Email & SMS | January 12, 2025

SMS Compliance for eCommerce: TCPA, CTIA, and Not Getting Sued

The real-world guide to SMS compliance for eCommerce brands. TCPA rules, CTIA guidelines, opt-in requirements, and how to send texts that make money without making lawyers.

Mark Cijo


Founder, GOSH Digital


Let me start with a number that should scare you: $1,500.

That's the statutory damages figure. Per text message. Per violation. Under the TCPA (Telephone Consumer Protection Act), if you send a promotional text to someone who didn't explicitly opt in, a court can award $500 per message, trebled to $1,500 if the violation was willful or knowing. Send that text to 10,000 people? That's $5 million to $15 million of exposure from a single campaign. You do the math. I'll wait.

Still want to wing your SMS compliance? Didn't think so.

Here's the thing though. SMS marketing is phenomenal for eCommerce. Open rates above 95%. Click-through rates that make email look like a fax machine. Revenue per recipient that crushes every other channel. We've seen SMS flows at GOSH Digital generate $2-4 per recipient sent. That's not a typo.

But you have to do it right. Not because you're a good person (though that helps), but because the fines will end your business faster than a bad product launch.

Let me walk you through everything you need to know.

The Three Laws You Need to Care About

There are three main regulatory frameworks that govern SMS marketing in the US. You need to comply with all three. Not one. Not two. All three. (If you text Canadian numbers, CASL applies on top of these; it is stricter and not covered here.)

1. TCPA (Telephone Consumer Protection Act)

This is the big one. Federal law. Been around since 1991 but it's been updated to specifically address text marketing. Here's what it requires:

Prior Express Written Consent. Before you send anyone a promotional text, they need to give you written consent. "Written" in 2025 includes digital: under the E-SIGN Act, checking a box on a form counts. But it has to be clear, unambiguous, and separate from your terms of service.

What counts as valid consent:

  • A standalone checkbox (not pre-checked) that says something like "I agree to receive promotional text messages from Brand Name at the number provided. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to unsubscribe." (The "not a condition of purchase" line is required by the FCC's written-consent rule, not optional.)
  • A keyword opt-in (customer texts "JOIN" to your short code)
  • A double opt-in via text (customer enters number, receives confirmation text, replies YES)

What does NOT count:

  • A buried sentence in your terms of service
  • Implied consent from a purchase
  • A pre-checked checkbox
  • Verbal agreement (hard to prove)
  • Consent given to a different brand (even your parent company)

2. CTIA Guidelines

The CTIA (Cellular Telecommunications Industry Association) isn't technically law. They're an industry group. But here's why you care: your SMS provider (Klaviyo, Postscript, Attentive, whoever) is required to follow CTIA guidelines. If you violate them, your provider will shut down your sending capability. No trial. No appeal. Just... off.

CTIA requirements include:

  • Clear disclosure at opt-in of message frequency, message and data rates, and how to opt out
  • Immediate confirmation message after opt-in that includes the brand name, opt-out instructions, and a help keyword
  • Honoring STOP requests the moment they arrive (not within 24 hours, not after the current batch finishes). A single opt-out confirmation message with no promotional content is allowed; nothing else goes to that number afterward.
  • Quiet hours: no texts before 8 AM or after 9 PM in the recipient's local time zone. Some states set tighter windows, so check the rules for the states your subscribers live in.
  • Message frequency caps that match what you disclosed at opt-in

3. CAN-SPAM (Yes, It Reaches SMS Too)

Most people think CAN-SPAM only covers email. Not quite. CAN-SPAM also reaches commercial messages sent to wireless devices (the FCC's "mobile service commercial message" rules, which cover messages sent to wireless domain addresses), so treat its requirements as part of your program. They overlap with the TCPA but add a few things:

  • Messages must be identified as commercial (your brand name)
  • Physical address must be available (usually via a link)
  • Opt-out mechanism must work for at least 30 days after you send the message

Building a Compliant Opt-In Flow

Now that you know the rules, let me show you how we build opt-in flows that are both compliant and convert like crazy.

The Pop-Up

Your website pop-up for SMS collection needs specific language. Here's what a pop-up that has been through compliance review and still converts at 3-5% includes:

The pop-up should include: your brand name, what they're signing up for (promotional text messages), approximate frequency (e.g., "up to 8 messages per month"), message and data rates disclosure, a link to your privacy policy, STOP and HELP instructions, and a clear submit button.

The phone number field should be separate from email. Don't bundle them into one consent form unless each channel has its own explicit opt-in checkbox.

The Welcome Text

Within 5 minutes of opt-in, send a confirmation text. This isn't optional — CTIA requires it. Make it count:

The message should confirm their subscription, remind them of the brand name, state the message frequency, tell them to reply STOP to unsubscribe and HELP for help, and ideally include the incentive you promised (discount code, free shipping, whatever).

The Keyword Opt-In

If you're collecting numbers in-store, at events, or through other channels, use a keyword opt-in flow. Customer texts a keyword (like "DEALS") to your short code. They receive an auto-reply asking them to confirm. They reply YES. Then they get the welcome message.

This creates a clear, documented chain of consent that holds up if anyone ever challenges it.

What Gets Brands in Trouble

I've seen brands get their SMS programs shut down or face legal action for these common mistakes:

Buying or Renting Lists

Never. Ever. Buy. A phone number list. I don't care if the list broker swears every number is opted-in. They're not opted into YOUR brand. TCPA consent is brand-specific. Buying a list and texting it is the fastest way to a class-action lawsuit.

The "We Got Their Number from a Purchase" Trap

A customer bought from you and entered their phone number for shipping updates. That's transactional consent: you may text them about that order, and nothing else. It does NOT give you permission to send promotional texts. You need separate, explicit consent for marketing messages.

Ignoring Time Zones

A single send time is never compliant for everyone. 10 PM Eastern is 7 PM Pacific, fine for your West Coast subscribers, but your Eastern subscribers are already past the 9 PM cutoff. If you schedule one campaign at one clock time because you forgot about time zones, you're violating quiet hours for someone. Quiet hours have to be evaluated per recipient, in that recipient's local time. Your SMS platform should handle this automatically, but verify it.

Not Honoring STOP

When someone texts STOP, they're out. Immediately. Not "after this campaign finishes." Not "after a 24-hour processing period." Right now. Your system may send one opt-out confirmation ("You are unsubscribed"), and that's it. If it sends even one more promotional message after a STOP request, you're in violation. Treat the common variants (STOP, END, CANCEL, UNSUBSCRIBE, QUIT) the same way, in any capitalization.

Frequency Creep

You told customers they'd get "up to 4 messages per month." Then Black Friday hits and you send 12. That's a compliance problem. If you need to increase frequency for a seasonal push, you need to notify subscribers and give them a chance to opt out of the increased volume.

Setting Up Compliant Flows in Your Platform

Whether you're using Klaviyo, Postscript, Attentive, or another platform, here's how to make sure your automated flows stay compliant.

Every Flow Needs an Entry Filter

Before any SMS flow sends, it should check: Is this person opted into SMS? Has this person been suppressed? Is it within quiet hours? Have we exceeded the frequency cap?

If any answer is no, the message doesn't send. Period.
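The keyword opt-in chain from the earlier section (JOIN, confirm with YES, welcome text, STOP at any time) and the four entry-filter questions from this one, as one added Python example. This is not code from the post's author or from Klaviyo, Postscript, Attentive or any other platform. The brand name, keywords, the 8-per-month cap, the fixed-offset time zones and the phone numbers are all assumptions; in production you would use `zoneinfo.ZoneInfo` so DST is handled and persist the consent ledger instead of holding it in memory.

```python
"""Consent ledger, inbound keyword handling and outbound send gate for a
promotional SMS program.  Added example, not code from the post's author or
from any SMS platform; brand, keywords, caps, zones and numbers are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo

BRAND = "ExampleBrand"            # assumed brand; consent is tracked per brand
QUIET_START, QUIET_END = 8, 21    # 8 AM to 9 PM in the recipient's local zone
MAX_PER_MONTH = 8                 # must equal the frequency disclosed at opt-in
STOP_WORDS = {"STOP", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
WELCOME = (f"{BRAND}: You're in! Up to {MAX_PER_MONTH} msgs/month. "
           "Msg&data rates may apply. Reply STOP to cancel, HELP for help.")

# Constructed fixed-offset zones (January, no DST). Use zoneinfo in production.
NEW_YORK = timezone(timedelta(hours=-5), "EST")
LOS_ANGELES = timezone(timedelta(hours=-8), "PST")


def utc(y: int, m: int, d: int, hh: int, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class Consent:
    """One audit record per number: what was agreed, how, when, for which brand."""
    status: str                   # "pending" (keyword step 1), "confirmed", "stopped"
    method: str                   # "web_form" or "keyword"
    brand: str
    consented_at: datetime        # UTC
    tz: tzinfo                    # subscriber's local zone
    stopped_at: datetime | None = None
    promo_sent: list[datetime] = field(default_factory=list)  # UTC send times


class SmsProgram:
    def __init__(self) -> None:
        self.ledger: dict[str, Consent] = {}
        self.outbox: list[tuple[str, str]] = []   # (number, text) handed to the gateway

    def _reply(self, number: str, text: str) -> None:
        self.outbox.append((number, text))

    # --- opt-in paths -------------------------------------------------------
    def web_optin(self, number: str, tz: tzinfo, box_checked: bool, now: datetime) -> bool:
        """Pop-up form: the SMS box is its own control and defaults to unchecked."""
        if not box_checked:
            return False                      # no affirmative act, no consent record
        self.ledger[number] = Consent("confirmed", "web_form", BRAND, now, tz)
        self._reply(number, WELCOME)          # CTIA confirmation message
        return True

    def inbound(self, number: str, body: str, tz: tzinfo, now: datetime) -> None:
        """Keyword handler: JOIN -> YES double opt-in, plus STOP and HELP."""
        word = body.strip().upper()
        rec = self.ledger.get(number)
        if word in STOP_WORDS:
            if rec is None:
                rec = self.ledger[number] = Consent("stopped", "keyword", BRAND, now, tz)
            rec.status, rec.stopped_at = "stopped", now   # recorded before any reply
            # One opt-out confirmation is allowed; it carries no promotional content.
            self._reply(number, f"{BRAND}: You are unsubscribed. No further messages.")
        elif word == "HELP":
            self._reply(number, f"{BRAND}: Msg&data rates may apply. Reply STOP to cancel.")
        elif word == "JOIN":
            self.ledger[number] = Consent("pending", "keyword", BRAND, now, tz)
            self._reply(number, f"{BRAND}: Reply YES to confirm promotional texts. "
                                "Msg&data rates may apply. Reply STOP to cancel.")
        elif word == "YES" and rec is not None and rec.status == "pending":
            rec.status, rec.consented_at = "confirmed", now
            self._reply(number, WELCOME)

    # --- outbound gate: every promotional flow runs through this -------------
    def can_send_promo(self, number: str, now: datetime) -> tuple[bool, str]:
        rec = self.ledger.get(number)
        if rec is None or rec.status != "confirmed" or rec.brand != BRAND:
            return False, "no confirmed consent for this brand"
        local = now.astimezone(rec.tz)
        if not QUIET_START <= local.hour < QUIET_END:
            return False, f"quiet hours ({local:%H:%M} {local.tzname()})"
        recent = [t for t in rec.promo_sent if t > now - timedelta(days=30)]
        if len(recent) >= MAX_PER_MONTH:
            return False, "frequency cap reached"
        return True, "ok"

    def send_promo(self, number: str, text: str, now: datetime) -> tuple[bool, str]:
        ok, reason = self.can_send_promo(number, now)
        if ok:
            self.ledger[number].promo_sent.append(now)
            self._reply(number, f"{BRAND}: {text} Reply STOP to opt out.")
        return ok, reason


if __name__ == "__main__":
    p = SmsProgram()
    noon_ny = utc(2025, 1, 12, 17)                         # 12:00 New York
    p.web_optin("+15550000001", NEW_YORK, True, noon_ny)
    print(p.send_promo("+15550000001", "20% off today.", noon_ny))   # (True, 'ok')
    late = utc(2025, 1, 13, 2, 30)                         # 21:30 New York, 18:30 LA
    print(p.send_promo("+15550000001", "Last chance.", late))        # quiet hours
    p.inbound("+15550000001", "stop", NEW_YORK, late)
    print(p.send_promo("+15550000001", "Come back!", noon_ny + timedelta(days=1)))
```

The gate returns a reason string rather than a bare boolean so the suppression decision can be logged next to the consent record; that log, plus the `method` and `consented_at` fields, is the documentation you will be asked for if a subscriber disputes a message.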

Transactional vs. Promotional

Transactional messages (order confirmation, shipping updates, delivery notifications) have different rules. You don't need marketing consent for transactional messages, only the number the customer gave you for that purpose, and the content has to stay on that purpose. But, and this is important, you can NOT include promotional content in a transactional message. No upsells. No discount codes. No "check out our new collection." The moment you add promotional content, the entire message becomes promotional and requires marketing consent.

The Double Opt-In Question

Should you use double opt-in for SMS? From a pure compliance standpoint, it's the gold standard. From a conversion standpoint, it reduces your list size by 15-25%. Our recommendation: use double opt-in if you're in a heavily regulated industry (health, finance, cannabis) or if you've had compliance issues before. For most eCommerce brands, a clear single opt-in with a confirmation message is sufficient and legally defensible.

SMS Compliance Checklist

Before you launch (or relaunch) your SMS program, go through this checklist:

Opt-In Flow:

  • Standalone consent language (not buried in terms)
  • Brand name clearly identified
  • Message frequency disclosed
  • "Msg and data rates may apply" included
  • "Consent is not a condition of purchase" stated
  • STOP and HELP instructions visible
  • Link to privacy policy
  • Checkbox is NOT pre-checked

Welcome Message:

  • Sent within 5 minutes of opt-in
  • Includes brand name
  • Confirms subscription
  • States frequency
  • Includes STOP and HELP instructions

Ongoing Compliance:

  • Quiet hours enforced (8 AM - 9 PM local time)
  • STOP requests honored immediately
  • Frequency matches disclosure
  • No purchased or rented lists
  • Transactional and promotional messages separated
  • Consent records stored and retrievable
  • Opt-out rate monitored (above 5% = problem)

Documentation:

  • Screenshots of all opt-in points
  • Records of consent for every subscriber
  • Date and method of consent stored
  • Opt-out logs maintained

What Happens If You Get It Wrong

Let me be blunt about the consequences:

TCPA lawsuits are one of the most common class-action categories in the US. Plaintiff attorneys actively look for brands sending non-compliant texts. They sign up for your SMS list, document the violation, and file suit. A single class-action TCPA case can settle for $5-50 million. Even a small claim can cost $50,000-500,000 in legal fees.

Carrier filtering means your messages don't get delivered. The major carriers (AT&T, Verizon, T-Mobile) all filter messages from non-compliant senders. If your messages start getting filtered, your delivery rate drops from 98% to 40% or lower. Rebuilding carrier trust takes months.

Platform suspension means your SMS provider shuts you down. They don't want the liability. Restarting with a new provider means re-registering your number, potentially losing your short code, and rebuilding sender reputation from scratch.

The Bottom Line

SMS compliance isn't optional, and it's not something you "figure out later." It's table stakes for running an SMS program that generates revenue long-term. The brands that take compliance seriously from day one are the ones that build SMS into a six and seven-figure channel. The ones that cut corners end up in courtrooms or with dead SMS programs.

We set up compliant SMS programs for eCommerce brands every week at GOSH Digital. If you're not sure your current setup passes the sniff test, or you're building from scratch and want to do it right the first time, book a call and let's take a look.

Get it right. Keep it right. Make money from it.


Written by Mark Cijo

Founder of GOSH Digital. Klaviyo Gold Partner. Helping eCommerce brands grow revenue through data-driven marketing.
