TCPA Compliance for Review Request Texts: What Every Local Business Should Know

Every few months a new customer sends the same panicked message: "Someone told me I could get sued $1,500 per text for sending review requests. Is that true?" The honest answer is yes in theory, in narrow circumstances, and no in practice if you set things up correctly. The TCPA is a real law with real teeth, and a local-business owner texting a thousand customers a year without knowing what it says is taking on more risk than they realize. The good news is that the compliance work is straightforward. The bad news is that almost nobody does it until they get a scary letter.

This piece is the plain-English version of the conversation every operator should have before they send their first review-request SMS. It covers what the TCPA actually prohibits, where review requests sit on the marketing-vs-transactional line, what consent really means in this context, the carrier-level rules that aren't laws but get enforced like laws, and the disclosure language you'll want on your intake forms. None of this is legal advice. More on that at the end.

Why Local Operators Get Blindsided by TCPA

The Telephone Consumer Protection Act was passed in 1991 to deal with robocalls. In the mid-2010s, a wave of class-action lawyers discovered that the law had been written broadly enough to cover text messages too. Statutory damages of $500 to $1,500 per violating message turn even small lists into seven-figure lawsuits if a plaintiff can establish a pattern. Most of the headline cases have been national brands, but the law applies the same way to a salon in Topeka sending a hundred texts a week.

Where most operators get blindsided is the assumption that "they're my customers, so I can text them." That assumption is half-right. Buying from you doesn't automatically give you the right to send automated SMS, especially if the text is anything that could be construed as marketing. The line between "transactional" and "marketing" is where almost all the trouble lives, and review requests sit right on that line.

The other place owners get caught is the gap between what's actually illegal and what's enforced by the carriers. Verizon, T-Mobile, and AT&T have their own rules layered on top of the law, and they enforce them more aggressively than the FCC ever does. You can be fully TCPA-compliant and still have your messages silently filtered into oblivion because you skipped the A2P 10DLC registration step. More on that below.

What TCPA Actually Prohibits (in English)

The law has a lot of moving parts, but for an SMB sending review requests, the core prohibition is this: you cannot send an automated text message to a cell phone number for a marketing purpose without prior express written consent from the recipient. Three pieces of that sentence carry the weight.

Automated means sent by a system rather than typed out one at a time by a human. Every review-request tool, including ours, is "automated" by this definition. There's no practical way to run review automation manually at scale, so assume you're in the automated bucket the moment you turn anything on.

To a cell phone matters because landlines are mostly outside the TCPA's text-message rules; they can't receive texts. In practice, almost every consumer phone number you collect is a cell phone, and number portability means you can't tell which is which without a lookup. Assume cell.

For a marketing purpose is the gray area. A confirmation that your appointment is at 3 p.m. is transactional and basically uncontroversial. A blast announcing 20% off this weekend is marketing and clearly requires consent. A review request sits in between. The next section digs into that.

The remedy for a violation is statutory damages, which means the plaintiff doesn't have to prove they were harmed. They just have to prove the message was sent. That's what makes the law dangerous for businesses with sloppy lists. A single plaintiff with a thousand texts on their phone can sue for $500,000 to $1.5 million without ever claiming actual injury.

Is a Review Request a "Marketing" Text? (The Gray Area)

This is the question that matters most, and the answer is that it depends, and reasonable lawyers disagree.

The argument that review requests are transactional is that they're directly tied to a specific completed transaction with the customer. There's no offer in the message, no promotion, no attempt to sell anything new. It's a follow-up on a service the customer already received and paid for. Under this reading, the consent bar is much lower; implied consent from the customer providing their number at booking or checkout is generally enough.

The argument that review requests are marketing is that they exist to benefit the business's public reputation, which exists to attract new customers, which makes the request marketing by intent if not by content. Under this reading, you'd need prior express written consent (the higher bar) before you can send.

The FCC has not given a definitive ruling on review requests specifically. Most TCPA defense attorneys land somewhere around "transactional, probably, but treat it like marketing to be safe." In practice that means three things: collect explicit consent, include an opt-out in every message, and don't keep texting people who don't want to be texted. Do those three things and your exposure is minimal regardless of how a future court rules on the gray-area question.

The operational lesson is to stop trying to be clever about which bucket you're in. Build for the stricter standard. The cost of doing so is roughly one extra checkbox on your intake form and one extra line of text at the bottom of your messages.

Consent: What Counts and What Doesn't

"Prior express consent" under the TCPA isn't a vibe. It has specific elements that have been litigated for the better part of a decade. For non-marketing transactional messages, the bar is lower; providing your phone number in the context of a transaction generally implies consent for messages about that transaction. For marketing messages, the bar is higher, and the standard is "prior express written consent."

Written consent in this context means a clear, conspicuous disclosure that the person is agreeing to receive automated marketing texts, signed (electronically or otherwise) before the texts start. The key word is "clear." Buried in the 47th paragraph of your terms of service does not count. Pre-checked boxes do not count. "By using our service you agree" language buried in a privacy policy does not count.

What does count, in roughly increasing order of safety:

• A line on your intake form, near the phone number field, that says something like "By providing your number, you agree to receive appointment-related and review-request text messages. Reply STOP to opt out."
• An explicit checkbox the customer has to actively check, with similar disclosure language next to it.
• A double opt-in: customer provides number, system sends a confirmation text, customer replies YES (or similar) to confirm.

For most local businesses, the first option is sufficient, the second is comfortable, and the third is overkill unless you're running a high-volume marketing list. The crucial point is that the disclosure has to be visible at the moment they hand over the number. Adding it to the privacy policy three months later does not retroactively cover the texts you already sent.

Two more things worth flagging. First, consent is per-channel. Someone agreeing to email does not constitute agreement to SMS. Second, consent is revocable by any reasonable means. If a customer replies STOP, calls and asks to be removed, or sends an email to the front desk saying "stop texting me," you have to honor that. A well-run business honors it across all future communications, not just the one campaign.

STOP Keyword: The Non-Negotiable

Every automated SMS you send to a U.S. consumer needs to honor opt-out requests, and the standard for doing so is the STOP keyword. If a customer replies STOP (or UNSUBSCRIBE, QUIT, CANCEL, END, or several other carrier-recognized variants), three things must happen, in roughly this order:

The carrier intercepts the message and blocks the recipient from receiving further texts from your sending number for the rest of the day, automatically. This isn't something you can opt out of. It's built into the carrier network.

Your sending platform should detect the STOP and add the number to a suppression list across your entire account, so it doesn't get re-added to a campaign tomorrow.

The customer should receive a confirmation message ("You've been unsubscribed. Reply HELP for help.") that confirms the opt-out worked. Most platforms send this automatically.

What you cannot do, ever, is treat the suppression list as advisory. Owners sometimes get a STOP, mentally note it, and then re-add the customer six months later when they come back for another service. The TCPA does not care that it's been six months. Opt-out is sticky. If the customer wants back in, they have to opt themselves back in, in writing.

One other STOP-keyword mistake worth flagging: do not get cute with the unsubscribe language. Messages with "reply UNSUB to opt out" or "text NOMORE to stop" don't qualify under carrier policy and can get your sending number flagged. Stick with the standard: "Reply STOP to opt out."

A2P 10DLC: Not Legal, But Enforced

This is the piece that catches most operators by surprise, because it isn't a law and most lawyers don't mention it.

In the U.S., as of 2023, the major carriers require any business sending automated SMS to consumers to register the brand (your business) and the campaign (the kind of messages you're sending) under a framework called A2P 10DLC, which stands for Application-to-Person, 10-Digit Long Code. If you don't register, the carriers either silently filter your messages, charge punitive per-message rates, or block your sending number entirely.

The registration process involves submitting your EIN, business address, website, sample message content, and use-case category to The Campaign Registry (TCR), the central database the carriers use. There's a one-time brand-registration fee (usually $4) and ongoing campaign fees ($1.50–$10/month per campaign depending on category). Approval typically takes a few business days for low-volume use cases and longer for marketing-heavy ones.

For review requests, the right campaign category is usually "Account Notification" or "Customer Care," not "Marketing," because the messages are tied to a specific completed transaction. Getting the category right matters. The marketing categories have lower throughput limits, higher fees, and more scrutiny.

If you're using a tool to send your review requests, A2P 10DLC registration should be a step in onboarding. If it isn't, ask why. If you're rolling your own with Twilio or another raw SMS provider, you'll need to register yourself. Skipping this step doesn't get you sued. It just makes half your messages quietly disappear, and you won't know which half. We get deeper into the operational picture in our review automation guide.

Disclosure Language That Actually Protects You

The good news is that the disclosure language for a review-request SMS program is short. Here are versions to adapt for the three places it usually shows up.

On a paper intake form or kiosk check-in, next to the phone number field:

By providing your mobile number, you agree to receive automated text messages from [business name] about your appointment and to leave us a review. Message and data rates may apply. Reply STOP to opt out at any time.

On an online booking form, as a checkbox below the phone field:

[ ] Yes, send me appointment confirmations and review requests by text. (Reply STOP to opt out. Standard message and data rates apply.)

At the bottom of every automated review-request text, every time, no exceptions:

Reply STOP to opt out.

Those four words ("Reply STOP to opt out") are the single most important addition you can make to your texts. They're not optional. They're not "best practice." They're how every automated SMS to a U.S. consumer ends, every time, and the absence of them in even one message is the kind of detail a plaintiff's attorney will use to build a class.

If you want extra coverage, the message can also include the business name (so the recipient knows who's texting them) and a HELP keyword response, but STOP is the non-negotiable.

A Note on Legal Advice

Everything above is operational guidance based on what works for local businesses. It is not legal advice. The TCPA is a federal law with state-level analogues (Florida and Washington have their own particularly aggressive versions), and the right answer for your specific business depends on factors that take a lawyer fifteen minutes to ask about. If you're sending review requests in any volume (say, more than a few hundred a month), it's worth a one-hour consult with a TCPA-aware attorney to review your intake forms and disclosure language. The cost of the consult is a tiny fraction of the cost of a single statutory-damages claim.

The operational habits in this piece (explicit consent, STOP keyword honored, A2P 10DLC registered, every message with an opt-out line, suppression list maintained across the account) will put you ahead of probably 90% of the local businesses sending SMS today. That's not a guarantee. It's a much better starting position than "we never thought about it."

If you'd rather have all of this handled by default (the registration, the suppression list, the disclosure language, the opt-out plumbing), that's a meaningful part of what ThankYouReview was built for. Compliance is one of the boring parts of the system, and the right time to think about it is before you send the first message, not after the first complaint.

For a sense of what well-written review requests actually look like (compliance is necessary but not sufficient), see our breakdown of common review-text mistakes. And if you haven't yet decided whether SMS is even the right channel for your situation, the email vs SMS conversion piece is the place to start.

Frequently Asked Questions

Frequently Asked Questions

Are Google review request texts considered marketing under TCPA?

+

It is a gray area. The FCC has not ruled specifically on review requests. Most TCPA defense attorneys treat them as transactional-but-build-for-marketing-rules: collect explicit consent, include STOP in every message, and honor opt-outs. Build to the stricter standard and the gray area stops mattering.

What does TCPA consent look like for SMS in 2026?

+

Clear and conspicuous disclosure visible at the moment the customer hands over their number, with language stating they agree to receive automated texts about appointments and review requests. A checkbox they actively check is comfortable; double opt-in is overkill for most local businesses.

Do I need A2P 10DLC registration to text my customers for reviews?

+

Effectively yes if you are in the US. The major carriers throttle, filter, or block unregistered business SMS. Registration runs $4 brand fee plus $1.50-$10 per month per campaign and takes a few business days to approve for low-volume use cases.

What happens if a customer texts STOP to my review request?

+

Three things: the carrier blocks further texts from your number, your platform should add the number to a suppression list across the entire account, and the customer gets an automatic confirmation. Re-adding the number later, even months on, is a TCPA violation.

Is it legal to text past customers asking for a Google review?

+

Only if they gave you their number for service-related communication and you have explicit consent for automated texts. Texting an old list scraped from a POS export without re-consenting and without an opt-out line is the highest-risk move operators make.

What disclosure language should I put on my intake form?

+

Something close to: 'By providing your mobile number, you agree to receive automated text messages about your appointment and to leave us a review. Message and data rates may apply. Reply STOP to opt out at any time.' Place it directly next to the phone-number field.

Does the TCPA apply to small local businesses?

+

Yes. The statutory damages of $500-$1,500 per text apply equally to a national brand and a salon in Topeka. The size of the business does not change the rules; the size of the list determines the size of the exposure.

TCPA compliance for review-request SMS comes down to four habits: collect explicit consent at the moment of phone-number capture, include the opt-out line in every message, honor STOP across your entire account forever, and register A2P 10DLC before your first send. Get those four right and you can spend your attention on the parts of the business that actually grow it.