Foundgrove
← All posts

Conversion · 9 min read

Texting Leads Without a TCPA Lawsuit: The 2026 Rules

Summary

Texting leads works — until a demand letter shows up. TCPA damages start at $500 per message. Here is the consent, STOP, and 10DLC setup that holds.

By Hyder Shah, Founder & CEO · Published July 13, 2026 · Updated July 13, 2026

Every conversion article tells you to text your leads. Almost none of them mentions that the Telephone Consumer Protection Act assesses statutory damages per message, that no actual harm has to be proven, and that a specialist plaintiff's bar exists to farm exactly this pattern.

That is not a reason to skip SMS. Texting is still the fastest way to catch a lead while they still care — see our breakdown of why response time decides service-business conversion. It is a reason to build the program correctly the first time, because retrofitting consent onto a list you already texted is not possible.

This is written for owners, not lawyers. It is not legal advice, and the numbers below come straight from the statute, the FCC's rules, and the carrier requirements. Before you launch an SMS program, run it past counsel who actually does TCPA work.

Can you text a lead who just filled out your form?

Usually yes — a prompt, one-to-one reply to a person who just contacted you is the lowest-risk text you will ever send. CTIA's Messaging Principles and Best Practices (May 2023) classifies this as conversational messaging: 'If the Consumer initiates the conversation and the Non-Consumer simply responds, then no additional permission is expected.'

The risk is not the first reply. The risk is what you bolt onto it. The moment that thread turns into a scheduled drip, a promotion, or a re-engagement blast three months later, you have left conversational territory and you need the consent that category demands.

So the practical rule for a service business: answer inbound leads by text all day long. Do not quietly slide those numbers into a marketing list because the form did not say you would.

What is the difference between a transactional text and a marketing text?

The FCC draws the line at content, not at your intent: an autodialed text to a cell phone needs prior express consent, but a text that 'includes or introduces an advertisement or constitutes telemarketing' needs prior express written consent (47 C.F.R. § 64.1200(a)(1) and (a)(2)). The FCC's consumer guide puts it in plain English: 'Commercial texts require written consent; for informational texts, your consent may be oral.'

CTIA's May 2023 guidance splits the same idea into three tiers. This is the single most useful table in SMS compliance, and almost no agency shows it to clients:

Message typeExampleWho texts firstConsent expected
ConversationalReply to a lead who just texted or submitted your formThe customerImplied — no extra permission expected
InformationalAppointment reminder, tech-on-the-way alert, quote follow-up they asked forEither sideExpress consent (may be oral, on a form, or on a website)
Promotional'Spring tune-up, $89 this week'YouExpress written consent

Watch the trap in the promotional column. CTIA says adding a call-to-action — a coupon code, a discount — to an otherwise informational text 'may place the message in the promotional category.' Your appointment reminder is safe. Your appointment reminder with a $50-off line at the bottom is a marketing message, and it now needs written consent you probably never collected.

What does express written consent actually have to say on your form?

The FCC defines it precisely in 47 C.F.R. § 64.1200(f)(9): a written agreement, bearing the signature of the person called, that clearly authorizes you to deliver advertising or telemarketing messages using an autodialer or prerecorded voice, and that names the phone number the person is authorizing you to text.

The agreement must carry a clear and conspicuous disclosure telling the signer two things. One: that by signing, they authorize you to send telemarketing messages using an automatic telephone dialing system. Two — and this is the clause most agency-built forms miss — that 'the person is not required to sign the agreement (directly or indirectly), or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.'

The rule also says a signature 'shall include an electronic or digital form of signature.' A checked box on a web form counts, provided the disclosure above it is real. A pre-checked box is not consent. Neither is a phone field with a tiny 'by submitting you agree to our terms' line that hides the SMS authorization inside a terms page.

One more thing worth knowing, because your competitors' blog posts are still wrong about it. In January 2025 the Eleventh Circuit vacated the FCC's one-to-one consent rule in Insurance Marketing Coalition Ltd. v. FCC (No. 24-10277), striking down both the requirement to consent to one seller at a time and the requirement that the message be 'logically and topically associated' with the interaction that prompted consent. The 2012 written-consent rule above was not touched and still binds you. Only the 2023 add-ons are gone.

What consent record do you need to be able to produce?

Consent is an affirmative defense, which means the burden lands on you: if you cannot produce the record, you did not have consent. Store one row per phone number with the fields below, and keep it for at least four years — the TCPA's federal statute of limitations is four years.

  • The phone number, exactly as submitted
  • The full text of the disclosure that was on screen at that moment — not a link to your current one, the version they saw
  • Timestamp, IP address, and the page URL where consent was given
  • Which box was checked, and proof it was not pre-checked
  • The revocation log: what they sent, when it arrived, when you suppressed the number

Most CRMs store a boolean 'sms_opt_in: true' and nothing else. That is worthless in a demand letter — it proves you flipped a flag, not that a human agreed to a specific disclosure on a specific day. Version your consent language and stamp the version ID on every record. If your form is being rebuilt anyway, get the capture and the storage designed together; that is part of what we do on a conversion-focused website build.

What is A2P 10DLC, and why do your texts get filtered without it?

A2P 10DLC is the US carrier registration system for business texting from a normal 10-digit number, and it is mandatory: per Twilio's US messaging guidelines, if you send SMS or MMS to US numbers using long-code numbers, you must register. Skip it and your messages get filtered before they reach a phone — this is a deliverability problem, not just a legal one.

Registration has two steps — a Brand (your business, tied to your EIN) and a Campaign (the specific use case you are texting for). Twilio states campaign registration currently takes about seven business days for standard use cases. Plan around that; do not discover it the week you launch.

Brand typeTax ID neededVolume ceilingWho it fits
Sole ProprietorNo EINUp to 3,000 messages to the US, on a hard limit of 1,000 per day to T-MobileSolo operators without a registered entity
Low Volume StandardEIN requiredUnder 6,000 segments per dayMost single-location service businesses
StandardEIN requiredOver 6,000 segments per dayMulti-location and franchise groups

The carriers enforce this with money, not warnings. Twilio's US guidelines list T-Mobile's pass-through fees: $1,000 for 10DLC program evasion such as snowshoeing or unauthorized number recycling, and $10,000 per unique instance of a content violation after a prior warning. That is on top of any TCPA exposure. Registering is cheap by comparison.

One structural warning: 'Lead Generation' sits on Twilio's forbidden use-case list for US long codes and toll-free. If your plan is to buy leads and text them, the carriers will shut you down before a lawyer ever finds you.

How do you handle STOP, and what happens if you get it wrong?

You must honor a revocation within a reasonable time not to exceed ten business days from receipt, per 47 C.F.R. § 64.1200(a)(10) — and the smart operating standard is immediately, because every message you send after a valid STOP is another $500 exposure.

The rule is broader than the word STOP. Seven words are per se valid revocations: stop, quit, end, revoke, opt out, cancel, and unsubscribe. Beyond those, the rule says you 'must treat that reply text as a valid revocation request if a reasonable person would understand those words to have conveyed a request to revoke consent.' Someone replying 'please leave me alone' has revoked. Your keyword matcher will miss it. A human needs to read the inbox.

You also may not designate an exclusive means to revoke. A footer that says 'reply STOP' does not free you from honoring an opt-out someone emails or phones in. The FCC's consumer guide is blunt: 'You may opt out of any robocall or robotext at any time and in any reasonable manner, even if you previously gave consent for such calls.'

The one message you are allowed to send after a STOP: a single confirmation. Under 47 C.F.R. § 64.1200(a)(12) a one-time text confirming the revocation is fine as long as it carries no marketing content and is the only message sent afterward — and if it goes out within five minutes of receipt, it is presumed to fall within the rule. Putting a 'we're sorry to see you go, here's 10% off' line in that confirmation converts your compliance message into a violation.

What does a defensible SMS follow-up program look like end to end?

Five moving parts, and all five have to hold. Miss one and the program is a liability with a conversion rate attached.

  • Separate the checkboxes. One unchecked box for service and appointment texts, a second unchecked box for promotional texts, with the § 64.1200(f)(9) disclosure language — including the 'not required to sign as a condition of purchase' clause — visible next to it, not buried in a terms link.
  • Log the consent artifact, not a flag. Disclosure version, timestamp, IP, page URL, retained four years.
  • Register A2P 10DLC before launch. Brand plus campaign, roughly seven business days for standard use cases.
  • Suppress on revocation, instantly and globally. Any reasonable wording, any channel, one clean confirmation message, and the number is dead across every tool you own — CRM, dialer, and email platform included.
  • Keep the marketing out of the transactional lane. A reminder with an offer in it is a promotional message. Send those from the list that actually opted in.

Sequence it right and text becomes the cheapest lead channel you have: inbound replies with no extra permission needed, informational follow-up on express consent, and a small, genuinely opted-in promotional list for the offers. If you want a lower-risk channel to carry the promotional load while your SMS consent list is still small, email is the obvious place to start.

If you are not sure whether your current forms would survive a look — most agency-built ones do not have the § 64.1200(f)(9) disclosure anywhere on the page — we will check the lead-capture path as part of a free audit, and tell you what we would change before you send another text.

Where does this fit in your stack?

If you're running a US service business, the playbook in this post pairs with our full services lineup and applies cleanly across our supported industries and US locations. If you want help implementing it, book a free strategy call — we'll review your current setup and prioritize the next three moves.

For the deeper engagement details, see our website design service. New to the terminology here? Our SEO & marketing glossary defines every acronym in this post.

Want this built for your vertical? See SEO for HVAC Companies, SEO for Plumbing Companies, SEO for Law Firms, SEO for Med Spas.

What are the most common questions about this topic?

Common questions readers send us about this topic.

Can I text someone who submitted my contact form?

For a prompt, direct reply to their inquiry, yes. CTIA's May 2023 Messaging Principles treat this as conversational messaging: if the consumer starts the exchange and you simply respond with relevant information, no additional permission is expected. What that reply does not authorize is a marketing drip. Once you start sending promotions to that number, you need express written consent captured at the form, not implied consent inferred from the fact they contacted you.

What are TCPA statutory damages per text message?

Under 47 U.S.C. § 227(b)(3), a person can bring an action to recover their actual monetary loss or $500 in damages for each violation, whichever is greater. If the court finds the defendant willfully or knowingly violated the statute, it may increase the award to as much as three times that amount. Damages attach per message, so a single bad send to a modest list can compound quickly. No actual injury needs to be proven.

Do I need express written consent to text a lead?

It depends on the content of the text. Under 47 C.F.R. § 64.1200, an autodialed text to a cell phone requires prior express consent, but a text that includes or introduces an advertisement or constitutes telemarketing requires prior express written consent. The FCC's consumer guide states it plainly: commercial texts require written consent, while for informational texts consent may be oral. Appointment reminders and quote follow-ups sit in the informational tier; promotions do not.

What is A2P 10DLC registration and do I need it?

A2P 10DLC is the US carrier registration system that lets businesses send application-to-person messages from standard 10-digit numbers. Per Twilio's guidelines, if you send SMS or MMS to US numbers using long-code numbers, registration is required. Unregistered traffic gets filtered by carriers, so it is a deliverability issue as much as a compliance one. You register a Brand tied to your EIN, then a Campaign for your use case, which Twilio says takes about seven business days for standard cases.

How quickly do I have to honor a STOP request?

47 C.F.R. § 64.1200(a)(10) requires that revocation requests made in any reasonable manner be honored within a reasonable time not to exceed ten business days from receipt. Ten business days is the outer legal limit, not a target. Suppress the number immediately, because every message sent after a valid revocation is a separate potential violation. You also cannot designate an exclusive means of revocation, so an opt-out by email or phone call counts just as much as a reply of STOP.

Does the TCPA apply to a one-off reply from my own cell phone?

The TCPA's core prohibition in 47 C.F.R. § 64.1200(a)(1) targets calls and texts made using an automatic telephone dialing system or an artificial or prerecorded voice. A genuinely manual, individually typed reply from a person's own phone is a different fact pattern from an automated platform send. But do not build a compliance strategy on that distinction: the moment the message goes through software, the analysis changes, and courts have parsed what counts as an autodialer for years. Get counsel.

Is a checkbox on my form enough for SMS consent?

An unchecked box can be, because 47 C.F.R. § 64.1200(f)(9) says a signature includes an electronic or digital form of signature. What makes it valid is the disclosure next to it: the person must be told that they are authorizing telemarketing messages sent with an autodialer, and that they are not required to agree as a condition of purchasing any goods or services. A pre-checked box, or a consent line hidden inside a terms-of-service page, will not hold up.

Was the FCC's one-to-one consent rule ever put into effect?

No. On January 24, 2025, in Insurance Marketing Coalition Ltd. v. FCC (No. 24-10277), the Eleventh Circuit vacated Part III.D of the FCC's 2023 Order, which would have required consumers to consent to one seller at a time and limited consented-to messages to subjects logically and topically associated with the interaction that prompted consent. Anything you read that still describes those requirements as live rules is out of date. The 2012 written-consent requirement remains fully in force.

About the author

Hyder Shah

Founder & CEO, Foundgrove

Hyder Shah is the founder of Foundgrove, an SEO and GEO agency for US service businesses. See our editorial policy for how these guides are researched and reviewed.

Want help applying this to your business?

Book a free 30-minute call. We'll review your current acquisition stack and show you the three highest-leverage moves for your industry and state. Or read how our website design service works.

Free SEO & AI visibility auditGet my free audit