SMS in 2026 is the most regulated channel an agency operator touches, by a wide margin. The rules tightened in 2024, tightened again with state-level legislation in 2025, and the carrier enforcement layer became real in early 2026. An operator running SMS without a clean opt-in foundation isn't taking a marketing risk anymore — they're taking a "lose the ability to text from this brand forever" risk.
This post walks through the compliance stack that an agency operator needs in 2026 to run SMS at scale: A2P 10DLC registration, TCPA written consent, the express-consent disclosure language, the time-window enforcement, and the state-specific gotchas that have started to bite.
The two layers that matter
There are two separate compliance regimes operating on every SMS you send. They get conflated and they shouldn't.
Layer 1: Carrier compliance (A2P 10DLC). This is the technical layer. To send any application-to-person SMS to US numbers, you need a registered A2P 10DLC brand and campaign. Carriers (T-Mobile, AT&T, Verizon) check every message against the registered campaign. Unregistered messages don't get delivered. Period.
Layer 2: Legal compliance (TCPA + state laws). This is the legal layer. Even if your message technically delivers, if you didn't have proper opt-in consent, you can be sued under TCPA. Damages are $500-1,500 per text. Class actions get into seven figures fast.
You need to be clean on both. Being compliant on one and not the other doesn't reduce risk — it just changes which way you fail.
What proper opt-in actually looks like
Proper TCPA opt-in for marketing SMS requires four things, all documented:
- Clear and conspicuous disclosure at the moment of consent — what you'll text about, how often, that message and data rates apply, that consent isn't required for purchase
- Unambiguous affirmative consent — a checkbox the user actively ticks, or a keyword they actively reply with. Pre-checked checkboxes don't count.
- Records of consent — timestamp, IP address, the exact disclosure language shown at the time of consent, the form or channel where consent was captured
- Easy revocation — STOP and HELP keywords must work, and revocation must be honored permanently and across all your campaigns
The piece operators most often get wrong is the disclosure language. The phrase "we'll send you helpful updates" is not a TCPA-compliant disclosure. The phrase "I agree to receive marketing text messages from [Brand] at the number provided. Frequency varies. Msg & data rates may apply. Reply STOP to opt out, HELP for help. Consent is not a condition of purchase. See [link] for terms" is.
The webform flow that holds up
The opt-in flow that survives a TCPA challenge looks like this:
[Form fields: name, email, phone]
[ ] I agree to receive marketing text messages from {Brand}
at the number above. Frequency varies. Msg & data rates may
apply. Reply STOP to opt out, HELP for help. Consent is not
a condition of purchase. See Terms and Privacy Policy.
[ Submit ]
The checkbox is not pre-checked. The disclosure is visible without scrolling. The brand name is a literal brand name, not a placeholder. The links to Terms and Privacy go to pages that explicitly cover SMS practices.
When the form submits, you log: the submitted phone, the timestamp, the IP, the user agent, and a hash of the disclosure language displayed at submission. That log is your TCPA defense.
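One way to build that log entry, as an added example (not code from this post or from any SMS platform). The field names, the `APPROVED_DISCLOSURE` constant and the whitespace normalisation are assumptions; the sample phone number, IP and brand are constructed.

```python
import hashlib
import json
import unicodedata
from datetime import datetime, timezone

# Assumed single source of truth for the disclosure text (wording from this post).
APPROVED_DISCLOSURE = (
    "I agree to receive marketing text messages from {brand} at the number "
    "above. Frequency varies. Msg & data rates may apply. Reply STOP to opt "
    "out, HELP for help. Consent is not a condition of purchase. "
    "See Terms and Privacy Policy."
)

def disclosure_hash(text: str) -> str:
    """SHA-256 over a canonical form so whitespace noise does not change the hash."""
    canonical = " ".join(unicodedata.normalize("NFC", text).split())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_consent_record(phone, ip, user_agent, shown_text, box_ticked, when=None):
    """Audit record for one form submission; refuses anything but a ticked box."""
    if not box_ticked:
        raise ValueError("no affirmative consent: checkbox was not ticked")
    when = when or datetime.now(timezone.utc)
    return {
        "phone": phone,
        "timestamp_utc": when.isoformat(),
        "ip": ip,
        "user_agent": user_agent,
        "disclosure_sha256": disclosure_hash(shown_text),
    }

def matches_approved(record, brand):
    """True if the text shown at submission was the approved disclosure for brand."""
    expected = disclosure_hash(APPROVED_DISCLOSURE.format(brand=brand))
    return record["disclosure_sha256"] == expected

if __name__ == "__main__":
    shown = APPROVED_DISCLOSURE.format(brand="Example Roofing")  # constructed sample
    rec = build_consent_record("+13055550100", "203.0.113.7", "Mozilla/5.0",
                               shown, box_ticked=True)
    print(json.dumps(rec, indent=2))
    print("approved wording:", matches_approved(rec, "Example Roofing"))
```

A hash cannot be turned back into text, so keep every published version of the disclosure stored alongside its hash; the record then resolves to the exact wording the user saw.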
The dual opt-in question
Some operators run dual opt-in (the user submits the form, then receives a "reply YES to confirm" SMS, and the campaign starts only after the YES). Some run single opt-in (form submission alone is consent).
Both are TCPA-compliant if the original disclosure was correct. Dual opt-in adds a layer of provability — you have an explicit reply from the number proving the user controls it — and it filters out junk submissions, which improves deliverability and reduces complaint rates.
The downside of dual opt-in is the drop-off. Industry-typical confirmation rates are 40-65% — meaning you lose 35-60% of opt-ins between form submit and the YES reply. For most operators, that's a worthwhile trade. For high-velocity, low-margin operators (mass-market consumer brands), single opt-in with bulletproof disclosure is the more common choice.
A2P 10DLC: the registration you can't skip
If you're texting US numbers in 2026, you need A2P 10DLC registration. The process:
- Register a Brand with The Campaign Registry (TCR) — this is the entity sending. EIN required. Takes 1-3 business days, sometimes longer.
- Register a Campaign for each use case — marketing, customer care, account notifications, etc. Each campaign gets a trust score that affects throughput.
- Provision phone numbers tied to the registered campaign through your SMS provider.
The trust score is the part operators get blindsided by. Low trust scores cap your sending throughput at 10-30 messages per second across all numbers in the campaign. High trust scores get you 200+ MPS. The trust score is influenced by your brand vetting tier (basic/standard/enhanced), your campaign content category, and your historical complaint rate.
For agency operators, the practical implication: your client's brand registration affects their throughput. If you're trying to push 5,000 SMS/hour for a roofing client and they're on a basic vetting tier with a low-trust campaign, the carrier will throttle you to 36,000/hour theoretical max — and you'll hit complaint thresholds that drop the score further.
State-level traps that bite
Federal TCPA is the floor. Several states have stricter rules.
Florida (Florida TCPA / FTSA). Stricter than federal. Express written consent required for marketing texts to FL numbers. Statutory damages $500-$1,500 per violation. Class actions are common.
Washington. Charging policy: SMS and call senders must include identification of the caller in marketing messages. Penalties up to $500 per violation.
Oklahoma. Mini-TCPA enacted late 2024. Enhanced consent requirements for marketing texts.
California. While not a stricter mini-TCPA, the CCPA/CPRA layer adds privacy obligations on top — opt-in preferences are CCPA-protected information.
The operator implication: don't use a single national SMS template if your audience includes FL, WA, or OK numbers. Build state-specific opt-in flows or accept the elevated risk on traffic from those states.
STOP handling: the technical hygiene
Every inbound message that contains STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT (case-insensitive, with various punctuation patterns) must be honored within seconds. The opt-out handling must be:
- Immediate suppression of the number across all campaigns from your sender ID
- A confirmation reply ("You are unsubscribed. No more messages will be sent.")
- Permanent — re-adding the number requires a fresh, dated opt-in
- Auditable — log the inbound message, timestamp, and confirmation send
If your SMS platform doesn't handle this automatically, you have a critical gap. Most managed SMS platforms (including the one AcquireOS deploys) handle this at the platform layer. Custom Twilio integrations frequently get this wrong, especially around fuzzy matching ("STOP plz" should still trigger).
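A sketch of the handler described above, as an added example (not code from this post, from AcquireOS or from Twilio). The matching rule is an assumption: a message counts as an opt-out if its first word is a keyword, or if it is four words or fewer and contains one. `SuppressionList` is a hypothetical in-memory stand-in for a real store, and the phone numbers are constructed.

```python
import re
from datetime import datetime, timezone

OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
MAX_FUZZY_TOKENS = 4  # assumption: short messages containing a keyword are opt-outs
CONFIRMATION = "You are unsubscribed. No more messages will be sent."

def is_opt_out(body: str) -> bool:
    """Case- and punctuation-insensitive match: 'stop.', 'STOP plz', 'Please stop!'."""
    tokens = re.sub(r"[^A-Za-z\s]", " ", body).upper().split()
    if not tokens:
        return False
    if tokens[0] in OPT_OUT_KEYWORDS:
        return True
    # A false positive only suppresses a number; a miss is a violation, so lean wide.
    return len(tokens) <= MAX_FUZZY_TOKENS and any(t in OPT_OUT_KEYWORDS for t in tokens)

class SuppressionList:
    """In-memory stand-in for a sender-wide suppression store plus audit log."""
    def __init__(self):
        self.suppressed = {}   # phone -> UTC time of the latest revocation
        self.audit_log = []

    def handle_inbound(self, phone, body, now=None):
        """Return the confirmation to send, or None if the message is not an opt-out."""
        now = now or datetime.now(timezone.utc)
        if not is_opt_out(body):
            return None
        self.suppressed[phone] = now
        self.audit_log.append({"phone": phone, "inbound": body,
                               "received_utc": now.isoformat(),
                               "reply": CONFIRMATION})
        return CONFIRMATION

    def may_send(self, phone, opt_in_at=None):
        """Keyed by phone only, so the block applies to every campaign of the sender."""
        revoked_at = self.suppressed.get(phone)
        if revoked_at is None:
            return True
        # Re-adding requires an opt-in dated after the revocation.
        return opt_in_at is not None and opt_in_at > revoked_at
```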
Time-window enforcement (TCPA quiet hours)
TCPA prohibits marketing calls and texts before 8am or after 9pm in the recipient's local time. Local time is determined by the recipient's location, not yours.
The compliant implementation: every outbound SMS checks the area code → timezone mapping for the recipient's number, and either delivers immediately if it's between 8am-9pm local, or queues for the next valid window. Hawaii and Alaska have edge cases. Mobile users in different timezones from their number are an unsolvable edge case (you go by the area code).
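The deliver-or-queue check described above, as an added example (not code from this post or from AcquireOS). `AREA_CODE_TZ` is a constructed subset of an area-code table and the function names are hypothetical; treating exactly 9:00pm as outside the window is an assumption on the conservative side.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed subset of an area-code -> IANA timezone table; a real deployment
# needs the full mapping, including area codes that span two zones.
AREA_CODE_TZ = {
    "212": "America/New_York",
    "312": "America/Chicago",
    "303": "America/Denver",
    "602": "America/Phoenix",      # no daylight saving time
    "415": "America/Los_Angeles",
    "907": "America/Anchorage",
    "808": "Pacific/Honolulu",     # no daylight saving time
}
WINDOW_OPEN, WINDOW_CLOSE = time(8, 0), time(21, 0)

def recipient_tz(e164: str) -> ZoneInfo:
    """Map a +1 number to a timezone by area code; refuse to guess if unknown."""
    if not (e164.startswith("+1") and len(e164) == 12 and e164[1:].isdigit()):
        raise ValueError(f"not a +1 E.164 number: {e164!r}")
    area = e164[2:5]
    if area not in AREA_CODE_TZ:
        raise LookupError(f"no timezone mapping for area code {area}")
    return ZoneInfo(AREA_CODE_TZ[area])

def next_send_time(e164: str, now_utc: datetime) -> datetime:
    """Return now_utc if inside 8am-9pm recipient-local, else the next 8am as UTC."""
    tz = recipient_tz(e164)
    local = now_utc.astimezone(tz)
    if WINDOW_OPEN <= local.time() < WINDOW_CLOSE:
        return now_utc
    # Before 8am: queue for today's window. At or after 9pm: tomorrow's.
    day = local.date() if local.time() < WINDOW_OPEN else local.date() + timedelta(days=1)
    opens = datetime.combine(day, WINDOW_OPEN, tzinfo=tz)
    return opens.astimezone(timezone.utc)

if __name__ == "__main__":
    now = datetime(2026, 7, 15, 11, 30, tzinfo=timezone.utc)  # constructed instant
    for number in ("+12125550100", "+13035550100", "+16025550100"):
        print(number, "->", next_send_time(number, now).isoformat())
```

Using named zones rather than fixed UTC offsets is what keeps Phoenix and Honolulu correct in summer, when the zones around them shift by an hour.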
Where most operators fail
The single biggest failure mode in 2026: an operator collects opt-ins through a webform that uses generic disclosure language, then sends to those numbers from an A2P 10DLC campaign registered for "customer care," then runs a marketing SMS through the customer-care campaign because that's what the SMS provider accepted.
That fact pattern fails on every layer: insufficient disclosure (TCPA exposure), wrong campaign category (carrier compliance violation, score tanks), and the operator has no records to defend the opt-ins if challenged.
The fix is procedural, not technical. You need:
- One source of truth for disclosure language across all opt-in surfaces
- One A2P 10DLC campaign per use case, not multiplexed
- Auto-logged consent records with disclosure-language hashing
- Quarterly compliance audits to catch drift
Where AcquireOS handles this
Compliance is built into the platform layer at AcquireOS — see the compliance frameworks deep dive for the architecture. Every outbound SMS from a deployed agent goes through:
- A2P 10DLC campaign registration (handled in onboarding)
- Disclosure-language verification at opt-in time, with hashed records
- STOP handler with fuzzy matching and instant suppression
- Time-window enforcement using area-code-based timezone mapping
- State-aware compliance overlays for FL, WA, OK
The operator doesn't have to remember any of this on each campaign. The compliance gates fire automatically before any campaign launches, and a non-compliant campaign throws a structured error rather than going out the door.
The principle: compliance in 2026 isn't a checklist you do once. It's an enforcement layer that fires on every send. If your stack doesn't have that layer, your stack is one disgruntled recipient away from a class action that ends the business.



