DoorDash, Carvana, and Bath Fitter—can you identify the common factor among these brands?

Recently, all of them were found violating the Telephone Consumer Protection Act (TCPA) by sending unsolicited telemarketing messages and texts without proper consumer consent. 

DoorDash sent over 566,000 unauthorized emails and 515,000 texts, resulting in a $2.01 million fine, while Carvana and Bath Fitter faced class action lawsuits for repeatedly contacting individuals on the National Do Not Call Registry and failing to provide clear opt-out mechanisms. 

Note that the TCPA allows for statutory damages ranging from $500 to $1,500 per violation. This can potentially expose non-compliant organizations to significant financial and legal repercussions. 

Besides, such escalations are often deeply damaging to the growth prospects of brands. 

Therefore, to avoid hefty fines and maintain a reputation, companies must prioritize SMS compliance. To help you get started, this blog post will walk you through everything you need about compliance guidelines and best practices.

Disclaimer:
This blog and the resources mentioned are for informational purposes only and do not constitute legal advice. Always consult a qualified legal expert.

Essential SMS marketing compliance guidelines 

In the US, rules around SMS compliance fall under the Federal Communications Commission (FCC), Federal Trade Commission (FTC), Cellular Telecommunications Industry Association (CTIA), state laws, etc. 

Some compliance guidelines are dynamically tailored to specific industry requirements and service provider protocols, with variations spanning financial services, healthcare, retail, and e-commerce sectors. These generally impose unique consent, privacy, and communication standards that extend beyond standard federal regulations.

Now, let’s quickly go over some laws and regulations you must be aware of:

TCPA (Telephone Consumer Protection Act)

The TCPA is a US federal law passed in 1991 to protect people from unwanted marketing calls, texts, and faxes. It applies to companies that use automated systems to send pre-recorded messages or SMS and lays down rules for businesses about how and when to contact consumers.

As noted before, companies that violate TCPA rules face a penalty of $500 to $1,500 for each non-compliant message. This number can quickly shoot up if violations happen frequently.

These penalties can quickly escalate, transforming a seemingly minor communication error into a multi-million-dollar legal challenge. For instance, ViSalus faced a staggering $925 million verdict for unauthorized robocalls, while AdaptHealth settled for at least $6 million for sending approximately 220,000 text messages after consumers requested to stop.

Beyond financial repercussions, TCPA violations can lead to significant reputational damage, loss of consumer trust, and potential long-term business disruption. The law's strict liability nature means that even unintentional violations can result in costly class-action lawsuits.

CTIA (Cellular Telecommunications Industry Association)

CTIA is a non-profit trade organization representing wireless communication sectors that establishes voluntary messaging guidelines to protect consumers from unwanted communications. 

While CTIA guidelines are not legally enforceable, they serve as industry best practices that mobile carriers, businesses, and service providers must follow to maintain ethical messaging standards. 

Non-compliance doesn't result in direct fines but can trigger carrier interventions like short code shutdowns, potential violations of other regulations like TCPA, and significant reputational damage. 

The primary purpose of CTIA is the following:  

• To ensure transparent, consent-based communication by setting clear rules around message content 
• Opt-in/opt-out processes and consumer protection ultimately maintain the integrity of mobile messaging ecosystems

Other important compliance laws

Businesses should also be aware of some other compliance laws, including: 

• CAN-SPAM Act: A U.S. law establishing rules for commercial email, giving recipients the right to stop emails and outlining penalties for violations.
• GDPR (General Data Protection Regulation): A comprehensive European Union data protection law that gives individuals control over their personal data and imposes strict rules on data handling and privacy.
• Privacy Act of 1974: A U.S. federal law governing the collection, maintenance, use, and dissemination of personally identifiable information by federal government agencies.
• Children's Online Privacy Protection Act (COPPA): A federal law protecting the privacy of children under 13 by regulating how online services can collect and use personal information from minors.

In addition to these, there are a few laws concerning business caller ID, state-specific laws, and more. 

Avoiding violation of SMS compliance rules

To avoid violating compliance rules, brands must take positive action. They should:

• Put the consumer first: Respect consumers’ privacy, preferences, and their right to choose what they want to receive
• Ensure accurate information: Always double-check the content of messages to ensure they are clear and truthful
• Implement strong data privacy measures:  Avoid sending unwanted texts or mishandling consumer data
• Engage in responsible marketing practices: Let consumers know about the brand and what you do, and avoid misleading them about promoted offers

• Employ anti-fraud measures in SMS messages: Monitor the performance of SMS campaigns to identify patterns that indicate fraud or abuse 

Best CTIA practices and guidelines for SMS marketing

According to CTIA’s Messaging Principles and Best Practices document published in May 2023, these are the four SMS marketing best practices companies should follow for SMS compliance:

1. Abide by legal messaging standards 

The CTIA outlines the following best practices to help businesses follow the legal messaging standards:

Secure consumer consent for messaging

Receive consent through a signed form or a digital opt-in. Gaining explicit, recorded permission to receive SMS messages is key.

Use clear, visible CTAs

Provide visible CTA buttons so consumers know what they’re opting into.

Provide opt-in and opt-out options

Set up simple ways for consumers to opt into SMS text. This could be through website forms, SMS keywords, or clicks from mobile devices. Consider customizing opt-ins for different campaigns, as it ensures people receive the content they want. 

Additionally, Always allow your audience to opt out easily, like unchecking a box or replying “STOP” to your SMS messages. Remember to remind them of this option regularly.

Maintain ethical practices

Avoid deceptive practices like using rented or shared opt-in lists. Maintain a clean subscriber list, update contact details regularly, and obtain such information ethically.

2. Prioritize privacy and security in messaging

Prioritizing privacy and security focuses on how businesses collect, store, and use consumer data. You need to make sure to:

Create and display a clear privacy policy

Provide a clear and accessible privacy policy that explains how you manage and utilize consumer information for SMS communications. Include links to your privacy policy on opt-in messages or forms.

Implement robust security measures and perform audits

Use encryption to protect personal information and minimize the risk of data breaches. Also, identify gaps in the systems and update security measures regularly to protect consumer data.

3. Ensure responsible and compliant messaging content 

You must follow other best practices, like avoiding spam, maintaining content transparency, and abiding by FCC guidelines, including additional legal frameworks. 

Prevent unlawful and deceptive content

Use systems that monitor messages that detect SMS messages with content that is harmful, abusive, or intended to deceive. 

Use clear and safe embedded website links

Any links in your messages should represent the sender and not redirect to misleading or harmful sites. Use URL shorteners carefully while ensuring all links lead to secure web addresses tied directly to your business.

Disclose embedded phone numbers

When including phone numbers, ensure they belong to a real person or business. Hidden or masked numbers are deceitful and can lead to potential legal issues.

Non-Consumer messaging best practices 

To manage telephone numbers and avoid deceptive messaging techniques, follow these strategies for non-consumer messaging:

Ensure appropriate use of numbers 

Only enable messaging for numbers directly assigned to you by a telecommunications provider. Misusing numbers leads to unwanted messaging, regulatory issues, and customer frustration.

Avoid certain messaging techniques

Do not resort to harmful techniques like snowshoe messaging, where content is spread across various phone numbers to avoid detection. Additionally, gray routes are another unauthorized messaging path that you must avoid.

Use numbers appropriately 

For high-volume messaging, use common short codes to have a more consumer-protected environment. In scenarios like ridesharing or delivery services, use proxy numbers to avoid revealing personal contact numbers.

How to uphold TCPA compliance standards

The TCPA emphasizes written consumer consent and fines and penalties for non-compliance. In addition to the guidelines already covered in CTIA, it lists various requirements for opting in and out of messages. 

To ensure you are meeting TCPA compliance standards, consider these aspects:

• Document consent acquisition and information: Maintain detailed records of every customer’s opt-in and opt-out status and update them regularly. 
• Maintain a DNC list: Also, keep a real-time, dynamically updated Do Not Call registry that integrates automated scrubbing technology to prevent unauthorized contact and minimize potential legal and financial risks.
• Be responsible for automated outreach: Send automated text messages only to those who have explicitly opted in. 
• Respect consumers’ boundaries: Respect time boundaries and do not message outside regular hours. 
• Consent above all: All outreach practices must comply with customer consent and TCPA regulations.

Ensure compliance with the new FCC rules

Notice how certain opt-in requests, forms, or prompts don’t mention the seller or company name from which you’ll receive SMS texts?

It is because the new FCC 23-107 rule closed the loophole that allowed companies to send SMS messages from multiple marketing partners based on a single consent. This completely changes how businesses collect and use consumer consent for marketing. 

Based on the new rule, here’s what you can do to be on the safe side:

• Adopt an omnichannel marketing approach to get proper consent from each customer for each company represented
• Receive direct, one-on-one permission for sales outreach to contact a customer
• Inform consumers about the automated texts they will receive from a specific seller
• Ensure content is related to consumers’ initial request for information
• Have a legally compliant record of consent 

To avoid violating this rule, mention the partners, sellers, or businesses the consumer will receive from upon opting in. For example, use phrases like, “I agree to receive promotional text messages from [Company Name].”

Moreover, you can include an option for customers to choose their preferences on the messages they want to receive. And as always, provide a straightforward way to opt out of SMS marketing messages.

Understanding GDPR guidelines for SMS marketing 

GDPR is a stringent European data privacy law with extraterritorial reach that applies to any US business collecting, processing, or storing the personal data of EU residents. The regulation mandates comprehensive data protection standards with significant financial consequences for non-compliance, including potential fines of up to €20 million (21.46 million USD) or 4% of global annual turnover, whichever is higher. 

These fines are enforced by the European Data Protection Board (EDPB) and apply regardless of the company's physical location if they handle EU resident data.

Key GDPR compliance guidelines for SMS and digital communications include: 

• Obtaining explicit consent: Before sending SMS messages, ensure that users provide explicit, informed consent. Explain how their data will be used, and give them the option to withdraw consent at any time.
• Providing opt-out options: Every SMS must include a clear, accessible way for recipients to opt out of future messages. Process opt-out requests immediately and update your contact lists.
• Data minimization: Collect only the data necessary to send SMS messages.
• Data security: Implement strong security measures to protect personal data used for SMS communications from unauthorized access, accidental loss, or disclosure. 
• Data transparency: Be transparent about how users’ data is used in SMS communications. 
• Data retention and deletion: Retain personal data used for SMS communications only as long as necessary.
  

Meet all your SMS compliance needs with Plivo CX

Plivo CX offers an end-to-end SMS marketing platform that enables businesses to create and manage personalized messaging campaigns. 

With this platform, you can segment your customer base depending on specific attributes, deliver SMS exactly when customers need it for maximum engagement, use the built-in AI-driven copywriter tool to generate and modify SMS at scale and monitor the impact of the campaigns. 

The best part is that the platform leverages Plivo’s premium carrier network that spans 220+ countries across the globe. This low latency network ensures companies can reduce their SMS marketing expenses by 70% while driving 3X ROI on campaigns.

Besides this, Plivo’s SMS API platform offers several features to assist businesses in maintaining SMS compliance:

• Built-in compliance management: The platform automatically handles regulatory and data compliance requirements, allowing businesses to scale their SMS operations.
• Automated opt-out processing: The system automatically handles customer opt-out messages like "Stop" and "Cancel" on long codes, ensuring compliance with messaging regulations.
• Smart rate limiting: Implements automatic controls to maintain compliance with messaging frequency and throughput regulations specific to each country's source numbers.
• Message security: SMS message content is never stored within message detail records, and all debug logs are automatically purged after 30 days.
• Sensitive data handling: Offers special features for healthcare and regulated industries, including the option to disable logging and phone number masking capabilities. 

Ready to take your SMS compliance and marketing efforts to the next level? 

Book your demo today!