Opt-In Versus Opt-Out Compliance

Most SMS compliance problems aren’t caused by teams that don’t care about the rules. They’re caused by teams that assumed their Salesforce SMS setup was handling opt-in and opt-out automatically — when it wasn’t. A contact who filled in a web form three years ago and never explicitly consented to texts. A STOP reply that logged in the messaging tool but never updated the CRM field. An opt-out that stopped one campaign but left another running.

This post covers the practical requirements: what counts as valid opt-in, what your opt-out language has to say, how to manage both inside Salesforce, and where the actual risk sits.

What SMS Opt-In Compliance Actually Requires

Consent is the foundation. Under the Telephone Consumer Protection Act and CTIA carrier guidelines, you can’t send marketing or promotional texts without explicit prior written consent from the recipient. That’s the rule most teams know. The part they get wrong is what “explicit” actually means.

A contact handing over their phone number — on a form, at an event, in a CRM record imported from a trade show — is not consent to receive SMS. That’s data collection. Opt-in is a separate, additional action. The contact needs to agree specifically to receive text messages, and that agreement needs to be captured and stored somewhere you can retrieve it later.

The SMS opt-in requirements that actually hold up under CTIA scrutiny have four components. First, a clear description of what the contact is signing up for — “receive promotional SMS from [Company]” not just “stay in touch.” Second, disclosure that message and data rates may apply. Third, confirmation that the contact can opt out at any time. Fourth, a recorded timestamp of when consent was given.

Keyword opt-in — where a contact texts a keyword like JOIN to a short code — also qualifies, provided the confirmation message they receive back restates what they’ve opted into and how to unsubscribe. Checkbox opt-in on a web form qualifies if the checkbox is unchecked by default and the description is specific. Pre-checked boxes don’t count.

Opt-In Text Messaging: Express vs Implied Consent

Okay, real talk. The “express vs implied” distinction is where most legal guides get hand-wavy, so let’s be direct about what it means in practice.

Express written consent is required for marketing and promotional messages — anything where you’re selling something, promoting a product, or sending non-transactional content. This is the highest standard, and it’s what most SMS campaigns require. Written doesn’t mean paper — digital consent with a timestamp qualifies. But it does need to be specific to SMS, not buried in a terms-of-service paragraph your contact never read.

Express consent (non-written) covers informational and transactional messages — appointment reminders, shipping updates, account alerts. You still need consent, but the threshold is slightly lower. A contact confirming an appointment by text, or texting you first about a service issue, has given express consent for that conversation thread.

The mistake most teams make: using transactional consent as cover for promotional sends. Contacts who agreed to appointment reminders haven’t agreed to flash sales.

If you’re running both transactional and promotional campaigns in Salesforce, they should be tracked against separate consent fields. One CRM checkbox for “SMS opt-in” doesn’t distinguish between the two. When that becomes relevant — and it does, usually at the worst moment — you won’t have the documentation to prove which contacts consented to which type of message.

SMS Opt-Out Language: What It Has to Say and When It Has to Fire

The CTIA standard opt-out language requirements are specific. Every message thread — or at minimum your first message and any recurring campaign — should include an unsubscribe instruction. “Reply STOP to opt out” is the standard phrasing that carriers recognize. Variations like STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT must all work even if you don’t list every one in your message body.

When a contact replies STOP — or any of those variants — two things must happen. One: they receive a confirmation message. The CTIA-recommended confirmation says something like “You’ve been unsubscribed and will receive no further messages from [Company]. Reply START to resubscribe.” That’s the template that satisfies carrier requirements. Two: the opt-out is applied immediately and universally — not just to the current campaign, but to all future sends from that number.

The text opt-in laws that govern this — TCPA in the US, CASL in Canada, GDPR for EU contacts — all require a functional opt-out mechanism, but the US carrier layer is where enforcement actually happens day to day. Carriers monitor opt-out response rates. A number that consistently receives STOP replies without proper handling gets flagged and can be suspended.

How to Map Opt-In and Opt-Out Inside Salesforce

The compliance piece gets over-explained in most guides. The implementation is simpler than it sounds — but it does require deliberate setup. Here’s what the admin configuration actually looks like.

Consent fields on the Contact record. You need at minimum two fields: an SMS opt-in boolean (checked/unchecked) and an opt-in timestamp. If you’re running transactional and promotional separately, add a second boolean for each. These fields drive your send logic — Flows and campaigns should always check the opt-in field before firing. If the field is empty or false, the message doesn’t send.

Opt-out suppression via keyword handling. 360 SMS App processes inbound STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT replies automatically — the contact’s SMS opt-in field updates to false and they’re excluded from future sends without any manual action. The confirmation message fires within seconds. What the admin needs to verify is that every active Flow and campaign list checks that field before sending. If you have a weekly bulk send that pulls a static list, that list needs to refresh against current opt-in status before each send — not once at list creation.

Opt-in collection at the source. Web-to-Lead forms with an SMS consent checkbox (unchecked by default) feed directly into Salesforce records. When the form submits, the opt-in field populates with true and the timestamp captures the moment. That’s your documented consent. For keyword opt-in flows, 360 SMS App can handle the inbound keyword trigger and create or update the record in Salesforce automatically — the opt-in and timestamp log without anyone on your team touching anything.

The piece most admins skip is the SMS compliance mechanism audit — checking that every active Flow, campaign, and drip sequence is actually filtering by the opt-in field. A Flow that was built before you added consent tracking will happily message opted-out contacts if nobody updated the entry criteria. Worth a two-hour audit before your next campaign send.

Opt-Out Compliance: The Carrier Enforcement Layer

If you’re thinking about compliance purely in legal terms — TCPA violation, FTC investigation, that kind of thing — you’re missing where most organizations actually get hurt. The carrier layer moves faster than the courts.

US carriers — AT&T, T-Mobile, Verizon — all run automated filtering on commercial SMS traffic. They’re looking at opt-out response rates, spam reports, message volume patterns, and link behavior. A number that generates elevated STOP responses gets throttled. One that ignores opt-outs gets blocked. The appeal process is slow and the damage to your sending reputation compounds quickly — because the block follows the number, not the company, and porting or replacing numbers takes weeks.

10DLC registration — which is now mandatory for most business SMS in the US — includes campaign registration that specifies the type of content you’re sending. If your registered use case says “appointment reminders” and you’re sending promotional offers, carriers treat that as a misuse flag. The registration system has made it harder to hide compliance gaps behind volume.

The practical protection is also the simplest: build compliant texting practices into your default workflow rather than checking compliance on top of an existing one. Opt-in field as a required Flow entry condition. Automated keyword handling that updates consent status in real time. Template messages that include opt-out instructions. These aren’t extras — they’re the baseline that keeps your numbers healthy.

Compliance Checklist for SMS Opt-In and Opt-Out

Use this before your next campaign send. It’s not exhaustive legal advice — treat it as an admin-level readiness check.

The TCPA, GDPR, and CCPA compliance rules differ in scope and jurisdiction, but all three require a working opt-out mechanism and documented consent. If your organization messages contacts in multiple regions, the consent standard is the highest one that applies to any contact on that list.