Compliance for Text Messages: Standards and Terms

Compliance document on desk to indicate compliance for text messages

Compliance for text messages may be fact- and context-specific. The information contained in this blog post should not be relied upon as legal advice or to determine how these regulations apply to your use of SMS and our service. This information is provided “as is” and may be updated or changed without notice. You may use this blog post for your internal reference purposes only.

Addressing compliance for text messages can be overwhelming. Organizations release new standards frequently and new terms arise as a result. That’s why we’ve compiled a list of SMS compliance standards and terms, and their definitions. Let’s dive in. 

What Is Compliance for Text Messages?

Compliance for text messages, often called SMS compliance, is an industry term for following regulations and guidelines. You achieve SMS compliance by adhering to these regulations and guidelines.

Why Should You Achieve SMS Compliance?

In some cases, the law requires compliance for text messages, like with the TCPA. In other cases, professional guidelines suggest compliance, like with SOC 2. Either way, it’s important to achieve SMS compliance. These regulations and guidelines aim to help you protect your customers’ data, privacy, and well-being. Achieving SMS compliance will help you create a great customer experience. 

Common SMS Compliance Standards

There are plenty of SMS compliance standards out there, depending on where you live. But three North American SMS compliance standards are most likely to apply to your business. These are HIPAA, SOC 2, and the TCPA. 

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a household name. The standard affects all businesses that work with patients or patient data. Enforced by the Department of Health and Human Services’s Office for Civil Rights (OCR), it mandates that you protect sensitive patient data at all costs. HIPAA compliant texting includes ensuring that you don’t text patient test results, diagnoses, or anything else that can be considered sensitive information. It also involves developing privacy policies and practices within your business to ensure you don’t share electronic protected health information (ePHI), and that you anonymize any health-related data you intend to use for analytics purposes.

Service Organization Control 2 (SOC 2)

SOC 2 is a new guideline. It was created by the American Institute of Certified Public Accountants (AICPA), a well-respected group that regularly creates data-related guidelines.  SOC 2 reports review the effectiveness of your business’s data security measures and processes. They examine data encryption as well as items like code change management and review, internal tool access and approval processes, and disaster situation planning. Read more about SOC 2 here and understand the difference between Type 1 and Type 2.

The Telephone Consumer Protection Act (TCPA) 

The TCPA is one of the most well-known regulations in the business SMS industry. Monitored by the Federal Communications Commission (FCC), it mandates that you acquire legal consent from your customers before you start chats via SMS. It also requires you to provide transparency when promoting your SMS services. Read more about TCPA text message compliance here

SMS Compliance Terms

We use specific industry terms when we discuss SMS compliance. We’ve gathered up the most common terms here to help you navigate our SMS compliance articles with ease. 

A2P Messaging

Application-to-person messaging (A2P messaging) includes any messages sent from an application. Carriers in the United States and Canada define all messages that pass through messaging platforms like Heymarket as A2P. This includes one-on-one SMS customer service chats as well as automated appointment reminders, order notifications, and after-hours replies.  

Opt In

Opting in means giving consent to participate in something. In business text messaging, customers have to opt in through writing before you can text them. You can ask customers to text a keyword to your SMS number or click a box on a web form. Either process counts as opting in. 

Opt Out

Opting out means withdrawing consent to participate in something. In business text messaging, customers must be able to opt out of your SMS services at any time. They should be able to text a keyword to opt out. Your business text messaging platform should be able to immediately unsubscribe customers from automated drip campaigns and scheduled messages. (The best practice is to include opt-out instructions the first time you text customers and frequently thereafter.)

P2P Messaging

Person-to-person messaging (P2P messaging) includes messaging that involves two people. This would include the texts you recently sent to friends and family. Again, carriers in the United States and Canada consider all messages that pass through messaging application platforms like Heymarket to be A2P.


Ten-digit long codes (10DLC) are typical phone numbers you see on your phone every day; they have 10 digits and a local area code. (415-555-0101 is a 10DLC number.) Recently, carriers have upgraded businesses’ 10DLC capabilities, allowing them to send a higher volume of messages to customers. Businesses can use these numbers if they register the numbers and state why they’re using them. Because 10DLCs are versatile, they are expected to become the industry standard. They are subject to all standards and regulations. See this post for the most up-to-date information on how businesses can access 10DLC.


Want to learn more about compliance for text messages? Download our guide to SMS security and compliance.

Share via
Copy link