SMS Short Codes: CTIA Compliance Guide

SMS marketing rules are confusing, which is why we’re here at Tatango to help. In this blog, we do our best to explain the CTIA rules regarding SMS short codes, who’s making them, and how they’re enforced. While this is a pretty comprehensive look at CTIA compliance, we always recommend you talk to an experienced SMS marketer before launching any new program.


What Is the CTIA?

CTIA Logo at Tradeshow
The CTIA is an acronym for the Cellular Telecommunications Industry Association. The CTIA was established in 1984 as a nonprofit trade organization that represents wireless carriers (AT&T, T-Mobile, Verizon, etc.) and manufacturers and providers of wireless products and services. What does the CTIA have to do with SMS marketing? In the United States, most SMS marketing happens over SMS short codes, which are 5-6 digit phone numbers. The CTIA essentially oversees all aspects of SMS short codes, hence their importance to the SMS marketing industry.


What Is an SMS Short Code?

An SMS short code is a five or six-digit phone number, so 1-2-3-4-5 or 1-2-3-4-5-6, that a brand uses to communicate to consumers. A SMS short code can be used for things like transactional messages, like SMS flight alerts, or SMS package reminders, or SMS marketing messages to receive future coupons and promotions from a business. There are actually two different kinds of SMS short codes, which you can learn about in the video below. For more information on SMS short code, check out this blog post.


Short Code Registry

SMS Short Code Registry - Common Short Code Administration - CSCA
One of the main functions of the CTIA, as it pertains to SMS short codes, is their management of the Short Code Registry, which used to be called the Common Short Code Administration (CSCA). Just to be clear, the Short Code Registry is different than the U.S. Short Code Directory, which is a free resource provided by Tatango to SMS marketers to lookup who owns a short code. The CTIA, as the program administrator for the Short Code Registry, oversees the technical and operational aspects of short code functions and maintains a single database of available, reserved, and registered short codes.

One the operational aspects of overseeing short codes is setting the rules for short code usage. To do this, the CTIA created the Short Code Monitoring Handbook.


CTIA Short Code Monitoring Handbook

CTIA Short Code Monitoring Handbook - Cover Page
The CTIA Short Code Monitoring Handbook is a 24-page document that describes the best practices for SMS, MMS, and FTEU (free-to-end-user) short code programs. The stated primary intention of the handbook is to provide consumers the best experience possible while interacting with SMS short codes, in addition to:

    • Honoring consumer choices and preventing abuse of messaging platforms.
    • Delivering flexible guidelines that communicate compliance values clearly.
    • Enabling the short code industry to self-regulate.
    • Facilitating enforcement measures, if necessary, to protecting consumers quickly and consistently.

It’s important to note that Short Code Compliance Handbook guidelines lay the framework for achieving these goals, but CTIA reserves the right to take action against any short code program deemed to cause consumer harm. So even if you’re following the CTIA rules, you can still have problems. This is why it’s so important to select an SMS software provider like Tatango that has over 12 years in the industry navigating all these rules.

Further down the page, we summarize the most important parts of this handbook for SMS marketers. You can view the entire CTIA Short Code Monitoring Handbook by clicking here. The last update to the handbook was on March 27, 2017, and it’s classified as version number 1.7.


CTIA Compliance Does Not Equal TCPA Compliance

This statement that if your SMS campaign is compliant with the CTIA Short Code Monitoring Handbook, your campaign will be compliant with the TCPA is not only false but extremely dangerous for brands to follow. Why? Well to put it simply, the CTIA guidelines and the TCPA are two completely different sets of documents, created and enforced by two completely different sets of groups, and both documents serve two completely different sets of purposes.

While we could spend days writing about the differences between the CTIA guidelines and the TCPA, I think it’s best to focus on the big points. This should help to assure that brands don’t get mislead into believing that because their SMS campaign is CTIA compliant, that it’s also TCPA compliant, as this couldn’t be further from the truth.

    • The TCPA is a federal law, the CTIA guidelines aren’t law. No one has ever been sued under the CTIA, but countless brands have been sued under the TCPA.
    • Being that the TCPA is law, it’s regularly enforced in the court system. Being that the CTIA guidelines aren’t law, these guidelines are enforced by a private entity that is hired by the wireless carriers to police the industry. Unlike the regular police though, you won’t be arrested for not following the CTIA guidelines, the only risk to not following these guidelines is a wireless carrier not allowing you to send messages to mobile subscribers on their network.
    • The CTIA guidelines are very specific with regard to text message marketing. The CTIA guidelines tell you exactly what needs to be included in an advertisement for an SMS program (Msg&Data Rates, help & stop commands, messaging frequency, links to terms & conditions, privacy policies, etc.), they tell you what needs to be in specific SMS messages, and they even tell you what can’t be in SMS messages. On the other hand, none of this specific text message marketing stuff is addressed in the TCPA. It’s actually interesting to note that in the TCPA it actually doesn’t mention text messaging once. Text messaging was only recently mentioned by the FCC in a clarification that they issued regarding whether the TCPA actually applies to text messaging (it does). There’s no mention in the TCPA of “Msg&Data Rates”, or what must be included in a text message when a consumer texts the word “HELP” to your short code.
    • The TCPA is all about brands receiving permission from the consumer, and the specifics around how this permission can be gathered, and what is allowed after the permission from the consumer is received. The CTIA guidelines don’t even mention the word “permission” once and focus more on the consumer experience after a consumer has given their permission.

As we said earlier, there are hundreds of differences between the TCPA and the CTIA guidelines. Hopefully, though, the four major differences which we’ve elaborated on above will dispel the notion that if your SMS campaign is compliant with the CTIA guidelines, it will also be compliant with the TCPA. Truth be told, that couldn’t be further from the truth.

For additional information on TCPA compliance, check out these videos.


CTIA Compliance Does Not Equal Wireless Carrier Compliance

It’s also important to mention that CTIA compliance does not equal wireless carrier compliance. The CTIA represents all U.S. wireless carriers (AT&T, T-Mobile, Verizon, etc.), so the only time SMS marketing rules make it into the CTIA Short Code Monitoring Handbook is when all wireless carrier agree on something. The most recent version of the CTIA Short Code Monitoring Handbook has been reviewed and accepted by all CTIA members.

Wireless carriers are free to make their own SMS marketing rules and enforce those rules as they see fit. This is why it’s so important to select an SMS software provider like Tatango that has over 12 years in the industry navigating all these rules.

For example, a few recent carrier-specific rules.


Short Code Monitoring & Enforcement

In this section, we talk about who monitors short code compliance, how it’s enforced, and the consequences of not following the rules.

WMC Global

WMC Global SMS Short Code Monitoring
WMC Global was founded in 2006 to help carriers address business and consumer risk through its market and threat intelligence resources, creating industry best practices, and raising the barrier to entry for non-compliant actors. WMC Global leveraged its experience in market compliance to develop a platform to identify, investigate, and neutralize spam-disseminated messaging threats. WMC Global’s threat takedown work in messaging has resulted in a more compliant messaging ecosystem that supports consumer trust and engagement.

WMC Global is employed by the CTIA to monitor in-market SMS short codes. When a violation is found, WMC Global issues an SMS short code audit to the offending short code owner, on behalf of the CTIA and the wireless carriers.


SMS Short Code Compliance Audits

CTIA Short Code Monitoring Handbook - SMS Short Code Audits
When SMS short codes programs are deployed in market, the live programs are captured and audited by WMC Global. This method is more effective than program brief review or routine SMS keyword testing because compliance audits reflect the user experience that actual consumers encounter when they interact with short code programs in market.

WMC Global issues short code audits weekly for standard rate short codes leased with the Short Code Registry. Compliance audits performed by WMC Global are available to all major U.S. carriers, and compliance metrics can be incorporated into individual carrier compliance policies.

To learn more about SMS short code audits, check out this video.



Individual violations are classified as Severity 0, Severity 1, or Severity 2, based on their potential for consumer harm, with Severity 0 representing the most extreme violations. Violations are based on the compliance guidelines outlined in the CTIA Short Code Monitoring Handbook. Taking the severity level of the gravest violation cited, a failed audit must be resolved in the appropriate timeframe (i.e., before or on the cure date).


Audit Notices

If your SMS marketing program is found to be in violation of the CTIA rules during one of these audits, the CTIA will report you to the carriers, and the carriers may shut you down or suspend your program until the issue has been resolved. The CTIA guidelines contain a lot of detail about text message marketing. They tell you what must be included in an advertisement for an SMS program (message and data rates may apply, help and stop commands, messaging frequency, links to terms and conditions, privacy policies, etc.), as well as what must not be included.

Audits are published Tuesday at 2:00 A.M. EST. Although audits might be available for review earlier, the official notice date from which the cure date is calculated is 12:00 P.M. EST each Tuesday.

CTIA SMS Short Code Audit
Since the CTIA guidelines aren’t law, brands can’t be sued for violating them, but you do run the risk of having your SMS program shut down by one or more carriers. In May of 2014, the CTIA reviewed 1,751 campaigns and found advertising failures in 386 of the campaigns, which resulted in a 22% failure rate. What accounts for over 20% of all text message advertising failures, was that there was no mention that message and data rates may apply.



SpamResponse Website for Reporting SMS Short Code Spam
SpamResponse is another WMC Global product to help monitor SMS short code abuse. Spam complaints from SpamResponse are sent to wireless carriers, and wireless carriers use this information to shut down SMS short codes that are spamming consumers.


Basic CTIA Rules

Below is a summary of the most important rules taken from the CTIA Short Code Monitoring Handbook that apply to SMS marketing. Obviously, this is not every rule, so we always recommend either talking to an experienced SMS marketer or reading the handbook for yourself by clicking here. Below are the four principles from the handbook that provide the baseline for all requirements.

    • Display clear calls-to-action. All programs must display a clear call-to-action. Customers must be made aware of what exactly they are signing up to receive.
    • Offer clear opt-in mechanisms. Customers must consent clearly to opt into all recurring-messages programs. Requiring a customer to enter a mobile phone number does not constitute a compliant opt-in. Instead, customers must understand they will receive messages and consent to receive them.
    • Send opt-in confirmation messages. A confirmation message must be sent to customers always. For recurring-messages programs, confirmation messages must include clear opt-out instructions.
    • Acknowledge opt-out requests. Short code service providers must acknowledge and act on all opt-out requests. Monitoring procedures confirm successful opt-out.


Advertising Requirements for SMS Marketing

Calls-to-action must be clear and accurate; consent must not be obtained through deceptive means. For example, opt-in details cannot be displayed obscurely in terms and conditions related to other services. Enrolling a user in multiple short code programs based on a single opt-in is prohibited, even when all programs operate on the same short code.

Recurring-messages short code programs should send a single opt-in confirmation message that displays information verifying the customer’s enrollment in the identified program.

The opt-in for all short code programs must comply with all legal and regulatory requirements, including the Telephone Consumer Protection Act, and the Federal Communication Commission’s rules. For example, the express written consent obtained for any program that is “telemarketing” must, unless exempt from the requirement, include the elements of “prior express written consent”. That rule requires a clear and conspicuous disclosure informing the user that:

    • By opting in, the user authorizes the seller to deliver or cause to be delivered to the user marketing messages using an automatic telephone dialing system; and
    • The user is not required to opt in (directly or indirectly) as a condition of purchasing any property, goods, or services.

Based on the CTIA Short Code Monitoring Handbook, the following things are required in an SMS marketing advertisement.

    • Product description.
    • Service delivery frequency or recurring messages disclosure.
    • Link to terms and conditions.
    • Link to the privacy policy.
    • “Message and data rates may apply” disclosure.

An example of a CTIA compliant SMS marketing advertisement is below:

CTIA Short Code Monitoring Handbook - SMS Advertising Requirements

SMS Marketing Terms & Conditions

In this most recent version (v 1.7) of the CTIA Short Code Monitoring Handbook, you’re no longer able to host your SMS marketing terms and conditions in a website pop-up. Terms and conditions must be hosted on its own web page, and include the following:

    • Program (brand) name
    • Service delivery frequency or recurring-messages disclosure
    • Product description
    • Customer care contact information
    • Opt-out instructions
    • “Message and data rates may apply” disclosure
    • Privacy policy or link to the privacy policy.


SMS Marketing Privacy Policy

The CTIA states that “everybody has a right to privacy, and the mobile carriers are committed to protecting their customers’ privacy. All programs must maintain a privacy policy.” There isn’t much guidance here on exactly what needs to be included in a privacy policy, so we suggest including in your SMS campaign privacy policy things such as what you’ll do with the phone numbers you collect, how you’ll use them, who you’ll share them with, etc.

Service providers are responsible for protecting the privacy of user information and must comply with applicable privacy law. Service providers should maintain a privacy policy for all programs and make it accessible from the initial call-to-action.


Opt-In Message Requirements

The opt-in confirmation message must be delivered immediately after the customer opts into the program. For POS and hardcopy opt-ins, the opt-in confirmation message must be delivered as soon as is reasonably possible after the customer opts into the program. While not required by the CTIA, we always recommend using a double opt-in. Based on the CTIA Short Code Monitoring Handbook, the following things are required in an SMS marketing opt-in message.

    • Program (brand) name OR product description.
    • Opt-out information (txt STOP 2 end)
    • Customer care contact information (text HELP for help)
    • Product quantity or recurring-messages disclosure
    • “Message and data rates may apply” disclosure.

An example of a CTIA compliant SMS marketing opt-in message is below:

CTIA Short Code Monitoring Handbook - SMS Marketing Opt-In Requirements

Opt-Out Message Requirements

Functioning opt-out mechanisms are crucial for all text messaging programs. Programs must always acknowledge and respect customers’ requests to opt out of programs. Short code programs must respond to, at a minimum, the universal keywords:

    • STOP
    • END
    • CANCEL
    • QUIT

When one of these words is received, the consumer must be unsubscribed immediately from receiving future messages. The CTIA does allow one final message to confirm a user has opted out successfully, but no additional messages may be sent after the user indicates a desire to cancel a short code program. Recurring-messages programs must also display opt-out instructions (text STOP to end) at regular intervals in content or service messages, at least once per month.

Based on the CTIA Short Code Monitoring Handbook, the following things are required in an SMS marketing opt-out message.

    • Program (brand) name OR product description
    • Confirmation that no further messages will be delivered

While not required, we highly recommend you add opt-in instructions to your opt-out confirmation message. More info on this here.

An example of a CTIA compliant SMS marketing opt-out message is below:

CTIA Short Code Monitoring Handbook - SMS Marketing Opt-Out Requirements

Customer Care Message Requirements

Customer care contact information must be clear and readily available to help users understand program details as well as their status with the program. Customer care information should result in users receiving help. Programs must always respond to customer care requests, regardless of whether the requestor is subscribed to the program. Recurring-messages programs must also display help instructions (text HELP to end) at regular intervals in content or service messages, at least once per month.

At a minimum, the CTIA Short Code Monitoring Handbook requires that a help response return the following information:

    • Program (brand) name OR product description
    • Further information about how to get help (email address or toll-free phone number)

An example of a CTIA compliant SMS marketing help message is below:

CTIA Short Code Monitoring Handbook - SMS Marketing Customer Care Requirements

Unapproved or Illicit SMS Marketing Content

No programs associated with carrier brands or operating on the carrier networks may promote unapproved or illicit content, including the following:

    • Depictions or endorsements of violence,
    • Adult or otherwise inappropriate content,
    • Profanity or hate speech, and
    • Endorsement of illegal or illicit drugs.

Programs must operate according to all applicable federal and state laws and regulations. All content must be appropriate for the intended audience. Additional legal and ethical obligations apply when marketing to children under age 13, and such programs might be subject to additional review by carriers.


SMS Marketing for Controlled Substances

Promotions of controlled substances might be subject to additional review by carriers. Service providers must receive explicit carrier approval before launching these program types. Marketing of hard alcohol and tobacco brands must either include robust age verification (e.g., electronic confirmation of age and identity) at opt-in or restrict promotions to age-verified locations (e.g., points of sale in bars). Mobile programs must not promote the use of controlled substances directly. Reference to the abuse of controlled substances is prohibited.


Free SMS Marketing Compliance Templates

While all the rules are in the CTIA Short Code Compliance Handbook, who really has time to read all 24-pages of that document? It’s for that reason we created our very own SMS marketing compliance templates. These templates can be used by any SMS marketer as templates when they’re creating their SMS advertisements, terms & conditions, opt-in messages, and both the help and stop response messages, in order to ensure their SMS campaign is fully compliant with CTIA rules.

SMS Marketing Best Practices Templates



Hopefully, the information above helps you stay CTIA compliant when running your own SMS marketing campaign. If you ever have questions about SMS marketing rules concerning the CTIA or even the Telephone Consumer Protection Act (TCPA), please don’t hesitate to contact the SMS marketing experts at Tatango.

Subscribe by Email

Subscribe to Tatango's SMS Marketing Blog to receive great SMS marketing content delivered right to your inbox.