Why This Actually Matters
For most local service business owners, compliance feels like paperwork until it isn't. Then it's a $50,000 class-action settlement that gutted the business. TCPA in particular has a private right of action — meaning any recipient of a non-compliant SMS can sue you personally, without involving the FCC. There's an entire plaintiffs' bar specializing in TCPA class actions.
The good news: compliance is not difficult. The rules are clear, the workflow is standard, and most violations come from cutting corners or ignorance rather than malice. A correctly set up SMS/email system handles 95% of the requirements automatically.
This guide walks through what you actually need to know. Not the legal-textbook version — the practical one.
TCPA — The SMS Rules
The Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227) is the federal law governing automated calls and text messages. For service businesses sending SMS, three things matter:
The two types of consent
Prior Express Consent (PEC) — the lower bar. The customer gave you their phone number in a context where it's reasonable to expect contact about the service. Examples:
- Customer fills out a "request a quote" form and provides their phone
- Customer books a job and provides their phone for scheduling
- Customer completes service and gets a review request tied to that job
This level of consent covers transactional messages: appointment confirmations, "we're on the way" updates, review requests after a completed job.
Prior Express Written Consent (PEWC) — the higher bar. Required for marketing messages — anything promoting a product or service. The consent must be:
- In writing (which includes electronic signatures, checked boxes online)
- Clear and conspicuous — not buried in a privacy policy
- Specific to the business sending the messages
- Accompanied by a disclosure of the type and frequency of messages
- Accompanied by a statement that consent is not a condition of purchase
Example PEWC checkbox language:
"By checking this box, I agree to receive marketing text messages from [Your Business] at the number provided. Frequency varies. Consent is not a condition of any purchase. Message and data rates may apply. Reply STOP to cancel."
The checkbox must be opt-in, not pre-checked. Bury this and a plaintiff's lawyer will find it.
Which messages need which consent?
| Message Type | Consent Required |
|---|---|
| Appointment confirmation / reminder | PEC (lower bar) |
| "Tech on the way" notification | PEC |
| Review request tied to completed job | PEC |
| Cross-sell promotion (HVAC tune-up → duct cleaning) | PEWC (higher bar) |
| Referral campaign asking customer to forward an offer | PEWC |
| Win-back campaign to lapsed customer | PEWC |
| Promotional drip to customer list | PEWC |
Opt-out — STOP and beyond
Recipients must be able to opt out at any time by reasonable means. The standard:
- Reply STOP (also QUIT, END, CANCEL, UNSUBSCRIBE, REVOKE)
- One confirmation message acknowledging the opt-out (within 5 minutes, no promotional content)
- No further marketing messages to that number, ever, unless they affirmatively opt back in
- Opt-out applies to the business as a whole, not just the specific campaign
You must process opt-outs immediately for SMS. Sending one more message after a STOP is a per-violation TCPA hit.
10DLC — The Carrier Layer
Since 2022, all business SMS in the US must use registered "10-Digit Long Code" (10DLC) numbers, registered through The Campaign Registry (TCR). The process:
- Register your brand with TCR (EIN-based, costs $4 + ongoing fees)
- Register each campaign describing the messages you'll send (one-time vendor fees)
- Provide sample messages and opt-in flow for review
- Get assigned throughput based on your verified brand quality
Without 10DLC registration, carriers will throttle (delivery rate drops) or block your messages entirely. Unregistered 10DLC sending has been effectively banned by US carriers since 2023.
If you're using a third-party SMS provider or a managed platform like Trailfire, they typically handle the 10DLC registration on your behalf. Confirm before sending.
Quiet Hours by State
TCPA federal rule: no calls/SMS before 8 AM or after 9 PM local time. Local = the recipient's location, not yours.
Several states impose stricter rules:
- Florida — 8 AM to 8 PM, no more than 3 commercial messages per day per recipient (FL Stat. § 501.059)
- Texas — limited stricter rules around Sunday and holiday messaging
- Oklahoma — slight Sunday restrictions
- Most other states — track federal default
The practical safe-harbor approach: send marketing SMS only 9 AM to 8 PM in the recipient's local timezone. This satisfies federal TCPA, Florida, Texas, and basically every state rule that exists. Trailfire uses this as the default.
National Do Not Call Registry
If you make outbound marketing calls (live agents or autodialers), you must scrub your call list against the FTC's National Do Not Call Registry at least every 31 days. Calling someone on the DNC list carries a $50,000+ per-violation penalty.
SMS isn't currently subject to DNC the same way calls are, but the FCC has signaled it may extend coverage. Conservative best practice: scrub SMS lists against DNC anyway.
Recordkeeping — Your Legal Shield
The single most important compliance practice: document everything. If a TCPA lawsuit shows up, your defense rests entirely on what you can prove. You need:
- Source of every phone number — when it was collected, on what form, with what disclosure language
- Timestamp of every consent — exact date/time the customer clicked the checkbox or signed the form
- Exact consent language — what the customer saw when they consented (capture screenshot or HTML)
- IP address at time of consent (where applicable)
- Opt-out events — timestamp, message that triggered it, confirmation that further marketing stopped
- Send logs — every message sent, with recipient, timestamp, content, and delivery status
Retain records for at least 5 years. Some plaintiffs' lawyers go after older messages, so retaining records longer than that does no harm.
CAN-SPAM — The Email Rules
The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM, 15 U.S.C. § 7701) is the federal email rule. It applies to all "commercial electronic mail messages" — meaning email whose primary purpose is to promote a product or service.
The seven rules
- Accurate "From" header. Sender identification must clearly identify your business.
- Non-deceptive subject line. Subject must accurately reflect message content.
- Identify the message as an ad (if it is). Doesn't need to be in the subject — a clear disclosure anywhere in the body suffices.
- Include your physical postal address in every email. PO Box is acceptable.
- Provide a clear opt-out mechanism. Usually a link. Must work for at least 30 days after the email was sent.
- Honor opt-outs within 10 business days. Faster is better; many systems do it immediately.
- Monitor what others do on your behalf. If a vendor sends emails for you, you're still liable.
Opt-in vs opt-out
Unlike TCPA, CAN-SPAM allows opt-out rather than opt-in for email marketing. You can email someone who hasn't expressly subscribed, provided:
- You stop immediately upon their opt-out request
- You're sending to a business contact (B2B), not a residential consumer in their personal capacity
- You're not violating any state-specific stricter rule (e.g., California's CCPA opt-out preferences)
That said: best practice is still opt-in. Engagement rates are dramatically higher and you avoid spam-trap and reputation issues.
State-Specific Rules That Matter
California (CCPA / CPRA)
If you market to California residents:
- Honor Global Privacy Control (GPC) signals
- Provide a "Do Not Sell or Share My Personal Information" link on your site
- Honor consumer requests to delete, access, or correct their data within 45 days
- Update your privacy policy to disclose data sharing
Florida
Florida Mini-TCPA (FL Stat. § 501.059) is stricter than federal:
- 8 AM to 8 PM only (1 hour tighter than federal)
- 3 commercial messages per day max per recipient
- Sunday/holiday restrictions
- Private right of action with $500-$1,500 per violation
Texas
Texas Telemarketing Disclosure and Privacy Act adds:
- Registration requirement for some sellers
- Sunday calling restrictions
- State-level DNC list
Colorado, Connecticut, Virginia
All have enacted CCPA-style privacy laws that give consumers rights to access, delete, and opt out of "sale or sharing", and that require updated privacy policies and consent banners.
Penalties
The numbers that should make you take this seriously:
- TCPA: $500 per violation (negligent), $1,500 per violation (willful). Per violation = per message.
- TCPA class actions: Routinely settle for $1M-$10M+ for moderate-sized businesses. A few cases have exceeded $200M.
- CAN-SPAM: Up to $50,000+ per email in serious cases. FTC enforcement is real.
- Florida Mini-TCPA: $500-$1,500 per message. Florida is a hotbed for these lawsuits.
- State privacy law: $2,500-$7,500 per intentional violation (CCPA); higher for violations involving minors
A single TCPA class-action settlement can easily exceed the annual revenue of a mid-size local service business. The plaintiffs' bar specializes in this; it's not theoretical.
Practical Compliance Setup
If you're starting from scratch, here's the minimum viable compliance stack:
Step 1: Capture compliant consent
Add a checkbox to every form that collects a phone number, with the PEWC language from above. Capture the timestamp + IP + exact language shown.
Step 2: Get 10DLC registered
Through your SMS provider or platform. Without this, you cannot reliably send business SMS in the US.
Step 3: Build the opt-out flow
STOP keyword handling, confirmation message, suppression list write, no future marketing to that number.
Step 4: Quiet-hour enforcement
9 AM to 8 PM in the recipient's local timezone for all marketing SMS.
Step 5: Frequency caps
No more than 1 SMS per day, 3 per week, 8 per month per recipient. Apply Florida's stricter limits on top of that for FL recipients.
Step 6: Documentation
Logs of every consent, every send, every opt-out. 5-year retention minimum.
Step 7: Email compliance
Physical address in footer of every email, unsubscribe link, sender identification, honor opt-outs immediately.
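A sketch of how Steps 1 and 3 through 6 combine into one gate in front of the SMS sender, as an added example that is not code from Trailfire or any provider. The class, method names and verdict strings are hypothetical. It assumes rolling 24-hour, 7-day and 30-day cap windows, applies quiet hours and caps to marketing messages only, and leaves out the Florida-specific limits.

```python
from datetime import time, timedelta, timezone

STOP_WORDS = {"STOP", "QUIT", "END", "CANCEL", "UNSUBSCRIBE", "REVOKE"}
SEND_FROM, SEND_UNTIL = time(9, 0), time(20, 0)  # 9 AM to 8 PM, recipient-local
# Assumption: rolling windows, with "month" taken as 30 days.
CAPS = [(timedelta(days=1), 1), (timedelta(days=7), 3), (timedelta(days=30), 8)]
# Constructed sample zone (fixed UTC-5); production would pass the recipient's
# IANA zone, e.g. zoneinfo.ZoneInfo("America/New_York"), so DST is handled.
SAMPLE_TZ = timezone(timedelta(hours=-5))


class SendGate:
    """Hypothetical in-memory gate; a real system persists all three stores."""

    def __init__(self):
        self.suppressed = {}  # phone -> UTC time of the opt-out
        self.sends = {}       # phone -> UTC times of marketing sends
        self.audit = []       # append-only record of every decision

    def handle_inbound(self, phone, body, now_utc):
        """Write the suppression entry if the reply is an opt-out keyword."""
        if body.strip().upper() not in STOP_WORDS:
            return False
        self.suppressed.setdefault(phone, now_utc)
        self.audit.append((now_utc, phone, "opt_out", body))
        return True

    def check(self, phone, consent, marketing, tz, now_utc):
        """Return "ok" or the reason the message must not go out."""
        if phone in self.suppressed:  # assumption: STOP blocks every message type
            return "opted_out"
        if consent not in ("PEC", "PEWC"):
            return "no_consent"
        if not marketing:
            return "ok"
        if consent != "PEWC":
            return "needs_pewc"
        local = now_utc.astimezone(tz).time()
        if not (SEND_FROM <= local < SEND_UNTIL):
            return "quiet_hours"
        history = self.sends.get(phone, [])
        for window, limit in CAPS:
            if sum(now_utc - sent < window for sent in history) >= limit:
                return "frequency_cap"
        return "ok"

    def send(self, phone, consent, marketing, tz, now_utc):
        """Gate one outbound message and log the decision either way."""
        verdict = self.check(phone, consent, marketing, tz, now_utc)
        self.audit.append((now_utc, phone, verdict, marketing))
        if verdict == "ok" and marketing:
            self.sends.setdefault(phone, []).append(now_utc)
        return verdict
```

Blocked attempts are logged alongside successful sends, so the audit trail shows that marketing stopped after an opt-out rather than merely lacking entries.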
Common Mistakes
- Buying or scraping phone lists. You don't have consent. TCPA exposure on every message sent.
- "You agreed to messages in our terms." Buried consent isn't valid. Must be clear, conspicuous, and specific to messaging.
- Marketing to customers who explicitly opted out. Honor immediately and forever.
- Same-message multi-channel. Sending the same promo via SMS and email doesn't count as different campaigns for consent purposes.
- Sending too many. Even consented recipients have rate-limit expectations. Over-messaging gets you marked as spam.
- Ignoring state rules. Florida and California are particularly aggressive. Don't assume federal is enough.
- Not documenting consent. If you can't prove they opted in, you didn't. Plaintiff wins.
Next Steps
- Audit your current consent capture — is your checkbox PEWC-compliant?
- Confirm your SMS provider has registered you under 10DLC (or do it yourself if you're sending directly through a carrier gateway)
- Implement 9 AM-8 PM local quiet hours if you haven't
- Set up systematic opt-out logging and suppression-list management
- Add your physical address and unsubscribe link to every email template
- Document everything for 5+ years
- Talk to a lawyer if you're sending at scale (10K+ messages/month) — the legal review is cheap insurance
Compliance feels like overhead until you need it. Most platforms (including Trailfire) handle 80%+ of the requirements automatically — 10DLC, quiet hours, opt-out logging, frequency caps. Your job is to make sure the front door (consent capture) is right and the side door (recordkeeping) is locked.