SMS API Guide
SMS API Rules, Regulations, & Compliance
Chances are, you’ve already realized that you need to integrate SMS messaging into your marketing and communication strategies. It’s arguably the best way to connect with customers: affordable, convenient, and effective. Or may you’ve already integrated an SMS API and have been sending text campaigns. Either way, you need to be aware of SMS API laws in order to stay in compliance and avoid fees.
There are several federal agencies and governing bodies that determine the laws and best practices surround text messages and SMS. These include the CTIA, MMA, FCC, and FTC. Each of these has a specific purpose and regulations that apply to SMS messaging, such as what prerequisites companies must meet prior to sending messages.
Keep reading to learn about all the rules and regulations you’ll need to know in order to keep your SMS messages compliant.
SMS API Rundown
SMS messaging is one of the most powerful and popular communication methods currently available to businesses. But with power, comes responsibility— and rules. If you want to connect with users via SMS, you’ll need to stay in compliance.
Below, we’ll cover what spam is and what constitutes spam, what companies regulate SMS messaging and spam, and how to ensure your messages are compliant with SMS API regulations set forth.
What’s Considered SPAM?
Spam text messages are Short Message Service (SMS) messages sent to users without their prior written express consent or invitation. Spam text messages are illegal and users have the right to take legal action against companies that send spam.
Also known as unwanted messages, spam includes any of the following:
- Unwanted commercial text messages to mobile phones
- Autodialed or prerecorded text messages sent to mobile phones with users’ prior express written consent
- Autodialed text messages on wireless devices or unwanted commercial messages to a non-wireless device from telecommunications companies or advertisements for a telecommunication company’s products or services
- Text messages that do not include the ability to opt-out from future messages
In the sections that follow, we’ll cover examples of spam and everything you’ll need to know to stay compliant with SMS API rules and avoid accidentally sending spam to your customers.
Examples of SPAM
Essentially, spam messages are unsolicited texts. Besides lacking prior consent from users, spam messages are also often poorly written, urgent, impersonal, and too good to be true.
Below are some examples of spam text messages:
Spam text messages should be immediately blocked and reported. If your company receives notification of spam texts coming from your numbers, it’s best to hold off on sending SMS messages until the complaint is resolved.
Cellular Telecommunications Industry Association
The Cellular Telecommunications Industry Association (CTIA) represents the U.S. wireless communications industry by coordinating best practices and advocating for legislative and regulatory policies at the federal, state, and local levels.
The CTIA sets out the following best practices for application-to-person (A2P) SMS messaging:
- Consumer Consent – Companies should obtain a user’s express, written consent (opt-in) prior to sending messages and should further ensure that users have the ability to revoke consent at any time (opt-out) and are aware of this consent.
- Consumer Authentication – Companies should use an authentication process to verify a user’s authority to opt-in to receiving texts.
- Privacy and Security – Companies should maintain and display an easy-to-understand privacy policy, implement reasonable security control and protect and secure consumer information, and conduct regular security audits.
- Spam Prevention – Companies should make reasonable efforts to prevent (and combat) unwanted and unlawful messaging traffic (i.e., spam). They should also ensure that embedded links and phone numbers are not intended to harm or deceive users
- Content – Companies are prohibited from sending content related to sex, hate, alcohol, firearms, and tobacco, also known as the SHAFT rule.
- Unwanted Messages – Besides making efforts to prevent unwanted messages, companies should also filter or block unwanted messages, notify users when they engage with or send spam, and adopt traffic practices that protect users from spam.
There are additional best practices related to shared telephone numbers and shared short codes, snowshoe messaging, grey routes, and common short codes.
Review all of the CTIA’s messaging principles and best practices here.
Mobile Marketing Association
The Mobile Marketing Association (MMA) is an international marketing trade association that connects marketers, martech, and media companies. It’s dedicated to researching and adopting peer-driven and scientific best practices.
The MMA provides best practices for implementing short code programs, which covers industry practices, common wireless carrier policies, and regulatory guidance. Here are some of the highlights:
- Messaging Frequency – One-time messages should only result in one or two messages, otherwise the program should be labelled as recurring
- Advertising Messaging Program – Companies should ensure that their advertising terms and conditions are clear
- Opt-In – Users must opt-in to recurring message program through a call to action by sending a mobile originated messages to the company short code or initiate opt-in from a web interface
- Program Messages – When reminder messages are sent, they must include the company’s identity, a program description, messaging frequency, HELP information, opt-out information, and pricing terms for the program
- Program Termination – Companies must offer users the opportunity to opt out of the program at any time
- Program Short Code Transfer – Subscribers to recurring programs can be transferred to a new short code without a new opt-in if the content and purpose of the program remains unchanged
- HELP Guidelines – Help messaging commands, phone numbers, URLs, and email addresses should result in subscribers receiving help
These are just a few of the guidelines. For the full list of best practices, view the MMA’s U.S. Consumer Best Practices for Messaging (here).
Though the MMA isn’t a federal agency like those we’ll cover in the following sections, companies will still need to follow the SMS API rules set forth in order to avoid being reported for spam messages.
Federal Communications Commission
The Federal Communications Commission (FCC) regulates interstate and international communications and serves as the U.S. primary authority for communications laws and regulations. In 1991, the FCC released the Telephone Consumer Protection Act (TCPA), which outlines restrictions on the use of telephone equipment.
The TCPA did the following:
- Restricted the use of telemarketing equipment, automatic telephone dialing systems, and artificial or prerecorded voice messaging systems
- Required companies to institute and follow procedures for maintaining company-specific do-not-call (DNC) lists
- Required telemarketers and companies to obtain express written consent from users before contacting them, with the exception of emergency communication (such as weather alerts, bomb threats, etc. from national entities)
- Prohibited companies from using an “established business relationship” to avoid asking for written consent
- Required telemarketers and companies to provide an automated, interactive opt-out option
- Prohibited telemarketers and companies from contacting emergency lines and guest/ patient room lines in hospitals, healthcare facilities, elderly homes, or similar establishments
Though the TCPA was originally published in the 1990’s, it has been regularly updated in order to account for changing technology, stricter consumer protections, and marketer needs.
Omnibus Declaratory Ruling and Order
Originally, there was some dispute about whether the TCPA, whose language addresses telephone calls, also applied to SMS APIs and messaging. The Omnibus Declaratory Ruling and Order (here) expanded on the TCPA and confirmed that the regulations set forth in the TCPA also applied to SMS and MMS messaging.
More specifically, the Omnibus Declaratory Ruling and Order:
- Asserted that text messages fall under “calls” in terms of language and are subject to all the regulations laid out in the TCPA
- Confirmed that companies must obtain explicit consumer consent for texts and robocalls, including for internet-to-phone text messages, and that customers may revoke consent at any time
- Waived the rule for written consent for certain parties for a limited time to allow those parties to solicit updated consent
- Exempted select pro-consumer financial and healthcare messages from the rule for written consent (subject to separate conditions and limitation regarding consumer privacy and protections)
- Clarified that the presence of numbers on one user’s contact list on third-party applications does not equal consent to receive texts or calls from the owners of those numbers (i.e., consent does not carry over from users to their contacts)
- Clarified that “on demand” text messages sent in response to consumer request are not subject to TCPA liability
The Omnibus Declaratory Ruling and Order provided much-needed clarification for companies and consumers alike. It’s an important expansion of the TCPA, but certainly not the only component that marketers should review. The TCPA and the Omnibus Declaratory Ruling and Order should be reviewed together.
Federal Trade Commission
The Federal Trade Commission (FTC) protects consumers and companies alike by preventing anticompetitive, deceptive, and unfair business practices.
In 2003, the FCC updated the TPCA. In conjunction with this update, they also partnered with the FTC to establish the national DNC registry. This nationwide registry applies to all telemarketers and companies, with the exception of select nonprofits and charities, telephone surveyors, political organizations, and government entities.
Prior to sending text messages to any users, companies should run their contact lists through the DNC registry to ensure numbers are not already registered. Many providers offer this feature, among others aimed at SMS API compliance.
If your company is required to use the registry, you must coordinate your contact lists with updated versions of the registry at least every 31 days.
Fees Associated with SPAM
Whether or not you deliberately unsolicited spam messages, spam is illegal and your company will be fined for it. The statutory fine for spam texts is $500 per SMS message. If it’s proven that you sent the spam texts intentionally, that fine rises to $1,500 per text.
To avoid being fined for spam SMS messages, you need to get prior written express consent. This is the most important component of SMS text campaigns. This consent is required whether your campaign is recurring or just consists of one-time messages.
Remember, a prior business relationship doesn’t constitute user consent. Similarly, getting consent from one user doesn’t mean you automatically have consent from that user’s friends or family, even if that user gives you access to their contact list.
But consent isn’t the only rule your company will need to worry about. You’ll still have to review the SMS API rules we’ve discussed above and make sure you’re in compliance with all of the regulatory agencies.
Avoid Sending SPAM Messages
In order to avoid sending spam messages, you’ll need to thoroughly review SMS API policy, regulations, and rules. We’ve laid out all the major players in terms of federal agencies and industry organizations, which include the CTIA, MMA, FCC, and FTC. Though each coordinate with each other, they independently play a significant role in SMS marketing and have specific rules and best practices.
Let’s start sending, together.