Get started →

TCPA Compliance for SMS, Text & WhatsApp from Salesforce

February 5, 2026

Your TCPA violations cost $500 per message minimum, $1,500 if the violation is wilful. A sales team that sends 200 SMS a day to non-opted-in US recipients is $30,000 in fines per day. Your Salesforce compliance stack has to block that before it happens, not after.

Salesforce TCPA compliance dashboard showing opt-in status, opt-out honouring and quiet-hours controls for SMS, text and WhatsApp

What TCPA actually requires for business messaging

Your US Telephone Consumer Protection Act (TCPA) applies to any SMS, text or WhatsApp message you send to a US phone number for marketing purposes. Your core requirements:

  • Prior express written consent before sending marketing messages
  • Clear opt-out mechanism in every marketing message (typically “Reply STOP”)
  • Immediate honouring of opt-outs, no more messages after STOP
  • Quiet hours, no marketing sends before 8am or after 9pm recipient local time
  • Identification, sender must identify themselves in each message
  • Record-keeping, proof of consent retained for the retention period

Your transactional messages (appointment confirmations, account alerts, two-factor codes) have lighter requirements but still need opt-out handling and identification. The distinction between marketing and transactional matters, a lot of teams get fined for treating marketing messages as transactional.

Consent capture and storage in Salesforce

Your Salesforce Contact and Lead records carry explicit TCPA consent fields, typically one per channel, with timestamp, source (web form, phone call, in-person), and wording the consumer saw. The fields are standard Salesforce fields so they work with your existing validation rules and reports.

Your user trying to send an SMS, text or WhatsApp from a record, the messenger checks the consent field first. No consent, no send, not even if the user overrides. The TCPA risk sits at the sender’s workflow, not at the compliance team’s follow-up.

Opt-out handling that doesn’t miss

Your TCPA enforcement focuses heavily on opt-out failures. If a recipient replies STOP and your system sends them another marketing message anywhere else in your org, that’s a violation per message. Your messenger handles STOP, UNSUBSCRIBE, END, CANCEL, OPT-OUT and similar variations automatically, updates the Salesforce consent field, and blocks future sends to that recipient.

Your opt-out flag isn’t just on the message record. It’s on the Contact. Every one of your automations, every bulk send, every Agentforce AI agent respects it going forward. The consent system is enforced at the record level, not at the workflow level.

Quiet hours with time zone awareness

Your TCPA prohibits marketing sends outside 8am-9pm recipient local time. Your Salesforce Contact record holds the recipient’s time zone either directly or inferred from address. Scheduled bulk sends, Flow-triggered sends and Agentforce AI agent sends all respect the recipient’s local time zone.

Your 3pm Eastern send to a California number goes out correctly. A 9pm Pacific send to an East Coast number gets held until 8am the next morning. Your team doesn’t manually check time zones, the messenger does it on every send.

Audit evidence for TCPA defence

You’re ever challenged on TCPA, you need four pieces of evidence per recipient: (1) the consent captured, (2) the wording they agreed to, (3) the timestamp and source, (4) every message sent to them and whether it was delivered. Your Salesforce audit trail produces all four on demand through standard reports.

Your TCPA defence isn’t about sending fewer messages. It’s about documentation. Every SMS, text and WhatsApp from AI SMS House in Salesforce logs the evidence you’d need, from the start, without any extra effort at send time.