TCPA Compliance Checklist & Guide | Business Messaging
- What is TCPA? What Does TCPA Stand for?
- TCPA Compliance Guide
- TCPA Compliance Checklist
- TCPA Consent Standards
- Text Messaging Consent Standards
- Three Types of Consent
- TCPA Consent Exceptions
- Calls-to-Action (CTAs)
- Opt-in and Opt-out Requirements
- TCPA Violations
- CTIA SHAFT Guidelines
- Maintaining a Do Not Contact List
TCPA Compliance Checklist and Guide: Everything Your Business Should Know
Text messages are a highly effective way to communicate with customers and market your business’s products and services. In fact, 67% of customers would rather text than talk with a person at your business.
What many businesses may not know is how regulation applies to text messaging. It’s important you know that text messages sent from your business are subject to the same regulations and restrictions as telemarketing calls. TCPA litigation has become hot stuff since 2015, so we’re providing businesses with the knowledge they need to stay TCPA compliant.
TCPA stands for the telephone consumer protection act. The TCPA is a set of laws and regulations enacted in 1991 to protect consumers’ privacy and reduce abusive telecommunications. The TCPA outlines various violations and offers a guide to businesses on how to contact consumers.
There are several important things you and your business need to know about TCPA compliance before sending text messages or making phone calls:
- Get Express Written Consent. There are three types of consent based on the three different types of conversations typically had with contacts and customers. To send automated marketing or promotional messages you need express written consent. If you don’t have proper express written consent, then you must put contact phone number in your DNC (Do Not Contact) list.
- Keep Messages Conversational. Message delivery and response rates go up when you have personalized, thoughtful conversations. Don’t get spammy and talk like a robot - carriers, regulators and your contacts will appreciate it.
- Use Texting Services that Support Local 10-Digit Long Codes (10DLC). Older five and six-digit shortcodes are a thing of the past and many carriers like AT&T aren’t supporting them. These numbers and send pathways aren’t always verified and they only support one-way mass texting.
- Support “STOP” For Opt-out. The first message you send to new contacts must be an opt-in message that clearly states how to opt-out of future communication.
- Maintain Records for Opt-in and Opt-out with a DNC (Do Not Contact) list. To protect yourself from liability you need to maintain up-to-date records of who has and hasn’t opted in to communication with your business.
- Conversational messages require implied consent.
- Information messages require express consent.
- Promotional messages require express written consent.
- Don’t purchase lists of phone numbers containing contacts who haven’t opted in.
- Don’t use spammy technology like shortcodes, artificial voices or recordings.
- When possible use a business messaging service that offers local 10DLC messaging.
- Don’t text or call a contact before 8am or after 9pm, local time.
- Don’t text or call anyone on the National DNC Registry.
- Maintain a “Do Not Contact” list for all of your business contacts.
- List your business name, message frequency and applicable messaging rates when contacts opt-in.
- Provide contacts with an “opt-out” like “STOP”.
- If calling, disconnect if no one answers after 15 seconds or 4 rings, whichever comes first.
- Don’t send messages pertaining to alcohol to non age-verified numbers.
- Don’t send message with anything that’s graphic, hateful, violent or confidential.
- Stay aware of updates to messaging regulations.
Disclaimer: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.
Bottomline: you need consent for your business to call and send text messages to customers. This isn’t negotiable. If you don’t get the right level of consent at the right time for the right kind of conversation, you could get into serious trouble with the law.
In short, unless a contact gives you prior express written consent, the TCPA and FCC rules ban both robocalls calls and robotexts with artificial or prerecoreded voice and/or messages from autodialers.
Consent varies based on the various types of conversations you have with your customers (Conversational, Informational, Promotional etc.) and on the nature of the conversation (Transactional or Promotional). Technology and automation also play an important factor. Getting the right kind of consent depends on the content of the message and who or what sends it first. Generally you need three things before you start texting your customers.
To Text Your Customers You Need 3 Things:
- General Customer Consent You need to obtain your customer’s consent to send them conversational, informational and transactional messages.
- Express Written Consent To send customers automated marketing and promotional messages you need their express written consent.
- Any-Time Opt-Out Your customers need to be able to revoke their consent, opt-out and stop receiving text messages from your business at any time they choose.
Conversational Text Messaging Consent:
Conversational text messaging is a one-on-one two-way conversation between you and your existing customers or known contacts with an existing business relationship.
If a customer texts your business first and you respond quickly with a single message, then it is likely conversational. As long as you respond with relevant information, then you don’t need verbal or written permission. This is called implied consent. It’s based on the already established relationship you have with your customer or contact.
Informational Text Messaging Consent:
Informational messaging takes place when a contact gives your business their phone number and asks to be contacted in the future.
Informational text messaging includes appointment reminders, welcome texts, and other alerts and notifications. These messages are all in this category because the message content fulfills your contacts’ original request.
For informational text messaging, your customer does need to agree to receive texts specifically for informational purposes. This is called express permission. Contacts may grant you this permission via text opt-in, on a form, on a website, verbally or with written permission.
Express consent may also be orally recorded for all non-commercial, informational texts from tax-exempt nonprofits, political campaigns, and other non-commercial entities.
Promotional Text Messaging Consent:
Promotional text messages are messages that directly promote, market and sell your business, product or service. Before your business sends any promotional text messages, you need express written consent.
Contacts may sign a form, check a box online, etc. to receive promotional text messages. The important part is that you have this consent in writing. If you already ask customers to sign forms or submit their contact information, then consider adding a field to account for this level of consent.
|Consent||First Message Sender||Conversation Type||Text Message Content|
|Conversational Text Messaging||Implied Consent||Contact or Customer||Two-way Conversation||Responses to a specific, inbound customer request|
|Informational Text Messaging||Express Consent (Oral or Written)||Contact, Customer or Business||One-way Alert or Two-Way Conversation||Inbound and outbound messages containing relevant customer information|
|Promotional Text Messaging||Express Written Consent||Business||Automated, One-way Campaign with Promotional Offer||Out-bound messages that promote your business, product or service Prompts customer to buy something, go somewhere or take some sort of action|
|Political Text Messaging||Express Consent (Oral or Written)||Political Group||One-way Alert or Two-Way Conversation||Inbound Content Related Expressly to Political Action|
|Tax Exempt Nonprofit Text Messaging||Express Consent (Oral or Written)||Nonprofit or Group Acting on Their Behalf||One-way Alert or Two-Way Conversation||Inbound Content Expressly Related to Organization|
Note: This table gives examples of the types of text message conversations and required consent. This does not qualify as legal advice. It isn’t a substitute for legal advice from qualified professionals.
At SnapDesk we have rules for importing contacts. Consent doesn’t just apply to new contacts. It applies to all of your contacts - even the ones you import. Before you import a list, make sure you’ve got the right form of consent from every contact.
If it’s “reasonable to believe” that you have permission to text a contact then you have implied consent. Think of implied consent as getting more casual or inferred permission whereas express consent is getting formal permission.
If a contact reaches out to your business and texts you first, then it’s reasonable to assume you have permission to text the contact back, but only specifically regarding their message.
The same holds true for email. If a contact emails your business, and their signature includes their phone number, then you can reasonably assume they’ve given you permission to call them.
Meeting someone in person and getting their business card also gives you permission to contact them by the means listed on their card. Keep in mind that this doesn’t grant you permission to send them promotional messages regarding your product, good or service. However, if the contact asked specifically for that information, then you have express consent.
The TCPA doesn’t specifically define express consent. It simply states that express consent is a written or oral agreement that clearly indicates consent to receive texts or calls at a particular phone number. Informational text messages fall into this category.
If a contact knowingly provides your business with a phone number as part of the normal course of business, then you have implied express consent to message them. But this only holds if the content of the message you send the contact relates to the original reason they gave your business their number.
If a contact gave you their number and they expect to receive a confirmation of their appointment or receive pertinent information regarding their account, then your business has the right to contact them via implied express consent. If you have a prior established business relationships with a contact, then in most cases you also have prior express consent.
Express Written Consent:
This is written, recorded permission that a contact gives your business either on paper or electronically. Your business will need express written consent from a contact if you plan on contacting them regarding anything that’s promotional. If the intent of your message is to sell or market your goods, product or service, you need express written consent.
The thing to remember is that express written consent isn’t implied or assumed. You risk violating the TCPA until you’ve got written proof that they agree to receive texts for promotional purposes.
In this case, “written consent” doesn’t have to mean written by hand. You just need a record of it. Digital agreements work great for express written consent since the FCC expanded the definition to include web forms, written verbal agreements, or opt-in in via text message keyword.
Finally, don’t bury written consent in a long web form full written in legalese. The recipient should clearly understand the terms of opting-in.
Prior Established Business Relationships (EBR)
Texting or talking with an existing customer mean your business has a prior established business relationship. If a contact asked for information regarding your business within the past 3 months or they’ve made a purchase or transaction with your business in the past 18 months, you have an established business relationship with that contact. An established business relationship with a contact gives your business prior express consent to call or text with them.
Tax Exempt Nonprofits
Tax exempt Nonprofits are non-commercial. They don’t sell goods or services. As long as their communications with contacts remains non-commercial, they can operate under the assumption of express consent to call and text contacts.
Health care messages sent on behalf of someone covered under a healthcare plan as defined by the HIPAA Privacy Rules are exempt from normal TCPA consent standards.
Calls and text messages for emergency purposes are for obvious reasons exempt from normal TCPA consent standards.
A “Call-to-Action” or CTA is a link or button you include in your text message asking your customer to do something. This could be an opt-in or opt-out to a text message campaign, a link to a website or web property, a link to a calendar, a link to go pay their open invoices and more.
The purpose of a CTA is to tell your customer what’s going on and to direct them. Specifically, an opt-in CTA ensures that your customer agrees to receive a text message and that they understand the terms and conditions associated with your text message policy.
No matter what, every CTA you use in your text messages needs to be clear. It should indicate to the customer what will happen if they click through. Calls-to-Action and other text messages coming from your company shouldn’t contain deceptive language. Don’t obscure opt-in and opt-out details in your terms and conditions.
Text Message Call-to-Action (CTA) Best Practices:
- Explain what your product or service is. Contacts need to know what they’re signing up for. Are they getting information or promotional offers? Specify what you’re offering so there aren’t any surprises regarding consent.
- Show the telephone number(s) or short code(s) your messages come from If you use a 10-digit long code, this can inform your contact where you’re sending messages from.
- Identify the name of your business, organization or firm. Your contact should know exactly who or what is sending them a message.
- Clarify how to opt-in and out of communications. It should be clear to your contact that they can opt-out by texting a keyword like “STOP”.
- Note the frequency of messages they’ll receive. Including the approximate number of messages the customer should expect to receive is a best practice. It sets expectations and prevents against complaints.
- Be transparent about fees or charges that result from messaging your business. Despite the popularity of unlimited texting, some users may have to pay a small fee to receive text messages. Your business needs to inform them of these potential charges.
- List any other applicable terms and conditions like contact information and privacy policies.
Business text messaging apps like SnapDesk already support the opt-in mechanisms you need to stay compliant with the TCPA. Messaging platforms like SnapDesk only allow you to send promotional texts after your contacts have opted-in to receive them.
Having the right opt-in procedures limits liability by reducing the chance that a contact receives an unwanted message. It also helps prevent messages from being sent to a phone number that doesn’t belong to the contact who provided that phone number.
How Contacts Can Opt-in to Your Text Messages:
- Enter their telephone number and agree to the terms of service on your website.
- Respond or send a keyword as a message from their mobile device.
- Start a text message conversation with your business.
- Sign up at a point-of-sale (POS) or other text message sender at your business.
- Saying “yes” and opting-in via interactive voice response (IVR) technology.
You need to offer your contacts the choice to opt out of communications with your business at any time. This message should state how and what words will opt a contact out of communication. Most every business text messaging platform uses the word “STOP” to opt contacts out. The wording for all opt-out instructions needs to be unambiguous and support normal language and variances like, stop, end, unsubscribe, cancel, quit, “please opt me out”, etc.
Contact Opt-out Best Practices:
- Contacts should be able to opt-out of your messages at any time.
- Opt-out via phone call, email, or text should be available.
- A contact’s opt-out request should generate one final opt-out confirmation message per campaign and notify the contact that they’ve successfully opted-out.
- Don’t send any messages after the opt-out confirmation message.
Texting URLs and Shortlinks with a URL Shortener
Links are an inherent part of how business communicates with contacts and customers. They’re great for when you want to ask a customer for a review, collect an open invoice, schedule an appointment, or provide customer service. However, texting a whole bunch of short links to large groups of people may prompt some red flags at the carrier or message provider level.
Shortened URLs like http://bit.ly/2aBiTav are a strong indicator to text message providers that the link may be spammy. With long URLs like https://snapdesk.app, contacts know exactly where the link will take them. With shortened links, a contact may not know where it’s sending them.
We don’t recommend sending shortened URLs to large groups of people. However, using shortened URLs for individual messages, like invoice collection, is ok. Bitly and Google’s Firebase Dynamic Links are great tools for shortening URLs and creating shortlinks. All invoice reminder text messages sent from SnapDesk populate automatically as shortlinks.
Damages associated with TCPA violations range from $500 to $1,500 per violation. Since 2015, it’s not uncommon to see federal courts award tens of millions of dollars throup class action settlements for TCPA violations.
In short, sending any unwanted texts or phone calls using a dialing system to your contacts’ cell phone is a TCPA violation. If your business doesn't have the right level of consent to send the right kind of message, then you’re violating the TCPA. Below is a list of TCPA violations.
1. Sending Unsolicited Texts or Making Unsolicited Calls to Residential Phone Numbers
For your business to call residential numbers, you need an “established business relationship” (EBR). If you haven’t done business with the contact in the last 3-18 months, then you don’t have an established business relationship. This makes texting and calling via automated campaigns where that contact hasn’t opted-in a TCPA violation.
2. Not Gaining the Proper Consent
Based on the content of your message, you will need prior implied, express or express written consent before your business calls or texts a contact. If a contact has not opted in and consented to messaging you are in violation of the TCPA.
3. Not Allowing Contacts to Opt-out
If you have received consent to message a contact, you still need a means for them to opt-out of all future messaging from your company. Most business messaging providers already have “STOP” keywords in place.
4. Calling People Listed on the National Do Not Call Registry
It’s illegal for your business to text or call anyone who has opted-out of communications, especially those registering on the federal Do Not Call Registry.
Things Your Business Can’t Text – SHAFT
Business communications are a regulated channel. Obviously, various types of content come with additional restrictions. In an effort to keep the messaging experience positive for everyone across all networks the CTIA (an association of mobile carriers and industry advocates) have put forth guidelines regarding sex, hate, alcohol, firearms, and tobacco (SHAFT).
The alcohol and legal cannabis/marijuana industries are of particular concern with SHAFT. If your business provides either of these goods or services you still need to comply with SHAFT standards. In most cases this means having robust age-gates and normal opt-in and opt-out capabilities.
- Content regarding controlled substances and adult content must be age-gated.
- You can’t disperse content with depictions or endorsements of violence or hate.
- Don’t send messages containing profanity or hate speech.
- Endorsements of illegal drugs are forbidden.
Group Text Messaging
Depending on the type of business text messaging service your business uses, group messaging might be possible. If you can send group text messages using your provider, keep in mind the following recommendations:
- Make sure the service has strong anti-abuse controls and mechanisms in place to accommodate sending many messages - most do.
- Check that the service specifically gives group members the ability to opt-out of the group at any time.
- Finally, make sure the messaging service has features that prevent contacts from getting caught in recursive or cyclical group messages that involve more than one group. Opting a contact out of one group may not opt them out of the other and so on.
It’s important that your business knows who they can and can’t call and text. To keep the record straight, you need a DNC or “Do Not Contact” list. Many business text messaging apps have systems in place to help you keep track of this. Documenting and saving opt-in and opt-out records with your messaging permissions helps if you’re ever faced with a complaint.