Bulk SMS Compliance: TCPA, 10DLC, A2P (Honest Version)

SMS compliance has a reputation for being terrifying. The TCPA fines run into the hundreds of millions. 10DLC sounds like a hacker forum. A2P sounds like a robot. The reality is simpler than the acronyms suggest. This post walks through each layer in plain English, what actually applies to a service business running missed call text back, and what HonorElevate handles for you vs what you have to provide.

One important framing: I am not a lawyer. This is operator-grade compliance education, not legal advice. For high-risk industries (healthcare, debt collection, financial services, multi-state campaigns at scale) get an actual TCPA attorney. For a standard service business running MCTB and routine SMS follow-up, the framework below covers 95% of what matters.

Layer 1: TCPA

The Telephone Consumer Protection Act is the 1991 federal law that governs telephone (and now SMS) consumer protection. It is the law you have heard about because of the lawsuits.

What TCPA actually requires

For SMS, the core requirements are:

• Prior express written consent for marketing SMS sent to a wireless number.
• Prior express consent (not necessarily written) for transactional or informational SMS.
• Honor opt-out within 10 business days of a STOP request (in practice, immediately).
• Identify yourself in the message.
• Quiet hours: generally 8 AM to 9 PM local time for outbound messaging (this is from related FCC rules and state laws, not TCPA proper, but enforced together).

How TCPA applies to MCTB specifically

The key question: is the MCTB SMS marketing or transactional?

TCPA case law and FCC guidance treats a response to an inbound consumer-initiated contact as transactional. The caller dialed your business with the intent to engage. Your responsive SMS continues that engagement. The inbound call serves as the consent record. The MCTB SMS is therefore transactional, which means:

• Prior express written consent is not required (the inbound call satisfies the lower consent standard).
• Quiet hours technically apply, but if the caller dialed you at 11 PM, the responsive SMS at 11 PM is generally permissible because they initiated.
• You still must honor STOP requests and identify yourself in the message.

Where it gets fuzzy:

• Follow-up SMS at 4 hours. If the caller did not reply to the first SMS, the follow-up is still arguably transactional but skirts the marketing edge. The cleanest position: include STOP keyword and keep the content service-focused, not promotional.
• Promotional SMS to that contact later. Different category entirely. Requires actual marketing consent (form opt-in, checkbox, written agreement), not just the original inbound call.

Layer 2: 10DLC

10DLC stands for "10-Digit Long Code." It is the modern framework, established by US wireless carriers in 2021, that lets businesses send SMS from regular 10-digit phone numbers (the kind your customers call) at scale. Before 10DLC, business SMS at any meaningful volume had to go through "short codes" (5-6 digit numbers) which were expensive and slow to provision.

Why 10DLC exists

Carriers got tired of business SMS being indistinguishable from consumer texting, which led to spam, scams, and degraded user trust. 10DLC adds a registration and trust layer to business SMS without forcing every small business onto expensive short codes.

What 10DLC requires

To send automated SMS from a 10-digit number in the US:

• Register the phone number as a business number (not consumer).
• Register the brand sending the SMS with The Campaign Registry (TCR).
• Register the campaign describing what the SMS is used for (customer support, missed call response, appointment confirmations, marketing, etc.).
• Pass carrier vetting which checks brand legitimacy, EIN match, and content category.

Throughput limits

Carrier throughput on 10DLC depends on your assigned trust score. Standard small-business trust scores allow 1-10 messages per second per number. For MCTB volumes (sub-100 SMS per hour even at scale) this is plenty. For SMS marketing blasts you may hit throttling. The platform handles queue management automatically.

Layer 3: A2P

A2P stands for "Application-to-Person" messaging, vs P2P (Person-to-Person, regular texting between two phones). Any SMS sent by software, not a human typing on a phone, is A2P. That includes MCTB, appointment confirmations, review request texts, follow-up sequences, and SMS marketing.

A2P registration mechanics

1. Brand registration with The Campaign Registry. You provide: legal business name, EIN, business address, business website, business email, primary contact name, contact phone, contact email, vertical, country. TCR vets the brand. Approval: 1-3 business days.
2. Campaign registration for each SMS use case. You provide: campaign name, description, sample messages (5-10), use case category, opt-in flow description, opt-out flow description. Carrier vetting: 2-7 business days.
3. Phone number assignment. Once brand and campaign are approved, your 10DLC phone numbers can send SMS under that campaign.

Use case categories that matter

• Customer Care (low-risk, easy approval): includes MCTB, appointment confirmations, service updates, basic customer service.
• Higher Education (medium-risk).
• Marketing (medium-risk, more scrutiny): promotional content, sales, offers.
• 2FA / Account Notifications (medium-risk, specific use case).
• Polling / Voting / Charity / Public Safety Alerts (special categories).
• High-Risk Financial Services / Debt Collection / Cannabis / etc. (significant scrutiny, often need T-Mobile-specific approval).

For most HonorElevate service-business deploys, the primary campaign is Customer Care covering MCTB, appointment confirmations, and review requests. A separate Marketing campaign covers promotional sends. Both run on the same phone numbers but with different content categorizations.

What HonorElevate handles for you

During setup, the registration mechanics are on us. Specifically:

• 10DLC phone number provisioning (or porting your existing number).
• Brand registration with The Campaign Registry.
• Campaign registration for each SMS use case (Customer Care, Marketing, etc.).
• Carrier vetting and trust score management.
• STOP / HELP keyword infrastructure (the platform handles these natively).
• Quiet-hours enforcement for outbound non-response SMS.
• Audit log of consent records (inbound call timestamps, opt-in form submissions, etc.).

What you provide:

• Your EIN (employer identification number).
• Your legal business name, address, website, and primary contact.
• Sample messages for each use case (we draft, you approve).
• Description of how you obtained or will obtain consent.

Total time from "let's start" to "first SMS fires": 5-7 business days, with registration running in parallel to the rest of the build.

The five things that actually get you in trouble

TCPA litigation is real and expensive. Plaintiff's lawyers actively look for non-compliant SMS programs. The five most common violations:

1. Sending marketing SMS to non-consenting recipients

Buying a list and texting it. Pulling phone numbers from public records and texting them. Adding existing email contacts to your SMS list without explicit SMS consent. Any of these is a TCPA jackpot for plaintiff lawyers. Statutory damages: $500-$1,500 per text.

2. Ignoring STOP requests

If a recipient replies STOP and you send another message to that number, you have created a per-text TCPA violation. HonorElevate's STOP handling is automatic at the platform level. You cannot accidentally text a STOP-list person.

3. Texting during prohibited hours

Outbound SMS before 8 AM or after 9 PM local time without specific consent. Quiet-hours enforcement is automatic for HonorElevate non-responsive sends. The platform respects recipient time zone.

4. Misrepresenting your identity

SMS that does not identify the sending business, or that uses someone else's brand name, creates fraud and TCPA exposure. The HonorElevate first-message template requires business name. Most of the templates in What to Actually Say in Your Missed Call Text Back Sequence already comply.

5. Treating MCTB consent as permanent marketing consent

The inbound call gives you license to respond. It does not give you license to text that contact six months later with a promotional offer. Different consent class. The cleanest practice: keep MCTB conversations transactional, and use a separate explicit opt-in for marketing.

State-level rules that compound on TCPA

Some states layer additional restrictions on top of federal TCPA:

• Florida (mini-TCPA / FTSA): 2021 law that lowered the bar for plaintiff suits. Particular caution required for FL-based campaigns. Quiet-hours strictly enforced.
• California (CCPA / CPRA): data privacy rules around how phone numbers are stored and used. Affects retention and consent management.
• Washington, Oklahoma, Maryland, others: emerging mini-TCPA frameworks. Most are aligned with federal TCPA but with local twists.

For service businesses operating in one state with local customers, the federal framework is the primary concern. For multi-state operators, talk to a TCPA attorney about state-specific exposure.

What you should document

If you ever face a TCPA complaint, the question is "show me the consent record." Documentation that holds up:

• Inbound call log with timestamp (for MCTB responsive SMS).
• Form opt-in records with timestamp, form URL, IP, and explicit checkbox text (for marketing SMS).
• Conversation transcripts showing the recipient engaged with subsequent messages.
• STOP-list logs showing the recipient was honored when they opted out.

HonorElevate retains all of this automatically. The platform has an audit-trail export for any contact you need to defend.

The bottom line

SMS compliance for service businesses running MCTB is straightforward when the platform handles the mechanics. The inbound call is your consent record for the responsive SMS. 10DLC and A2P registration is one-time setup. STOP, HELP, and quiet hours are platform-enforced. The five common violations are easy to avoid with disciplined defaults.

Where compliance gets real is when service-business SMS spills over into general marketing. That requires actual marketing consent, real opt-in records, and content discipline. Build the discipline early. The plaintiff bar is patient.

For the pillar context, read The Complete Guide to Missed Call Text Back for Service Businesses. For the message templates that comply by default, read What to Actually Say in Your Missed Call Text Back Sequence.