TL;DR: To run compliant outbound in the US, a sales team needs four things: an approved A2P 10DLC registration for business texting, documented consent that satisfies the TCPA, STIR/SHAKEN-attested caller ID on outbound calls, and DNC scrubbing against the national registry plus your own internal do-not-call list. Add clean records of every opt-in and opt-out, respect quiet hours, and only contact people who gave you their information, and you can scale calls and texts without carrier blocks or legal exposure.

This guide is general education, not legal advice. Rules change and vary by state, so confirm anything high-stakes with a qualified attorney.

Most compliance confusion is really vocabulary confusion, so start with clean definitions.

A2P 10DLC is the US carrier registration system that requires businesses sending application-to-person text messages over standard 10-digit long code numbers to register their brand and campaign before carriers will reliably deliver the traffic. TCPA is the Telephone Consumer Protection Act, the federal law that governs when and how businesses may call and text consumers, covering consent, calling hours, and do-not-call obligations. STIR/SHAKEN is the caller ID attestation framework US carriers use to cryptographically verify that an outbound call really comes from a number the caller is authorized to use. DNC scrubbing is the practice of checking every phone number against the National Do Not Call Registry and your own internal do-not-call list before you dial, and suppressing every match.

Four frameworks, one job: proving that the person you are contacting agreed to hear from you, and that you are who you say you are.

Why compliance became the gating factor for outbound

For decades the constraint on outbound was labor: how many dials and messages a team could physically produce. That constraint is gone. Software can send effectively unlimited volume, and the spam wave that followed forced a trust layer into the network. Carriers now run analytics on every call and message. The FCC mandated STIR/SHAKEN signing. Carriers stood up A2P 10DLC registration for business texting. And the TCPA, a law from 1991, keeps being applied to every new outreach tool, including AI voice.

The practical result is blunt. Unregistered text traffic gets filtered before it reaches a handset. Unattested calls show up as Spam Likely and go unanswered. Compliance stopped being a legal checkbox and became the deliverability layer itself. The teams winning outbound right now are not the ones sending the most; they are the ones whose calls actually ring and whose texts actually arrive. Compliance is one leg of a working outbound system; the complete guide to multichannel outreach covers the rest of the motion.

Takeaway: compliance now decides whether your message is delivered at all, before legal risk even enters the picture.

What is A2P 10DLC and do you need it?

If you text customers or prospects from a business using regular local phone numbers, you need A2P 10DLC registration. There is no volume threshold under which you are exempt; carriers treat any business-to-consumer texting over standard numbers as A2P traffic.

The name decodes simply. A2P means application-to-person: software sending texts on behalf of a business, as opposed to two humans texting each other. 10DLC means 10-digit long code, the ordinary local numbers your customers recognize. The Campaign Registry administers the system on behalf of the major US carriers, and registration happens at two levels: your brand (the legal business entity, verified with details like your legal name and tax ID) and your campaign (the specific use case, such as customer care or marketing).

How the A2P registration review works

  1. Register your brand with your legal business details. The information must match public records, so typos here cause silent failures later.
  2. Define your campaign: the use case, a description of who you message and why, and how those people opted in.
  3. Submit sample messages that honestly represent what you will send, including opt-out language.
  4. Wait for review. Reviewers check your samples, your opt-in description, and your public website against each other.
  5. On approval, your numbers get carrier-sanctioned throughput and far better deliverability than unregistered traffic.
  6. Stay consistent. If your registered use case says appointment reminders and you start blasting promotions, filtering and suspension follow.

Carriers crawl your website and reject entire content categories

This is the step that surprises most teams: reviewers visit your website. They check that the business is real, that your privacy policy explains how phone numbers are collected and used, and that your opt-in flow matches what you described. They also screen for prohibited content categories: SHAFT (sex, hate, alcohol, firearms, tobacco), high-risk financial offers like payday loans and debt relief, and any suggestion that a sender messages people who never gave the sender their information. If your site markets a prohibited category, the campaign is rejected even if your actual messages are innocent, and every re-review costs time and money.

Takeaway: A2P approval is a review of your whole public story, so your website, privacy policy, and opt-in language must all say the same thing.

What are the TCPA rules for sales calls and texts?

The TCPA governs both channels, and courts treat text messages as calls under the statute. The rules that matter most for a sales team:

  • Consent before automated contact. Marketing calls and texts made with automated technology or an artificial or prerecorded voice require prior express written consent from the recipient. The FCC has made clear that AI-generated voices count as artificial voices, so an AI calling agent needs the same consent a prerecorded message does.
  • Calling hours. The commonly cited window is 8am to 9pm in the recipient's local time zone. Note that it is the recipient's clock, not yours: a dialer in New York calling San Diego at 9am Eastern is calling at 6am local, which is a violation.
  • Identification. You must say who you are and provide a way to reach the business.
  • Do-not-call obligations. You must honor the national registry and maintain your own internal do-not-call list, and requests to stop must be honored promptly.

Enforcement is what gives the TCPA teeth. Beyond FCC action, the statute includes a private right of action with statutory damages commonly cited at $500 per violation, and more for willful ones. Because damages are per call or per text, a single sloppy campaign multiplies fast, and plaintiffs' firms actively recruit recipients of non-compliant messages. Assume every message you send could be Exhibit A.

Takeaway: get consent before the first automated touch, and treat the strictest reading of the TCPA as your default setting.

What is STIR/SHAKEN attestation?

STIR/SHAKEN answers one question for the receiving carrier: is the number on the caller ID actually authorized to the entity placing this call? The originating carrier cryptographically signs each call with an attestation level. A-level attestation means the carrier knows the customer and has verified they are entitled to use the number. B and C levels signal progressively less certainty, and analytics engines treat low or missing attestation as a spam signal.

Why should a sales leader care about a signaling protocol? Answer rates. Receiving carriers decide whether your call displays as your business name, an unknown number, or Spam Likely, and attestation is a heavy input to that decision alongside complaint rates and call velocity. A perfectly legal call that displays as Spam Likely might as well not have been placed.

Practical moves that protect caller ID reputation:

  1. Provision numbers through a provider that signs your calls with full attestation instead of grey-market routes.
  2. Register your numbers and business name with the carrier reputation systems so your identity displays correctly.
  3. Spread volume across enough numbers that no single one looks like a robocall cannon.
  4. Watch complaint and short-call rates; they are the earliest warning that labeling is coming.
  5. Keep answer-worthy behavior: local presence, a real voicemail, and a working callback path.

An outbound calling platform should handle attestation for you at provisioning time. DialEcho, for example, issues numbers with STIR/SHAKEN attestation built in and keeps sub-500ms voice latency so answered calls sound human, because a signed call that lags is still a hang-up.

Takeaway: attestation is answer-rate insurance; without it, deliverability problems look exactly like a bad script.

How does DNC scrubbing work?

The National Do Not Call Registry, run by the FTC, lets consumers opt out of telemarketing calls entirely. Before a sales campaign dials, every number must be checked against the registry and matches suppressed. The scrub is not one-and-done: the registry changes daily, and re-scrubbing at least every 31 days is the commonly cited standard.

There are recognized exceptions, generally including an established business relationship and express permission, but they are narrower than most teams assume and some states do not honor them the same way. Treat exceptions as something your attorney confirms, not something you assume.

The second half of DNC compliance is your internal do-not-call list. Anyone who asks you to stop contacting them goes on it, immediately, regardless of whether they are on the national registry. Internal requests outlast registry entries and follow the person, not the campaign. A working scrub process looks like this:

  1. Scrub every number against the national registry before launch.
  2. Scrub applicable state registries; several states maintain their own.
  3. Apply your internal suppression records on top.
  4. Re-scrub on a fixed schedule for any campaign that runs longer than the scrub window.
  5. Log each scrub with a timestamp so you can prove it happened.

Takeaway: DNC scrubbing is a recurring process with a paper trail, not a one-time filter you run at import.

Consent attaches to the content of the message, not to the channel or the sending method. The two tiers that matter:

Consent type What it covers How it is typically captured Example message
Prior express consent Informational and transactional messages related to why the person gave you their number The person provides their number in the course of doing business with you "Your appointment with Sam is tomorrow at 2pm. Reply C to confirm."
Prior express written consent Marketing and promotional messages A signed form, checked box, or keyword opt-in with clear disclosure of what they are agreeing to "Flash offer: mention this text for 10% off your install this month."

The written-consent disclosure has real requirements: it must identify your business, say that the person agrees to receive marketing texts, note that consent is not a condition of purchase, and flag message frequency and message-and-data rates. Burying it in page nine of a contract does not build goodwill with reviewers or courts.

Opt-out mechanics matter as much as opt-in. STOP must work instantly and universally across your campaigns, HELP must return useful information, and the only message allowed after a STOP is a single confirmation of the opt-out. Quiet hours apply to promotional texts the same way they apply to calls, so schedule sends inside the recipient's local window.

This is also why message type strategy matters. Reminder texts to prospects who booked a meeting are informational, which is part of why appointment reminder campaigns cut no-shows so cheaply from a compliance standpoint. And whether you send mass campaigns or 1:1 texts, the consent requirement follows the message content, so a promotional blast and a promotional 1:1 text need the same written consent. A texting platform should enforce opt-out capture and quiet hours automatically so a rep cannot accidentally violate either.

Takeaway: informational texts ride on the consent implied by the relationship; promotional texts need explicit written opt-in with real disclosure.

The four frameworks side by side

Framework What it governs Who enforces it What you must do
A2P 10DLC Business SMS over standard local numbers US carriers, via The Campaign Registry Register your brand and campaign, keep content consistent with the registered use case, honor opt-outs
TCPA Calls and texts to consumers FCC, state attorneys general, and private lawsuits Get the right consent tier, respect quiet hours, identify yourself, honor do-not-call requests
STIR/SHAKEN Caller ID authentication on voice calls FCC mandate, implemented by carriers Use fully attested numbers from a compliant provider and protect number reputation
DNC Who you may call at all FTC nationally, plus state registries Scrub against the national and state registries on schedule and maintain an internal do-not-call list

State rules: the federal floor, not the ceiling

Federal law is the minimum, not the finish line. Several states have passed their own telemarketing and texting statutes, Florida's being among the best known, and they can be stricter on multiple axes: tighter calling-hour windows, limits on attempts per day, their own consent standards, their own do-not-call registries, and their own private rights of action. The details shift as legislatures act, which is why this guide stays general on specifics.

The operational answer is simple even though the legal landscape is not: configure your outreach to the strictest state you operate in, or use tooling that applies per-state rules automatically, including per-state opt-out handling.

Takeaway: treat federal compliance as the floor and build your defaults to the strictest state in your footprint.

Recordkeeping and audit trails

When a compliance dispute happens, it is decided by records, not memories. If someone claims they never consented, the practical burden lands on you to produce the opt-in. Your system of record should retain:

  • Consent records: who opted in, when, through what mechanism, and the exact disclosure language they saw at the time.
  • Message and call logs: every touch, timestamped, with content and outcome.
  • Opt-out log: every STOP, every verbal "take me off your list," and the timestamp it was honored.
  • Scrub history: when each DNC scrub ran and what it suppressed.
  • Registration records: your A2P brand and campaign approvals and the use case language you submitted.

TCPA claims can reach back years, so retention measured in years is the safe posture. This is where automation beats diligence flatly: a built-in CRM that logs every touch automatically, the way DialEcho's self-driving pipeline does, produces an audit trail as a side effect of normal selling rather than as a chore someone forgets.

Takeaway: a consent you cannot produce on demand is a consent you do not have.

Your pre-launch compliance checklist

Run this before any campaign goes live:

  1. Every contact is first-party: they gave your business their information directly, with consent you can document.
  2. Consent tier matches message content: written consent on file for anything promotional.
  3. A2P brand and campaign are approved, and the messages you are about to send match the registered use case.
  4. Your website and privacy policy accurately describe your texting program and contain nothing in a prohibited category.
  5. Numbers are fully attested and your caller ID name displays correctly.
  6. National DNC scrub completed within the last 31 days, plus applicable state registries.
  7. Internal do-not-call suppression applied on top of the registry scrub.
  8. Quiet hours enforced against each recipient's local time, not your office clock.
  9. STOP and HELP handling tested end to end, across every channel you send on.
  10. Audit logging confirmed on: consent, touches, opt-outs, scrubs.

Ten minutes on this checklist beats weeks of stalled deliverability and a legal file you never wanted to open.

Takeaway: make the checklist a launch gate, not a suggestion; the campaigns that skip it are the ones that end up as case studies.

What your platform should handle, and what stays on you

A modern outreach platform should make most of this invisible. Reasonable expectations: guided A2P brand and campaign registration, numbers provisioned with STIR/SHAKEN attestation, quiet-hour enforcement by recipient time zone, automated DNC scrubbing, instant opt-out capture across voice, SMS, and email, per-state opt-out handling, and a full audit log without manual entry. That is the standard DialEcho builds to across calls and texts as one motion, with usage-based token pricing so compliance tooling is not an upsell.

What no platform can do for you:

  • Bring consented contacts. You upload, paste, or sync your own leads: people who filled out your forms, called your business, or bought from you. The consent relationship is yours, and only you can vouch for it.
  • Write honest opt-in language. The disclosure at the point of capture is your storefront promise; software cannot retroactively make a vague form specific.
  • Keep your offer clean. If the underlying product falls in a prohibited category, no amount of registration hygiene fixes that.
  • Respect the spirit, not just the letter. Do not re-add people who opted out, and do not shop for loopholes.

If an AI agent is doing the calling, none of these rules relax; the FCC's position on artificial voices makes the consent bar identical whether a human or an agent dials. The complete guide to AI sales agents covers how autonomous calling and compliance fit together in practice.

Here is the reframe worth ending on: compliance is not friction, it is filtration. Every registration hurdle and consent requirement thins the herd of spammers competing for your prospect's attention. The teams that do this right inherit the answer rates everyone else is losing. Play it straight, log everything, and outbound keeps working while the shortcuts get filtered off the network.