The Cold SMS Compliance Checklist

Updated June 15, 2026

Compliant cold SMS requires A2P 10DLC registration, a defensible basis for contacting each recipient, immediate opt-out handling, respecting quiet hours (generally 8am–9pm local time), and keeping records of consent and opt-outs. The TCPA governs consent rules and the penalties are per-message, so compliance isn't optional polish — one violation can end the channel for your business.

SMS is regulated more tightly than any other outreach channel, and the penalties have real teeth — the TCPA assesses damages per message, which turns a sloppy campaign into a genuine liability. The upside is that compliance is a finite checklist, not a mystery.

Run every campaign against the items below before it sends. None of them are hard individually; the risk is in skipping one and finding out via a complaint or a lawsuit. This is general guidance, not legal advice — for your specific situation, confirm with counsel.

The non-negotiables

Register A2P 10DLC before sending — unregistered traffic is both filtered and a compliance flag. Have a defensible basis for contacting each recipient and understand that consent rules under the TCPA vary by use case; know which applies to yours. Honor opt-outs instantly and automatically — STOP must work the moment it's received, every time.

Respect quiet hours: generally no texts before 8am or after 9pm in the recipient's local time zone, which means you need their time zone, not yours. And keep records — proof of consent where required, and a clean log of opt-outs — because 'we honored it' is only a defense if you can show it.

Why one violation is so dangerous

The TCPA's per-message statutory damages are what make SMS uniquely risky. A campaign that violates consent or opt-out rules doesn't just draw one penalty — it multiplies across every message, which is how SMS compliance failures become existential rather than annoying.

Carriers add a second enforcement layer: violate their rules and they can shut down your campaign or number entirely, killing the channel regardless of any legal outcome. Between the regulators and the carriers, cold SMS is a channel where the downside of cutting corners dwarfs the upside.

Making compliance automatic

Compliance fails when it depends on a human remembering. Opt-outs honored manually get missed; quiet hours respected by hand get violated when someone schedules in the wrong time zone; consent records kept in a spreadsheet get lost. The reliable approach is to make each rule a property of the system, not a habit.

That means automatic STOP handling, time-zone-aware send windows, registration tied to the sending layer, and consent/opt-out logging that happens without anyone thinking about it. Compliance you can't forget is the only kind that survives contact with real volume — which is the case for running SMS on infrastructure that bakes it in.
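The following is an added example, not code from this page or from any vendor: a send gate that applies STOP suppression and the 8am to 9pm recipient-local window before every message, and logs each decision. The name SendGate, the phone numbers and the fixed UTC offsets are constructed for illustration; in production the tzinfo would be a zoneinfo.ZoneInfo for the recipient so daylight saving is handled.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional

SEND_OPEN, SEND_CLOSE = time(8, 0), time(21, 0)  # page's general 8am-9pm window
OPT_OUT_KEYWORDS = {"STOP"}                      # the keyword the page names

@dataclass
class SendGate:  # hypothetical name, not a real library
    opted_out: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _log(self, now_utc, event, number, detail=""):
        # Append-only record: "we honored it" has to be provable later.
        self.audit_log.append((now_utc.isoformat(), event, number, detail))

    def handle_inbound(self, number: str, body: str, now_utc: datetime) -> bool:
        """Suppress the number the moment an opt-out keyword arrives."""
        if body.strip().upper() in OPT_OUT_KEYWORDS:
            self.opted_out.add(number)
            self._log(now_utc, "opt_out", number)
            return True
        return False

    def may_send(self, number: str, tz: Optional[tzinfo], now_utc: datetime):
        """Return (allowed, reason); every decision is logged."""
        if now_utc.tzinfo is None:
            raise ValueError("now_utc must be timezone-aware")
        if number in self.opted_out:
            result = (False, "opted_out")
        elif tz is None:
            result = (False, "unknown_timezone")  # fail closed, never guess
        else:
            local = now_utc.astimezone(tz).time()  # recipient's clock, not ours
            ok = SEND_OPEN <= local < SEND_CLOSE
            result = (ok, "ok" if ok else "quiet_hours")
        self._log(now_utc, "send_check", number, result[1])
        return result

if __name__ == "__main__":
    # Constructed sample data: fictional 555 numbers, fixed summer offsets.
    gate = SendGate()
    now = datetime(2026, 6, 15, 13, 0, tzinfo=timezone.utc)
    eastern, pacific = timezone(timedelta(hours=-4)), timezone(timedelta(hours=-7))
    print(gate.may_send("+12025550101", eastern, now))  # 09:00 local
    print(gate.may_send("+12065550102", pacific, now))  # 06:00 local
    gate.handle_inbound("+12025550101", " stop ", now)
    print(gate.may_send("+12025550101", eastern, now))
```

Consent records are out of scope for this block; the same append-only log is where proof of consent would be written.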

Frequently asked

Is cold SMS legal?

It's regulated, not banned. Compliant cold SMS requires A2P 10DLC registration, an appropriate consent basis under the TCPA for your use case, immediate opt-out handling, and respect for quiet hours. Done within the rules it's a powerful channel; done outside them, the per-message penalties make it a serious liability.

What are SMS quiet hours?

Generally no messages before 8am or after 9pm in the recipient's local time zone. The key detail is 'their' time zone, not yours — which means your system needs each recipient's time zone to schedule sends compliantly. Texting someone at 6am their time is a common, avoidable violation.

What happens if someone texts STOP?

You must stop immediately and permanently, and you should keep a record that you did. Opt-out handling has to be automatic — relying on a human to process STOP messages is how violations happen. Carriers and regulators both treat ignored opt-outs as serious.

How risky is non-compliant SMS, really?

Very. TCPA damages are assessed per message, so a single non-compliant campaign multiplies into substantial liability, and carriers can independently shut down your number or campaign. The asymmetry — small effort to comply, large downside to not — is why SMS compliance is treated as non-negotiable.

The takeaway

Cold SMS compliance is a finite checklist with severe penalties for skipping it: register A2P 10DLC, have a defensible consent basis, honor opt-outs instantly, respect local-time quiet hours, and keep records. Because TCPA damages are per-message and carriers can pull your number, the only safe approach is to make each rule automatic in the system rather than a habit someone has to remember.
