TCPA and SMS for Small Businesses: What You Can and Can't Do

The Telephone Consumer Protection Act is a 1991 federal law that, in plain English, says: if you're going to send automated calls or texts to a U.S. consumer, you need their permission first, and you have to make it easy for them to stop.

The penalty for violating TCPA is $500 to $1,500 per message, with no cap on total damages (source). A single non-compliant campaign sent to 100,000 numbers can theoretically generate over $150 million in liability (source). That's not a typo. TCPA litigation is also actively increasing — class actions filed through mid-2025 were up nearly 95% year over year.

This is a real risk, not a theoretical one. Here's what small businesses need to know.

Disclaimer: This isn't legal advice. Consult a TCPA attorney before launching any SMS program.

The two consent levels

TCPA distinguishes between two kinds of consent depending on what kind of message you're sending:

Prior Express Consent — required for informational/transactional messages. Examples: appointment reminders, order confirmations, two-factor auth codes, account alerts. The bar is lower: if a customer voluntarily gave you their number for a reason, you generally have consent to send messages related to that reason.

Prior Express Written Consent (PEWC) — required for marketing/promotional messages. The bar is much higher: the customer has to affirmatively, explicitly, in writing (digital is fine), agree to receive marketing texts from you. The consent form has to clearly state:

• That they agree to receive automated marketing messages from your specific business
• The types of messages they'll receive
• That message/data rates may apply
• That they can revoke consent at any time
• That consent is not required to make a purchase

A pre-checked box doesn't count. Burying SMS consent inside a generic terms-of-service agreement doesn't count. Bundling SMS consent with email consent in a single checkbox doesn't count.

What you can do without explicit consent

If a customer:

• Books an appointment with you and gives you their phone number → you can send appointment reminders
• Buys a product and gives you their number → you can send order/shipping updates
• Calls your business and you missed the call → you can text back to follow up about that specific call

This is the territory most missed-call text-back services operate in, and it's reasonably safe. The customer initiated the contact; you're responding.

What you can't do

The most common compliance failures, in order of how much trouble they get businesses into:

1. Cold outreach to scraped numbers. Buying a list of mobile numbers and texting them is the fast lane to a TCPA suit. "B2B" framing does not exempt you — TCPA applies to texts sent to wireless numbers regardless of how you frame the recipient.
2. Treating one consent as covering many channels. A customer who consented to email marketing has not consented to SMS marketing. Each channel needs its own opt-in.
3. Treating transactional consent as marketing consent. A customer who gave you their number for appointment reminders did not consent to receive promotional offers about your new whitening treatment.
4. Missing or weak opt-in records. The TCPA statute of limitations is 4 years. If you can't produce records showing exactly when, where, and how the customer opted in, you have no defense.

STOP handling — the rules that actually matter

When a customer replies STOP (or QUIT, END, REVOKE, OPT OUT, CANCEL, UNSUBSCRIBE — these are all reasonable opt-outs and you must honor any of them):

1. Stop sending that customer messages immediately (in practice, within minutes; legally, within 10 business days)
2. You may send one confirmation message acknowledging the opt-out
3. The opt-out applies across your messaging — they STOP'd on one campaign, you cannot send them other campaigns
4. You cannot force a specific keyword (you can't require them to text "STOPALL" instead of "STOP")
5. If a customer asks via any other channel (email, phone, walk-in) to stop receiving texts, that also counts as a valid opt-out

The FCC has been increasingly strict on cross-channel opt-out enforcement. A customer who emails you "please stop texting me" is a valid opt-out request even if they didn't reply STOP to a text.

A2P 10DLC is separate and also required

Even if you have perfect TCPA consent, you need to register your business with The Campaign Registry for A2P 10DLC if you're sending any application-to-person SMS from a Twilio or similar number (source). Unregistered traffic gets filtered or blocked by carriers regardless of whether the recipient consented.

Low-Volume Standard registration costs about $4 for the brand + $15 per campaign + $1.50–$10/month and takes 10–15 days for campaign approval (source). Start the application before you write code, because the approval clock runs in parallel.

Practical compliance checklist

Before sending a single business SMS:

• A2P 10DLC brand registered
• A2P 10DLC campaign registered for the specific use case
• Opt-in form with clear PEWC language for marketing, or clear-purpose collection for transactional
• Opt-in records stored for at least 5 years with timestamps
• STOP handling automated — no manual review required
• Cross-channel opt-out registry that blocks all future sends across all campaigns
• Quiet hours enforced (8am–9pm in recipient's local time zone)
• Sending domain/sender ID clearly identifies your business in every message

What QotBot does about this

QotBot's missed-call text-back operates in the transactional space (customer called you first, you're responding). For broader SMS use cases, the platform includes A2P 10DLC support, automated STOP handling, opt-out registry, quiet-hours enforcement, and audit logs as standard. None of this replaces legal counsel for your specific situation.

Related: "HIPAA Compliant Software" Is Misleading — Here's What to Ask