The TCPA — the Telephone Consumer Protection Act — turned 35 this year, and the FCC's 2024 amendments fully took effect in January 2026. If your SMS program is still operating on a 2022 understanding, here's the diff that matters.
Prior express written consent — narrowed
The big change: a single consent now applies to one seller for one purpose. The old “lead generator collects consent, sells it to 200 partners” pattern is gone. If you bought a list from a third party and the consent record covers “our partners and affiliates,” that's no longer good consent under TCPA.
If your contact source is anything other than “they gave you their number, on your form or in your store, with your brand on the page” — assume it's on shaky ground.
Revocation — clarified
Recipients can revoke consent through any reasonable means: text reply, email, web form, voice call, mailed letter. You have 10 business days to honor it. Importantly, “revocation in any reasonable manner” means a customer telling your call center agent “stop texting me” counts — even if your call center software doesn't auto-flag it. Your processes need to handle non-SMS revocation paths.
Quiet hours — federal floor, state ceiling
Federal quiet hours remain 8am–9pm in the recipient's local time. But: 17 US states have stricter rules that override the federal baseline (Florida is famously strict — 8am–8pm and Sundays prohibited). If your platform doesn't honor recipient-timezone quiet hours by state, you have technical risk you may not be tracking.
What didn't change
- Per-message statutory damages — still $500 to $1,500.
- Class actions — still allowed, still where the real money is.
- The 4-year statute of limitations.
- The do-not-call registry interaction — your SMS opt-in is not a DNC override.
What we built in response
Treply's consent ledger now records the source URL, IP, timestamp, consent text shown, and the specific seller-purpose pairing — for every opt-in. Revocation logs do the same. If you're ever in a TCPA suit, your defense starts with this evidence. Most platforms log only the timestamp and the opt-in checkbox state.
Bottom line for 2026: consent is harder to get and easier to lose. Tighten your opt-in language, audit your data sources, and instrument your revocation paths. The lawsuits aren't getting smaller.