A guide to global SMS compliance laws

SMS compliance is one of the most important considerations for any business using text messaging to reach customers globally. Staying compliant is crucial, but it’s not straightforward. Each country and state may have its own laws, and the complex web of mobile carrier rules adds another layer of difficulty. While achieving 100% compliance might seem impossible, the risks of non-compliance are too significant to ignore: blocked messages, reputational damage, lost business, and fines.

To help you stay informed, we’ll start this guide by summarizing the most common aspects of A2P SMS compliance globally, and then move on to specific regions.

A summary of global SMS rules

Opt-in and opt-out: In most countries you can only send SMS messages to customers that have explicitly opted in. Most markets now distinguish between prior express consent (PEC), required for informational or transactional messages, and prior express written consent (PEWC), required for promotional messages, which must be documented and verifiable. Implied opt-in is no longer acceptable. Opt-out allows customers to stop receiving messages by replying ‘STOP’.

Sender ID: A Sender ID refers to the name of the sender in the recipient’s inbox. In some markets, you can use alphanumeric senders, meaning you can send SMS using your own brand name rather than an unrecognized number. This option is not available everywhere, and you might need to pre-register your Sender ID to prevent duplication and SMS fraud.

Message content: Most countries differentiate between transactional and marketing messages and apply different restrictions. Even where promotional SMS is allowed, there are usually additional restrictions on gambling, drugs and alcohol, adult-themed products, and political and religious topics.

Message length: It is commonly accepted that 160 characters is the limit for SMS messages, though this can be less in some countries. It is up to individual carriers whether to support truncation (concatenated messages). Some carriers will only send the first 160 characters, discarding the rest.

Sending time and do-not-contact registries: In many countries, you are only allowed to message customers during certain hours (such as 8am to 8pm), and sending is restricted on certain days in some markets, for example on Sundays in France. Many countries also maintain do-not-contact or do-not-disturb registries that consumers can sign up to. Ignoring either runs the risk of service suspensions or fines.

SMS regulations in the US

These are the most important elements of SMS compliance in the United States.

Registration required: In the US all messaging programs must be registered. Unregistered traffic is not allowed. Businesses must register with mobile carriers to ensure compliance with legal and carrier-specific guidelines.

Content restrictions: Certain types of content (gambling, drugs, alcohol, firearms, and adult content) are prohibited. Promotion of some financial products, such as certain loans, debt relief, and credit repair, is also prohibited. Lead-generation campaigns involving third-party data sharing are disallowed.

Opt-in requirement: Both marketing and transactional messaging are allowed, but only to subscribers who have opted to receive them.

Consent types: The TCPA distinguishes between prior express consent (PEC), required for informational or transactional messages and which can be given verbally, on a form, or via a website, and prior express written consent (PEWC), required for all promotional or marketing messages. PEWC must be in writing, include a clear disclosure of what the subscriber is agreeing to, confirm that consent is not required for purchase, and include opt-out instructions. Consent records must be retained for at least four years, including the timestamp, the exact consent language shown, and how consent was obtained.

Two-way messaging: All commercial text messages must be two-way, enabling customers to opt out of receiving further messages and obtain support by texting “HELP”.

Multiple sender types: Businesses can use short codes, 10-digit long codes (10DLC), or text-enabled toll-free numbers. Each has different registration requirements. All must be registered through The Campaign Registry (TCR) before sending.

Legislation: The key legislation is the Telephone Consumer Protection Act (TCPA). The CTIA lays out additional guidelines in its Short Code Monitoring Handbook. Each carrier network is privately owned and may approve, reject, or disable any campaign on their network.

The Federal Communications Commission (FCC) plays an active role in regulating SMS in the United States and reports directly to Congress. The FCC enforces compliance to protect consumers from fraudulent and unwanted text messages.

Key 2025–2026 TCPA updates

One-to-one consent rule: vacated. The FCC introduced a rule requiring separate individual consent for each seller listed in a lead form. On January 24, 2025, the Eleventh Circuit Court struck it down in Insurance Marketing Coalition v. FCC, finding the FCC had exceeded its authority. The PEWC standard is reinstated: consent must be in writing with the consumer’s signature and clear disclosures.

Consent revocation: stricter since April 2025. As of April 11, 2025, consumers can revoke SMS consent at any time using any reasonable method, not only by texting “STOP.” Businesses must honor and process all revocation requests within 10 business days. A broader universal cross-channel revocation requirement, originally set for April 2026, has been delayed to January 31, 2027.

State-level rules. States including Florida, Connecticut, and Oklahoma have introduced stricter local rules on message timing, frequency, and opt-out requirements. Texas (TTSA) extends state telemarketing law to SMS and requires some businesses to register and post a bond. California’s CCPA/CPRA adds data privacy obligations for consumer information collected during SMS opt-in. Always check state-level requirements in addition to federal rules.

Enforcement is intensifying. TCPA class action filings have surged in recent years, with verdicts reaching hundreds of millions of dollars. Fines can reach $1,500 per message. Consent records should be retained for at least four years.

SMS compliance penalties in the US

Because fines are assessed per message, a single non-compliant campaign sent to thousands of recipients can quickly generate multi-million dollar liability. Class action lawsuits are common, with recent verdicts reaching into the hundreds of millions of dollars.

Beyond fines, carriers can filter or block your messages before they reach recipients, suspend your sending capability, or blacklist your numbers entirely. Watch for sudden drops in delivery rates, recipients reporting undelivered messages, or repeated opt-out requests as early warning signs of carrier filtering.

SMS compliance checklist for the US

Before diving into the specific steps, it’s crucial to understand the distinction between legal requirements and carrier guidelines in the United States.

With that explained, here are the steps you need to take to keep your SMS program compliant in the US:

Additional information about SMS compliance in the US

The following is a summary of a 45-minute live session we at Infobip organized for marketing platforms and agencies on the topic of SMS and MMS compliance. A panel of mobile messaging experts answered the questions.

1. Shared short codes no longer allowed

Shared short codes are no longer permitted in the US. Each brand must have a dedicated short code. All messaging on a short code must be controlled by a single entity and dedicated to a specific brand. Even if your front-end customer is the sole user of a short code, it may still be considered shared if they share it with other brands or clients.

2. The Campaign Registry (TCR) and 10DLC registration

All 10DLC messaging requires brand and campaign registration through The Campaign Registry (TCR) before traffic is sent. Unregistered 10DLC traffic is subject to filtering and blocking by all major carriers. Registration includes providing your business details, EIN, and a description of the specific campaign type and content.

3. Why we insist on CTA compliance

The CTIA established CTA guidelines agreed upon by all mobile carriers. Specific elements within a CTA ensure best practices, transparency, and inform subscribers about what they’re signing up for. To get your campaign approved as Infobip’s customer, including all necessary elements in your CTA is crucial.

4. Third-party data sharing is strictly prohibited

Lead generation and affiliate marketing campaigns are prohibited as they involve third-party data sharing and can lead to spam. This also applies to customer requests to use 10DLC numbers for collecting opt-in and forwarding to lead generation agencies.

5. Requirements for specific use cases

Donation campaigns: These have additional requirements and must conform to the CTIA Messaging Principles and Best Practices.

Abandoned cart reminders: Carriers have specific requirements for abandoned cart reminders. The program name must explicitly state that customers are signing up for cart reminders. The program name, description, T&C, and cart reminders should all align. Use a double opt-in process, explain how information is captured (e.g. via cookies or webhooks) in the privacy policy, and ensure cart reminders are mentioned in your T&C. Missing information may lead to campaign rejection.

Fraud alerts: There is a TCPA exception for fraud alerts with an implied opt-in, but approval is at the carrier’s discretion and there are additional requirements.

CBD messaging: CBD is not federally legal. Any messaging must meet federal laws. Even though many states have legalized cannabis, it is not legal at the federal level, so carrier networks have disallowed this messaging content.

You can find more info about messaging use cases in the US here.

6. TCPA compliance does not guarantee approval

TCPA requirements are the bare minimum. Programs must also meet CTIA and carrier guidelines. Carriers are privately owned and operated networks and can approve or deny any program.

7. Why stop menus are no longer used

Stop menus are only necessary when a short code is being shared, but shared short codes are no longer permitted. If a customer requests to opt-out of a short code program, they must be completely removed from receiving messages from that short code. No further message can be sent unless another opt-in occurs. This includes short codes with multiple use cases for the same brand.

SMS regulations in Canada

Canada’s Anti-Spam Legislation (CASL) is one of the strictest frameworks for commercial electronic messaging in the world, comparable in many respects to GDPR. CASL applies to any commercial electronic message, including SMS, sent to or from Canada.

Core requirements: You must have valid recipient consent before messaging, provide a functioning unsubscribe mechanism, clearly identify your business in every message, and ensure messages are not false or misleading.

Consent types: CASL requires express consent as the default for SMS. Recipients must take a positive action to provide it; a pre-checked box does not qualify, and express consent does not expire. Implied consent is permitted only for a limited period: up to two years after a customer’s most recent purchase, or six months after a prospect provides contact information. Consent is also channel-specific, meaning consent given for email does not extend to SMS.

Opt-out: Recipients can opt out by texting STOP, END, QUIT, or UNSUBSCRIBE. Businesses must process opt-out requests within 10 business days.

2025 update: From March 2025, new Canadian long code numbers must be registered for A2P messaging, bringing Canada in line with registration requirements seen in other major markets.

Penalties: Fines reach up to $1 million CAD per violation for individuals and $10 million CAD per violation for businesses.

SMS regulations in Europe

There are 27 countries in the European Union and a further 3 countries in the European Economic Area (EEA) that are also covered by European rules that apply to privacy and electronic communication (Norway, Lichtenstein, and Iceland).

GDPR is the mostly widely recognized Europe-wide legislation, but there are others like the E-privacy Directive. The GDPR protects consumer data privacy, requiring explicit consent for data use, while the E-privacy Directive focuses specifically on electronic communications, including SMS, ensuring messages are sent legally and ethically.

There are also specific regulations in individual countries. For example, some EU countries allow one-way commercial SMS messages to be sent, and others do not.

On the whole, SMS regulations in Europe are some of the tightest and most strictly enforced in the world, especially when it comes to opt-in and crucially opt-out.

Consumers must explicitly opt-in to receive marketing communication. It must be clear and unambiguous, and all required information must be easily available, for example via a link to the company’s privacy policy. All marketing messages, including SMS, must include a simple and free method of opting out, for example replying STOP. Removing consent has to be as easy as granting it in the first place.

GDPR is definitely not toothless legislation. Just ask British Airways who were fined £20 million after the personal data of over 400,000 customers was stolen by hackers. Hotel chain Marriott International was initially proposed a fine of nearly £100 million, later reduced to £18.4 million, after millions of people had their private data stolen from the organization.

While fines for not complying with SMS regulations are nowhere as high, they are still significant enough that businesses have to be very careful to not break any rules.

SMS regulations in APAC (Asia-Pacific)

The Asia-Pacific region is the largest SMS market in the world. In the list of countries with the most active mobile phone users, the top three spots are occupied by APAC nations: China, India, and Indonesia.

China

In China, the following types of marketing/promotional messages are strictly prohibited: real estate, stocks, loans, investment banking, education, immigration, politics, adult supplies, pornography, violence, gambling, and other illegal information.

Business SMS messaging is restricted to long codes. To send SMS messages, businesses need to register message templates and a business license, along with their official website, company name, type of traffic, message content, and sender name and signature.

Learn more about SMS registration and guidelines for China here.

India

To send commercial SMS in India, businesses must register with telecom authorities or service providers using Distributed Ledger Technology (DLT). DLT uses blockchain technology to stop unsolicited communication, synchronizing Do Not Disturb (DND) subscriber data with all Mobile Network Operators and keeping a record of every SMS sent.

When registering on a DLT platform, you will need to provide the business’s name along with the templates (messages that will be sent), headers (Sender IDs), and consent templates.

Promotional messages can only be sent between 10 AM and 9 PM. Gambling and cryptocurrency messages are forbidden.

You can learn more about the process of registering an SMS sender in India here.

Indonesia

These are the most important aspects of SMS compliance in Indonesia: gambling, religious, adult, and racial content is prohibited; sender registration with Indonesian network operators is mandatory and requires a Letter of Authorization (LOA); different requirements apply for local and international senders; sender names must not exceed 11 characters; only one sender ID is allowed per company (a statement is required for multiple IDs); and only alphanumeric, brand-related sender IDs are permitted.

You can learn more about SMS guidelines for Indonesia here.

Australia

No adult, religious, or political content is allowed when sending SMS to customers in Australia. Anyone providing a regulated interactive gambling service must hold a license under Australian State or Territory laws. Gambling promotional messaging is strictly prohibited for new users unless the user specifically opts in with the gambling company before SMS termination. Inducing new or existing users to gamble is prohibited in message content, and opt-in/opt-out is required for all promotional or transactional gambling messages. Online sports betting is legal through licensed operators, with numerous additional restrictions.

You can use an alphanumeric sender ID, a virtual long number, or a short code. To register as a business sender, you must provide a Letter of Authorization (LOA). You can learn more about SMS guidelines for Australia here.

Singapore

Singapore’s Personal Data Protection Act (PDPA) governs SMS marketing. All promotional messages must include the letters “ADV” at the start of the message to clearly identify them as advertisements. Businesses must obtain consent before sending marketing SMS and must provide a functioning opt-out mechanism in every message.

SMS regulations in MENA (Middle East & Northern Africa)

Our latest Messaging Trends report shows an increasing demand for SMS and CPaaS solutions due to a wider adoption of CRM systems across industries, investments in customer experience, and growing cybersecurity demands.

Saudi Arabia

A2P SMS traffic in Saudi Arabia is categorized into local and international (by origin), and transactional and promotional (by type). Your company must have a local presence and provide relevant documentation for local SMS termination. Alphanumeric senders are allowed, but gambling, betting, spam, loan traffic, crypto, forex, and adult content are likely to be blocked by Saudi Arabian operators. URL shorteners such as bit.ly or goo.gl are strictly forbidden, and other URLs must be safelisted beforehand. Promotional traffic can only be sent between 8 AM and 10 PM local KSA time, and companies must add a “-AD” suffix to the sender name for promotional messages.

Morocco

In Morocco, A2P SMS traffic is categorized into local and international (by origin), and sender registration is mandatory for both types with proper documentation. Sender IDs are limited to 11 characters and cannot include generic senders, special characters, spaces, or numbers. Two-way messaging is available for local traffic only, and promotional messages can be sent between 10 AM and 8 PM local time (9:00 to 19:00 UTC). There are no specific content restrictions.

Algeria

In Algeria, you can use a dynamic alphanumeric sender, though numeric senders might get blocked on some networks. Two-way SMS is currently unavailable. Gambling traffic is forbidden, as is content that is illegal, adult, religious, or political.

SMS regulations in LATAM (Latin America)

Brazil

Both dedicated and shared short codes are allowed in Brazil, but local regulations and approvals must be obtained. Alphanumeric sender IDs are only permitted for companies with a local presence. Virtual Long Numbers (VLNs) are not allowed. Messages referencing bank or mobile network operator names require authorization from those companies. Political and gambling content is prohibited, and marketing messages require explicit opt-in consent.

Opt-out is mandatory and must be included in every message. A DND registry is available, but end-users must explicitly request it. Messaging is permitted between 8 AM and 8 PM on workdays (Monday to Friday) and 8 AM to 2 PM on Saturdays; no SMS may be sent on Sundays. When setting up MO (Mobile Originated) messages, use specific keywords to ensure the right customer receives the message.

Colombia

Short codes (shared or dedicated) are allowed for SMS notifications in Colombia, but Virtual Long Numbers (VLNs) are prohibited. Explicit opt-in from end users is required before sending any messages. Debt collector and marketing messages are restricted to between 8:00 AM and 9:00 PM under CRC regulations. Political content requires opt-ins and must include a Spanish version of the text “paid political ad.” NLI (Non-Latin Identifiers) are not supported, and short codes must remain active or the regulator may remove them.

How to ensure SMS compliance globally

To summarize, there are some best practices common across most global regions that you should follow to ensure SMS compliance.

Obtain clear consent: Always get explicit consent from customers before sending text messages.

Send appropriate content: Check and respect the legal restrictions in the country regarding message content.

Respect time windows: Send texts at appropriate times and avoid spamming.

Register your sender: Use a verified business sender for messaging, according to country-specific regulations.

Ensure an opt-out mechanism: Provide an easy way for subscribers to opt out of receiving further messages.

Maintaining SMS compliance across countries can pose quite a challenge. There is little doubt that to succeed, you will need the help of an experienced and proven enterprise SMS provider to reach your customers in all corners of the globe.

We would love to help. With 20+ years of experience in international SMS delivery, compliance capability is built into our platform. We have a staff of dedicated compliance specialists on the ground on every continent, maintaining direct relationships with more than 800 operator connections across 190+ countries, the largest direct network of any SMS provider.

The end result? Our customers remain compliant in every territory and get the best possible delivery rates.

This blog was originally published in May 2022 and has been updated regularly as global SMS regulations evolve. The latest update was in March 2026 and included updates to the US TCPA following the Eleventh Circuit’s vacating of the one-to-one consent rule, the FCC’s updated consent revocation timelines, Canada’s A2P long code registration requirement under CASL, and the addition of Singapore to the APAC section.