The most-cited reason small insurance agencies refuse to adopt SMS automation is fear of TCPA exposure. The fear is reasonable — penalties for non-consensual marketing texts run $500–$1,500 per message, and class actions have hit agencies for seven figures. But the fear is also disproportionate to the actual risk if you set the SMS layer up correctly.
Here’s the field guide.
Express written consent — the only consent that matters
For marketing SMS (anything that promotes a product, service, or commercial transaction), TCPA requires express written consent. That means:
- A clear, conspicuous disclosure that the consumer is agreeing to receive SMS
- Disclosure of message frequency (or “varies”)
- Disclosure that consent is not a condition of purchase
- Disclosure that standard message and data rates may apply
- Opt-out instructions (STOP for unsubscribe, HELP for help)
Every form on your website that captures a phone number for marketing purposes needs this consent block above the submit button. Not buried in the privacy policy. Not as an afterthought in the footer. Above the submit button, with a checkbox the consumer actively engages.
The form should capture:
- Timestamp
- IP address
- Page URL
- Exact text of the consent disclosure as it appeared
Retain these records for 4+ years (TCPA statute of limitations).
Transactional vs marketing — the line matters
Transactional SMS (renewal posts on the 21st, claim assigned to adjuster X, policy documents attached) does not require express written consent — implied consent from the policyholder relationship is sufficient. But transactional SMS has its own constraints:
- Still respects STOP / HELP keywords
- Still respects time-of-day windows
- Cannot embed marketing content (a “renewal posts on the 21st — by the way, did you know we also do home insurance?” is a marketing message, not transactional)
In practice, most agencies should treat all SMS as if it were marketing — same consent capture, same STOP handling, same time windows. The marginal cost of being more careful is near zero. The cost of being wrong is six figures.
STOP / HELP keyword handling
The full required keyword set:
- STOP / STOPALL / UNSUBSCRIBE / CANCEL / END / QUIT → opt-out
- HELP / INFO → help reply with support email + phone
When any opt-out keyword arrives:
- Immediate acknowledgment SMS (“You’ve been unsubscribed. Reply START to opt back in.”)
- Update contact record’s
marketing_sms_opt_into false - Every workflow checks that field before sending
- Log the opt-out with timestamp + originating message ID
Critical: the opt-out must apply across all SMS from your agency, not just the campaign that triggered it. A policyholder who texts STOP on a renewal reminder must not receive a cross-sell SMS the following week.
A2P 10DLC registration
In 2023, U.S. carriers began requiring A2P 10DLC registration for any business sending SMS at scale from a 10-digit business number. Without it:
- Your messages get filtered as spam by the carriers
- Your delivery rate drops below 50%
- Eventually your number gets carrier-blocked
The registration process requires your real agency entity, EIN, address, contact info, sample message content, and use-case description. Most snapshot sellers charge $150+ to do this. The Insurance Snapshot for GHL files it free during the 10 dedicated install hours.
Falsifying any registration information voids carrier compliance and exposes your agency to suspension by Twilio or the underlying carriers.
Time-of-day windows
TCPA requires marketing SMS only between 8:00 AM and 9:00 PM in the recipient’s local time zone. Industry best practice tightens this to 9:00 AM – 8:00 PM. Workflows should:
- Detect recipient time zone (from area code + zip)
- Schedule sends inside the window
- Hold messages outside the window until the next valid send time
Transactional SMS may run outside the marketing window (a 24/7 claim acknowledgment is fine), but the agency must be able to defend why the message was transactional, not marketing.
CMS overlay for Medicare
Medicare adds rules on top of TCPA. The Centers for Medicare & Medicaid Services (CMS) requires:
- Scope of Appointment (SOA) before any Medicare Advantage / PDP marketing conversation
- No cold SMS to Medicare-eligible contacts without prior SOA
- AEP window respect (Oct 15 – Dec 7) for enrollment campaigns
- OEP window respect (Jan 1 – Mar 31) for changes
- Permission-marketing only for educational content (no carrier solicitation without SOA)
- Carrier-allowance disclosure in any campaign content
CMS violations can suspend your appointment with all Medicare carriers — agency-ending consequence. The Medicare workflows in the Insurance Snapshot for GHL ship with these rules baked into hard gates.
State DOI overlay
Some state insurance departments add additional disclosure requirements: producer name, license number, state of licensure, agency physical address, opt-out language. The snapshot’s compliance footer is configurable per state.
Audit-trail requirements
Every consent capture, opt-out, message send, AI conversation, and producer hand-off should be logged in the CRM and exportable as CSV. State DOI auditors, plaintiff attorneys, and your E&O carrier will all eventually ask for this. The snapshot maintains the audit log automatically.
The final-disclaimer point
This article is general guidance — not legal advice. Your agency, your producers, your E&O policy carry the final responsibility for TCPA / state-DOI / CMS compliance. If you’re not sure whether your current SMS practice is compliant, hire an insurance-specific compliance attorney for a one-hour review. It’s the cheapest insurance you can buy.
The Insurance Snapshot for GHL gives you the structural compliance — consent capture, STOP handling, A2P 10DLC registration, audit logs. You bring the judgment for the edge cases. Both pieces matter.
See the snapshot’s TCPA layer → or read the full TCPA & Communications Policy →.