to users in Australia must comply with guidelines set forth by the Australian Communications and Media Authority (ACMA).

Many of the rules are similar to the US, with the addition of quiet hours observed between 8 PM and 9 AM.

Additional expectations include:

  • Compliant opt-in forms
  • Accessible opt-out forms
  • Sender identification (alpha-numeric ID or text)

You should know that Australia recognizes two different types of consent: implied and expressed.

Implied consent comes from customers purchasing a good or service from your company. On the other hand, expressed consent refers to opt-in forms that are explicitly signed off by consumers.

In either case, redundancy is always the best approach to avoid accidental noncompliance. Be sure to ask for double opt-in consent from all of your Australian users — regardless of their recent transactions.

How Omnisend aids SMS regulation compliance

SMS regulations are far less demanding than they might seem. By asking for opt-in consent and maintaining good records, you can rest assured that your SMS campaigns will be compliant in any global market.

Omnisend has helped thousands of brands manage SMS compliance with ease. Our platform enables you to offer double opt-in consent, maintain a detailed history for every contact, and schedule messages in advance to comply with quiet hours in different time zones.

You can also collect TCPA consent records using our pre-built signup forms, which are accessible from each of our pricing tiers. We also provide keywords like STOP and HELP to remain in-line with CTIA guidelines.

If you have any questions about SMS compliance or concerns about your SMS channel, don’t hesitate to chat with us online or connect with the help desk at [email protected]

*Please note that this is not intended to be taken as legal advice in any way. Many of the laws and regulations surrounding SMS marketing are in constant flux and change on a yearly basis. If you have any questions about your legal compliance before launching a new campaign, it would be wise to consult with your legal team. 

Bernard Meyer
Article by

Bernard is the Sr. Director of Communications & Creative at Omnisend, with a passion for good research, helping ecommerce businesses with their marketing automation needs, and beating absolutely everyone in Mario Kart 64.