Text messaging compliance may be fact- and context-specific. The information contained in this blog post should not be relied upon as legal advice or to determine how these regulations apply to your use of SMS and our service. You may use this blog post for your internal reference purposes only. This information is provided “as is” and may be updated or changed without notice.
Nine out of ten consumers consider texting a trustworthy channel. Their trust is partly due to texting’s lack of spam compared to other channels; only 3% of texts are spam, while nearly half of emails are. So why does texting have relatively little spam? It’s all thanks to regulations and guidelines from the government, industry organizations, and carriers.
Being aware of the standards that apply to your business helps you keep your operations legally sound—and maintain texting’s status as a trusted channel. But there are a lot of standards out there. It can be hard to tell which ones apply to your business, and how to achieve compliance with them.
In this article, we’ll review four categories of standards:
- Those that apply to all businesses: the TCPA and 10DLC registration
- Those that are voluntary but recommended for all businesses: SOC 2
- Location-specific standards: the GDPR and the CCPA/CPRA
- Industry-specific standards: HIPAA
For a deeper dive into text messaging standards, check out our complete text messaging compliance guide.
Standards that apply to all businesses
The TCPA and 10DLC apply to all businesses texting consumers via standard phone numbers. This is a good place to start your journey to text messaging compliance.
The TCPA dictates how and when businesses can connect with consumers. Because it’s applicable to any business that reaches customers through telecommunications (e.g., phone calls or messaging), it’s one of the most well-known compliance standards.
Enacted in 1991, the TCPA aimed to curb the many telemarketing calls consumers were receiving in the late 80s and early 90s. In 2012, after businesses started texting customers, the Federal Communications Commission (FCC) updated the regulation to apply to business text messaging. Today, the TCPA is a well-known and effective regulation; nearly 11% fewer TCPA cases were filed in 2022 compared to 2021, showing a steady decrease in spam on the channel.
The TCPA’s ultimate goal is to protect telecommunications customers from spam. It mandates that your business secure consent (opt-ins) from customers before texting them, and that you honor unsubscribe requests (opt-outs). It also requires that you be transparent when you advertise your texting services so customers know exactly what kinds of messages they’re opting into.
TCPA-compliant texting overview
The TCPA is a complex document well worth reviewing with your legal team. But to begin your compliance journey, your business will want to:
- Clearly describe your texting program with opt-in information
- Ensure customers opt in before you text them
- Send a confirmation text after customers opt in
- Use a texting platform that automatically removes customers who request to opt out
Benefits of TCPA compliance
TCPA SMS compliance is mandatory if you text customers in any way, whether you’re answering customer service questions or sharing promotional content. The TCPA is applicable no matter your industry or where your customers are located.
Additionally, the TCPA helps maintain texting’s reputation as a low-spam channel. Maintaining that reputation preserves your ability to connect with customers through one of the most efficient and direct channels.
Ten-digit long codes (10DLCs) have been around since the beginning of texting. These are standard numbers like the ones you, your friends, and your family members text from. 10DLC registration is a newer requirement that carriers created to further reduce spam.
Shortly after texting was invented, companies could only text at scale through short codes, which are five- or six-digit phone numbers. As technology advanced, businesses could also text from long codes, which offer important benefits: customers recognize these numbers as standard, and can reply to them. In 2021, carriers began requiring businesses using 10DLCs to register so they could prevent spam.
To register to use 10DLCs, your business must share key information with The Campaign Registry (TCR), a third-party site managing registration for most carriers. With your texting platform’s support, you will submit your business name and contact information. If your business sends a large volume of texts, you will submit additional details.
10DLC registration overview
Your business text messaging platform will guide you through 10DLC registration with TCR. Gather the information that TCR will need before getting started to speed up the process. The process will look like this:
- Identify whether or not you use or want to use a 10DLC number.
- Connect with your business texting provider to determine how to register with TCR.
- Collect the information required for registration:
  - Tax documents and records (EIN and legal business name must match legal records for registration to be successful)
  - Description of messaging use case (1-2 sentences)
  - Sample message #1
  - Sample message #2
  - Validation of opt-in, opt-out, and help message workflows
Benefits of 10DLC registration
10DLC registration is required for all companies that text customers through 10-digit long codes—no matter whether you send mass texts or reply to customers through one-on-one chats.
Businesses that complete 10DLC registration may also avoid carrier filtering and see better deliverability, since carriers have verified that they are not sending unwanted messages.
Are 10DLCs really necessary?
Ten-digit long codes are becoming the new industry standard for business texting. That’s why we placed 10DLC registration under the mandatory category. If you don’t want to use a 10DLC, you might consider signing up for a verified toll-free number.
You can register these non-local 10-digit numbers (often starting with 1-800) with carriers to get a relatively high daily message volume. They support voice calling in addition to texting, and work well for businesses that are not tied to one specific area code.
Recommended for all businesses
There’s only one standard in this category: SOC 2. Compliance with it is voluntary, but security industry experts recommend you achieve it.
SOC 2 is a newer standard. It requires you to have strong data security and data-related processes with the goal of protecting your customers’ information. Being SOC 2 compliant demonstrates you have reached a high security standard and helps you build trust with other businesses and customers.
SOC 2 was launched in 2010 by the American Institute of Certified Public Accountants (AICPA). SOC 2 reports evaluate the effectiveness of a business’s data security controls. There are two types of reports: a Type 1 report is a snapshot of a business’s controls at a single point in time, while a Type 2 report is an in-depth review of how those controls operated over a longer period.
Achieving text message compliance with SOC 2 is an involved undertaking, requiring you to ensure that your data processes and workflows are well-documented and secure. SOC 2 reports evaluate five key areas: security, availability, confidentiality, processing integrity, and privacy. To achieve official compliance, you must have an independent third-party auditor review and evaluate your business’s data management.
SOC 2-compliant texting overview
You’ll need to meet SOC 2 requirements in the five areas we mentioned above. While the reports are more extensive than what we list below—the third party completing the report will give you more details—here’s an overview of what they’re looking for:
- Security: Secure systems and data against unauthorized access or disclosure
- Availability: Make information and systems readily available for use
- Confidentiality: Protect confidential information
- Processing integrity: Ensure your data processing workflow is complete, valid, accurate, timely, and authorized
- Privacy: Collect, use, retain, disclose, and dispose of personal information in accordance with your stated privacy policies
Benefits of SOC 2 compliance
Data security is a concern for all businesses, especially those that are managing customer communications. The process of achieving SOC 2 compliance will help fill any gaps you might not have known were there.
In addition, being SOC 2 compliant serves as a badge of trust for other businesses and customers. It helps differentiate you from competitors.
Location-specific standards
Some standards are only applicable if your customers live in certain locations. We’ll review two regulations that affect large geographical areas: the GDPR and the CCPA/CPRA.
The General Data Protection Regulation (GDPR) will affect your business if you communicate with any customers in the European Union (EU). It aims to protect consumers’ personal data in the face of modern internet technologies.
The GDPR was passed in 2016 and implemented in 2018. Individual countries within the EU have also created and maintained their own data regulations. Before leaving the EU in 2020, the UK amended the Privacy and Electronic Communications Regulations (PECR)—which affect business texting—to better complement the GDPR.
The GDPR requires you to protect EU citizen data. You must take measures to prevent data theft and protect user privacy while texting with customers and managing their contact information.
GDPR-compliant texting overview
Some requirements of the GDPR resemble those of the TCPA and SOC 2. Your business must do the following to achieve text messaging compliance:
- Only text customers who have specifically agreed to receive texts from you
- Immediately comply with opt-out requests
- Delete stored data after a set period of time
- Ensure data is accurate
- Give customers full data control
- Inform customers about policies
- Notify customers about policy changes
Benefits of GDPR compliance
If you communicate with customers in the EU, you have to comply with the GDPR. This is the case even if you are a business in the United States.
Even if you don’t have customers within the EU, complying with this standard can help you improve data security. Since some of the requirements are similar to the TCPA’s and SOC 2’s, GDPR compliance might be a good next step.
The California Consumer Privacy Act (CCPA) is a new and relatively specific act, only affecting Californian consumers and the businesses that interact with them. The CPRA is an amendment of the original act.
Signed into law in 2018, the CCPA created consumer privacy rights and business requirements for the collection and sale of consumer data. The CPRA, which became operative in 2023, amends and expands the CCPA.
Similarly to the GDPR, the CCPA is concerned with regulating businesses’ handling of consumer data. It requires that you create and implement additional security procedures for consumer data protection.
The CCPA gives consumers the following rights:
1. to know what personal information a business collects and how it is used
2. to delete collected personal information
3. to opt out of the sale of personal information
4. to non-discrimination for exercising their rights
The CPRA creates two additional rights for consumers:
5. to correct inaccurate personal information
6. to limit use and disclosure of sensitive personal information
CCPA/CPRA-compliant texting overview
Compliance with the CCPA is all about data protection. It also involves opt-out management, much like the TCPA. To achieve compliance, you must:
- Create a process for customers to submit data access requests, including, at a minimum, a toll-free telephone number
- Update official privacy policies with newly required information, including a description of California residents’ rights
- Avoid requesting opt-in consent for 12 months after a California resident opts out of your texting program
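The TCPA checklist above (opt in before texting, confirm the opt-in, remove anyone who opts out) and the CCPA rule of not re-requesting consent for 12 months after a California resident opts out can be enforced in one consent ledger. This is an added example, not code from the original post or from any texting platform; the keyword sets, the "Example Co" program text and the CRM-provided California residency flag are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

STOP_WORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}   # standard opt-out keywords
HELP_WORDS = {"HELP", "INFO"}
JOIN_WORDS = {"JOIN", "START", "YES"}                           # assumed opt-in keywords
REQUEST_COOLDOWN = timedelta(days=365)   # CCPA: no new opt-in request for 12 months after an opt-out
PROGRAM = "Example Co appointment reminders"   # constructed program name used in confirmations

@dataclass
class Contact:
    opted_in: bool = False
    opted_out_at: Optional[datetime] = None
    california: bool = False   # residency assumed to be known from your CRM

@dataclass
class ConsentLedger:
    contacts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (number, text) pairs handed to the sending platform

    def can_send(self, number: str) -> bool:
        return bool(getattr(self.contacts.get(number), "opted_in", False))

    def may_request_opt_in(self, number: str, now: datetime) -> bool:
        c = self.contacts.get(number)
        if c is None or c.opted_out_at is None or not c.california:
            return True
        return now - c.opted_out_at >= REQUEST_COOLDOWN

    def handle_inbound(self, number: str, text: str, now: datetime) -> str:
        c = self.contacts.setdefault(number, Contact())
        word = (text.strip().upper().split() or [""])[0]
        if word in STOP_WORDS:   # opt-out: revoke consent immediately
            c.opted_in, c.opted_out_at = False, now
            return "opted_out"
        if word in HELP_WORDS:   # HELP is answered regardless of consent state
            self.outbox.append((number, f"{PROGRAM}. Reply STOP to cancel. Msg&data rates may apply."))
            return "help"
        if word in JOIN_WORDS:   # opt-in: record consent, then send the confirmation text
            c.opted_in = True
            self.outbox.append((number, f"{PROGRAM}: you are subscribed. Reply STOP to cancel, HELP for help."))
            return "opted_in"
        return "ignored"

    def send(self, number: str, text: str) -> bool:
        if not self.can_send(number):   # never text a number without recorded consent
            return False
        self.outbox.append((number, text))
        return True
```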
Benefits of CCPA/CPRA compliance
CCPA/CPRA compliance is mandatory if any of your customers live in California. Achieving compliance even if you don’t have Californian customers can help you further protect customers’ data—and keep building trust with them.
Industry-specific standards
We’re going to explore one industry-specific standard: HIPAA. This healthcare industry standard touches any business that engages with patients.
HIPAA is one of the most well-known regulations, even outside of the healthcare industry. It protects patient health-related and personal information.
Signed into law in 1996, HIPAA was originally meant to improve health insurance coverage for employees between jobs, as well as reduce waste and fraud in the industry. From there, it became a vehicle for the digitization of health records. Then, in 2000 and 2003 respectively, the Privacy and Security Rules added additional requirements to keep protected health information and electronic protected health information (ePHI) safe from misuse or disclosure.
HIPAA compliance for text messages spans not only how businesses send messages, but how they store and protect ePHI. It requires that you never text personal information, and take particular care to keep patient information private. While HIPAA only applies to healthcare organizations and companies that work directly with ePHI, following these guidelines can help any business protect their customers’ personally identifiable information (PII).
Compliance with HIPAA is incredibly important if you work in the healthcare industry. Like all standards, you will absolutely need legal guidance to achieve text message compliance. Here’s an overview of some of the things your business will need to do:
- Use a texting platform that encrypts texts in storage and in transit (SMS is not encrypted when delivered by carriers to the recipient’s phone)
- Only message customers for administrative purposes (e.g., scheduling, appointment reminders, links to your secure health portal)
- Approve company-issued and personal devices used to access customer information
- Limit ePHI access to employees who need it for their jobs
Benefits of HIPAA compliance
If you’re a healthcare organization or a healthcare-adjacent organization that handles patient data, it’s the law. But HIPAA-compliant texting can be useful even if you’re not a healthcare company. Meeting the requirements simply makes your texting more secure for customers, no matter what industry you’re working in.
Achieving text messaging compliance
There are a lot of regulations that control business text messaging. But now you should have a good sense of which of them might apply to your business—and which of them might be worth complying with even if they don’t.
Our overviews above can point you in the right direction toward text message compliance. However, before you consider your business compliant, be sure to consult with your legal team. Texting regulations are complex, and compliance looks different for every business.
Thorough text message compliance is critical to staying on the right side of the law—and, most importantly, continuing to build trust with your customers.
Learn more about achieving text messaging compliance in our full guide.