Compliance with legal frameworks, such as the TCPA, may be fact- and context-specific. The information contained in this blog post should not be relied upon as legal advice or to determine how the TCPA and other laws or standards apply to your use of messaging and our service. You may use this blog post for your internal reference purposes only. This information is provided “as is” and may be updated or changed without notice.
Whether you’re diving into the world of SMS compliance for the first time or as a refresher, the many acronyms and terms you encounter can be overwhelming. Even once you’re up to speed, new regulations might come up and existing ones might change. That’s why it’s important to regularly consult the most up-to-date compliance terminology.
In this article, we’ve compiled a list of critical terminology related to compliance for text messages. Knowing these SMS compliance standards, terms, and key players will help you develop a strong foundation if you’re new to business text messaging, and stay current if you need a review.
For a deeper dive into the standards below, check out our complete text messaging compliance guide.
What is compliance for text messages?
Compliance for text messages, also called SMS compliance, is an industry term for following messaging regulations and guidelines. You achieve SMS compliance by adhering to these rules.
Why should you achieve SMS compliance?
Some SMS regulations apply to all businesses, like the Telephone Consumer Protection Act (TCPA). Several regulations only apply if you do business in certain areas, like the California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR). In other cases, professional organizations recommend compliance with their guidelines, like SOC 2, but it’s not a legal requirement.
Whether it’s required by law or recommended by industry bodies, achieving compliance with all SMS regulations and requirements helps your business better protect your customers’ data, privacy, and well-being so you can build trust.
Common SMS compliance standards
Here are the rules, regulations, and standards most likely to apply to your business:
California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
Signed into law in 2018, the CCPA created consumer privacy rights and business requirements for the collection and sale of consumer data. The CPRA, which became operative in 2023, amends and expands the CCPA. If your business messages any Californian customers, these regulations apply to you.
General Data Protection Regulation (GDPR)
The GDPR was passed in 2016 and implemented in 2018. GDPR compliance is mandatory if you message customers in the EU. It requires you to protect EU citizen data, taking measures to prevent data theft and protect user privacy. Even if you don’t have customers within the EU, complying with this standard can help you improve data security.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA affects all businesses that work with patients or patient data, mandating that you protect sensitive patient data at all costs. HIPAA-compliant texting means ensuring that you don’t text patient test results, diagnoses, or any other sensitive information. It also involves developing privacy policies and practices to ensure you don’t share electronic protected health information (ePHI), and anonymizing any health-related data you intend to use for analytics.
Service Organization Control 2 (SOC 2)
Launched in 2010, SOC 2 is a set of standards developed by the Association of International Certified Professional Accountants (AICPA). SOC 2 reports evaluate your data security. Complying with SOC 2 isn’t required by law, but recommended and even expected if your business works with customer data. Achieving text messaging compliance with SOC 2 requires you to ensure that your data processes and workflows are well-documented and secure. To achieve official compliance, you must have a third-party provider review and evaluate your data management. You can choose between two types of SOC 2 reports—a simple Type 1 report or a thorough Type 2 report.
The Telephone Consumer Protection Act (TCPA)
The TCPA is one of the most well-known regulations in the business SMS industry, and it applies to all businesses that text their customers. It mandates that you get consent from your customers before you text them, and make it easy for them to opt out. It also requires you to be transparent when promoting your SMS services. TCPA compliance is a legal requirement.
10 Digit Long Code (10DLC) registration
10DLC registration applies to all companies that text customers through a 10-digit long code—regardless of whether you send mass texts or reply to customers through one-on-one chats. To use these standard 10-digit phone numbers, you must register with telecom carriers. Registering businesses that text consumers helps the carriers prevent spam. Your business texting services should support you throughout the 10DLC registration process.
SMS compliance terms
When we talk about achieving compliance, we use specific industry terms. We’ve gathered up the most common terms here to help you better navigate SMS compliance articles:
Application-to-person messaging (A2P messaging) includes any messages sent from an application. Carriers in the United States and Canada define all messages that pass through messaging platforms like Heymarket as A2P. This includes one-on-one SMS customer service chats as well as automated appointment reminders, order notifications, and after-hours replies.
Electronic protected health information (ePHI)
ePHI refers to any information that may be used to identify a patient or that refers to the status of a patient’s health. This includes data like test results, diagnoses, care instructions, visit recaps, and more. Under HIPAA, it is illegal to text any of this information.
Opting in means giving consent to participate in something. In business text messaging, customers have to opt in before you can text them. You can ask customers to text a keyword to your SMS number or click a box on a web form. Either option allows you to capture their opt-in.
Opting out means withdrawing consent to participate in something. In business text messaging, customers must be able to opt out of your SMS services at any time by texting a keyword. Your business text messaging platform should be able to immediately capture the opt-out request and unsubscribe customers.
Peer-to-peer messaging (P2P messaging) refers to messages sent between two consumers. This would include the texts you recently sent to friends and family. Again, carriers in the United States and Canada consider all messages that pass through messaging application platforms (like Heymarket!) to be A2P.
Ten-digit long codes (10DLC) are typical phone numbers you see on your phone every day; they have 10 digits and a local area code. (415-555-0101 is a 10DLC number.) Recently, carriers have upgraded businesses’ 10DLC capabilities, allowing them to send a higher volume of messages to customers. Because 10DLCs are versatile, they are expected to become the industry standard.
Key players in compliance for text messages
Several organizations create, manage, and (in some cases) enforce SMS compliance standards. Here are the ones you’ll hear about most often:
American Institute of Certified Public Accountants (AICPA)
This national professional organization develops ethical standards for accountants as well as U.S. auditing standards for service organizations. Most recently, the AICPA created SOC 2 guidelines.
Cellular Telecommunications and Internet Association (CTIA)
This organization represents and advocates for the wireless telecommunications industry. It also offers guidance to businesses that text. For example, the CTIA provides advice about how to get opt-ins from customers.
Federal Communications Commission (FCC)
The FCC is a government organization that regulates communications in the U.S and the telecommunications industry. It creates and enforces laws, most notably the TCPA.
The U.S. Department of Health and Human Services (HHS)
The HHS is a government organization that oversees the health of Americans in the U.S. Their Office for Civil Rights oversees and enforces HIPAA.
The Campaign Registry (TCR)
TCR is a third-party business that manages the A2P 10DLC messaging registration process. It collaborates with brands, carriers, and business texting platforms to ensure that companies texting consumers register their 10DLC numbers.
Additional resources for achieving SMS compliance
Now that you’ve got a grasp on foundational terms, you can learn how to achieve compliance with the regulations that apply to your business. Here are some guides and articles to get you started:
- “Compliance for text messages: a guide to 3 critical regulations”
- “How to stay compliant with SMS opt ins and opt outs”
Remember: compliance standards and terms frequently change due to new and evolving regulations. In order to succeed, don’t think of compliance as a one-time checklist. Instead, think of it as an ongoing learning experience that will help your business build stronger relationships with customers.