The Complete TCPA-Compliant Insurance Marketing Guide
The Telephone Consumer Protection Act (TCPA) is the single most-cited compliance fear among insurance agencies considering SMS automation. The fear is reasonable — penalties for non-consensual marketing texts run $500–$1,500 per message, and TCPA class actions have hit agencies for seven figures. But the fear becomes manageable once the operational decisions are made deliberately. This guide walks through every one.
Step 1: Decide What You Need Consent For
The most important distinction in TCPA: marketing vs transactional.
Marketing SMS — anything that promotes a product, service, or commercial transaction. Examples:
- Quote follow-up texts
- Cross-sell suggestions
- Renewal reminders that include offers
- “We miss you” win-back campaigns
- Promotional discount announcements
Marketing SMS requires express written consent before sending.
Transactional SMS — operationally necessary communications to existing customers. Examples:
- Claim status updates
- Policy document delivery
- Appointment reminders
- Payment confirmations
- Service-recovery follow-ups
Transactional SMS does not require express written consent — implied consent from the existing relationship is sufficient. But transactional SMS still respects STOP / HELP keywords and time-of-day windows.
In practice, most agencies should treat all SMS as if it were marketing. The marginal cost of being more careful is near zero. The cost of being wrong is six figures.
Step 2: Build Compliant Forms
Every web form on your agency’s website that captures a phone number for marketing purposes needs a consent block above the submit button. Not in a popup. Not buried in the privacy policy. Above the submit button, with a checkbox the consumer actively engages.
The consent block must disclose:
- The consumer is agreeing to receive automated SMS
- Message frequency (or “varies”)
- Consent is not a condition of purchase
- Standard message and data rates may apply
- Opt-out instructions (STOP / HELP)
- Where to find the privacy policy and terms
Capture and store:
- Timestamp of consent
- IP address of submitter
- Page URL where consent was given
- Exact text of the consent disclosure as it appeared
- Form-field state (what other data was submitted with consent)
Retain these records for 4+ years (TCPA statute of limitations). The Insurance Snapshot for GHL captures all of this automatically on every snapshot-included form.
Step 3: Configure STOP Handling Across Every Workflow
The full required opt-out keyword set:
- STOP / STOPALL / UNSUBSCRIBE / CANCEL / END / QUIT → opt-out
- HELP / INFO → help reply with support email + phone
When any opt-out keyword arrives:
- Immediate acknowledgment SMS (“You’ve been unsubscribed. Reply START to opt back in.”)
- Update contact record’s
marketing_sms_opt_into false - Every workflow checks that field before sending
- Log the opt-out with timestamp + originating message ID
Critical: the opt-out must apply across all SMS from your agency, not just the campaign that triggered it. A policyholder who texts STOP on a renewal reminder must not receive a cross-sell SMS the following week. The snapshot’s STOP handling is global by default.
HELP returns a short reply pointing the contact to your agency’s support email and offering a phone number for live assistance. HELP does not opt the contact out.
Step 4: File A2P 10DLC Registration
In 2023, U.S. carriers began requiring A2P 10DLC registration for any business sending SMS at scale from a 10-digit business number. Without it:
- Your messages get filtered as spam by the carriers
- Your delivery rate drops below 50%
- Eventually your number gets carrier-blocked
The registration requires:
- Your real agency entity name + EIN
- Physical business address
- Contact info (name, email, phone)
- Sample message content
- Use-case description (in our case: “insurance agency customer communications”)
Most snapshot sellers charge $150+ to file this. The Insurance Snapshot for GHL files it free during the 10 dedicated install hours.
Falsifying any registration information voids carrier compliance and exposes the agency to suspension by Twilio or the underlying carriers. Be honest in the filing.
Step 5: Set Time-Of-Day Windows
TCPA requires marketing SMS only between 8:00 AM and 9:00 PM in the recipient’s local time zone. Industry best practice tightens this to 9:00 AM – 8:00 PM. Workflows should:
- Detect recipient time zone (from area code + zip)
- Schedule sends inside the window
- Hold messages outside the window until the next valid send time
Transactional SMS may run outside the marketing window (a 24/7 claim acknowledgment is fine), but the agency must be able to defend why the message was transactional, not marketing.
Step 6: Layer CMS Rules For Medicare
Medicare adds rules on top of TCPA. The Centers for Medicare & Medicaid Services (CMS) requires:
- Scope of Appointment (SOA) before any Medicare Advantage / PDP marketing conversation
- No cold SMS to Medicare-eligible contacts without prior SOA
- AEP window respect (Oct 15 – Dec 7) for enrollment campaigns
- OEP window respect (Jan 1 – Mar 31) for changes
- Permission-marketing only for educational content (no carrier solicitation without SOA)
- Carrier-allowance disclosure in any campaign content
- 48-hour SOA rule for first-time appointments
- 10-year retention of SOA records
CMS violations can suspend your appointment with all Medicare carriers — agency-ending consequence. The Medicare workflows in the Insurance Snapshot for GHL bake these rules into hard gates that cannot be overridden by producers.
See our AEP campaign design post for more on this.
Step 7: Configure Audit-Trail Export
Every consent capture, opt-out, message send, AI conversation, and producer hand-off should be logged in the CRM and exportable as CSV. The following parties will eventually ask for these logs:
- State DOI auditors
- Plaintiff attorneys (in the event of a TCPA complaint)
- Your E&O carrier (during policy renewal or after a claim)
- Carriers (during compliance reviews)
- CMS (for Medicare-related agencies)
The Insurance Snapshot for GHL maintains the audit log automatically. Make sure you know how to run the export — practice once a quarter.
Step 8: Train Producers + Document Edge Cases
The structural compliance is the easy part. The judgment for edge cases is the hard part.
Edge cases that come up:
- A long-time policyholder who texted “no more reminders” 18 months ago — can you send them a renewal reminder? (Yes if it’s transactional; no if it’s marketing-tinged. Defaults to transactional with permission re-prompt.)
- A prospect who completed your form but later said “I changed my mind, don’t text me” — what’s the documentation requirement? (Honor the verbal opt-out immediately. Capture the opt-out conversation in the CRM.)
- A Medicare-eligible prospect who started an ACA conversation and then asked about Medicare — does your existing consent cover Medicare outreach? (No. Capture a separate Medicare SOA before any Medicare conversation.)
- A commercial account whose AP department complains about your renewal SMS to the policyholder of record — is this a TCPA issue? (Not strictly — but consider whether the consent capture happened at the right level. May indicate the consent block needs improvement.)
For each edge case, document the decision and the reasoning. Build a “TCPA decision log” inside your agency. After a year, you’ll have a playbook for your own edge cases.
Final Disclaimer
This guide is operational guidance. It is not legal advice. Your agency, your producers, your E&O policy carry the final responsibility for TCPA / state-DOI / CMS compliance. Hire an insurance-specific compliance attorney for a one-hour review of your campaign blueprint before your first marketing SMS under any new system.
The Insurance Snapshot for GHL gives you the structural compliance — consent capture, STOP handling, A2P 10DLC registration, time-of-day windows, audit logs, CMS gates. You bring the judgment for the edge cases. Both pieces matter.
See the TCPA layer → or read the full TCPA & Communications Policy →.