TCPA §227(b)(1)(A) imposes strict liability for marketing SMS sent without prior express written consent — $500 per message, trebled to $1,500 per message if the violation is knowing or willful. Collecting a phone number at signup for 2FA and then sending promotional SMS is the canonical TCPA violation: the user consented to one purpose (authentication) and received communications for a completely different purpose (marketing). TCPA class actions are the most expensive class actions in US consumer law; a list of 10,000 numbers with improper consent is a $5M–$15M exposure. GDPR Art. 6(1)(a) and Art. 7 require the same specificity of consent for EU users, and CCPA §1798.120 grants opt-out rights that must be built into the consent flow.
Critical because TCPA imposes strict per-message statutory damages of $500–$1,500 with no cap per campaign, making even a modest marketing SMS send to users with invalid consent a multi-million dollar liability.
Implement a dedicated TCPA-compliant SMS opt-in form with the full required disclosure language — do not reuse the 2FA phone number collection form.
// components/SmsOptInForm.tsx — full TCPA disclosure required
export function SmsOptInForm() {
  return (
    <label>
      <input type="checkbox" name="smsConsent" />
      By checking this box, I consent to receive recurring marketing text messages
      from <strong>YourProduct</strong> at the number provided. Message frequency
      varies. Message & data rates may apply. Reply <strong>STOP</strong> to opt
      out at any time. Consent is not a condition of purchase.{' '}
      <a href="/privacy">Privacy Policy</a>
    </label>
  )
}

// Record consent with evidence — timestamp, source, language version.
// Runs server-side; db, user, normalizedPhone and clientIp come from the request handler.
await db.smsConsent.create({
  data: {
    userId: user.id,
    phoneNumber: normalizedPhone,
    consentedAt: new Date(),
    consentSource: 'signup-form',
    consentLanguage: 'v1-tcpa-2026',
    ipAddress: clientIp,
  },
})
If you plan to send to more than a few hundred numbers, have a telecom attorney review the consent flow before launch.
ID: email-sms-compliance.consent.prior-express-written-consent
Severity: critical
What to look for: Enumerate every relevant item. The Telephone Consumer Protection Act (TCPA) requires "prior express written consent" before sending marketing SMS to any US phone number. This consent must: (1) be in writing (electronic form counts), (2) clearly disclose that the consumer is agreeing to receive marketing texts, (3) identify the sender by name, (4) disclose the nature of the messages (e.g., "promotional offers"), (5) not be required as a condition of purchase or service. Look at every point in the application where a phone number is collected: signup forms, checkout, profile settings, opt-in forms, SMS keyword opt-in flows. For each collection point, check whether the consent language meets TCPA requirements — not just "I agree to the Terms of Service" but specific disclosure that the user is consenting to receive marketing SMS. Check that the consent form includes the required TCPA disclosure text (message/data rates disclosure, ability to opt out with STOP).
Pass criteria: At least 1 of the following conditions is met. Before any marketing SMS is sent to a US number, the user has provided prior express written consent via a form that: names the sender, describes the message type (promotional/marketing), discloses message and data rates may apply, explains how to opt out (reply STOP), and is not bundled as a required condition of service. Consent records are stored with timestamp and form source.
Fail criteria: Marketing SMS sent to users who only provided a phone number for 2FA or account security (no separate marketing SMS consent). TCPA disclosure language absent from consent form. Consent bundled into generic Terms of Service checkbox with no specific SMS mention.
Skip (N/A) when: The application sends no marketing SMS — only transactional notifications explicitly requested by the user (e.g., order confirmations, appointment reminders triggered by user action with no promotional content).
Detail on fail: Specify the gap. Example: "Application collects phone numbers during signup for 2FA, then sends promotional SMS offers. No separate marketing SMS consent form with TCPA disclosures." or "SMS opt-in checkbox uses text 'I agree to terms' with no mention of SMS, frequency, or STOP opt-out method."
Remediation: Implement a TCPA-compliant SMS opt-in form:
// components/SmsOptInForm.tsx
export function SmsOptInForm() {
  return (
    <div>
      <label>
        {/* Optional on purpose: consent must not be a condition of purchase or service */}
        <input type="checkbox" name="smsConsent" />
        {/* TCPA-required disclosure — do not abbreviate or simplify */}
        By checking this box, I consent to receive recurring marketing text messages
        from <strong>YourProduct</strong> at the number provided. Message frequency
        varies. Message & data rates may apply. Reply <strong>STOP</strong> to opt out
        at any time. Reply <strong>HELP</strong> for assistance. Consent is not a
        condition of purchase.{' '}
        <a href="/privacy">Privacy Policy</a> |{' '}
        <a href="/terms">Terms of Service</a>
      </label>
    </div>
  )
}

// Record the consent with timestamp and source.
// Runs server-side; db, user, normalizedPhone and clientIp come from the request handler.
await db.smsConsent.create({
  data: {
    userId: user.id,
    phoneNumber: normalizedPhone,
    consentedAt: new Date(),
    consentSource: 'signup-form',
    consentLanguage: 'v1-tcpa-2026', // version your consent text
    ipAddress: clientIp, // consent evidence: record only the IP here, no other request data
  },
})
Note: TCPA class action lawsuits are expensive. If you plan to send marketing SMS to more than a few hundred users, consult a telecommunications attorney to review your consent flow before launch.
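A send-time gate that applies the pass and fail criteria above to stored consent records, as an added example that is not part of the original rule or of any real product's code. The `purpose` and `revokedAt` fields, the approved-version list and the function names are assumptions; the sample records are constructed.

```typescript
// Added example, not from the original page. `purpose` and `revokedAt` are
// assumed fields; the others mirror the smsConsent record shown above.
interface SmsConsentRecord {
  phoneNumber: string;
  purpose: 'marketing' | '2fa'; // assumption: what the number was collected for
  consentedAt: Date;
  consentLanguage: string;      // version of the disclosure text the user saw
  revokedAt?: Date;             // assumption: set when the user replies STOP
}
interface Decision { phoneNumber: string; send: boolean; reason: string }

// Disclosure versions reviewed as carrying the full TCPA text (assumed list).
const APPROVED_LANGUAGE: string[] = ['v1-tcpa-2026'];

function marketingDecision(phoneNumber: string, records: SmsConsentRecord[]): Decision {
  const own = records.filter((r) => r.phoneNumber === phoneNumber);
  const marketing = own.filter((r) => r.purpose === 'marketing');
  if (marketing.length === 0) {
    const reason = own.length > 0 ? 'collected for another purpose' : 'no consent record';
    return { phoneNumber, send: false, reason };
  }
  // The newest consent wins, but any STOP at or after it blocks the send.
  const latest = marketing.reduce((a, b) =>
    (a.consentedAt.getTime() >= b.consentedAt.getTime() ? a : b));
  const lastStop = Math.max(...marketing.map((r) => (r.revokedAt ? r.revokedAt.getTime() : -Infinity)));
  if (lastStop >= latest.consentedAt.getTime()) {
    return { phoneNumber, send: false, reason: 'opted out' };
  }
  if (APPROVED_LANGUAGE.indexOf(latest.consentLanguage) === -1) {
    return { phoneNumber, send: false, reason: 'unapproved consent text' };
  }
  return { phoneNumber, send: true, reason: 'ok' };
}

// Constructed sample records (fictional 555 numbers).
const sampleRecords: SmsConsentRecord[] = [
  { phoneNumber: '+15555550101', purpose: 'marketing', consentedAt: new Date('2026-01-10'), consentLanguage: 'v1-tcpa-2026' },
  { phoneNumber: '+15555550102', purpose: '2fa', consentedAt: new Date('2026-01-11'), consentLanguage: 'n/a' },
  { phoneNumber: '+15555550103', purpose: 'marketing', consentedAt: new Date('2026-01-12'), consentLanguage: 'v1-tcpa-2026', revokedAt: new Date('2026-02-01') },
  { phoneNumber: '+15555550104', purpose: 'marketing', consentedAt: new Date('2026-01-13'), consentLanguage: 'tos-checkbox' },
];

function campaignAudience(numbers: string[], records: SmsConsentRecord[]): Decision[] {
  return numbers.map((n) => marketingDecision(n, records));
}
```

Logging each `Decision` alongside the campaign ID gives the audit a per-message record of why a number was or was not sent to.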