Most experienced SMS marketers have a solid grasp of the Telephone Consumer Protection Act (TCPA) and its requirements around prior express written consent. But TCPA compliance alone does not guarantee that your messages will reach subscribers. The CTIA SMS guidelines — a separate layer of carrier-level rules — govern how wireless carriers evaluate, approve, and filter commercial messaging traffic. Violating these guidelines can result in message filtering, throughput throttling, or outright campaign suspension, even if your TCPA compliance is airtight. This breakdown covers the CTIA framework, explains how it differs from federal law, and provides practical guidance for staying on the right side of carrier expectations.
What Is the CTIA and Why Do Its Guidelines Matter?
The CTIA (originally the Cellular Telecommunications and Internet Association) is the trade association representing the U.S. wireless communications industry. Its members include all major carriers — AT&T, T-Mobile, Verizon, and others — as well as device manufacturers and infrastructure providers. The CTIA publishes the Messaging Principles and Best Practices document, commonly referred to as the CTIA Short Code Monitoring Handbook or CTIA messaging guidelines.
These guidelines are not law. They are industry self-regulatory standards that carriers have collectively agreed to enforce. The distinction matters because it changes the enforcement mechanism. TCPA violations lead to lawsuits and FCC fines. CTIA violations lead to carriers blocking your traffic. In practice, carrier-level enforcement is often faster and more disruptive than regulatory action, because a single carrier flag can shut down message delivery within hours.
The Relationship Between TCPA, CTIA, and 10DLC
SMS compliance operates as a layered system. Federal law (TCPA) sets the legal floor. The CTIA guidelines add carrier-specific requirements on top of that floor. And channel-specific registration programs — like 10DLC registration for application-to-person (A2P) messaging on long codes — add yet another layer of vetting and monitoring.
A message that is TCPA-compliant can still violate CTIA guidelines. For example, TCPA does not require you to include your business name in every message, but CTIA guidelines do. TCPA does not specify how opt-out confirmations should be worded, but CTIA guidelines are prescriptive about it. Understanding where these frameworks diverge is essential for marketers operating at scale.
Core CTIA Requirements for Commercial SMS Programs
The CTIA guidelines cover a broad range of messaging program types, from short code campaigns to toll-free and 10DLC traffic. While the specifics vary slightly by channel, the core principles apply universally to any commercial SMS program. Below is a breakdown of the most critical requirements.
1. Program Disclosure at Opt-In
The CTIA requires that consumers receive clear disclosure about what they are signing up for before they opt in. This goes beyond the TCPA's consent requirement. Specifically, the opt-in flow must communicate:
- The program name or product being advertised
- The message frequency (e.g., "Up to 4 msgs/month")
- A notice that message and data rates may apply
- A link to the privacy policy
- A link to the terms and conditions
- Instructions for how to opt out (e.g., "Reply STOP to cancel")
- Instructions for how to get help (e.g., "Reply HELP for help")
All of these elements must be visible at the point of consent capture — whether that is a web form, a keyword-based opt-in, or a point-of-sale sign-up. Burying disclosures in a linked terms page is not sufficient; the key elements need to be adjacent to the consent action.
2. Confirmation Messages
After a consumer opts in, the CTIA requires a confirmation message that reiterates the program details. This confirmation SMS should include:
- The program or brand name
- A reminder of message frequency
- "Msg & data rates may apply"
- Opt-out instructions ("Reply STOP to unsubscribe")
- Help instructions ("Reply HELP for info")
This confirmation serves as both a compliance record and a consumer protection mechanism. It ensures the subscriber knows exactly what they have signed up for and how to exit. Platforms like Trackly handle this through configurable welcome journeys that automatically send compliant confirmation messages as the first step in any subscriber sequence.
3. Recurring Message Disclosure
For any program that sends more than a single message, the CTIA classifies it as a "recurring message program." These programs must clearly state the recurring nature and expected frequency at opt-in. Vague language like "occasional messages" is not acceptable. Carriers expect specific frequency disclosures such as:
| Acceptable | Not Acceptable |
|---|---|
| "Up to 5 msgs/week" | "We may text you sometimes" |
| "1 msg/day" | "Occasional updates" |
| "Up to 20 msgs/month" | "Frequent messages" |
| "Msg frequency varies" | No frequency disclosure at all |
Note that "Msg frequency varies" is generally acceptable as a fallback when exact frequency cannot be predicted, but carriers prefer more specific disclosures when possible. If you state "Up to 4 msgs/month" and then send 15, you are in violation — and carriers do monitor for this.
4. STOP/HELP Keyword Handling
The CTIA mandates that all commercial SMS programs support at minimum the STOP and HELP keywords. The requirements are specific:
- STOP: When a subscriber replies STOP (or END, CANCEL, UNSUBSCRIBE, QUIT), the program must immediately cease sending messages and respond with a confirmation such as: "You have been unsubscribed from [Program Name]. No more messages will be sent. Reply HELP for help."
- HELP: When a subscriber replies HELP, the program must respond with the program name, a customer support contact (phone number or email), and opt-out instructions.
These keyword responses must work at all times, regardless of where the subscriber is in a messaging sequence. Trackly's built-in opt-out handling processes STOP keywords automatically across all campaign types, updating the contact's status in real time and adding them to the suppression list without requiring manual intervention. This is critical because delayed opt-out processing is one of the most common reasons carriers flag campaigns.
5. Content Standards and Prohibited Content
The CTIA maintains strict content standards that go beyond what federal law prohibits. The guidelines categorize content into tiers and restrict certain content types to specific channels:
| Content Category | Short Code | Toll-Free | 10DLC |
|---|---|---|---|
| Standard marketing | Allowed | Allowed | Allowed |
| Age-gated content (alcohol, tobacco) | Allowed with age gate | Restricted | Restricted |
| Cannabis / CBD | Prohibited | Prohibited | Varies by carrier |
| Firearms | Prohibited | Prohibited | Varies by carrier |
| Lending / payday loans | Restricted | Restricted | Restricted |
| SHAFT content (sex, hate, alcohol, firearms, tobacco) | Heavily restricted | Heavily restricted | Heavily restricted |
The acronym SHAFT — sex, hate, alcohol, firearms, and tobacco — is the industry shorthand for content categories that face the highest scrutiny. Even when such content is technically allowed on a given channel, it requires additional vetting, age-gating mechanisms, and often a dedicated short code with carrier-approved use cases.
Short Code Compliance: The CTIA Approval Process
Short codes remain the standard for high-volume commercial SMS because they offer the highest throughput and carrier trust. They also face the most rigorous CTIA compliance review. Understanding this process helps marketers avoid costly delays and rejections.
The Short Code Application and Vetting Cycle
When you lease a short code and submit it for carrier approval, the CTIA (through its monitoring partner, typically Kaleyra or a similar registry) reviews the entire program. The review evaluates:
- The opt-in mechanism and call-to-action language
- The confirmation message content
- Sample message content for all planned use cases
- The privacy policy and terms of service
- The STOP and HELP response messages
- The program's content category classification
- The expected message volume and frequency
This review process typically takes 8 to 12 weeks. Each carrier reviews independently, and any carrier can reject or request modifications. Common rejection reasons include incomplete disclosures, missing HELP/STOP responses, or content that falls into restricted categories without proper documentation.
Ongoing Monitoring and Audits
Approval is not a one-time event. The CTIA and its carrier members conduct ongoing monitoring of short code programs. This includes:
- Periodic audits of opt-in flows (carriers may test your sign-up pages)
- Complaint rate monitoring (consumer complaints to carriers)
- Content sampling (carriers review actual messages sent)
- Opt-out compliance testing (carriers send STOP to verify proper handling)
If a program is found to be non-compliant during an audit, the carrier can suspend traffic immediately and require remediation before restoring service. For marketers running time-sensitive campaigns, this kind of disruption can be significant.
CTIA Guidelines for 10DLC and Toll-Free Messaging
While short codes have long been subject to CTIA oversight, the expansion of A2P messaging on long codes (10DLC) and toll-free numbers has brought these channels under similar scrutiny. The 10DLC registration process was specifically designed to extend CTIA-style vetting to long code traffic.
10DLC Brand and Campaign Registration
Under the 10DLC framework, brands must register with The Campaign Registry (TCR) and have their campaigns approved before sending A2P traffic. The registration process evaluates many of the same elements the CTIA reviews for short codes: use case description, sample messages, opt-in flow, and content category. Campaigns that fail to meet CTIA standards are rejected or assigned low trust scores, which directly impacts throughput limits.
Toll-Free Verification
Toll-free numbers used for A2P messaging now require verification through a process that mirrors 10DLC registration. Unverified toll-free traffic faces aggressive filtering. The verification process requires the same disclosures and compliance documentation that CTIA guidelines mandate for all commercial messaging.
Message Content Requirements Under CTIA Guidelines
Beyond the structural requirements around opt-in and opt-out, the CTIA guidelines impose specific rules on message content itself. These rules are designed to ensure transparency and prevent deceptive messaging practices.
Sender Identification
Every commercial message must clearly identify the sender. This means including the brand or program name in the message body. Unlike email, where the "From" field serves this purpose, SMS has no built-in sender identification for short codes or toll-free numbers. The brand name must appear in the text itself.
A message that reads "50% off today only — click here" without identifying the sender violates CTIA guidelines, even if the recipient previously consented to receive messages from that brand.
Opt-Out Reminder Frequency
The CTIA recommends including opt-out instructions in messages at regular intervals. While not every single message needs to include "Reply STOP to unsubscribe," the guidelines suggest including it at least once per month for recurring programs. Some carriers interpret this more strictly, particularly for high-frequency programs.
URL and Link Requirements
Messages containing URLs face additional scrutiny. The CTIA guidelines and carrier filtering systems flag:
- Public URL shorteners (bit.ly, tinyurl.com) — these are heavily filtered because they obscure the destination
- Shared short domains used by multiple senders
- URLs that redirect through multiple hops
- Links to landing pages that do not match the program's registered use case
Using a dedicated short domain for link tracking significantly reduces filtering risk. Trackly's link tracking feature supports custom short domains, which helps maintain deliverability by ensuring links are associated with your brand rather than a shared service.
Common CTIA Compliance Mistakes and How to Avoid Them
Even experienced marketers make CTIA compliance errors, often because they assume TCPA compliance covers everything. Here are the most frequent issues and their remedies.
Mistake 1: Exceeding Declared Message Frequency
If your opt-in flow states "Up to 4 msgs/month" and you send 10, carriers can and will flag your program. The fix is straightforward: either increase your declared frequency at the opt-in point or implement send caps in your messaging platform. Trackly's scheduled sends and campaign management tools allow marketers to set frequency caps per contact, reducing the risk of exceeding declared limits.
Mistake 2: Missing or Incomplete Opt-In Disclosures
A web form that says "Sign up for texts" without the required disclosures (frequency, rates, STOP/HELP instructions, privacy policy, terms) will fail carrier review. Audit every opt-in touchpoint — web forms, keyword opt-ins, point-of-sale sign-ups, and third-party lead sources — to ensure full CTIA-compliant disclosure language is present.
Mistake 3: Delayed STOP Processing
The CTIA expects opt-out processing to be effectively instantaneous. If a subscriber sends STOP and receives another marketing message before the opt-out is processed, that is a compliance violation. Batch-processing opt-outs on a daily or hourly schedule is not sufficient. Real-time processing is the standard. Trackly's opt-out handling processes STOP requests immediately, ensuring no subsequent messages are sent to that contact across any active campaign.
Mistake 4: Using Shared Short Domains for Links
Shared URL shorteners remain a common deliverability risk. Many marketers still use them out of convenience, but the solution is to set up a dedicated short domain for your SMS links. This gives carriers a consistent, identifiable domain associated with your brand.
Mistake 5: Ignoring Quiet Hours
While the CTIA guidelines do not specify exact quiet hours, they reference the expectation that marketers will send messages at "appropriate" times. In practice, carriers look to state-level regulations and industry norms. Sending commercial messages between 9 PM and 8 AM in the recipient's local time zone is widely considered non-compliant. For a detailed breakdown of state-specific restrictions, see our guide to SMS quiet hours and state-level texting restrictions.
CTIA Enforcement: What Happens When You Violate the Guidelines
Understanding the enforcement mechanism helps contextualize why CTIA compliance matters as much as — or more than — legal compliance for day-to-day messaging operations.
Carrier Filtering and Throttling
The first level of enforcement is automated. Carriers use content filtering systems that scan messages for compliance signals. Messages missing sender identification, containing flagged URLs, or coming from programs with high complaint rates may be silently filtered — meaning they are never delivered, and you may not receive a delivery failure notification.
Throttling is another common response. Rather than blocking traffic outright, carriers may reduce your throughput to a fraction of normal levels. For time-sensitive campaigns, this can be just as damaging as a full block.
Campaign Suspension
For more serious violations — or repeated minor violations — carriers can suspend a campaign entirely. This means all traffic from the associated short code, toll-free number, or 10DLC campaign is blocked. Reinstatement requires a formal remediation process, which can take days or weeks.
Short Code Revocation
In extreme cases, a short code can be permanently revoked. This is rare but does occur, particularly for programs engaged in deceptive practices, sending prohibited content, or repeatedly failing audits. Losing a short code means losing the number entirely, along with any subscriber associations tied to it.
Building a CTIA-Compliant SMS Program: A Practical Checklist
The following checklist consolidates the key CTIA requirements into an actionable format. Use it to audit existing programs or build new ones from a compliant foundation.
Opt-In Flow Checklist
- Program name clearly stated
- Message frequency disclosed (specific number or "Msg frequency varies")
- "Msg & data rates may apply" included
- STOP instructions included ("Reply STOP to unsubscribe")
- HELP instructions included ("Reply HELP for info")
- Link to privacy policy
- Link to terms and conditions
- All disclosures visible at the point of consent (not behind a link)
Confirmation Message Checklist
- Sent immediately after opt-in
- Includes program/brand name
- Restates message frequency
- Includes "Msg & data rates may apply"
- Includes STOP and HELP instructions
Ongoing Message Compliance Checklist
- Every message includes sender/brand identification
- Opt-out instructions included at least monthly
- Message frequency does not exceed declared limits
- URLs use a dedicated branded short domain
- No prohibited content categories without proper approval
- Messages sent during appropriate hours (respecting state-level quiet hours)
Technical Infrastructure Checklist
- STOP keyword processed in real time across all campaigns
- HELP keyword returns compliant response
- Opt-out list (DNC) synchronized across all sending channels
- Delivery receipts monitored for filtering signals
- Complaint feedback loops established where available
How CTIA Guidelines Fit into Your Overall Compliance Strategy
CTIA compliance does not exist in isolation. It is one layer in a multi-layered compliance framework that includes federal law (TCPA, CAN-SPAM for email-to-SMS), state regulations, and carrier-specific policies. For a comprehensive overview of how these layers fit together, our SMS marketing compliance guide covers TCPA, 10DLC, and carrier rules in detail.
The practical takeaway is that compliance is not a checkbox exercise. It requires ongoing attention to evolving guidelines, regular audits of opt-in flows and message content, and infrastructure that enforces compliance programmatically rather than relying on manual processes.
Trackly's deliverability tools — including GSM-7 encoding validation, segment counting, and throughput rate limiting — are designed to help marketers stay within carrier expectations without constant manual oversight. Combined with automatic opt-out handling and DNC list management, these features reduce the surface area for compliance errors that lead to carrier filtering or campaign suspension.
Staying Current with CTIA Updates
The CTIA updates its guidelines periodically, and carriers may implement new filtering rules or policy changes independently. Staying current requires:
- Monitoring the CTIA's published guidelines (available on ctia.org)
- Tracking carrier-specific policy updates from AT&T, T-Mobile, and Verizon
- Reviewing updates from The Campaign Registry (TCR) for 10DLC changes
- Working with your messaging platform or aggregator, who often receive advance notice of policy changes
The SMS compliance landscape is not static. What was acceptable two years ago may trigger filtering today. Building a program on a foundation of CTIA guidelines — rather than the minimum legal requirements — provides stronger protection against disruption as standards evolve.