This is a really important question. The answer is that it depends, and the risk is real. Here's the full picture:
The Core Legal Problem
Under TCPA, you generally cannot send an SMS message to obtain consent for future SMS messages. The logic is circular — you need consent to send the message, but the message itself is asking for consent. The first message is itself potentially a violation if the recipient never agreed to receive SMS communications.
The FCC and courts have largely closed what was once called the "welcome message" loophole, where brands would send an initial opt-in notification as a way to build a consent list from an existing customer database.
What the CTIA Says
The CTIA guidelines — which carriers enforce through 10DLC — are explicit that:
- Consent must be obtained before the first message is sent
- Sending an unsolicited message asking someone to opt in is itself a violation of their guidelines
- Prior business relationship alone does not constitute consent to receive SMS messages
The Gray Area — Existing Business Relationship
There is a narrow argument that if a customer:
- Provided their mobile number directly to the business
- Did so in a context where receiving communications was reasonably expected
- Has an active and recent relationship with the business
...then a single, strictly informational message about an upcoming SMS program with a clear opt-out may carry lower risk. However, this is not a guaranteed safe harbor and has not been definitively blessed by the FCC or courts.
The Safer Approaches
Rather than sending a cold SMS notification, there are better ways to build a consented SMS list from an existing customer base:
Email first — Send an email to the existing customer base inviting them to opt in to SMS communications. Include a clear call to action such as "Text JOIN to 12345" or a link to a web opt-in form. This is the most widely accepted approach and keeps you fully compliant.
Point of sale or in-app opt-in — Capture SMS consent at the next purchase or app interaction, with a clear checkbox or prompt.
Keyword opt-in campaign — Invite customers through existing channels (email, social, in-store signage) to text a keyword to opt in. This is clean, documented, and carrier-friendly.
Website opt-in form — Add an SMS consent field to account pages, checkout flows, or a dedicated sign-up page so existing customers can opt themselves in.
If You Still Want to Follow the Initial SMS Approach
If you want to proceed despite the risks, the message would need to, at a minimum:
- Clearly identify the business by name
- Explain what types of messages the customer will receive
- State that message and data rates may apply
- Provide a clear and easy opt-out (e.g. "Reply STOP to opt out")
- Not contain any promotional content whatsoever
- Be a single one-time message — not a series
Even with all of this, the legal risk remains and varies by state. Some states like Florida, Oklahoma, and Washington have passed their own mini-TCPA laws that are stricter than the federal standard and may make even this approach non-compliant.
Bottom Line
| Approach | Risk Level |
|---|---|
| Cold SMS to existing customer base asking them to opt in | High — likely TCPA violation |
| Single informational SMS with opt-out, no promo content | Moderate — not a guaranteed safe harbor |
| Email invitation to opt in to SMS | Low — widely accepted best practice |
| Opt-in captured at next purchase or interaction | Low — clean consent |
| Keyword campaign promoted through existing channels | Low — clean consent |
Our recommendation is to avoid a cold SMS approach and instead build your SMS consent list through one of the compliant opt-in methods described above.
As always, you should consult your own legal counsel for specific guidance on your situation.