Compliance

Overview

SMS messaging is heavily regulated to prevent spam and protect consumers. Transactional helps you stay compliant with built-in features and best practices.

US Regulations

TCPA (Telephone Consumer Protection Act)

The TCPA regulates SMS marketing and requires:

• Prior express consent - Recipients must opt-in before receiving messages
• Clear identification - Messages must identify the sender
• Opt-out mechanism - Easy way to unsubscribe (we handle this automatically)

Consent Types

10DLC (10-Digit Long Code)

10DLC is the standard for Application-to-Person (A2P) messaging in the US:

• Required for business SMS on 10-digit numbers
• Campaign registration with carriers
• Brand verification through The Campaign Registry (TCR)

10DLC Status in Transactional

Our pool numbers are pre-registered for 10DLC. When you use our templates:

• Templates are approved for specific use cases
• Numbers are registered for those use cases
• You benefit from our carrier relationships

Enterprise 10DLC

For dedicated numbers or custom templates, you may need your own 10DLC registration:

1. Register your brand with TCR
2. Register your campaign/use case
3. Get carrier approval
4. Use approved numbers and templates

Contact support for help with enterprise 10DLC setup.

CAN-SPAM Overlap

While CAN-SPAM primarily covers email, some provisions apply to SMS:

• Don't send to numbers on the Do Not Call registry
• Honor opt-out requests promptly
• Include clear sender identification

Canadian Regulations

CASL (Canada's Anti-Spam Legislation)

CASL requires:

• Express consent for commercial messages
• Implied consent allowed for existing relationships (up to 2 years)
• Clear unsubscribe mechanism

CRTC Requirements

The Canadian Radio-television and Telecommunications Commission (CRTC) requires:

• Sender identification
• Contact information
• Unsubscribe mechanism

UK Regulations

PECR (Privacy and Electronic Communications Regulations)

UK regulations under PECR require:

• Consent for marketing messages
• Opt-out mechanism
• Sender identification

ICO Guidelines

The Information Commissioner's Office provides guidance on:

• When consent is needed
• How to record consent
• Handling opt-outs

India Regulations

DLT (Distributed Ledger Technology)

India requires DLT registration for SMS:

• Entity registration - Register your business with telecom providers
• Header registration - Register sender IDs (e.g., "ACMECO")
• Template registration - Pre-approve all message templates
• Content scrubbing - Messages are verified against templates

DLT Status in Transactional

For India messaging:

1. We provide DLT-registered templates
2. Our sender headers are pre-registered
3. Messages are automatically formatted for compliance

Enterprise customers can register custom DLT templates.

Opt-Out Handling

Automatic Processing

We automatically handle standard opt-out keywords:

Confirmation Messages

When users opt out, they receive automatic confirmation:

You have been unsubscribed and will not receive further messages. Reply START to resubscribe.

Suppression Lists

Opted-out numbers are stored in suppression lists:

• Messages to suppressed numbers are blocked
• API returns specific error code (1006)
• You can view and manage suppressions in the dashboard

Consent Management

Best Practices

1. Get clear consent before sending
2. Document consent - timestamp, source, scope
3. Allow easy opt-out - honor requests immediately
4. Re-confirm periodically for marketing

Consent Recording

Track consent in your application:

interface SmsConsent {
  phoneNumber: string;
  consentType: 'EXPRESS' | 'IMPLIED' | 'TRANSACTIONAL';
  consentSource: 'WEB_FORM' | 'VERBAL' | 'TEXT_KEYWORD' | 'MOBILE_APP';
  consentedAt: Date;
  consentText: string;  // What they agreed to
  ipAddress?: string;
}

Consent Workflow Example

// 1. Collect consent during signup
async function collectSmsConsent(userId: string, phone: string) {
  await db.insert(smsConsents).values({
    userId,
    phoneNumber: phone,
    consentType: 'EXPRESS',
    consentSource: 'WEB_FORM',
    consentedAt: new Date(),
    consentText: 'I agree to receive OTP and account notifications via SMS.',
  });
}
 
// 2. Verify consent before sending
async function canSendSms(phone: string): Promise<boolean> {
  // Check suppression list
  const suppressed = await client.sms.checkSuppression(phone);
  if (suppressed) return false;
 
  // Check consent
  const consent = await db.query.smsConsents.findFirst({
    where: eq(smsConsents.phoneNumber, phone),
  });
 
  return !!consent;
}
 
// 3. Send only with consent
async function sendOtp(phone: string, code: string) {
  if (await canSendSms(phone)) {
    await client.sms.send({
      to: phone,
      templateAlias: 'otp-verification',
      templateModel: { code },
    });
  }
}

Message Content Guidelines

Required Elements

1. Business name - Include your company name
2. Purpose - Clear reason for the message
3. Opt-out - For non-transactional messages, include "Reply STOP to unsubscribe"

Prohibited Content

• Spam or unsolicited marketing
• Phishing or fraud
• Adult content
• Illegal activities
• Misleading information

Template Examples

Good:

Acme Inc: Your verification code is 123456. Valid for 10 minutes.

Good (with opt-out):

Acme Inc: Your order #123 has shipped! Track: bit.ly/xxx. Reply STOP to unsubscribe.

Bad:

Your code is 123456

(Missing business identification)

Penalties for Non-Compliance

Compliance Checklist

• Obtain proper consent before sending
• Include business name in messages
• Provide opt-out mechanism
• Honor opt-out requests immediately
• Use templates appropriate for message type
• Keep consent records
• Don't send to suppressed numbers
• Follow country-specific requirements

Next Steps

• Suppressions - Manage opt-out lists
• Webhooks - Track opt-out events
• FAQ - Common compliance questions