TCPA and SMS Compliance for Service Businesses: What You Need to Know

The short answer: you need written consent from every contact before you send them a marketing text. Not implied consent. Not a phone number collected at checkout. A clear, documented, affirmative opt-in where the person agreed to receive texts from your specific business. That is the standard the TCPA (Telephone Consumer Protection Act) has always required, and the FCC's 2025 enforcement updates made it harder to argue you were close enough.

This post covers what the law actually requires, what changed in 2025, how to collect consent correctly at intake, how Florida layers on additional rules, and a practical 10-point checklist you can run against any existing SMS automation today. This is one part of a broader look at business automation for service companies, where compliance sits alongside efficiency as a core design requirement.

What is the TCPA and why does it apply to your SMS automations?

The TCPA is a federal law that regulates unsolicited telephone communications, including text messages sent using automated dialing systems or pre-recorded technology. If your CRM or automation platform sends texts on your behalf without you manually typing and hitting send each time, the TCPA almost certainly applies to you.

The law was written in 1991 for robocalls, but courts and the FCC have consistently applied it to automated SMS. Your appointment reminder sequences, reactivation campaigns, and promotional blasts all fall under its scope. The exposure is not theoretical: plaintiffs' attorneys actively look for businesses running non-compliant campaigns, and the statutory damages framework makes lawsuits worth filing even for small businesses with modest list sizes.

Run the math on a reactivation campaign to 2,000 contacts. Even at the lower $500-per-message figure, a single send to a list built without proper consent produces $1,000,000 in potential exposure. That is not a hypothetical scare number. It is exactly how plaintiffs' class-action attorneys frame these cases.

What actually counts as valid consent under TCPA?

Prior express written consent is the legal standard for marketing texts, and it is more specific than most business owners realize. The consumer must take an affirmative action (checking an unchecked box, submitting a signed form) that clearly authorizes your business to send them marketing messages via text. Three things that do NOT count as valid consent:

• Giving you their phone number. Booking an appointment, filling out a contact form, or handing over a business card transfers a number. It does not transfer consent to market to that number via automated text.
• Pre-ticked checkboxes. If the box was already checked when the form loaded, the consumer did not affirmatively opt in. Courts have consistently rejected pre-checked consent.
• Consent buried in a terms-of-service agreement. SMS consent cannot be a condition of purchase or service. It must be a standalone, voluntary opt-in.

Transactional messages (appointment confirmations, receipts, direct responses to inbound inquiries) sit in a lower-risk category and generally do not require express written consent. The line is: does this message primarily serve the consumer's transaction, or does it promote your business? Appointment reminders serve the transaction. A text saying "We miss you, book your next visit and save 15%" promotes the business. Treat them differently.

What changed about SMS compliance rules in 2025?

The FCC issued clarifications in 2025 that tightened two areas most automation-heavy businesses had been treating loosely: opt-out processing and consent specificity.

Opt-out: any reasonable method, 10 business days. Previously, many platforms only honored STOP replies as opt-outs. The 2025 clarification made clear that businesses must honor opt-out requests sent through any reasonable method. If someone replies "remove me," "unsubscribe," or calls your office to ask you to stop texting, that counts. You have 10 business days to process the opt-out and may send one confirmation message. Continuing to send after receiving an opt-out request through any channel is a violation.

Consent specificity: one consent, one business. The FCC targeted consent farms, third-party lead aggregators that collect a single opt-in and then claim it covers dozens of downstream businesses. If you bought a lead list where the contacts "opted in to receive offers from partners," that consent does not cover your business under the 2025 rules. Consent must name your business specifically (or reference a clearly disclosed category, like a direct partnership you describe on the form).

If your current SMS list includes any contacts acquired through a third-party lead source, a list purchase, or a shared opt-in form, treat those contacts as unconsented for marketing purposes until you collect fresh consent directly.

How should I collect SMS consent at intake?

Compliant consent collection does not require a legal team. It requires the right language and the right form structure. Here is what the intake opt-in needs:

• An unchecked checkbox placed near the phone number field (not at the bottom of the page after the submit button).
• Clear disclosure language adjacent to the checkbox that names your business, describes the message types the consumer is agreeing to receive, and states that consent is not required to purchase. Example: "I agree to receive text messages from [Business Name] about appointment reminders and promotions. Consent is not required to book. Reply STOP to opt out at any time."
• Links to your SMS terms and privacy policy in the disclosure text.
• A logged record of the timestamp, form version, and IP address at the time of submission. Your CRM or form tool should capture this automatically. If it does not, add it.

When we wire up a new intake form for a client, the first field we look at is the phone field and its surrounding consent language. It is the most common gap we find. The good news is that fixing it is usually a 20-minute update to an existing form. The bad news is that it does not retroactively cover contacts already in the system.

For existing contacts with no documented consent: the safest approach is to send one single re-consent message (by text or email, whichever channel you have clear rights to use) asking them to opt in before you add them to any ongoing marketing sequences. Anyone who does not respond affirmatively should be removed from your marketing SMS list. This is not a fast or comfortable process, but it is the right one.

Are there additional SMS rules specific to Florida?

Florida passed its own Telephone Solicitation Act (FTSA) in 2021, which the legislature amended in 2023, and it adds two meaningful rules on top of federal TCPA requirements.

Florida-specific written consent requirement. The FTSA requires written consent for any telephonic sales call to a Florida area code, including automated texts with a commercial purpose. The state definition of "written consent" aligns closely with the federal TCPA standard, but the FTSA created a private right of action with $500 per violation, meaning individual plaintiffs (not just class actions) can sue without proving actual damages.

Time-of-day restrictions for Florida numbers. Florida restricts telephonic sales calls to the hours of 8:00 a.m. to 8:00 p.m. in the consumer's time zone. If you are sending marketing texts to Florida numbers at 7:45 a.m. because that is when your automation fires, you may be in violation. Most South Florida businesses are texting their own local clients, so time zone is not usually the issue. But delivery timing relative to the window is. Pair this post with our deeper look at SMS timing and send rules to make sure your windows are set correctly.

Florida plaintiffs' attorneys have been active under the FTSA. The combination of a private right of action, low burden of proof, and a per-violation fine structure makes non-compliant SMS campaigns an attractive target. This is not a concern unique to large enterprises. Small service businesses with automated SMS have been named in FTSA suits.

What does a non-compliant SMS setup actually look like in practice?

Across the automation stacks we audit, TCPA compliance is the first thing we check. Not because we are lawyers (we are not), but because we have found accounts with zero consent language in the intake form that were actively texting thousands of contacts. The exposure is material and the fix usually takes 20 minutes. The problem is almost never malicious. It is a builder who set up a reactivation workflow and never thought about whether the list itself was legal to use.

A representative situation: a South Florida med spa wanted to run a reactivation campaign over SMS to past clients. The list was roughly 2,000 contacts pulled from appointment records going back two years. The intake form had a standard name, email, and phone field with no consent checkbox, no disclosure language, and no opt-in logging. The campaign would have gone to 2,000 people who had given their number to book a facial, not to receive promotional texts. The fix was to add compliant consent language to the intake form for all new clients, segment the existing 2,000 contacts into "no documented consent," and run a re-consent email sequence before any SMS campaign went out. The campaign launched about three weeks later to a much smaller but fully consented list.

That delay and that smaller list size are the actual costs of building automations before building the compliance layer. The alternative cost is potential five-figure or six-figure exposure. It is a straightforward trade-off once you see it clearly.

How do I audit my existing SMS automations for TCPA compliance?

Run through this checklist against every active SMS sequence in your system. It covers the most common gaps we see in practice. You can also work through the broader naming and tag schema for your workflows as part of the same audit, because clean workflow structure makes compliance reviews much faster going forward.

• 1. Identify every automated SMS sequence. List them all: new lead follow-up, appointment reminders, reactivation, post-visit, review requests, promotional blasts. Nothing should be running that is not on the list.
• 2. Check the list source for each sequence. For each list or segment, document where the contacts came from. Intake form? Third-party lead? Purchased list? Imported CSV? The answer changes what you do next.
• 3. Confirm consent documentation exists. Can you pull up a record showing the timestamp, form version, and IP address for each contact's opt-in? If your system does not log this, that is the first infrastructure gap to fix.
• 4. Audit your intake form. Is there an unchecked SMS consent checkbox near the phone field? Does the disclosure language name your business and describe the message types? Does it say consent is not required to book or purchase?
• 5. Check your opt-out flow. What happens when someone replies STOP? Are they immediately removed from all marketing sequences? Who reviews opt-out requests that arrive by phone or email?
• 6. Verify your send windows. Are marketing texts going out between 8 a.m. and 8 p.m. in the recipient's time zone? For Florida numbers, this is a state law requirement, not just a best practice.
• 7. Confirm transactional vs. promotional classification. Have you clearly designated which sequences are transactional (confirmation, reminder) and which are promotional (reactivation, sale, upsell)? Promotional sequences need express written consent. Transactional sequences are lower risk but are not a blanket exemption.
• 8. Check list sources for third-party consent. Any contact acquired via a lead aggregator, shared form, or list purchase should be treated as unconsented unless you can document that the consent specifically named your business. Remove or re-consent these before including them in marketing campaigns.
• 9. Review message content for commercial intent. A message that says "Your appointment tomorrow is at 2pm" is transactional. A message that adds "And don't forget, book your next visit before June 30 for 20% off" is now partially promotional. Keep promotional language out of transactional messages.
• 10. Confirm who owns ongoing compliance review. Compliance is not a one-time fix. New workflows get built, lists get imported, staff changes happen. Assign someone (even if that is you) to review new automations before they go live and to confirm opt-out processing is working monthly.

This checklist pairs naturally with the rest of your automation review. If you are also thinking about how your workflows hand off leads and confirm appointments, the missed-call text-back piece covers the consent considerations specific to that first-contact automation, which is one of the highest-volume SMS touchpoints most service businesses run.

A word on legal advice

Nothing in this post is legal advice, and we are not lawyers. TCPA litigation is active and fact-specific. The standards here reflect our reading of the law and the FCC's published guidance as of mid-2026. If you are running high-volume SMS campaigns, acquired a large list from a third party, or have received a demand letter, talk to an attorney who specializes in TCPA defense. The cost of a one-hour consultation is a small fraction of what a settlement costs, and the right lawyer can tell you whether your specific situation poses real risk or not.

What we can do is build the systems that make compliance straightforward from the start: intake forms with the right consent language, opt-out flows that actually work, and workflow architecture that separates transactional from promotional at the infrastructure level. That is the difference between compliance being a scramble and it just being part of how the system runs.