SMS Compliance Guide for Business Texting

Stay on the right side of the law when you text customers.

text compliance

Business text messaging is one of the most effective ways for you to reach your customers. But you need to comply with SMS regulations in order to continue to connect with them this way. Achieving SMS compliance is a lot easier if you know the basics. In this text message compliance resource page, you’ll learn:

  • What SMS compliance is
  • Key terms you need to know
  • The differences between SMS security and SMS compliance
  • How texts are regulated
  • Which SMS compliance laws you need to know about
  • Best practices for text compliance

New to business SMS? You may want to check out our business text messaging terminology page to review industry terms. Otherwise, let’s learn about SMS compliance.

*Compliance with legal frameworks, such as the TCPA and HIPAA, may be fact- and context-specific. The information contained on this resource page should not be relied upon as legal advice or to determine how the TCPA or other laws or standards apply to your use of SMS and our service. This SMS compliance information is provided “as is” and may be updated or changed without notice. You may use this guide for your internal reference purposes only.

What Is SMS Compliance,
and Why Does It Matter?

SMS compliance is a term for following applicable rules and regulations. It’s also called compliance for text messages or text compliance. Regulations you might need to follow include the TCPA and HIPAA. (More on those later.) Achieving SMS compliance is often a legal requirement. Sometimes, it’s just a best practice that will help you build trust with customers.

Team member checking shared inbox for incoming messages from customers

How has SMS compliance transformed business communications?

Business texting is an emerging industry, much like email and phone calls once were. As businesses started adopting it widely, SMS compliance evolved to ensure that customers maintain trust in the channel. It has made texting more pleasant for customers. For example, businesses can’t text people who don’t want to be reached, and they have to let customers control their data.

Hand searching the internet about text message compliance

SMS Compliance Definitions

A few SMS compliance terms you spot on this page might be new to you. Let’s briefly define them so you’ll have a better understanding of what we’re talking about.

A2P messaging

Application-to-person messaging (A2P messaging) refers to texts or messages sent from an application or software. For example, any messages you send through a secure text messaging platform are defined as A2P messaging.

In general, opting in means someone giving their consent to participate in something. Your customers have to opt in before you can text them. Usually, they opt in by texting specific keywords or by checking a box on a web form.

In general, opting out means someone withdrawing their consent to participate in something. You have to allow your customers to opt out at any time by texting in keywords. Your secure text messaging platform should automatically recognize and unsubscribe these customers.

Person-to-person messaging (P2P messaging) refers to texting between two people. For example, any texts you sent to friends or family recently would be considered P2P messaging.

Ten-digit long codes (10DLC) are typical phone numbers you see on your phone every day; they have 10 digits, including a local area code. (For example, 415-555-0101 is a 10DLC number.) Read the latest on 10DLC compliance requirements for businesses.

Is SMS Security the Same as SMS Compliance?

People often confuse SMS security vs SMS compliance. The two terms are similar, and are often used together in conversations, but they’re not the same. They are both incredibly important, though.

Team member looking at phone with lock on screen

What is SMS security?

SMS security is the state of your customer’s data being free from outside threats. SMS customer data can include contact information, customer history, and the customer messages themselves.

Comparing Security + Compliance

What is the difference between SMS security vs SMS compliance?

Just because you have achieved SMS compliance doesn’t mean you have also achieved SMS security. While adhering to regulations can help you secure your customer data better, it doesn’t automatically mean you have achieved optimal SMS security. In addition, just because you have achieved optimal SMS security doesn’t mean you are adhering to all of the pertinent regulations.

How Are Business Text Messages Regulated?

Governmental bodies regulate A2P messaging, which includes the texts between you and your customers. Their goal is always to protect customers from unwanted communications or data disclosure. Adhering to these regulations helps you ensure they’re having a good experience.

Federal Communications Commission


The Federal Communications Commission (FCC) regulates all communications in the U.S., from phone calls to messages. They were the masterminds behind the TCPA, which was originally created to protect Americans from spam calls. (We’ll get into TCPA specifics next.)

Logo for the U.S. Department of Health and Human Services


The main goal of the U.S. Department of Health and Human Services (HHS) is to foster effective health services and help advance science that affects medicine and other aspects of patient care. The HHS regulates patient communications through regulations like HIPAA to protect patients’ privacy.

SMS Compliance Laws

There are two text compliance laws that affect nearly every company using business text messaging. These are the TCPA and HIPAA. 

man texting using sms marketing compliance

Telephone Consumer Protection Act (TCPA)

The FCC created the TCPA to protect consumers from unwanted phone calls. But it helps protect them from spam emails and texts, too. Ultimately, it dictates how and when you can connect with consumers. 

What is TCPA compliance?

TCPA compliance requires three main things. First, you need to outline what signing up for your SMS service entails, like how many messages customers can expect to receive per month. Next, you must ask customers to opt in, explicitly giving permission for you to text them. Finally, you must allow customers to opt out whenever they’d like. 

Examples of TCPA violations

The most common TCPA violation is texting customers who have opted out of your services. Texting customers who never opted in to your SMS services is also a violation. Even texting phone numbers that have been reissued can be a violation.

Nurse texting on a HIPAA compliant platform

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA doesn’t necessarily apply to all businesses. (Though that shouldn’t stop you from achieving HIPAA compliance if you function outside of the healthcare industry.) But if your business is healthcare-adjacent, you need to avoid texting electronic protected health information (ePHI) like test results, diagnoses, treatment plans, and more.

GDPR Compliance for Businesses with EU Customers

If you work within the EU or have customers in the EU, the General Data Protection Regulation (GDPR) applies to you. Its seven key principles aim to prevent data theft and protect user privacy. When it comes to texting, it asks that you implement SMS security measures to ensure that data is private and safe—and that your customers know what you’re doing with it.

Multiple EU flags outside building

Application-to-Person 10-Digit Long Codes (A2P 10DLC)

A2P 10DLC is an emerging regulation for businesses who use the familiar 10-digit phone numbers with local area codes. With A2P 10DLC, telecom carriers aim to create better message deliverability, improve the customer experience, and reduce spam. Companies that use 10DLC numbers must register their businesses to access these new capabilities. However, the timeline and details for 10DLC compliance are still in flux. See this article for the most up-to-date information on A2P 10DLC requirements.

Woman texting using a 10 digit phone number, also known as a 10DLC

What Is SOC 2 Compliance?

Service Organization Control 2 (SOC 2) is a new guideline from the American Institute of Certified Public Accountants (AICPA). Achieving SMS compliance with SOC 2 is pretty involved. You have to ensure that your customer data processes and workflows are well-documented and secure. Then, they must be evaluated by a third-party provider.

Business person's hands checking off a checklist while texting on phone

SOC 2 compliance checklist

As we mentioned, SOC 2 compliance takes a lot of box-checking. We’ve made it easier with this quick checklist:

⃞ Ensure your systems and stored data are secure against unauthorized access or disclosure

⃞ Ensure your information and systems are readily available for use

⃞ Ensure your business’s confidential information is protected

⃞ Ensure your data processing workflow is complete, valid, accurate, timely, and authorized

⃞ Ensure personal information is collected, used, retained, disclosed, and disposed of as pre-stated policies request

Request an audit by a third-party organization

Close up of hands texting with SMS opt in

Opt In and Opt Out Regulations

The TCPA dictates opt in and opt out rules. It’s critical that you only text customers if they want you to. They also must be empowered to opt out of your services at any time they please.

How to stay compliant with proper opt ins

When you publicize your SMS services, let customers know what signing up means for them, and let them know how to do it. They should text in a keyword of your choice to opt in or click a box on a web form. To ensure they meant to sign up, you should send an opt-in confirmation that also provides clear opt-out instructions.

Customers must text in keywords to opt in. For example, you might ask customers to text a keyword START or YES or TEXT. Once they text in, you should send what we call an opt-in confirmation or a double opt-in text, just to make sure they meant to opt in. An opt-in confirmation might look like the following example:

Hi! You’ve opted into Shoe Superstore’s SMS services. Please reply with SUBSCRIBE to confirm. Text STOP to unsubscribe.

You should include opt-out instructions in every initial text you send customers. They should be able to text in a keyword of your choice to opt out. To ensure customers are opted out, use a secure SMS texting platform, which should automatically remove them from active SMS campaigns and add them to an unsubscribed list.

Customers must text in keywords to opt out. For example, you might let them know that they can text STOP or STOPALL to stop receiving texts. Send an opt-out confirmation to let them know you followed through. An opt-out confirmation might look like the following example:

You’ve opted out of our SMS services. You will not receive any additional texts. Have a great day!

Red pen checking boxes to show text message compliance

SMS Compliance Guide

You should connect with your legal guidance to make sure you’re truly compliant with the regulations relevant to your brand. But here’s our guide to SMS compliance for the TCPA, HIPAA, and more to get you started:

TCPA Compliance Tips

As we mentioned above, the TCPA protects consumers from receiving messages that they don’t want to receive. TCPA compliance focuses on ensuring customers actually want to receive your texts. You must:

⃞ Provide an accurate description of your business SMS program

⃞ Ensure customers opt in before texting them

⃞ Allow customers to opt out at any time with simple keyword

HIPAA protects sensitive patient data, so HIPAA compliance is all about protecting your customers’ personal data. It spans not only how you send customers messages, but how you store and protect their ePHI:

⃞ Choose a secure SMS platform that encrypts texts in storage and in transit

⃞ Never text about sensitive data, including test results or prescriptions

⃞ Only text administrative information, like appointment reminders

⃞ Ensure employees handling ePHI data attend security awareness training

⃞ Approve any devices you use to access ePHI data—both company and personal devices; devices also may be audited

⃞ Overwrite or destroy devices containing ePHI data before recycling them

Application-to-person 10DLC capabilities allow businesses to send higher volumes of texts through the familiar 10-digit numbers people use every day. Companies that use them must comply with carriers’ registration requirements. To register for 10DLC, most companies that use texting will have to provide:

Company name

Name and contact information for your main company contact

Businesses that send higher message volumes will have additional requirements to register.

Important note: New information about 10DLC requirements and deadlines continues to emerge. Find the most recent updates on 10DLC here.

Carrier Compliance

Some carriers also have their own compliance requirements. There’s a chance you might not be able to discuss certain topics—even if they’re relevant to customer service. For example, you may not be able to discuss drugs that are federally illegal or student loans. Be sure to check your carrier’s requirements and avoid their prohibited topics. 

Cellphone with prohibited sign over it

SMS Compliance Best Practices

While you’re striving for text message compliance, there are a few things you should do to ensure you’re being thorough. These best practices can also help you achieve compliance more easily. You should:
  • 1 Consult an attorney who is familiar with SMS regulations, since they’ll know the ins and outs of SMS compliance.
  • 2 Stay on the safe side, taking additional measures when you aren’t sure where the line of compliance lies.
  • 3 Keep the customer experience top-of-mind, ensuring that you’re implementing new measures in a way that’s beneficial to them and easy for them to understand.

Ensure Secure and Compliant Texting with Business SMS

Keep your texts encrypted in storage and in transit with Heymarket's SOC 2 Type 2, TCPA, and HIPAA compliant platform.