Ins and Outs of Text Messaging Opt-in and Opt-out Laws in the U.S.



Legalities, best practices, and possibilities of text message marketing

This article explains the major U.S. national regulations regarding text messaging communications, including both SMS and WhatsApp. It gives examples of best practices and shows how you can use Mogli in Salesforce to navigate this regulatory territory. Be sure to also read about Canada's and the European Union's text messaging policies.


If there are so many text messaging regulations, why make it a pillar of digital communications?

Text messaging is a practical, relatively low-cost way to reach stakeholders across various industries, from financial services and education to commerce and nonprofits. Its efficacy comes not only from the convenience of cell phones and reaching people anywhere they go but from the variety of communications needs a text message can fulfill.

Mogli, for example, can:

  • conduct branching surveys for feedback and data collection
  • send personalized bulk (one-to-many) or one-to-one messages
  • collect payments via a true text-to-pay solution called MogliPay
  • run complex Salesforce Flow or Process Builder automation that creates elegant workflows connecting teams and communications channels, and automated conversations

These texts, of course, can include alerts, transactional updates, and announcements of events like your brand’s sales, but the possibilities with Mogli are so much more robust than traditional text marketing.

Furthermore, text messaging is the preferred and most popular communication channel amongst consumers due to stringent regulatory requirements that save them from spam text messages. These laws keep the channel clean and help preserve its advantages over other digital communications. Yet, companies who use text messaging must be diligent about compliance to avoid expensive penalties.

The Legalities of SMS and WhatsApp Compliance in the United States

Federal laws and regulations state that businesses cannot intentionally or unwittingly text unsolicited spam text messages containing irrelevant marketing information, products, services, or other offers. Nor may businesses collect personal data for any purpose other than to engage and provide value to those recipients.

Below is an overview of the governing laws and the resource to align with best practices.

The FCC (Federal Communications Commission) created the TCPA (Telephone Consumer Protection Act) in the 1990s, initially as protection against phone calls and robocall solicitations.

It quickly evolved to include text messaging, as well. The TCPA is still the primary law in the USA. It sets limits on telephone solicitations and the use of automated equipment requiring businesses to obtain explicit documented written consent before sending text messages. Even if a company already has a relationship with (or the phone number of) an intended recipient, it may only text message if it has opt-in consent. The only exception is a real emergency.

The takeaway: don't hit send on a text message to ask for opt-in. It's illegal. You can incur fines of $500 to $1,500 for each infraction. The amount depends on whether you sent the message knowingly or to what extent you abused information. An unsolicited text or call (yes, each call or text message) counts as a violation of the law, which can quickly amount to millions of dollars in penalty fines. In 2013, Domino’s Pizza famously paid close to $10 million for unsolicited text messages.

The CAN-SPAM Act protects consumers from commercial text messages from companies with which they don’t already have a relationship.

For example, if your car insurance company sends you a transactional text message, that could be fine. It’s illegal, however, for a car insurance company with which you don’t have any relationship to solicit one over text message without your explicit written consent, as discussed above. 

Additionally, CAN-SPAM requires that any commercial message be readily identifiable as an advertisement by the text message recipient. Consumers must also be able to unsubscribe from text messages whenever they please.

The CTIA (Cellular Telecommunications and Internet Association) promotes voluntary best practices while protecting consumers from unwanted messages. In addition to encouraging a clear call-to-action, requiring proper opt-in and double-opt-in, easily accessible placement of policies, and the ability to easily opt-out, the CTIA also urges one opt-in per campaign. This way, consumers don’t get added to irrelevant or excessive text messaging campaigns. Similarly, the organization speaks to the downsides of sharing or selling data.

The California Consumer Privacy Act or CCPA, instated on July 1, 2020, provides California residents with more control over their personal information that businesses collect.

The law governs both US-based and international companies and includes the following new privacy rights:

  • The right to know what personal data is being collected and how it is used
  • The right to request businesses to delete personal data.
  • The right to easily opt-out of the sale of personal data to other businesses, as well as request a full list of 3rd party data users. 
  • The right to non-discrimination because you have exercised your rights under CCPA.
  • The right to sue companies if their data guidelines are violated.

The CCPA applies to all for-profit businesses serving California residents with at least $25 million in annual revenue or personal data on at least 50,000 people. Additionally, if businesses collect more than half of their revenue from the sale of personal data, they must be CCPA compliant. However, if your organization is not defined by these two characteristics or you are a part of a nonprofit organization, then the CCPA does not apply to you. 

To comply with CCPA, businesses must provide a clear opt-in and opt-out process for their clients and provide them with a “notice of collection.” The notice of collection must disclose the type of personal information the business is collecting and how it is planned to be used. If the business sells personal data, the notice must contain a Do Not Sell link and a link to the business's privacy policy. If a company does not comply with CCPA, it can incur a fine of up to $7,500 per record.

As of August 14, 2020, there have been modifications to the CCPA.

The changes provide a more concise description of the regulations and clarify the shorthand language previously used. The following summarizes the updates made: 

“Do Not Sell My Personal Info” shorthand removed.

  • When presenting users with the option to opt-out of selling personal data, the correct language is “Do Not Sell My Personal Information” vs. “Do Not Sell My Info.”

Obtaining explicit consent is no longer required.

  • Instead of obtaining explicit consent, use the privacy policy to explain how your business or organization uses data.

Businesses no longer have to provide consumers with an easy opt-out method with minimum steps.

  • Simply put, you do not have to worry about having a straightforward opt-out method for your consumer. However, keep in mind that it is unclear whether multi-step opt-out processes will still be problematic.

Modified requirements around “written permissions.”

  • Businesses can now deny the request from a third-party business to use personal data if they do not have the authorization to act on the consumer’s behalf.

Opt-in Matters: How to Obtain it

First, ask for consent. This consent to receive text messages on a mobile device can be collected wherever you gather information. Create TCPA-compliant paper, online, email, or website forms, or have your target audience text in a keyword to your organization over SMS or WhatsApp.

For any of these consent forms to be valid, organizations must clearly and prominently disclose a few pieces of information: 

  • the number of messages recipients should expect to receive
  • the details of your privacy policy
  • how to opt-out (a process that should be easy)
  • how to get help

For example, one of your web forms could read, “Check this box to subscribe to text messages from us,” and provide hyperlinks to all the necessary disclosures. Additionally, if you plan on selling the personal data you have collected, CCPA requires that a separate opt-in checkbox be used, titled “Check to permit sale of information.”

Inbound Text Message Opt-In

Mogli highly recommends the keyword query form (or another data collection methodology) delivered over text message, as we’ve seen our clients ease administrative burdens and painfully low conversion rates of analog or online methods. Keyword queries are inbound marketing at its best. You can create a call to action on your website or other digital and traditional channels, including advertisements, inviting people to text in a keyword to your organization’s phone number. 

For example, “Text in the word INFO to 555-555-5555 for more information about our loan / MBA / membership program.” When someone texts in, that’s the first opt-in. If you want to cover your bases (and we encourage you to), obtain double-opt-in by responding with something like, “We would like to send you one to four SMS messages from us per month. Is this okay with you? Please respond with YES or NO.”

If the person answers “YES,” this constitutes a double opt-in. Additionally, this active consent or relationship expires every 18 months. Use Mogli automation on Salesforce to regain opt-in 18 months from the initial day each user subscribes to your text messages. 

What if the person doesn’t respond to your double opt-in request? Consider that an opt-out and read on.

What About Opt-outs?

No matter how amazing your product, service, or marketing is, there will always be someone who doesn’t want to receive commercial text messages. If you offered an opt-in or double-opt-in and the customer hasn’t responded, consider that an opt-out. It’s safest not to reach out to customers unless they are expecting it.

Your recipients can also opt-out of receiving text messages from you at any time by texting in the words “STOP,” “QUIT,” “UNSUBSCRIBE,” “OPT-OUT,” or “CANCEL.” It’s important to make opt-out easy. The message carrier will see these messages and stop any messages from going out to that customer.

Mogli has an opt-out backup using standard Salesforce automation. This automation checks a box on Contact, Lead, or any other Object Record called the Mogli Opt-Out Checkbox, effectively blocking any text messages in Salesforce from being sent to that Contact, Lead, or other Object. For a more in-depth explanation and step-by-step instructions of the Mogli Opt-out automation, see our User Guide.


What’s up with WhatsApp?

If your recipients live within the United States, just as with SMS, you need to comply with TCPA, CAN-SPAM, and state-specific laws. WhatsApp allows you to initiate text conversations only by sending transactional messages using pre-approved templates. If a recipient replies or starts a conversation with you, this “Customer Service Window” is a 24-hour window in which you may continue the conversation. 

During this time, you’re able to deploy automated Mogli conversations you’ve configured within Salesforce. You still must clearly state how someone can access a human agent for further assistance. If 24 hours pass without receiving a text message from that recipient, you must return to your message templates to reopen communication.

Mogli helps clients with the template approval process and WhatsApp configurations, with the ability to customize automation that suits your Salesforce use case.

Where to start?

SMS compliance can be scary because mistakes can be expensive. If you start with the basic checklist below, you’re sure to add value to your customers.

If you still have questions about compliance, feel free to reach out to us.

The Recap:

  1. Gain consent with opt-in via keyword query.
  2. Confirm consent with double-opt-in via automated Mogli conversation.
  3. Allow people to easily opt-out with Mogli auto opt-out. Consider no response to an opt-in request or confirmation as a gesture to opt-out.
  4. Make it easy for recipients to get live help by configuring Mogli notifications, creating automation that escalates the chatbot conversation to a real agent.
  5. Maintain integrity and add value by only sending campaign and interest-specific messaging.
  6. Use Mogli to automatically ask for re-opt-in every 18 months.
  7. Never share or sell recipient data unless the recipient has agreed to those terms.


Please note that the following recommendations are for informational purposes only and are neither intended nor should be substituted for consultation with appropriate legal counsel and your organization's regulatory compliance team. The information provided is "as is" and may be updated or changed without notice.
