About Us
5.1 Consumer Consent The messaging ecosystem should operate consistent with relevant laws and regulations, such as the TCPA and associated FCC regulations regarding Consumer consent for communications. Regardless of whether these rules apply and to maintain Consumer confidence in messaging services, Non-Consumer Message Senders are expected to: • Obtain a Consumer’s consent to receive messages generally; • Obtain a Consumer’s express written consent to specifically receive marketing messages; and • Ensure that Consumers have the ability to revoke consent. The table below provides examples of the types of messaging content and the associated level of consent. The examples below do not constitute or convey legal advice and should not be used as a substitute for obtaining legal advice from qualified counsel.
Individual Service Providers may adopt additional Consumer protection measures for Non-Consumer Message Senders, which may include, for example, campaign pre-approval, Service Provider vetting, in-market audits, or Unwanted Message filtering practices that are tailored to facilitate the exchange of wanted messaging traffic.
5.1.1 Message Senders Should Provide Clear and Conspicuous Calls-to-Action A “Call-to-Action” is an invitation to a Consumer to opt-in to a messaging campaign.
The Call-to-Action for a single-message program can be simple. The primary purpose of disclosures is to ensure that a Consumer consents to receive a message and understands the nature of the program.
Message Senders should display a clear and conspicuous Call-to-Action with appropriate disclosures to Consumers about the type and purpose of the messaging
that Consumers will receive.
A Call-to-Action should ensure that Consumers are aware of: (1) the program orproduct description; (2) the telephone number(s) or short code(s) from which
messaging will originate; (3) the specific identity of the organization or individual being represented in the initial message; (4) clear and conspicuous language about opt-in and any associated fees or charges; and (5) other applicable terms and conditions (e.g., how to opt-out, customer care contact information, and any applicable privacy policy).
Calls-to-Action and subsequent messaging should not contain any deceptive language, and opt-in details should not be obscured in terms and conditions
(especially terms related to other services).
5.1.2 Consumer Opt-In
Message Senders should support opt-in mechanisms, and messages should be sent only after the Consumer has opted-in to receive them. Opt-in procedures reduce the likelihood that a Consumer will receive an Unwanted Message. It can also help prevent messages from being sent to a phone number that does not belong to the Consumer who provided that phone number (e.g., a Consumer purposefully or mistakenly provides an incorrect phone number to the Message Sender).
Depending upon the circumstances, a Consumer might demonstrate opt-in consent to receive messaging traffic through several mechanisms, including but not limited to:
• Entering a telephone number through a website;
• Clicking a button on a mobile webpage;
• Sending a message from the Consumer’s mobile device that contains an advertising keyword;
• Initiating the text message exchange in which the Message Sender replies to
the Consumer only with responsive information;
• Signing up at a point-of-sale (POS) or other Message Sender on-site location; or
• Opting-in over the phone using interactive voice response (IVR) technology.
While the Common Short Code Handbook is a separate document specific to the Common Short Code program, the Common Short Code Handbook has additional
examples of opt-in consent that may be helpful to Message Senders. Message Senders should also document opt-in consent by retaining the following data
where applicable:
• Timestamp of consent acquisition;
• Consent acquisition medium (e.g., cell-submit form, physical sign-up form, SMS keyword, etc.);
• Capture of experience (e.g., language and action) used to secure consent;
• Specific campaign for which the opt-in was provided;
• IP address used to grant consent;
• Consumer phone number for which consent to receive messaging was granted; and
• Identity of the individual who consented (name of the individual or other
identifier (e.g., online user name, session ID, etc.)).
5.1.2.1 Confirm Opt-In for Recurring Messages
Message Senders of recurring messaging campaigns should provide Consumers with a confirmation message that clearly informs the Consumer they are enrolled in the recurring message campaign and provides a clear and conspicuous description of how to opt-out.
After the Message Sender has confirmed that a Consumer has opted-in, the Message Sender should send the Consumer an opt-in confirmation message before
any additional messaging is sent.
The confirmation message should include: (1) the program name or product description; (2) customer care contact information (e.g., a toll-free number, 10-digit
telephone number, or HELP command instructions); (3) how to opt-out; (4) a disclosure that the messages are recurring and the frequency of the messaging; and
(5) clear and conspicuous language about any associated fees or charges and how those charges will be billed.
5.1.2.2 Apply One Opt-In per Campaign
A Consumer opt-in to receive messages should not be transferable or assignable. A Consumer opt-in should apply only to the campaign(s) and specific Message Sender for which it was intended or obtained.
5.1.3 Consumer Opt-Out
Opt-out mechanisms facilitate Consumer choice to terminate messaging communications, regardless of whether Consumers have consented to receive the
message. Message Senders should acknowledge and respect Consumers’ opt-out requests consistent with the following guidelines:
• Message Senders should ensure that Consumers have the ability to opt-out of receiving Messages at any time;
• Message Senders should support multiple mechanisms of opt-out, including phone call, email, or text; and
• Message Senders should acknowledge and honor all Consumer opt-out requests by sending one final opt-out confirmation message per campaign to notify the Consumer that they have opted-out successfully. No further messages should be sent following the confirmation message.
Message Senders should state in the message how and what words effect an opt-out. Standardized “STOP” wording should be used for opt-out instructions, however opt-out requests with normal language (i.e., stop, end, unsubscribe, cancel, quit, “please opt me out”) should also be read and acted upon by a Message Sender except where a specific word can result in unintentional opt-out. The validity of a Consumer opt-out should not be impacted by any de minimis variances in the Consumer opt-out response, such as capitalization, punctuation, or any letter-case sensitivities.
5.1.4 Renting, Selling, or Sharing Opt-In Lists
Message Senders should not use opt-in lists that have been rented, sold, or shared to send messages. Message Senders should create and vet their own opt-in lists.
5.1.5 Maintain and Update Consumer Information
Message Senders should retain and maintain all opt-in and opt-out requests in their records to ensure that future messages are not attempted (in the case of an opt-out request) and Consumer consent is honored to minimize Unwanted Messages. Message Senders should process telephone deactivation files regularly (e.g., daily) and remove any deactivated telephone numbers from any opt-in lists.
5.2 Privacy and Security
Message Senders should address both privacy and security comprehensively in the design and operation of messaging campaigns. Additional security guidelines and best practices are described further in the Messaging Security Best Practices.4
5.2.1 Maintain and Conspicuously Display a Clear, Easy-to-Understand Privacy Policy
Message Senders should maintain and conspicuously display a privacy policy that is easily accessed by the Consumer (e.g., through clearly labeled links) and that clearly describes how the Message Sender may collect, use, and share information from Consumers. All applicable privacy policies should be referenced in and accessible from the initial call-to-action. Message Senders also should ensure that their privacy policy is consistent with applicable privacy law and that their treatment of information is consistent with their privacy policy.
5.2.2 Implement Reasonable Physical, Administrative, and Technical Security Controls
to Protect and Secure Consumer Information
Message Senders should implement reasonable security measures for messaging campaigns that include technical, physical, and administrative safeguards. Such
safeguards should protect Consumer information from unauthorized access, use, and disclosure. Message Senders should conduct regular testing and monitoring to ensure such controls are functioning as intended.
5.2.3 Conduct Regular Security Audits
Message Senders should regularly conduct a comprehensive risk assessment of privacy
and security procedures for messaging campaigns on a regular basis and take
appropriate action to address any reasonably foreseeable vulnerabilities or risks.
5.3 Content
5.3.1 Prevention of Unlawful Activities or Deceptive, Fraudulent, Unwanted, or Illicit Content
Message Senders should use reasonable efforts to prevent and combat unwanted or unlawful messaging traffic, including spam and unlawful spoofing. Specifically,
Message Senders should take affirmative steps and employ tools that can monitor and prevent Unwanted Messages and content, including for example content that: (1) is unlawful, harmful, abusive, malicious, misleading, harassing, excessively violent, obscene/illicit, or defamatory; (2) deceives or intends to deceive (e.g., phishing messages intended to access private or confidential information); (3) invades privacy; (4) causes safety concerns; (5) incites harm, discrimination, or violence; (6) is intended to intimidate; (7) includes malware; (8) threatens Consumers; or (9) does not meet age- 4 The Messaging Security Best Practices include, but are not limited to, best practices to prevent or address: (1) general security threats; (2) threats from messages that originate via email; (3) the misuse of disposable telephone numbers and free text-enabled telephone numbers; and (4) compromised API credentials or systems.
gating requirements. Message Senders can also review the Common Short Code Handbook for further examples of Unwanted Message content.
Further, Message Senders should take steps to ensure that marketing content is not misleading and complies with the Federal Trade Commission’s (FTC) Truth-In Advertising rules.
5.3.2 Embedded Website Links
Message Senders should ensure that links to websites embedded within a message donot conceal or obscure the Message Sender’s identity and are not intended to cause harm or deceive Consumers. Where a web address (i.e., Uniform Resource Locator (URL)) shortener is used, Message Senders should use a shortener with a web address and IP address(es) dedicated to the exclusive use of the Message Sender. Web addresses contained in messages as well as any websites to which they redirect should unambiguously identify the website owner (i.e., a person or legally registered business entity) and include contact information, such as a postal mailing address.
5.3.3 Embedded Phone Numbers
Messages should not contain phone numbers that are assigned to or forward to unpublished phone numbers, unless the owner (i.e., a person or legally registered
business entity) of such phone numbers is unambiguously indicated in the text message.
5.4 Text-Enabling a Telephone Number for Non-Consumer Messaging
An authentication and validation process should be used to verify the Message Senders’ authority to enable Non-Consumer messaging for a specific telephone
number. Message Senders should only enable Non-Consumer messaging with a telephone number that the Message Sender has been assigned by a provider of
telecommunications or interconnected Voice over Internet Protocol (VoIP) services.
5.5 Other Non-Consumer Messaging Best Practices
5.5.1 Shared Telephone Numbers and Short Codes
The use of shared telephone numbers or short codes among multiple persons, businesses, entities, or organizations may require special arrangements between
Message Senders and Service Providers. “Sub-aggregating” a single telephone number or short code with multiple Message Senders also may require special arrangements between Message Senders and Service Providers. In instances where shared number use is approved, all Message Senders operating on a shared number should be documented and available, if required through special arrangements between Message Senders and Service Providers.
5.5.2 Snowshoe Messaging
Message Senders should not engage in Snowshoe Messaging, which is a technique used to spread messages across many sending phone numbers or short codes. Service Providers should also take measures to prevent Snowshoe Messaging. Additional best practices addressing Snowshoe Messaging can be found in the Messaging Security Best Practices. Messaging use cases that require the use of multiple numbers to distribute “similar” or “like” content may require special arrangements between Message Senders and Service Providers.
5.5.3 Grey Routes
Message Senders should not utilize Grey Routes to send messages. A Grey Route is a setting, method, or path that is not authorized by Service Providers for Non-Consumer messages. Messages are either Consumer or Non-Consumer in accordance with these Principles and Best Practices and subject to individual Service Providers’ policies and arrangements. Additional best practices addressing Grey Routes can be found in the Messaging Security Best Practices.
5.5.4 Common Short Codes
Common short codes are non-NANP addresses of 5 or 6 digits typically used by businesses, entities, or organizations for high-volume communications with Consumers (e.g., airline flight delays, banking account alerts, shipping company delivery notifications, school delays). The short code platform was developed to
accommodate higher-volume SMS traffic by providing upfront Consumer protections from Unwanted Messaging traffic and procedures to ensure appropriate use of the platform.
In the United States, the Common Short Code Administration (CSCA) operates the cross-carrier short code registry. The CTIA Short Code Monitoring Handbook offers best practices and other guidelines for conducting Non-Consumer messaging campaigns
using short codes.
In Canada, the Canadian Wireless Telecommunications Association (CWTA) administers short code assignments through its txt.ca website. The Canadian Common Short Code Application Guidelines publication offers best practices and other guidelines for short code campaigns in the Canadian marketplace.
5.5.5 Proxy Numbers
Message Senders might utilize a telephone number as a proxy number that functions as a relay point between possibly large sets of phone numbers and/or frequently changing phone numbers in certain wireless messaging use cases. For example, a driver for a ride-sharing service may need to communicate with a prospective passenger to confirm a pick-up location. The proxy telephone number functions as a conference call bridge telephone number, allowing the driver and passenger to communicate without either party having to reveal their personal telephone number. Another example is a service that allows a user to establish a single telephone number with the ability to relay calls and messages to any of several other telephone numbers
held by the user.
A 10-digit NANP telephone number used as a proxy is typically a means to connect two individuals, but proxy numbers are commonly reused in a way that may create high volumes of messaging traffic. Given the use of proxy numbers to facilitate bulk messaging traffic among multiple 10-digit NANP telephone numbers, the proxy number qualifies as Non-Consumer messaging traffic and may be subject to additional validation, vetting, and monitoring by Service Providers. Although Consumer group messaging services may use proxy numbers and display some characteristics of Non-Consumer messaging, special consideration can be given for these group messaging services, as discussed in Section 6.1 below.
5.5.6 Text-Enabled Toll-Free Telephone Numbers
Toll-free telephone numbers are a subset of NANP telephone numbers that use the following numbering plan area codes (NPAs): 800, 888, 877, 866, 855, and 844. NPA 833 is tentatively planned for the future. While toll-free numbers have generally supported only voice calling, the messaging ecosystem has evolved to allow use of a toll-free telephone number as the identifier for wireless messaging services. To uphold the integrity of toll-free telephone numbers, to provide transparency to Responsible Organizations (Resp Orgs) that manage the use of toll-free numbers for voice services, and to protect Consumers from Unwanted Messages from toll-free numbers, Message Senders should operate in accordance with the following guidelines:
5.5.6.1 Authority to Text-Enable Rests with the Toll-Free Voice Subscriber
The toll-free subscriber who is the holder of record of a toll-free number for voice services has the sole authority to control additional services associated with that toll-free number. Only toll-free numbers that are currently reserved or in working status for the benefit of a toll-free number voice subscriber should be enabled for
messaging.
5.5.6.2 Transparency to Resp Orgs
To provide transparency to Resp Orgs and other Service Providers regarding toll-free numbers that are wireless messaging-enabled, any process for provisioning
messaging associated with a toll-free number should allow or provide for synchronization with a registry or registries that provide a comprehensive record of
text-enabled toll-free numbers and associated toll-free number subscribers. In addition, registries should be operated consistent with the principles in Section 6.3 below.
5.5.6.3 Special Considerations for Shared-Use Toll-Free Telephone Numbers
For the benefit of a toll-free number voice subscriber, message enablement of a toll- free number should account for any shared-use arrangements that are part of the voice service associated with the toll-free number. In the case of shared-use toll- free numbers, the toll-free voice Service Provider should be treated as the toll-free subscriber to uphold the integrity of the toll-free number and protect subscribers of a toll-free voice service that terminates voice telephony traffic to more than one subscriber. Such shared-use arrangements include, but are not limited to, geographic-based and time-of-day-based sharing.
6 Special Use Cases
6.1 Group Messaging
Depending on the specific implementation, group messaging might utilize phone numbers that are typically not assigned to a unique individual, and their characteristics may be inconsistent with Consumer messaging. Therefore, depending on the particular characteristics of a service, Service Providers may require special arrangements to facilitate group messaging phone numbers (e.g., similar to Non-Consumer), such as the identification of group messaging phone numbers.
It is recommended that group messaging services:
• Have strong anti-abuse controls and mechanisms appropriate for systems with potentially large message distribution;
• Support the ability of any member to opt-out of the group at any time; and
• Employ mechanisms to prevent recursive group messaging and cyclical messaging involving more than one group (e.g., in which one group is a member of another group).
6.2 Spoofing Telephone Numbers
Message number spoofing includes the ability of a Message Sender to cause a message to display an originating number for the message that is not assigned to the Message Sender, or when a Message Sender originates a message through a Service Provider other than the Service Provider to which reply messages will be delivered or received.
Message number spoofing should be avoided and should comply with all applicable laws. Message number spoofing may also require special arrangements between Message Senders and Service Providers.
6.3 Registries
To achieve impartiality with respect to number registration, Registrars should commit to fair dealing on reasonable and non-discriminatory rates, terms, and conditions with messaging ecosystem stakeholders and to operating the registry in good faith.