SMS is the highest-performing channel for collecting Google reviews from customers — open rates above 90%, response windows measured in minutes, and a frictionless path from text to review tap. But the same qualities that make SMS effective make it regulated. The Telephone Consumer Protection Act (TCPA) sets specific rules for businesses that send text messages to customers, and the penalties for non-compliance run from $500 to $1,500 per text, per recipient. A single bad list and an untested consent process can produce a class-action exposure that no small business can absorb.

This guide explains what the TCPA requires for SMS review requests specifically, what changed in 2025, and what a compliant implementation looks like. This article is for informational purposes only and is not legal advice. Consult qualified legal counsel before designing your SMS compliance program.

What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a federal law administered by the Federal Communications Commission (FCC) that governs how businesses may contact individuals by phone and text message. Passed in 1991 and significantly updated by FCC rule-making, the TCPA applies to any text message sent to a cellular phone number for marketing, promotional, or transactional purposes.

Key point: review requests are not purely transactional. A message asking a customer to perform an action that primarily benefits your business — even if framed as a follow-up to a recent service — occupies a gray zone that TCPA practitioners generally treat as requiring express written consent. Do not assume your review request is exempt as a "transactional" message without legal guidance.

To send an SMS to a customer, the TCPA requires you to obtain prior express written consent before sending any marketing or promotional text.[^1] The consent must:

  1. Be in writing — physical signature, electronic signature, or a checked checkbox on a web form all qualify. A verbal "sure, you can text me" does not.
  2. Be clearly and conspicuously disclosed — the customer must understand what they are agreeing to (that they will receive text messages), from whom (your business name), and the general nature of those messages
  3. State that consent is not a condition of purchase — you cannot require a customer to accept texts in order to book a service or complete a transaction
  4. Include your message frequency estimate — "you may receive up to 2 texts per visit"
  5. Include the standard carrier disclosure — "Message and data rates may apply"
  6. Not use pre-checked boxes — the customer must actively check the consent box; it cannot arrive pre-checked

A compliant consent disclosure on a booking form or appointment confirmation might read:

"By checking this box, you agree to receive up to 2 text messages from [Business Name] regarding your service and an invitation to share your feedback on Google. Consent is not required to book a service. Message and data rates may apply. Reply STOP to opt out at any time, HELP for help."

Notice every element: what they are agreeing to, how many messages, that consent is optional, carrier disclosure, and opt-out instructions — all in the consent language itself.

The 2025 Opt-Out Rule Changes

In 2025, the FCC updated its opt-out revocation rules in a way that materially affects all SMS senders. As of April 11, 2025, consumers may revoke consent through any reasonable channel — not just by replying STOP to a text.[^2]

This means a customer who emails you saying "please stop texting me" has legally revoked consent. A customer who tells your front desk staff "take me off your text list" has legally revoked consent. A customer who submits a form through your website has legally revoked consent.

Businesses must:

  • Honor revocation requests within 10 business days (down from the previous standard)
  • Have a process for capturing opt-out requests from channels beyond STOP replies — email, phone, in-person, website form
  • Train staff to recognize opt-out requests and route them to wherever your SMS list is managed

If your SMS review request tool only tracks STOP replies and does not give you a way to record and honor opt-outs from other channels, that is now a compliance gap.

STOP and HELP Keywords: Non-Negotiable

Every SMS program must support two standard keywords:

  • STOP (and equivalents: UNSUBSCRIBE, QUIT, CANCEL, END, REVOKE, OPT-OUT) — immediately removes the customer from your list; no more messages
  • HELP — triggers a reply with your business name and contact information for support

These keywords must work from the first message you send. They are not optional features — they are TCPA requirements and CTIA industry standards. Any SMS platform you use for review requests should handle STOP/HELP automatically and maintain an opt-out list that prevents future sends to opted-out numbers.

If a customer replies STOP and then receives another message from you, that second message is potentially a TCPA violation — even if the send was automated and the list suppression had a lag.

Quiet Hours: When You Cannot Send

The TCPA and FCC regulations set a federal quiet hours window: you may not send marketing texts before 8:00 a.m. or after 9:00 p.m. in the recipient's local time zone.[^3] Several states are stricter — Florida, for example, limits SMS marketing to 8 a.m.–8 p.m., and Texas restricts calls and texts to 9 a.m.–9 p.m. Monday through Saturday.

Best practice is to use the most conservative window that applies to your customer base: 9:00 a.m.–8:00 p.m. in the recipient's local time zone.

The "recipient's local time zone" part is critical and often overlooked. If your business is in Texas but you have a customer whose phone number is registered in a Florida area code, Florida's rules may apply to that person. The safest approach is to either use the most restrictive state rule for all customers or to use a platform that automatically determines time zone by area code and enforces quiet hours accordingly.

For a deeper guide on opt-in mechanics and quiet hours implementation, see our article on SMS opt-in and quiet hours.

Transactional vs. Promotional: Why the Line Is Blurry for Review Requests

Some businesses assume that a review request following a completed service is transactional — like a receipt or an appointment reminder — and therefore requires only "prior express consent" rather than "prior express written consent." The distinction matters because the written consent standard is more demanding.

The FCC's transactional exemption is narrow: it applies to messages that provide "information regarding a prior or existing transaction" at the customer's request. A review request does not fit this definition because:

  • The customer did not request it
  • The primary beneficiary is the business, not the customer
  • It invites the customer to take an action (leaving a review) rather than informing them of the status of a transaction

Until there is clear FCC guidance specifically exempting review requests from the written consent requirement, the conservative and defensible position is to treat review request SMS as requiring prior express written consent. Most TCPA practitioners advise this approach.

At booking (online or phone):

Include consent in your booking confirmation. Online forms should have an unchecked checkbox with the disclosure language described earlier. For phone bookings, note that verbal consent alone is insufficient — send an SMS or email immediately after the call with a "reply YES to consent" or include a consent link.

At check-in or job completion:

Some businesses collect consent at the point of service — a tablet-based intake form or a text-to-confirm flow when the tech closes the job. This works well if the consent is documented with a timestamp and the source of capture.

What to keep in your records:

For every opted-in customer, document:

  • Date and time of consent
  • Method of consent (web form, in-person form, keyword opt-in)
  • Exact consent language shown at the time of capture
  • IP address or device identifier if collected via web

If you face a TCPA dispute, this documentation is your defense. Without it, the burden shifts to you to prove consent existed.

The Penalty Structure: Why This Matters

TCPA violations carry statutory damages of $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations.[^4] A "violation" is typically one unlawfully sent text message to one recipient. A class-action lawsuit covering 1,000 customers who received a text without proper consent produces exposure of $500,000 to $1,500,000 — before legal fees.

TCPA class actions are common and actively filed. Plaintiff attorneys search for businesses that use SMS marketing, send test opt-out requests to verify whether the STOP keyword works correctly, and file suit when it does not. This is not a theoretical risk for mid-size businesses with active SMS programs.

The cost of getting compliance right — building a proper consent form, using a platform that handles STOP/HELP automatically, enforcing quiet hours — is a small fraction of the cost of one class-action settlement.

How GBP Autopilot Handles TCPA Compliance

GBP Autopilot is designed around TCPA compliance from the ground up:

  • Consent capture at intake — the platform stores opt-in timestamp and source for every contact
  • Automatic STOP/HELP handling — replies processed instantly; opted-out numbers are permanently suppressed
  • Quiet hours enforcement — messages queue and send only during the 9 a.m.–9 p.m. local window based on the recipient's area code
  • No review gating — the same review link goes to every customer, with no sentiment screening before delivery (see review gating and Google's policy)
  • Opt-out recording across channels — staff can manually suppress a number when a customer opts out by phone or email

This is not just a feature list — it is the design philosophy. A business that automates SMS review requests without these protections is building liability while trying to build reviews. GBP Autopilot is built to do both at once.

For a comparison of SMS and email as review request channels, including when to use each, see our guide to SMS vs. email review requests.

TCPA Compliance Checklist for Review Request SMS

  • Obtain prior express written consent before sending any text
  • Document consent with timestamp and source for every opted-in customer
  • Include disclosure language that names your business, message frequency, that consent is not required for service, carrier message rates, and opt-out instructions
  • Support STOP, UNSUBSCRIBE, QUIT, CANCEL, END, and REVOKE opt-out keywords
  • Support HELP keyword with business name and contact information in the reply
  • Suppress opted-out numbers immediately and permanently
  • Honor opt-out requests from email, phone, and in-person channels within 10 business days
  • Enforce quiet hours: no sends before 9 a.m. or after 8 p.m. in recipient's local time zone
  • If sending to customers in Florida or Texas, apply those states' stricter rules
  • Maintain documentation of consent records indefinitely (not subject to routine data purges)
  • Review and test your opt-out process quarterly

Sources

[^1]: Bloomreach. "TCPA and CTIA Compliance for SMS Marketing in the US." https://www.bloomreach.com/en/blog/understanding-tcpa-and-ctia-compliance-for-sms-marketing-in-the-us

[^2]: BCLP. "The TCPA's New Opt-Out Rules Take Effect on April 11, 2025." https://www.bclplaw.com/en-US/events-insights-news/the-tcpas-new-opt-out-rules-take-effect-on-april-11-2025-what-does-this-mean-for-businesses.html

[^3]: ActiveProspect. "TCPA text messages: Rules and regulations guide for 2026." https://activeprospect.com/blog/tcpa-text-messages/

[^4]: TermsFeed. "TCPA Compliance for SMS Marketing: How to Avoid Fines." https://www.termsfeed.com/blog/tcpa-compliance/