SMS Marketing Compliance in 2026: TCPA, GDPR & Global Opt-In Rules

What laws govern SMS marketing?

Every marketing text you send is regulated by the recipient's jurisdiction, not yours. The four regimes that cover most global traffic:

RegionLawConsent standardPenalty exposure
United StatesTCPA (+ CTIA carrier rules, state mini-TCPAs)Prior express written consent$500–$1,500 per message, uncapped
European UnionGDPR + ePrivacy DirectiveExplicit opt-in, easy withdrawalUp to €20M or 4% of global revenue
United KingdomUK GDPR + PECRExplicit opt-in (soft opt-in for existing customers)Up to £17.5M or 4% of revenue
CanadaCASLExpress or limited implied consentUp to CAD $10M per violation

TCPA litigation rose sharply again into 2026—filings are up roughly 27% year over year—and because damages are per message with no cap, a single non-compliant campaign to 50,000 numbers is a $25M–$75M theoretical exposure. Compliance isn't a legal nicety; it's survival math.

What changed in TCPA rules for 2026?

Three changes matter most for anyone texting U.S. numbers:

  1. Revocation by "any reasonable method" (effective April 2025). You must honor opt-outs expressed any way a reasonable person would—"stop", "quit", "cancel", "unsubscribe", "please don't text me", replies in other languages, email, phone calls, web forms. Keyword-only parsers are non-compliant.
  2. 10-business-day processing window. Opt-outs must be fully honored within 10 business days, down from 30. Best practice remains immediate automated suppression.
  3. One confirmation message allowed. After an opt-out you may send a single confirmation—promptly, and containing no marketing. Using it to ask "are you sure?" with an offer attached is a violation.

Note the one-to-one consent rule you may have read about in 2024 was struck down—the Eleventh Circuit vacated it in January 2025—so the pre-2023 definition of prior express written consent applies. But carriers and The Campaign Registry enforce their own rules on top of the law; registration is covered in our A2P 10DLC guide.

What counts as valid opt-in consent?

For U.S. marketing texts, prior express written consent requires a signature (electronic counts—checkbox, form submit, or keyword text-in), clear disclosure of what they're agreeing to, message frequency, "message and data rates may apply," and that consent isn't a condition of purchase. For the EU under GDPR, consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as it was to give.

A compliant sign-up disclosure looks like:

☐ I agree to receive recurring marketing texts from Acme at the number
provided. Consent is not a condition of purchase. Msg frequency varies.
Msg & data rates may apply. Reply STOP to cancel, HELP for help.
Privacy policy: acme.com/privacy

Keep the consent record: timestamp, source (URL or keyword), IP, the exact disclosure shown, and the number. In a TCPA suit, the record is your entire defense.

The compliance checklist for every campaign

  1. Consent verified for every number on the list—purchased lists are radioactive in every jurisdiction.
  2. Sender identity in every message (brand name at the start).
  3. Opt-out instructions included ("Reply STOP to cancel")—and your system honors any reasonable revocation, not just STOP.
  4. Suppression list synced across all campaigns, brands, and sending platforms within 10 business days (ideally instantly).
  5. Quiet hours enforced by recipient timezone: 8am–9pm local under federal TCPA; stricter in some states (Florida 8am–8pm, Washington similar) and countries (France bans marketing SMS on Sundays/holidays).
  6. Content rules respected: regulated verticals (crypto, gambling, lending, cannabis/CBD) face additional carrier content policies—compliance with the law doesn't stop carriers filtering you, as covered in how to prevent SMS blocking.
  7. Records retained: consent logs, message logs, opt-out logs, kept for at least 4–5 years (the TCPA statute of limitations is 4).

How does compliance differ for high-risk verticals?

Crypto, trading, and iGaming senders face a double gate: the law and carrier acceptance policies. A message can be fully TCPA-compliant and still filtered because the carrier's content policy flags the vertical. That's an infrastructure problem, not a legal one—it's solved with providers whose routes accept the vertical, honest delivery reporting, and sender identities warmed for that traffic profile. Our high-risk SMS gateway guide and crypto SMS launch playbook go deep on this; the short version is: compliance keeps you out of court, infrastructure keeps you delivering, and you need both.

FAQ: SMS marketing compliance

What is required for TCPA-compliant SMS marketing in 2026?

Prior express written consent, clear sign-up disclosure, opt-outs honored by any reasonable method within 10 business days, quiet hours (8am–9pm recipient local time), and retained consent records. Damages run $500–$1,500 per message.

Can customers opt out with words other than STOP?

Yes—since April 2025 you must honor any reasonable revocation: "quit", "cancel", "unsubscribe", informal language, email, phone, or web form.

How fast must an SMS opt-out be honored?

Within 10 business days in the U.S.; one prompt, marketing-free confirmation message is permitted. Instant automated suppression is best practice.

What does GDPR require for marketing SMS?

Explicit, documented opt-in consent with withdrawal as easy as sign-up, a working opt-out in every message, and retrievable consent records. Fines reach 4% of global revenue.

What are SMS quiet hours?

Windows outside which marketing texts are prohibited—8am–9pm recipient local time federally in the U.S., stricter in some states, and country-specific rules abroad (e.g., France's Sunday/holiday ban). Always schedule by the recipient's timezone.

Conclusion: build compliance into the pipeline, not the campaign

Compliance fails when it lives in a checklist someone reads before hitting send. It works when it's infrastructure: consent captured and logged at entry, suppression applied automatically across every brand and platform, quiet hours enforced by the scheduler, and revocation parsed from natural language rather than a keyword whitelist. Set that up once and every campaign inherits it. Pair it with routing that actually delivers—compliant messages that die in carrier filters are still wasted spend—and you have the two halves of sustainable SMS marketing. For the delivery half, start with our deliverability monitoring playbook.

Dach SMS Lab

Dach SMS Lab