How to use this page
This SMS compliance checklist compresses the five regimes that govern most global business messaging into one working reference. Each row is a check you can action today. Two universal rules sit above all of them, and they do most of the compliance work on their own: consent (send commercial messages only to people who agreed, with working opt-out) and honest identity (never disguise who is sending). Everything below is regional detail on those two ideas.
Dated snapshot, July 2026. Regimes move. Australia's and Spain's sender rules changed this very year. Verify the destination's current state before major campaigns; our sender ID country map tracks that dimension specifically.
The five-regime table
| Regime | Registration | Consent standard | The check that catches people |
|---|---|---|---|
| US — TCPA + 10DLC | Brand + campaign registration for long-code A2P | Prior express written consent for marketing; opt-out must work instantly | Quiet hours and STOP handling; unregistered traffic pays 4x surcharges and gets filtered — see our carrier-fees breakdown |
| EU — GDPR + ePrivacy | None for sender ID in most states (Spain mandatory from Sep 2026) | Opt-in consent, documented; data minimisation on stored numbers | Retention: keeping numbers and message logs longer than needed is itself a violation |
| India — TRAI DLT | Entity + header + every template, for domestic senders | Consent registered on DLT for promotional traffic | Template drift: copy that no longer exactly matches the registered template gets silently scrubbed |
| UK — Ofcom/ICO + PECR | Sender ID pre-registration (mandatory tier) | Opt-in for marketing (PECR); soft opt-in narrow | Unregistered alphanumeric senders replaced or blocked |
| Australia — ACMA + Spam Act | SMS Sender ID Register mandatory from 1 July 2026 | Express or inferred consent under the Spam Act; functional unsubscribe | Unregistered alpha IDs now rewritten to 'Unverified' — a compliance failure your customers see |
The India row deserves its own reading if you send there — the domestic-versus-international route decision changes which obligations attach, and we mapped it fully in the DLT guide. For the US, the FCC's TCPA rules are the primary authority (fcc.gov). For example, if a bank changes "offer" to "deal" in a promo template, DLT silently blocks the message because the exact registered text no longer matches.
The transactional carve-out, used honestly
What is the transactional carve-out in SMS compliance and how can it be used honestly?
The transactional carve-out allows sending non-promotional messages like one-time passwords or delivery alerts without prior consent in many regions. Used honestly, it means sending only critical, expected messages (never marketing). SMSRoute supports this with real-time delivery reports and adaptive routing, ensuring your transactional SMS reach reliably across 149 countries.
Every regime treats transactional messages (OTPs, receipts, delivery alerts the user triggered) more leniently than marketing. No written-consent regime blocks a login code the user just requested. But the carve-out is narrow and abused constantly: a 'shipping update' with a promo code inside is marketing in every jurisdiction, and regulators read message bodies, not subject lines. Keep the classes separate in your codebase, not just your policy doc.
- Transactional: user-initiated, no promotional content, sent promptly after the trigger. Consent is inherent in the request.
- Marketing: anything promoting anything. Full consent, opt-out line, quiet hours, and the regional registrations above.
- The graybelt to avoid: re-engagement pings, 'your cart misses you', feedback requests with incentives. Treat all as marketing and you will never argue about it with a regulator.
The operational checklist
What should be included in an SMS compliance operational checklist for 2026?
An operational checklist should cover consent collection, message categorization (transactional vs. promotional), opt-out mechanisms, sender ID registration, and delivery monitoring. SMSRoute simplifies compliance with no-KYC signup, crypto billing, and automatic failover across 149 countries, so you can focus on sending compliant messages without administrative overhead.
- Wire opt-out before the first campaignSTOP handling that actually suppresses, tested per destination. This is the single most-enforced rule across all five regimes.
- Log consent with timestampsWho agreed, when, to what wording. In a dispute, the sender without records loses by default — GDPR and TCPA both put the burden on you.
- Register where the table says register10DLC, DLT, UK and Australian sender registers. Lead times run days to weeks; late registration mid-campaign means filtered or 'Unverified' traffic.
- Minimise what you storeNumbers and logs kept 'just in case' are pure liability under GDPR — the retention model in our data-minimisation guide is the defensible default.
- Match copy to registered templatesWhere templates are registered (India, some sender regimes), enforce the match in CI, not in memory.
One scoping note: SMSRoute is a no-KYC SMS API with crypto billing (BTC, ETH, USDT, XMR, LTC, and SOL) — no-KYC describes our onboarding, and none of it exempts any sender from the rules above. Consent and destination law follow the message, whoever carries it. Compliance is cheaper than any fine and much cheaper than a filtered campaign; the OTP flow guide shows the transactional pattern done right from message one. SMSRoute's published route pages list delivery from $0.004/message (premium direct-carrier corridors up to $0.035) with sub-100ms median submission and ~98.6% delivered success (smsroute.cc route pages, 2026).
Related reading
FAQ
What consent do I need to send marketing SMS?
Do OTP messages need consent and registration?
What changed in SMS compliance in 2026?
Does using a no-KYC SMS provider affect my compliance obligations?
Send your first SMS in 5 minutes
How can I send my first SMS in 5 minutes using SMSRoute?
Sign up with just an email on SMSRoute. No documents needed. Fund your account with BTC, ETH, USDT, XMR, LTC, or SOL, or other crypto. Get your API key from the dashboard, then use our REST API or SMPP bind with code examples in Python, PHP, Go, or Node. Your first message reaches any of 149 countries in minutes, with real-time delivery reports.
No KYC. Pay with BTC, ETH, USDT, XMR, LTC, and SOL. Live routes to 149 countries.
Get an API key →