TCPA Compliance for SMS Lead Reactivation: What Every Business Owner Must Know in 2026
TCPA Compliance for SMS Lead Reactivation: What Every Business Owner Must Know in 2026
SMS lead reactivation is legal. Done right, with properly consented leads and registered messaging infrastructure, it is one of the most compliant outreach channels available to a business. The problem is that "done right" has specific requirements, the rules have changed significantly in the past 18 months, and most businesses running reactivation campaigns have no idea.
A single non-compliant text message can cost between $500 and
The good news: compliance is not complicated if you understand the basics. This guide covers everything you need to know before running a reactivation campaign on your CRM.
TL;DR
- SMS reactivation is legal when leads have given prior express written consent specific to your business
- TCPA violations cost $500-
,500 per message; FCC carrier enforcement can reach 0,000 per violation
- Since February 2025, unregistered 10DLC traffic is blocked entirely by all major carriers
- Since April 2025, opt-outs must be honored through any reasonable method, not just "STOP" replies
- Consent must be in writing, documented, and tied to your specific business, not shared across brands
- AudienceIntent verifies lead compliance and handles all registration and opt-out processing before a campaign launches
What Is TCPA and Why Does It Apply to Your CRM?
The Telephone Consumer Protection Act is a federal law passed in 1991 and enforced by the FCC. It governs any business that uses automated systems to contact consumers by phone or text. If your messages go out through a CRM, a messaging platform, or any software that sends texts automatically rather than you typing each one on a personal phone, the TCPA applies to you.
The FCC extended the law to cover SMS and MMS, treating them the same as calls. That means the same consent requirements that apply to robocalls also apply to automated text campaigns, including SMS lead reactivation campaigns reaching old CRM contacts.
What "Prior Express Written Consent" Actually Means
For marketing and promotional messages, the TCPA requires prior express written consent (PEWC). This is the higher standard, and it has six specific requirements:
- The consumer must take an affirmative action to opt in. A pre-checked box does not count.
- The consent must be in writing, which includes web forms, digital checkboxes, and text keyword opt-ins.
- The disclosure must identify your business by name as the sender.
- It must state what types of messages the consumer will receive.
- It must include a notice that message and data rates may apply.
- Consent cannot be a condition of purchase. The opt-in must be separate and optional.
The FCC also requires that consent be documented, meaning you need a record of when, where, and how each person opted in. If you can't produce that documentation, you can't prove consent, and in a lawsuit, the burden of proof is on you.
The statute of limitations for TCPA claims is four years. Best practice is to retain consent records for at least five years.
The 3 Rule Changes That Matter Most in 2025-2026
The compliance landscape shifted significantly in the past 18 months. Three changes in particular affect every business running or considering an SMS reactivation campaign.
1\. A2P 10DLC Enforcement (February 2025)
Starting February 1, 2025, AT&T, Verizon, and T-Mobile moved from throttling unregistered 10DLC traffic to blocking it entirely. This is not a gray area. Unregistered messages simply do not arrive. Beyond the deliverability problem, carriers can levy fines of up to
What this means for reactivation campaigns: If your SMS provider hasn't registered your brand and campaign with The Campaign Registry (TCR), your messages are going nowhere. Every carrier in the U.S. enforces this now.
2\. Consent Revocation Expansion (April 2025)
Effective April 11, 2025, the FCC strengthened how businesses must handle opt-out requests. Consumers now have the right to revoke consent through "any reasonable method," not just by replying "STOP." An opt-out communicated by email, voicemail, or even informal language in a reply must be honored.
Businesses are required to process revocation requests within 10 business days, though real-time processing is the practical standard. A one-time confirmation text is allowed after revocation if clarification is needed. Anything beyond that is a violation.
3\. Reinstated Consent Standards (August 2025)
In 2023, the FCC proposed a strict one-to-one consent rule requiring each business to obtain its own separate consent. That rule was vacated by the Eleventh Circuit in January 2025. In August 2025, the FCC reinstated its prior standard for prior express written consent, which still carries a critical requirement: consent must be in writing, include the consumer's signature (including digital), and contain clear disclosures identifying the sender.
The practical implication is unchanged. Consent obtained through a shared lead-gen form or purchased from a third party does not satisfy PEWC requirements if the disclosure language didn't specifically name your business as the sender. Shared lists and purchased leads remain high-risk.
Key takeaway: The rules have tightened on every front. Deliverability, opt-out handling, and consent documentation are all under active enforcement. Businesses that haven't reviewed their SMS infrastructure since 2023 are operating on outdated assumptions.
What Counts as a "TCPA Compliant Opt-In Lead"?
When AudienceIntent's pricing page states that TCPA Compliant Opt-In Leads are required, this is what it means in practice.
A compliant lead has three things: an affirmative opt-in, a consent record that names your business specifically, and documentation of when and how that consent was captured. Without all three, the lead is not safe to message in a marketing campaign.
Compliant vs. Non-Compliant: A Direct Comparison
| Criteria | Compliant Lead | Non-Compliant Lead |
|---|---|---|
| Opt-in method | Checked a box, submitted a form, or texted a keyword | Pre-checked box, verbal-only, or no opt-in recorded |
| Disclosure | Named your business as the sender | Generic "marketing partners" language or no disclosure |
| Documentation | Timestamp, source, and consent language on file | No record, or records older than 5 years |
| Source | Direct from your own lead-gen or customer intake | Purchased list, shared lead-gen form, or third-party broker |
| Opt-out status | No STOP or revocation on record | Prior opt-out not cleared |
The Purchased List Problem
Purchased leads are almost never TCPA compliant for marketing SMS. The business that sold you the list obtained consent for their communications, not yours. Unless the original opt-in form specifically named your business and the consumer agreed to receive messages from you, sending that contact a marketing text is a TCPA violation.
The same logic applies to shared lead-gen forms. If a consumer filled out a form on a comparison shopping site and that form's disclosure said "you may be contacted by our partners," that consent does not satisfy PEWC requirements for your business. The disclosure must name the sender.
What to do with old CRM data: For every number in your database, you need to answer three questions before messaging: When did this person opt in? How did they opt in? What did the disclosure language say? If you can't answer all three, that contact needs to be held until you can re-establish consent through a compliant channel.
The A2P 10DLC Registration Requirement: What It Is and Why It's Non-Negotiable
10DLC stands for 10-digit long code, which is the standard 10-digit phone number format used for business SMS. A2P stands for Application-to-Person, meaning messages sent from software to a consumer rather than person-to-person. If your reactivation campaign sends texts from a platform or CRM rather than someone's personal phone, it is A2P traffic and registration is mandatory.
Registration happens through The Campaign Registry (TCR), the industry body established to manage A2P messaging in the U.S. All major carriers, including AT&T, Verizon, and T-Mobile, use TCR to vet business senders before allowing their messages to reach consumers.
What the Registration Process Involves
Registration is a two-step process:
Step 1: Brand Registration Registers your business entity. You'll need your legal business name (matching IRS records exactly), your EIN, business type, website, and contact information. Approval typically takes 1-3 business days.
Step 2: Campaign Registration Registers each distinct messaging use case. For a reactivation campaign, this means submitting a description of what messages you'll send, sample messages, documentation of your opt-in process, and how you handle opt-outs and HELP requests. Approval takes 2-7 business days.
What Happens If You Skip It
Since February 2025, the answer is simple: your messages don't arrive. All three major carriers block 100% of unregistered A2P 10DLC traffic. There is no workaround. Attempting to rotate numbers to evade detection ("snowshoe messaging") is explicitly prohibited and triggers immediate blocking.
Beyond deliverability, non-compliance with carrier registration standards can result in fines of up to
One additional requirement: Carriers use AI to match your live messages against the sample messages you submitted during campaign registration. If your actual messages drift significantly from your registered samples, your traffic can be filtered even if your registration is current. This is especially relevant for AI-generated message content.
The 7 Compliance Mistakes That Get Businesses Fined
TCPA lawsuits don't usually target businesses that made an honest effort to comply. They target businesses that cut corners, assumed old rules still applied, or simply didn't think the law applied to them. These are the seven patterns that show up repeatedly in enforcement actions and class-action complaints.
1\. Using purchased or shared lead-gen lists This is the most common mistake and the hardest to fix after the fact. Consent obtained by a third party for their purposes does not transfer to your business. If the original opt-in form didn't name you as the sender, the lead is not compliant for your campaign. Period.
2\. Assuming old CRM data is automatically compliant A lead who opted in three years ago may have done so under disclosure language that no longer meets current standards, or through a process that didn't document consent properly. Age alone doesn't make a list non-compliant, but it does mean the documentation needs to be verified before messaging.
3\. No documented opt-out handling When a consumer opts out, that request must be processed immediately and the number suppressed from all future marketing sends. If your system batches opt-out processing or requires manual review, you're a compliance risk. Every message sent to a number after a valid opt-out is a separate violation.
4\. Sending outside quiet hours The TCPA restricts marketing texts to 8 a.m. to 9 p.m. in the recipient's local time zone, not yours. A business in Florida sending a campaign at 8 a.m. ET is texting California contacts at 5 a.m. That is a violation. Quiet hours must be enforced based on where each recipient is located.
5\. AI message content drifting from registered campaign samples If you're using AI to generate or personalize message content, carriers compare your live messages against the samples you submitted during campaign registration. Messages that diverge significantly from those samples can be filtered, even if your 10DLC registration is current. Audit AI output regularly against your registered samples.
6\. Ignoring state-specific rules Federal TCPA compliance is the floor, not the ceiling. Texas SB 140 (effective September 2025) expanded the definition of "telephone solicitation" to include texts and tied violations to the Texas DTPA, which allows treble damages. Virginia SB 1339 (effective January 2026) requires businesses to honor text opt-outs for 10 years. If your customers are in these states, you need to comply with state law as well.
7\. Not monitoring deliverability and opt-out rates Carriers use automated systems to flag senders with high opt-out rates or unusual traffic patterns. Elevated opt-out rates trigger automatic filtering that can suppress your entire campaign, even for compliant messages. Deliverability monitoring isn't optional; it's how you know your campaign is performing and your number reputation is intact.
How AudienceIntent Handles Compliance So You Don't Have To
This is the part most business owners actually want to know: what do you have to handle yourself, and what does a specialist take off your plate?
The short answer is that AudienceIntent manages the entire compliance infrastructure. The requirement for TCPA Compliant Opt-In Leads is not a bureaucratic checkbox. It's a pre-launch verification step. Before any database reactivation campaign goes live, the lead list is reviewed to confirm the contacts meet the consent standard. Lists that don't pass don't get messaged.
What's Built Into Every Campaign
| Compliance Requirement | How AudienceIntent Handles It |
|---|---|
| A2P 10DLC registration | Registered brand and campaign with TCR before launch |
| Consent verification | Lead list reviewed against TCPA compliance requirements |
| Opt-out processing | Real-time suppression; opt-outs honored immediately |
| Quiet hours enforcement | Sends scheduled to 8 a.m.-9 p.m. in each recipient's time zone |
| Message-to-sample alignment | AI output audited against registered campaign samples |
| Number reputation monitoring | Deliverability and opt-out rates tracked throughout campaign |
| State-specific requirements | Campaign parameters account for TX, VA, and other state rules |
Why DIY Is the Higher-Risk Option
Running your own SMS reactivation campaign without this infrastructure isn't just more work. It's a different risk profile entirely. A single missed opt-out, a message sent at 7:45 a.m. to a California number, or a list that includes purchased leads creates liability that starts at $500 per message and has no cap on total exposure.
The reason businesses hire a specialist for reactivation isn't because compliance is impossible to manage on your own. It's because the cost of getting it wrong, in fines, in litigation, and in carrier blacklisting, is far higher than the cost of doing it right with a team that has built the infrastructure already.
AudienceIntent's model is performance-based. We don't get paid unless your campaign generates revenue. That alignment means compliance isn't just a legal requirement on our end; it's how we protect the campaigns that pay us.
Your 2026 SMS Compliance Checklist
Before launching any SMS reactivation campaign, work through this checklist. Every item represents a real exposure point under current TCPA and carrier enforcement standards.
- Consent documentation verified. For every number on your list, you can confirm when, where, and how the person opted in, and what disclosure language they saw.
- Consent names your business specifically. The opt-in disclosure identified your company as the sender, not "marketing partners" or a third-party aggregator.
- No purchased or shared leads in the campaign. Every contact on the list opted in directly to receive communications from your business.
- Prior opt-outs suppressed. All numbers with a prior STOP reply or revocation request have been removed from the send list before the campaign launches.
- A2P 10DLC brand and campaign registered with TCR. Registration is approved and current. Approval status has been confirmed with your messaging provider.
- Registered campaign samples match your planned message content. If you're using AI to generate or personalize messages, the output has been reviewed against your registered samples.
- Sending hours enforced by recipient time zone. Your platform is configured to send only between 8 a.m. and 9 p.m. in each recipient's local time zone, not your business's time zone.
- Real-time opt-out processing in place. Your system suppresses opt-outs immediately upon receipt, not in a batch process.
- State-specific requirements accounted for. If your list includes contacts in Texas or Virginia, campaign parameters reflect the additional requirements of those states.
- Deliverability and opt-out rate monitoring active. You have a process to track these metrics and respond if rates spike.
- Consent records retained for at least five years. Documentation is stored in a format you can retrieve and produce if needed.
Note: This checklist covers the primary compliance requirements for SMS marketing campaigns as of mid-2026. It is not legal advice. If you have questions about your specific situation, consult a qualified attorney who specializes in TCPA compliance.
Frequently Asked Questions
Is SMS lead reactivation legal?
Yes. SMS lead reactivation is legal when conducted with leads who have given prior express written consent to receive marketing messages from your specific business, and when messages are sent through a registered A2P 10DLC number. The key requirements are documented consent, proper carrier registration, and compliant opt-out handling. Without these, any SMS marketing campaign creates TCPA exposure.
What is TCPA compliance for SMS?
TCPA compliance for SMS means meeting the consent, disclosure, opt-out, and timing requirements of the Telephone Consumer Protection Act before sending automated text messages to consumers. For marketing messages, this requires prior express written consent: an affirmative opt-in, a written disclosure naming your business, documentation of when and how consent was captured, and real-time opt-out processing. Violations carry statutory damages of $500 to
Do I need to register for A2P 10DLC?
Yes. Any business sending automated text messages through a 10-digit long code in the U.S. must register with The Campaign Registry (TCR). Since February 2025, AT&T, Verizon, and T-Mobile block 100% of unregistered A2P 10DLC traffic. Registration requires a two-step process: brand registration (your business entity) and campaign registration (your specific use case and message samples). Unregistered messages do not arrive.
What happens if I send SMS to non-compliant leads?
Sending marketing texts to leads who have not given prior express written consent to your business is a TCPA violation. Statutory damages are $500 per message for standard violations and
How do I know if my CRM leads are TCPA compliant?
For each number in your database, you need to answer three questions: When did this person opt in? How did they opt in? What disclosure language did they see at the time? If you can answer all three and the disclosure named your business specifically, the lead is likely compliant. If you can't answer all three, or if the leads were purchased or came from a shared lead-gen form, they should not be messaged until compliance is verified. AudienceIntent reviews your lead list as part of the pre-launch process for every reactivation campaign.
Now that you know the rules, the question shifts from "is this legal?" to "how much revenue is sitting in my compliant database?"
If you have a list of leads who opted in through your own intake process, your website, or your sales funnel, and those contacts haven't been followed up with in the past 12 to 36 months, that list is likely your highest-return marketing asset. The compliance infrastructure is already handled on our end. What we need from you is the list.
Use the lost revenue calculator to estimate what a reactivation campaign on your database could generate. It takes about 60 seconds and gives you a concrete number to work with before we talk.
If you want to understand the full process before committing to anything, the complete guide to SMS lead reactivation covers how campaigns are built, what results look like, and what questions to ask before handing over your CRM.
The revenue is already in there. The compliance is already handled. The only thing left is the decision to go get it.
Recover What's Yours. Own What's Next.
Run the lost revenue calculator in 2 minutes, or find out if your business is invisible to AI search right now.