149 countries · crypto-native · no KYC

SMS Compliance Checklist 2026: US, EU, India, UK, Australia

Five regimes cover most of the world's business SMS. One page, one table per regime, and the handful of rules that actually get senders fined or filtered.

$0.035/msg from sub-100ms median 98.6% delivered
SMS Compliance Checklist 2026: US, EU, India, UK, Australia — smsroute
$0.004
per SMS from
149
countries
60s
to first message
6
crypto rails
This SMS compliance checklist compresses the five regimes that govern most global business messaging into one working reference. Each row is a check you can action today. Two universal rules sit above all of them, and they do most of the compliance work on their own: consent (send commercial messages only to people who agreed, with working opt-out) and honest identity (never disguise who is sending). Everything below is regional detail on those two ideas.

How to use this page

This SMS compliance checklist compresses the five regimes that govern most global business messaging into one working reference. Each row is a check you can action today. Two universal rules sit above all of them, and they do most of the compliance work on their own: consent (send commercial messages only to people who agreed, with working opt-out) and honest identity (never disguise who is sending). Everything below is regional detail on those two ideas.

Dated snapshot, July 2026. Regimes move. Australia's and Spain's sender rules changed this very year. Verify the destination's current state before major campaigns; our sender ID country map tracks that dimension specifically.

The five-regime table

The five-regime table — comparison diagram
Regime Registration Consent standard The check that catches people
US — TCPA + 10DLC Brand + campaign registration for long-code A2P Prior express written consent for marketing; opt-out must work instantly Quiet hours and STOP handling; unregistered traffic pays 4x surcharges and gets filtered — see our carrier-fees breakdown
EU — GDPR + ePrivacy None for sender ID in most states (Spain mandatory from Sep 2026) Opt-in consent, documented; data minimisation on stored numbers Retention: keeping numbers and message logs longer than needed is itself a violation
India — TRAI DLT Entity + header + every template, for domestic senders Consent registered on DLT for promotional traffic Template drift: copy that no longer exactly matches the registered template gets silently scrubbed
UK — Ofcom/ICO + PECR Sender ID pre-registration (mandatory tier) Opt-in for marketing (PECR); soft opt-in narrow Unregistered alphanumeric senders replaced or blocked
Australia — ACMA + Spam Act SMS Sender ID Register mandatory from 1 July 2026 Express or inferred consent under the Spam Act; functional unsubscribe Unregistered alpha IDs now rewritten to 'Unverified' — a compliance failure your customers see

The India row deserves its own reading if you send there — the domestic-versus-international route decision changes which obligations attach, and we mapped it fully in the DLT guide. For the US, the FCC's TCPA rules are the primary authority (fcc.gov). For example, if a bank changes "offer" to "deal" in a promo template, DLT silently blocks the message because the exact registered text no longer matches.

The transactional carve-out, used honestly

What is the transactional carve-out in SMS compliance and how can it be used honestly?

The transactional carve-out allows sending non-promotional messages like one-time passwords or delivery alerts without prior consent in many regions. Used honestly, it means sending only critical, expected messages (never marketing). SMSRoute supports this with real-time delivery reports and adaptive routing, ensuring your transactional SMS reach reliably across 149 countries.

Every regime treats transactional messages (OTPs, receipts, delivery alerts the user triggered) more leniently than marketing. No written-consent regime blocks a login code the user just requested. But the carve-out is narrow and abused constantly: a 'shipping update' with a promo code inside is marketing in every jurisdiction, and regulators read message bodies, not subject lines. Keep the classes separate in your codebase, not just your policy doc.

The operational checklist

What should be included in an SMS compliance operational checklist for 2026?

An operational checklist should cover consent collection, message categorization (transactional vs. promotional), opt-out mechanisms, sender ID registration, and delivery monitoring. SMSRoute simplifies compliance with no-KYC signup, crypto billing, and automatic failover across 149 countries, so you can focus on sending compliant messages without administrative overhead.

  1. Wire opt-out before the first campaignSTOP handling that actually suppresses, tested per destination. This is the single most-enforced rule across all five regimes.
  2. Log consent with timestampsWho agreed, when, to what wording. In a dispute, the sender without records loses by default — GDPR and TCPA both put the burden on you.
  3. Register where the table says register10DLC, DLT, UK and Australian sender registers. Lead times run days to weeks; late registration mid-campaign means filtered or 'Unverified' traffic.
  4. Minimise what you storeNumbers and logs kept 'just in case' are pure liability under GDPR — the retention model in our data-minimisation guide is the defensible default.
  5. Match copy to registered templatesWhere templates are registered (India, some sender regimes), enforce the match in CI, not in memory.

One scoping note: SMSRoute is a no-KYC SMS API with crypto billing (BTC, ETH, USDT, XMR, LTC, and SOL) — no-KYC describes our onboarding, and none of it exempts any sender from the rules above. Consent and destination law follow the message, whoever carries it. Compliance is cheaper than any fine and much cheaper than a filtered campaign; the OTP flow guide shows the transactional pattern done right from message one. SMSRoute's published route pages list delivery from $0.004/message (premium direct-carrier corridors up to $0.035) with sub-100ms median submission and ~98.6% delivered success (smsroute.cc route pages, 2026).

FAQ

What consent do I need to send marketing SMS?
In nearly every major market: documented opt-in before the first message, with working opt-out in every message. The US (TCPA) requires prior express written consent; the EU and UK require opt-in under GDPR/PECR; Australia's Spam Act accepts express or clearly inferred consent. Log who consented, when, and to what wording.
Do OTP messages need consent and registration?
OTPs and genuinely transactional messages are treated leniently everywhere — the user's request is the consent. Registration regimes still apply to the route (DLT domestic in India, 10DLC for US long codes), but content rules relax. The carve-out dies the moment promotional content appears in a 'transactional' message.
What changed in SMS compliance in 2026?
The headline changes: Australia's ACMA Sender ID Register became mandatory on 1 July 2026 (unregistered alpha senders rewritten to 'Unverified'), and Spain's CNMC sender registration takes effect 15 September 2026. The direction everywhere is more registration and more traceability.
Does using a no-KYC SMS provider affect my compliance obligations?
No. Provider onboarding and sender obligations are separate layers: consent, opt-out, quiet hours, and destination registrations bind the sender regardless of how the provider onboarded them. No-KYC removes identity paperwork between you and your provider — not between you and the law.

Send your first SMS in 5 minutes

How can I send my first SMS in 5 minutes using SMSRoute?

Sign up with just an email on SMSRoute. No documents needed. Fund your account with BTC, ETH, USDT, XMR, LTC, or SOL, or other crypto. Get your API key from the dashboard, then use our REST API or SMPP bind with code examples in Python, PHP, Go, or Node. Your first message reaches any of 149 countries in minutes, with real-time delivery reports.

No KYC. Pay with BTC, ETH, USDT, XMR, LTC, and SOL. Live routes to 149 countries.

Get an API key →