← Back to Blog
Guide

SMS Opt-In Rules 2026: TCPA, GDPR & Global Consent

SMS Opt-In and Consent Rules 2026: TCPA, GDPR, and the Global Compliance Guide

Quick answer: In 2026, US marketing SMS requires prior express written consent, and opt-outs made by any reasonable method must be honored within 10 business days. The one-to-one consent rule is dead (vacated January 2025), and the "revoke-all" provision is postponed to January 31, 2027. The EU, UK, and Canada all require documented opt-in consent with easy withdrawal. The universal rule: if you can't prove consent, you don't have it.

SMS consent law moved more in the last two years than in the previous decade. Here is the current state, market by market, and the consent stack that satisfies all of them.

What Does the TCPA Require in 2026?

The Telephone Consumer Protection Act governs US messaging, enforced by the FCC and a very active class-action bar. Statutory damages run $500 per violation, $1,500 if willful — per message.

For marketing messages you need prior express written consent (PEWC):

  • Written agreement (electronic checkbox or web form counts) obtained before the first promotional text
  • Clear disclosure that the person agrees to receive marketing texts from your specific business
  • Notice that consent is not a condition of purchase
  • Message frequency, "message and data rates may apply," and STOP/HELP instructions disclosed

For transactional messages — order confirmations, delivery updates, OTPs — prior express consent (giving you the number in a related transaction) suffices, as long as content stays non-promotional. One marketing sentence inside a shipping update converts the whole message to marketing.

What Changed in 2025–2026?

Three shifts matter:

ChangeStatusWhat it means
Revocation by "any reasonable method"In force since April 2025STOP, but also plain-language replies, email, voicemail — all valid opt-outs
10-business-day opt-out deadlineIn force since April 2025Down from 30 days; automate suppression
One-to-one consent ruleVacated January 2025Single opt-in may cover multiple sellers with proper disclosure — but broad partner clauses remain risky
"Revoke-all" provisionPostponed to January 31, 2027One revocation cutting off all unrelated message types — build for it now

The practical upshot: your opt-out handling can no longer be a keyword filter. "Please stop texting me," a reply in Spanish, or an email to support all start the 10-day clock.

How Do GDPR and European Rules Treat SMS?

In the EU, marketing SMS falls under GDPR plus national ePrivacy implementations:

  • Opt-in consent must be freely given, specific, informed, and unambiguous — no pre-ticked boxes, no consent bundled into general terms
  • The soft opt-in exception: existing customers may be messaged about similar products if they were offered a clear refusal option at collection and in every message
  • Proof burden is on you: who consented, when, through what interface, seeing what language
  • Withdrawal must be as easy as granting — and honored without delay

The UK mirrors this under UK GDPR and PECR. Fines scale to 4% of global revenue, and European regulators have shown they will use SMS cases to set examples.

What About Canada, Australia, and Other Markets?

  • Canada (CASL): among the world's strictest — express opt-in with documented proof, sender identification, and functioning unsubscribe in every message. Penalties reach CAD 10 million per violation.
  • Australia (Spam Act): consent (express or clearly inferred), sender identification, and a working unsubscribe facility in every commercial message.
  • India, UAE, Singapore, and much of Asia and the Gulf: consent plus mandatory sender/template registration (India's DLT being the heaviest); unregistered traffic is blocked regardless of consent.

The pattern is global convergence: documented opt-in, easy opt-out, sender identification. Build to the strictest market you serve and you rarely need per-country exceptions.

What Does a Compliant Opt-In Flow Look Like?

  1. Unbundled checkbox or keyword opt-in — separate from terms acceptance, never pre-ticked
  2. Full disclosure at the point of collection: brand name, message types, frequency, rates notice, "consent not required for purchase," STOP/HELP
  3. Double opt-in confirmation message — not legally required in the US, but it creates the timestamped proof record that wins disputes and satisfies GDPR's burden
  4. Immediate written confirmation with the same disclosures and opt-out instructions

How Should You Handle Opt-Outs in 2026?

  • Honor any reasonable revocation: keywords, natural-language replies, email, support calls
  • Suppress within 10 business days at the latest — best practice is minutes, automated
  • Send one final confirmation message (allowed, and only that)
  • Propagate suppression across every platform that sends for you — the fragmented-systems gap is where class actions are born
  • Prepare for revoke-all (2027): design your suppression model so one revocation can cut across all campaign types when the provision lands

What Consent Records Must You Keep?

For every subscriber, retain: opt-in timestamp, collection source (URL, keyword, POS), the exact disclosure text displayed, IP/device identifier where applicable, and the full history of preference changes and opt-outs. Retain for the life of the subscription plus your limitation period. In court and audit alike, an undocumented consent is treated as no consent.

ViteMobile enforces suppression lists at the gateway level across all sender IDs, timestamps every opt-in and opt-out event, and exports consent audit trails — so the proof exists the day a demand letter arrives.

Key Takeaways

  • US marketing SMS needs prior express written consent; opt-outs by any reasonable method must be honored within 10 business days.
  • One-to-one consent is vacated; revoke-all arrives January 31, 2027 — architect suppression for it now.
  • GDPR, UK PECR, and CASL all demand provable, freely given opt-in with effortless withdrawal.
  • Purchased lists are radioactive in every major market.
  • Consent you cannot document is consent you do not have.

Frequently Asked Questions

Q: What consent do I need to send marketing SMS in the US? A: Prior express written consent — a clear written or electronic agreement obtained before the first promotional message, with disclosure of message types, frequency, rates, and the fact that consent isn't a purchase condition.

Q: What changed in TCPA rules for 2025–2026? A: Opt-outs by any reasonable method must be honored within 10 business days (since April 2025); the one-to-one consent rule was vacated (January 2025); the revoke-all provision was postponed to January 31, 2027.

Q: Is a purchased phone number list legal to text? A: Effectively no in every major market. In the US it exposes you to $500–$1,500 statutory damages per message; under GDPR and CASL it fails valid-consent requirements outright.

Q: How is SMS consent handled under GDPR? A: Freely given, specific, informed, unambiguous opt-in — no pre-ticked boxes — with provable records and withdrawal as easy as granting.

Q: What records should I keep to prove SMS consent? A: Opt-in timestamp, source, exact disclosure language, IP/device where applicable, and full preference history, retained for the subscription's life plus your limitation period.