SMS & TCPA compliance

How we stay legal on every SMS we send for you.

A single TCPA class action can cost between $500 and $1,500 per message. Every operator who runs SMS at scale lives with that exposure. Here's exactly how LeadRescue AI captures consent, registers with carriers, enforces quiet hours, scrubs DNC, honours opt-outs, and where the legal liability sits between us and the customer.

Get my free audit → See pricing

Express written consent on every form

Before we send a single SMS, the homeowner must have ticked an explicit consent checkbox at the point of lead capture. The minimum compliant wording we ship is:

"By submitting this form, I agree to be contacted by {{Company}} via SMS at the phone number provided, including for marketing and quote follow-up. Message and data rates may apply. Message frequency varies. Reply STOP to opt out, HELP for help."

That language is reviewed by your team before go-live and embedded directly under the phone field. We keep a timestamped log of every consent capture for 4 years — the standard TCPA limitation period — and surface it in your dashboard.

A2P 10DLC carrier registration

Every SMS to a US mobile number sent for marketing or customer-care purposes is subject to A2P 10DLC. We register the brand and campaign with The Campaign Registry (TCR) on your behalf during onboarding. That registration covers:

Brand registration — your legal entity vetted by TCR (typical score 75+).
Campaign type — usually Customer Care / Lead Response for the recovery flow, plus a separate 2FA / Conversational campaign for missed-call replies.
Sample messages reviewed by carriers before sending starts.
Throughput & daily caps aligned to your registered campaign tier.

Setup cost for 10DLC registration is included in the Pilot. If you already have a registered brand from another vendor, we adopt it instead of opening a duplicate.

Quiet hours, recipient timezone aware

The TCPA defines "calling hours" as 8 AM to 9 PM in the recipient's local time — not yours. Most states layer additional restrictions on top. Our system:

Inferences timezone from the homeowner's area code + zip (zip wins where there's a conflict).
Defaults the sending window to 9 AM – 8 PM recipient time, one hour tighter than the federal minimum, to leave margin for state-level rules (Florida, Mississippi, Oklahoma, Washington and a dozen others).
Treats the initial auto-reply as a conversational message (allowed any time once the homeowner has initiated contact), and the day-2 / day-5 cadence as marketing (strict quiet hours apply).

DNC scrubbing & STOP enforcement

Every outbound recipient is scrubbed against:

The federal Do Not Call registry (refreshed every 30 days).
All state DNC lists that supplement the federal list (notably Indiana, Massachusetts, Pennsylvania, Tennessee, Wyoming).
Your own customer opt-out list, which syncs back the moment a homeowner replies STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT, or "remove".
A litigator block list maintained by the SMS deliverability industry to filter known TCPA plaintiff numbers.

STOP opt-outs are honoured immediately across every channel (SMS, email, voice). HELP requests get an auto-reply with your support contact. We never reuse an opted-out number even if the homeowner re-submits a form months later, without a fresh opt-in.

Frequency caps and unsubscribe footer

Carrier guidelines require that no recipient receives more than a reasonable number of messages without re-engagement. Our defaults:

Maximum 4 messages on a single lead unless the recipient is actively replying.
Maximum 3 messages on a single unsigned quote, spaced ≥48 hours apart.
Every first message includes the "Reply STOP to opt out" footer. Subsequent messages in the same thread don't repeat it (carriers consider that spammy).

Who's on the hook — liability allocation

This is the part most vendors fudge. We'll be explicit:

You (the customer) are responsible for the legality of the lead source — i.e. that the phone numbers you funnel into LeadRescue were captured with the required consent language. If you import a purchased lead list without consent, you're on the hook.
LeadRescue AI is responsible for everything happening downstream of that consented lead: 10DLC registration, quiet hour enforcement, DNC scrubbing, STOP handling, frequency caps, and message content matching the registered campaign type. If a class action arises from our failure on any of these, we indemnify you up to the liability cap in our Terms.

The Pilot includes a one-time review of your existing form and lead-source consent language. If it's non-compliant, we flag it before any SMS goes out and recommend the minimum fix.

Sub-processors handling SMS data

We send SMS through carrier-vetted upstream providers (Twilio, Telnyx, or Bandwidth, depending on geography and tier). All sub-processors are bound by GDPR-compliant data processing agreements. Customer data is encrypted in transit and at rest, retained 24 months, and deletable on request within 30 days. See our privacy policy for the current sub-processor list.

What this means in plain English

If you bring us leads captured cleanly through your own forms, you can run SMS recovery at scale without anxiety. The infrastructure is set up the way TCR auditors and TCPA-defense lawyers expect to see it set up. If you bring us a scraped list or a purchased CSV, we'll flag it during onboarding and decline to send until consent is fixed.

We don't promise zero litigation risk — nobody who runs SMS at scale can. We promise that the parts of the stack we control are configured to keep that risk small and the audit trail clear if it ever surfaces.

Questions about a specific state, a specific consent flow, or a specific lead source? Email raph@leadrescueoutreach.com — we'll answer plainly, not in legalese.

Want to see the compliance setup applied to your business?

Your free audit includes a review of your current consent language, your lead sources, and how SMS recovery would fit on top — within TCPA, 10DLC, and your state-specific rules.

Request my free audit →