Marketing · June 15, 2026 · 9 min read

The SMS marketing compliance SOP for DTC brands

A mistimed text can cost $500 to $1,500. Here's the compliance SOP that turns 'we think we're fine' into 'we can prove it.'

Anand Yadav · Founder, ReccordSOP · Last reviewed June 15, 2026

SMS is the highest-converting channel most DTC brands own, and the most legally loaded. The Telephone Consumer Protection Act sets the rules, and the penalty for getting them wrong is $500 to $1,500 per text. Not per campaign. Per message. Class actions built on those numbers settle in the millions, and a cottage industry of plaintiff firms now scans brands for slip-ups.

Here's the part most operators miss: the brands that get caught usually weren't reckless. They had a consent box that came pre-checked, a quiet-hours setting that ignored state rules, an opt-out keyword that quietly stopped working after a platform update, or consent records they couldn't produce when asked. Every one of those is drift, the same slow gap between what you set up and what's actually running that breaks every other operational doc.

A compliance SOP closes that gap. It turns 'we think we're compliant' into 'we can prove it,' which is the only version that holds up. This is the SOP we use with DTC brands running Postscript, Attentive, or Klaviyo SMS: what the law requires in plain language, where brands actually trip, and the repeatable checks that keep your program safe as laws and tools change underneath it.

Not legal advice

This is operational guidance, not legal advice. TCPA and state-level SMS rules change, and your situation may have specifics this SOP doesn't cover. Use it to build your process, then have counsel review it before you rely on it.

Why compliance is an SOP, not a setting

The instinct is to treat SMS compliance as a one-time setup: switch on the platform's compliance features, paste in a consent line, move on. That works right up until something changes. A new opt-in form goes live without the consent language. A state updates its quiet-hours window. A platform migration drops your opt-out automation. The setup was compliant; the running system isn't anymore.

Compliance is a moving target because three things underneath it keep moving: the law, your tools, and your own marketing. An SOP beats a setup because it builds in the recheck. It names what to verify, how often, and who signs off, so a setting that silently broke gets caught on a schedule instead of in a demand letter.

The core idea

Compliance isn't a switch you flip once. It's a routine you run. The brands that stay safe aren't the ones with the best initial setup; they're the ones who re-verify consent capture, quiet hours, and opt-out handling on a schedule.

What the law actually requires

You don't need to be a lawyer to run a compliant program, but your team needs the four requirements in plain language. Strip the legalese and TCPA marketing compliance comes down to four things:

  • Express written consent. Before you send someone marketing texts, they have to actively agree to receive them. Actively means an unchecked box they tick or a keyword they send, never a pre-checked box and never bundled into a general terms agreement.
  • Clear disclosure at opt-in. At the moment they consent, you state who's sending, that the messages are recurring marketing, that frequency and data rates apply, and how to opt out. The consent language has to be visible, not buried.
  • Quiet hours. No marketing texts before 8am or after 9pm in the recipient's local time, with several states setting tighter windows.
  • A working opt-out. Every recipient can stop messages with a standard keyword, and you honor it immediately and permanently.

That's the spine. Most of what a compliance SOP does is make sure each of these four keeps working after you set it up, and that you can prove each one if a regulator or a plaintiff's lawyer asks.

Where DTC brands actually get caught

Violations cluster in a handful of predictable places. These are the failure points to check first, because they're where the drift hides:

  • The pre-checked opt-in box. A checkout or popup where the SMS consent box is ticked by default is the single most common violation. Consent has to be an action the customer takes, not a default they have to notice and undo.
  • Quiet hours set to one national window. A 9pm cutoff in your timezone is already past 9pm further east, and too late for a state with an 8pm rule. Quiet hours run on the recipient's local time, and a few states are stricter than the federal window.
  • Opt-outs that don't fully fire. STOP works, but UNSUBSCRIBE or CANCEL doesn't, or a customer who left one list still gets another. An opt-out has to suppress the number across your sends, not just the campaign they replied to.
  • Buying, importing, or reusing lists. Consent doesn't transfer. A list from an acquisition, a partner, or your own old email file is not SMS consent. Texting it is texting people who never agreed.
  • Consent you can't prove. You collected consent correctly but kept no record of when, how, and what language the customer agreed to. With no proof, a dispute is your word against theirs, and the penalty math is not in your favor.

Consent is where compliance is won or lost, because a flawed opt-in poisons every message that follows it. Lock down the capture first:

  • Make every opt-in an unchecked, deliberate action. The customer ticks the box or texts the keyword. Never pre-check it, and never bundle SMS consent into 'I agree to the terms.'
  • Show the required disclosure at the point of opt-in: your brand name, that it's recurring marketing, that message and data rates apply, the rough frequency, and the opt-out instruction. A link to full terms is fine; hiding the disclosure inside it is not.
  • Audit every opt-in point, not just the main one. Checkout, popups, landing pages, keywords, the back of a postcard. Each is a place consent can be captured wrong, and you're only as compliant as your weakest form.
  • Treat email and SMS consent as separate. An email subscriber did not consent to texts. You need a distinct SMS opt-in for every number you message.

Any opt-in point added after launch is the most likely place for drift, because it's built by whoever is shipping that campaign, not by whoever owns compliance. Route new forms through the same checklist before they go live.

Quiet hours and opt-outs

These two are the easiest to automate and the easiest to let rot, because they live in platform settings nobody revisits. Both need to be set against the rules and re-verified after any platform change.

Quiet hours run on the recipient's local time, not your office's. The federal window is 8am to 9pm. Several states are tighter: Florida, Oklahoma, and Washington run 8am to 8pm, and Texas restricts marketing texts to 9am to 9pm on weekdays and Saturdays and noon to 9pm on Sundays. The safe move is to send within the narrowest window your audience spans, or to use a platform that enforces local-time quiet hours per recipient.

Opt-outs have to be effortless and absolute:

  • Honor the standard keywords: STOP, UNSUBSCRIBE, CANCEL, END, and QUIT. A customer shouldn't have to guess the magic word.
  • Suppress immediately and across every list. An opt-out is a person saying stop, not a campaign preference. They should never get another marketing text unless they re-opt in.
  • Send one confirmation of the opt-out, then nothing. The confirmation is allowed; a 'sorry to see you go, here's 20 percent off' is another marketing message to someone who just opted out.

Test the opt-out flow yourself on a real device after any platform migration or automation change. This is the check brands skip, and it's the one a plaintiff's firm tests first.

Keep records you can produce

Compliance you can't prove is compliance you don't have. If a complaint lands, the question isn't whether you believe you had consent; it's whether you can show it. Build the record-keeping into the SOP:

  • For every opt-in, store the date, the time, the method (which form or keyword), and the exact consent language the customer saw. Most SMS platforms log this; confirm yours does and that you can export it.
  • Keep the records for at least five years. The window for a claim is long, and a deleted record is the same as no record.
  • Keep proof of opt-outs too, with timestamps. If someone claims you texted them after they opted out, the suppression log is your defense.
  • Know who can produce these on request, and how fast. A record you can't find in time is one you effectively don't have.

This is the difference between a scary letter and an expensive one. Brands with clean, exportable consent and opt-out logs resolve most disputes quickly. Brands without them negotiate from zero leverage.

Who owns compliance and the quarterly audit

Compliance fails when it's everyone's job, which means it's no one's. Name an owner and a cadence:

  • One owner for SMS compliance, usually whoever runs retention or lifecycle marketing. They hold the SOP and the audit.
  • A quarterly compliance audit on the calendar: re-verify every opt-in point, confirm the quiet-hours config against current state rules, test the opt-out keywords on a real device, and spot-check that consent records still export.
  • A pre-launch check for any new opt-in form or SMS automation, run before it goes live, not after.

Pull legal in once to review the SOP and the consent language, then keep them on call for changes. You don't need a lawyer for every send. You need one to bless the process and to weigh in when a law moves.

Keep the SOP current

An SMS compliance SOP drifts faster than most, because the ground moves on three sides at once. States pass new SMS laws and adjust quiet-hour windows. Your platform ships an update that changes a setting or a default. Your own team launches a new popup, a new keyword, a new flow. Any one of these can quietly break a control the SOP assumed was solid.

Review the SOP every quarter, and immediately after any platform migration or any change to SMS law in a state you sell into. This is ordinary documentation drift, and on a compliance SOP the cost of drift isn't a confused new hire. It's per-message penalties on every text you sent while the control was broken.

Where to start this week

Don't try to perfect the whole program at once. Do the two checks that catch the most exposure first. Open every SMS opt-in point you have and confirm not one is pre-checked or missing its disclosure. Then text every opt-out keyword to your own number and confirm each one suppresses you.

Those two checks, the opt-in audit and the opt-out test, cover the violations that draw the most lawsuits. Once they're clean, put the quarterly audit on the calendar and name its owner, so the checks keep happening after this week.

ReccordSOP turns a process like this into a documented SOP with timestamped screenshots, and flags drift when your tools, forms, or state rules change underneath it. Generate your first SOP free at reccordsop.com.

Frequently asked questions

Does TCPA apply to my Shopify store's SMS marketing?

Yes. The TCPA governs marketing text messages to US consumers regardless of your store's size or platform. If you send promotional SMS, you need express written consent, you have to respect quiet hours and opt-outs, and you have to keep records. The rules don't scale down for small brands.

What are SMS quiet hours, and do they vary by state?

Quiet hours are the times you can't send marketing texts, measured in the recipient's local time. The federal window is 8am to 9pm. Some states are stricter: Florida, Oklahoma, and Washington use 8am to 8pm, and Texas limits texts to 9am to 9pm on weekdays and Saturdays and noon to 9pm on Sundays. Send within the narrowest window your audience spans, or use a platform that enforces local quiet hours per recipient.

What counts as valid SMS consent?

An active, unchecked opt-in for marketing texts specifically: a box the customer ticks or a keyword they send, shown with a clear disclosure of who's sending, that it's recurring marketing, the frequency, that rates apply, and how to opt out. A pre-checked box, a bundled 'I agree to terms,' or an existing email subscription does not count.

How long should I keep SMS consent records?

At least five years. For each opt-in, store the date, time, method, and the exact consent language the customer agreed to, and keep your opt-out suppression logs too. If a complaint comes, those records are your evidence, and a deleted record is the same as never having had consent.

What's the penalty for a non-compliant text?

$500 to $1,500 per message under the TCPA, applied per text rather than per campaign. For a brand sending thousands of messages, a single non-compliant send scales into serious liability, which is why class actions in this space settle in the millions.

Anand Yadav · Founder, ReccordSOP

I built ReccordSOP after watching too many DTC ops teams lose months to undocumented workflows. These SOPs are battle-tested with Shopify operators running $1M to $50M brands.
