SMS regulations and laws: Complete 2026 guide

SMS regulations can trigger penalties if you violate customer consent, opt-out, or messaging rules. 

Understanding sms marketing laws is essential for businesses sending text messages in the US and globally. You must collect documented opt-in consent, clearly identify your brand, and include a working STOP opt-out option in every message. If you fail, you risk fines and reduced deliverability.

In the US, sms marketing laws under the TCPA (enforced by the FCC) require prior express consent before sending marketing texts. Penalties are $500 per message, or up to $1,500 for willful violations.

Text message marketing laws also apply globally, including GDPR in the EU and CASL in Canada. Both require provable consent and have strict customer data usage rules. This guide breaks down SMS regulations and who enforces them. You’ll also learn how you can use automation to stay compliant in 2026.

SMS regulations in the US

If you plan on sending SMS messages to customers in the US, you’ll have to comply with SMS regulations like TCPA, CAN-SPAM, and CTIA. 

Start by understanding why these regulations exist and how they work. We’ll also break down SMS opt-in requirements and prohibited messaging rules under CTIA (SHAFT). 

TCPA (Telephone Consumer Protection Act) 

The TCPA was established in 1991 to protect consumers from unsolicited marketing texts. Under such SMS regulations, businesses must obtain documented consent before sending recurring messages.

This means that:

• You can only send text messages to customers who have opted in
• You must obtain express written consent before adding users to your marketing list
• Consent language must be clear in your messages and signup forms
• Your brand must explain how customer data will be used

People should never be forced to share their information, and they must be able to opt out at any time.

There are some exceptions. Emergency messages don’t require TCPA compliance. The same applies to nonprofits that don’t sell goods or services. In certain healthcare-related messaging scenarios, TCPA may not apply.

Most ecommerce brands must follow TCPA guidelines. Fail to do so, and fines can reach $500 – $1,500 per message, according to the FCC.

In fact, TCPA litigation filings rose 95% in 2025 (Parker Poe), largely due to unclear consent rules. For example, in Bradford v. Sovereign Pest Control of TX, Inc., the court ruled that consent may be oral or written — not strictly written.

However, the FCC still expects prior express written consent, such as checkbox agreements in signup forms. It has also clarified that an opt-out from one message type applies to all future calls and texts from that sender. These changes are delayed until January 2027: 

Opt-out rules may also expand beyond “STOP” to include terms like “quit” or “cancel,” increasing your responsibility to interpret user intent.

TCPA SMS rules and regulations include safe harbor protections in some cases. This means you may avoid penalties if you can prove valid consent records and proper opt-out handling.

Here are strategies to stay compliant with TCPA:

Opt-in forms 

Paper, digital, and website signup forms must clearly explain SMS consent. With tools like Omnisend, you can add a TCPA-compliant legal text block in signup forms stating that users will receive marketing texts and how their data will be used. Consent must not be a condition of purchase, and opt-out instructions must be clear:

In Omnisend, you’ll also find compliant email and SMS capture forms to build your list:

Keyword text 

Users can opt-in by replying “YES” or using text-to-join. For example: By texting ‘JOIN’, you consent to receive automated marketing text messages. This can be added to order confirmation emails to grow your SMS list:

Users must be able to opt out anytime by replying “STOP.” For recipients outside the US or Canada, include an unsubscribe link:

Consent messages 

Contacts must know why they’re being messaged and what they’ll receive. Double opt-in forms can also give users clearer control over consent for signups.

You should also include your privacy policy in your initial opt-in message: 

SMS opt-in requirements 

SMS regulations require clear permission before sending marketing texts, so users understand what they’re signing up for.

There are two main methods:

• Single opt-in: Users sign up once via a form and are immediately added to your SMS list
• Double opt-in: Users enter their number, then confirm by replying “YES” to a message you send before being added to your list

Double opt-in adds a confirmation step that helps reduce errors like incorrect numbers or accidental signups.

Under sms opt-in requirements, you must follow express written consent rules. Consent must be clearly given through checkboxes and cannot be hidden in terms or tied to a purchase.

Forms must state what users will receive (promotions, updates, or offers). You must also store proof of consent, including when and how users opted in, to stay compliant with SMS regulations.

CAN-SPAM Act

Like TCPA, the CAN-SPAM Act of 2003 protects consumers from unwanted commercial messages. Although it predates modern SMS marketing, it still applies to texts sent for commercial advertisements.

CAN-SPAM aims to prevent robotexts (automated messages) sent without consent, and deceptive or phishing messages designed to collect personal information.

To summarize the key rules of CAN-SPAM:

• You cannot use misleading or false information to trigger responses
• You must clearly include your business name
• Messages must be clearly identifiable as promotional, not personal

SMS regulations like CAN-SPAM apply only to unsolicited marketing messages. Meaning, texts sent without an existing customer relationship.

A simple way to classify messages is by context:

• Transactional messages: Orders, shipping updates, billing, or refunds
• Marketing messages: Sent to users with no prior purchase or engagement

If you’re unsure, treat the message as marketing and follow CAN-SPAM rules. This reduces the risk of violations, which can result in fines of up to $53,088, according to the FTC.

Complying with CAN-SPAM is straightforward. Like TCPA, use single or double with keyword consent (like “YES” or “JOIN”). You should also:

• Include an opt-out link in every text (like “Tap here to edit preferences”)
• Send a confirmation message after opt-in, such as a brief welcome text
• Allow users to update preferences outside SMS (like in their account settings or customer support channels)

CAN-SPAM also applies to marketing emails. If you’re running automated campaigns on Omnisend and want to remain compliant across all channels, you can check out our other resources here.

Understanding CTIA

There are also industry rules created by the Cellular Telecommunications Industry Association (CTIA). CTIA isn’t a law or government body—it’s a mobile industry group that sets best practices for sending text messages.

These guidelines are used alongside SMS regulations like TCPA and CAN-SPAM, but they focus on message delivery rather than legal penalties. CTIA rules cover consent, opt-outs, and message content. For example, requiring clear consent practices, avoiding rented lists, and immediately honoring opt-outs like “STOP.”

Mobile carriers such as AT&T and Verizon use these guidelines to decide whether to deliver or block messages. Even compliant messages can be filtered if they don’t follow CTIA best practices.

Prohibited items under SHAFT

The CTIA created a list of prohibited content that cannot be communicated via SMS. This includes Sex, Hate, Alcohol, Firearms, and Tobacco (SHAFT).

This acronym is used by marketers as a guideline for what not to include in messaging. You should follow the SHAFT rules to remain compliant with CTIA standards and maintain trust with consumers.

Consequences of SHAFT violations

The CTIA defines three violation levels (Level 0 to Level 2), based on potential consumer harm. SHAFT violations fall under Level 0, the most severe category, and can lead to permanent SMS program termination:

SHAFT also includes illegal or harmful products, such as CBD or vaping. If in doubt, refer to the latest CTIA Short Code Monitoring Handbook for clarification.

Most SMS marketing providers, including Omnisend, follow strict guidelines to make sure that our customers follow these messaging guidelines and best practices. Read up on how Omnisend approaches SHAFT. 

SMS marketing regulations news: 2025 – 2026 updates

SMS marketing regulations news today is focused on stricter enforcement against scam texts and clearer consent rules. We’ll break down FCC scam regulation updates, TCPA case examples, and state-level SMS regulations to help you avoid non-compliant messaging.

Title: Compliance checklist

– Users must give clear written consent before receiving SMS messages

– SMS messages must avoid restricted or harmful content (SHAFT-related categories)

– Messages cannot be sent during quiet hours (like Monday through Saturday from 9 p.m. to 9 a.m in Texas)

– Users must be able to opt out instantly using keywords like STOP

FCC scam prevention regulations

FCC Chairwoman Jessica Rosenworcel has led stronger action against illegal robocalls and robotexts under the FCC’s anti-scam initiative. The FCC treats calls and texts under the same enforcement framework under SMS regulations.

Key actions of the anti-scam initiative:

• Declaring AI-generated robocalls illegal under the Telephone Consumer Protection Act and developing detection tools
• Issuing cease-and-desist orders and large fines, including multimillion-dollar penalties for scam operations
• Removing non-compliant providers from the Robocall Mitigation Database and blocking their traffic

In 2025, the FCC ordered all mobile carriers to stop carrying traffic from 185 companies removed from the Robocall Mitigation Database:

This happened because of failed robocall mitigation filings that didn’t clearly show safeguards like caller ID authentication (STIR/SHAKEN ) or systems for tracing scam traffic. Additionally, new SMS regulations now require carriers to block illegal or suspicious texts before delivery. 

Do Not Call protections apply to SMS as well. In fact, the Do Not Call Registry has over 258 million registrations in 2026, but still recorded 2.6 million complaints in 2025. The FTC and FCC are sharing scam and complaint data with telecom providers to improve the blocking of scam traffic.

Recent TCPA enforcement actions

Some of the latest text marketing regulations news shows continued TCPA enforcement against illegal texts. For example, in Geaslin v. Colony Ridge Development LLC, consumers alleged they received marketing SMS without prior consent. The case ended in a $1,994,123 settlement in 2025 for affected users.

In another SMS regulations news case filed in 2026, Athena Bitcoin Inc. was accused of sending unsolicited promotional text messages. It agreed to a $4.5 million settlement to resolve the claims.

This shows that businesses will often choose to settle to avoid the cost, time, and risk of a full trial, where they could face even more serious damages under TCPA rules. However, they still face large financial settlements. 

State-level SMS regulations

SMS regulations also include state-level rules. In 2025, Texas introduced Senate Bill 140 (SB 140), expanding telemarketing laws to cover SMS, MMS, and text messages.

Businesses had to register with the Texas Secretary of State, pay a $200 annual fee, and post a $10,000 security deposit before sending marketing texts.

However, the law also applied to businesses with existing customer consent. This led the Ecommerce Innovation Alliance (EIA) to file a lawsuit, which was settled in November 2025.

Under the outcome, messages sent with prior consent are not treated as telemarketing.

Email and SMS marketing tools like Omnisend update compliance features to reflect the latest SMS regulations. This helps you stay compliant without manually tracking each legal change. 

How SMS regulations impact your business

Now we’ll break down how SMS regulations impact business costs. This includes compliance costs, consequences of non-compliance, and specific industry compliance requirements. 

Compliance costs and implementation timelines

SMS compliance costs come from software, legal reviews, training your employees, and documentation systems:

• Software: Tools for consent collection, opt-ins, opt-outs, and 10DLC (10-digit long code) registration. Platforms like Omnisend support this entire setup and start at $16/month.
• Legal review: Lawyers review express written consent, privacy policies, opt-out flows, and carrier compliance requirements. The average rate for lawyers is $349/hour, according to Clio.
• Staff training: Employees handle consent, opt-outs, and messaging rules like the FTC’s 8 a.m – 9 p.m guideline. Training costs range from $1,000 – $2,500 (Compliance Week). 
• Documentation systems: Storing consent records, opt-out logs, and message history to prove you comply with SMS regulations. Platforms like Omnisend have built-in compliance to help track and record consent and opt-outs. 

Implementation timelines vary. Setup and number verification can take one to five days, according to Omnisend. Employee training averages around 40 hours per year, according to Training. And, legal review depends on compliance complexity.

Consequences of non-compliance

In a 2025 case, Designer Brands Inc., a US retail company, was accused of sending marketing texts to users who had opted out. Under SMS marketing laws, businesses must stop messaging once consent is withdrawn. The company allegedly continued sending texts and later agreed to a $4.4 million settlement, while denying wrongdoing.

Beyond fines, poor SMS compliance leads to wider risks:

• Loss of customer trust
• Higher opt-outs, reducing list size
• Reputation damage from complaints or lawsuits
• Carrier filtering or blocking, reducing deliverability

Here’s a compliance comparison table:

Industry-specific compliance requirements

Some industries face stricter SMS regulations due to age-restricted or higher-risk content, including alcohol, gambling, cannabis, and adult content under SHAFT guidelines.

These sectors require stronger controls than standard ecommerce. Opt-in often includes age gating such as phone number entry, age confirmation (18+/21+), and/or date of birth.

Rules vary by industry:

• Alcohol: Allowed in the US with 21+ age verification
• Gambling: Allowed with approvals and compliance checks
• Cannabis/CBD/vaping: Often blocked under carrier or federal rules
• Adult content: Highly restricted under SMS regulations

For example, in Canada, age-gated SMS content may be blocked without carrier approval (Twilio) and can lead to number suspension. To avoid this, you need ongoing SMS compliance reviews. If you hire a compliance manager, it’ll cost around $123,428/year, according to Salary.com. 

However, with tools like Omnisend, you can automate SHAFT filtering, opt-ins, and quiet hour enforcement to ensure SMS compliance. 

SMS marketing rules and compliance guidelines

Based on CTIA, CAN-SPAM, and TCPA guidelines, here are some of the most important SMS regulations to follow in the US. 

Opt-in rules

Customers must give explicit opt-in consent before sending marketing messages, and consent must be documented.

For example, your messages must include approved compliance language like:

“I agree to receive recurring automated marketing text messages at the phone number provided. Consent is not a condition to purchase. Msg & data rates may apply. Msg frequency varies. Reply HELP for help and STOP to cancel. View our Terms of Service and Privacy Policy.”

With tools like Omnisend, you can create a complaint signup form in minutes. Simply go to Forms → Create Form or edit an existing form. Then, add a phone number field. Enable SMS opt-in, and add TCPA legal text block. Your signup form should look like this: 

Your privacy policy link in signup forms should also be visible: 

Omnisend automatically stores SMS consent details like signup time, source, and form data so you can prove user consent if needed.

Content restrictions

Under SMS regulations and CTIA messaging principles, you can’t send harmful, illegal, or misleading content. Carriers may restrict categories such as SMS marketing for the adult industry, hate speech, firearms, tobacco, cannabis, vaping, gambling, and alcohol. 

Messages must use clear language and links, clearly match the offer, and avoid deceptive claims. A legally registered business name must also be included so users know who is texting them. Add your sender name in Omnisend by going to Store settings → SMS → Sender’s name:

In Omnisend, restricted content can be automatically flagged or blocked when you’re editing or before sending your campaign. 

Timing requirements

In most cases, SMS messages must be sent during local daytime hours. Sending texts late at night or early in the morning can lead to complaints. For example, in Texas, SMS cannot be delivered Monday — Saturday from 9 p.m to 9 a.m, and on Sundays before 12 p.m. or after 9 p.m.

Tools like Omnisend can automatically enforce quiet hours based on recipient time zones. This reduces manual setup errors and improves SMS deliverability. 

Before sending SMS campaigns, you can verify and adjust timing settings. Go to Store Settings → SMS. Then Review SMS Quiet Hours:

Opt-out handling

SMS regulations require every message to include a clear way for users to opt out at any time. The standard command is “STOP”, and once a user sends it, they must be removed from future messages immediately. Here’s an example SMS workflow that includes clear opt-out instructions: 

Users can also send “HELP” to receive support details.

Opt-out handling should always be automatic. Manual removal increases the risk of errors and SMS compliance issues. 

With Omnisend, opt-outs are processed instantly across all campaigns, so users are unsubscribed the moment they reply STOP. Beyond simple keyword detection, Omnisend uses AI to identify natural language opt-out requests (like, “I want to stop receiving these”). 

Global SMS compliance: Regulations in major countries

As your business grows, so will your international audience. You’ll need global SMS compliance to meet different regional rules. To do this, you need an ESP that supports multiple regions. 

ESPs like Klaviyo limit SMS to the US, Canada, the UK, and Australia. However, Omnisend has global SMS marketing for all regions mentioned in this guide.

Many international SMS regulations follow FCC-style frameworks, but key differences exist across markets. Here’s a quick comparison table showing regional requirements and penalties: 

Canada

Message recipients in Canada are protected by Anti-Spam Legislation (CASL), which functions similarly to the TCPA. Businesses that send messages soliciting donations or commercial purchases must:

• Receive valid written consent before messaging customers
• Offer subscribe and unsubscribe features
• Maintain an accurate consent history

EMEA

Europe, the Middle East, and Africa follow the PECR (Privacy and Electronic Communications Regulations) and the Data Protection Act (DPA) to comply with GDPR standards.

These are very similar to US guidelines, with a few exceptions:

• Businesses must perform regular privacy and security checks
• Consumers can always access their data and remove it from use
• Companies must be able to explain why and how they are collecting data from consumers

There are additional rules to consider when sending messages to the Middle East. Businesses must only send SMS marketing messages between 7 a.m and 9 p.m. in the UAE. They’re also barred from advertising subjects related to mobile gambling, politics, and religion.

In South Africa, messages may only be sent during a recipient’s daylight hours. This means you’ll need to schedule messages according to user location.

APAC

There are three major SMS regulations used in China and the Asia Pacific: 

• The Administrative Provisions on Short Message Services 
• The Decision on Strengthening Online Information Protection
• The Law on the Protection of Consumer Rights and Interests (LPCRI)

User consent is also required in this region. And, you must comply with:

• Quiet hours — regions like China don’t mention SMS quiet-hour times in law, the standard is 8:00 p.m. to 8:00 a.m.
• Easily identifiable opt-out forms that are honored by the business
• Sender identification within the body of the SMS message

Religious, political, and money lending content is not allowed. Age-gated content, like gambling or adult themes, cannot be sent via SMS.

Australia

Messages sent to users in Australia must comply with the Australian Communications and Media Authority (ACMA).

Many of the rules are similar to those in the US. While quiet hours aren’t specified in laws, the default is often set to 8:00 p.m. to 8:00 a.m on SMS marketing platforms like Omnisend. 

Additional expectations include:

• Compliant opt-in forms
• Accessible opt-out forms
• Sender identification (alpha-numeric ID or text)

Australia recognizes two different types of consent — implied and expressed.

Implied consent comes from customers purchasing a good or service from your company. Expressed consent refers to opt-in forms that are explicitly signed off by consumers.

Be sure to ask for double opt-in consent from all of your Australian users — regardless of their recent transactions.

How Omnisend aids SMS regulation compliance

Omnisend is an expert-approved automation tool that includes built-in SMS compliance, so you don’t need to track consent, opt-ins, or opt-outs manually. For instance, when creating signup forms, you can add TCPA legal text blocks to collect consent. This ensures every subscriber is properly opted in according to SMS regulations: 

When customers sign up through opt-in forms or text-to-join, this consent is automatically stored in each contact’s profile. Along with their phone number, subscription status, and full opt-in history:

Once your customers have opted in, TCPA consent records, phone numbers, and subscription status will be added to their profiles: 

For global SMS marketing guidelines in 2026, Omnisend applies region-based rules in the SMS editor. US and Canada campaigns require opt-out instructions, while international formats can be customized and previewed before sending:

Omnisend also enforces SHAFT filtering and quiet hours to ensure messages comply with SMS regulations across time zones.

If you’re starting out, Omnisend offers 24/7 support even on the Free plan. You can chat with us online or connect with the help desk at [email protected]. Omnisend also integrates with Shopify, WooCommerce, Wix, and BigCommerce, and includes built-in SMS compliance. Omnisend users see an ROI of $79 per dollar spent. 

Conclusion

SMS regulations in 2026 require clear consent, honest messaging, and proper opt-out handling. In the US, SMS marketing laws such as TCPA and CAN-SPAM set requirements for prior consent and clear sender identification. CTIA guidelines also influence carrier delivery standards.

2025 — 2026 updates show stricter enforcement of SMS regulations, with the FCC increasing action against scam texts and non-compliant senders. TCPA cases continue to result in million-dollar settlements, showing the financial risk of poor SMS compliance. Opt-out rules are being reviewed, with potential changes beyond simple “STOP” commands.

To maintain SMS guidelines, you should use clear opt-in forms, store consent records, set quiet hours, and automate opt-outs. Regular legal reviews also help with adherence to SMS regulations. Tools like Omnisend provide built-in SMS compliance features, improving deliverability, trust, and long-term revenue.

*Please note that this content is for informational purposes only and does not constitute legal advice. SMS regulations in 2026 are subject to change, and requirements may vary by region and over time. For specific legal guidance, please consult a qualified legal professional.

FAQ