SMS Compliance After Yotpo: What Every Brand Needs to Know

This guest post is authored by Justin H. Mueller, independent SMS compliance expert. Views are his own.

Updated: August 13, 2025

What Changed (and What's Actually Being Offered)

• Yotpo is winding down native SMS (and Email). Their offboarding guide tells you how to export data and shut down services, but registration, verification, and number control are on you. Execution quality, not vendor marketing, decides whether you can legally and operationally send on Day 1.
• Two non-negotiables shape every plan:
  • Toll-Free (US/CA): Unverified TFNs are blocked from messaging. Submit and get Approved before cutover.
  • 10DLC: Brand + campaign registration via The Campaign Registry is mandatory for A2P long codes.

Why "Too-Good-to-Be-True" Migration Claims Backfire

• No one can guarantee deliverability except the networks themselves. Carriers own the rails; they can reject, filter, throttle, suspend, or disconnect traffic, even if you think you "followed the rules."
• CTIA documents codify common expectations, but they're not law, and carriers can enforce stricter, sometimes unwritten acceptance criteria (e.g., disclosure size/contrast, opt-out placement).
• Translation: lock registrations, verifications, and number control first; treat "seamless" promises as red flags.

Key Compliance Principles to Keep in Mind

1. Assume you (the brand) are fully liable.
   Legally, everyone in the chain can be held responsible, but it's rare for brands to escape by pointing at providers. Courts and regulators look at intent, negligence, carelessness, and ignorance. Providers will document their controls; you must prove ongoing oversight. If you allow the migration to be automated or handled by a provider/agency, keep visibility, authority, and final sign-off on every compliance choice.
2. In SMS, "compliance" does not equal "just the law."
   TCPA is the legal floor, not the operating ceiling. TCPA-only programs often underperform on carrier/CTIA expectations (clear identity, HELP/STOP behavior, frequency disclosures, link hygiene, quiet hours). These brands get flagged via audits, filtering, or blocks, even if they're "legal."
3. Multiple authority layers apply. Treat them as real constraints:
   • Federal: TCPA / FTC / COPPA / HIPAA (as applicable)
   • State: FL (quiet hours & FTSA), OK, TX SB 140, privacy (CCPA/CPRA)
   • CTIA: Industry expectations & auditing (WMC Global)
   • Carriers (Tier-1 MNOs): Final arbiters; can impose stricter/unwritten requirements
   • Aggregators: Sinch, Vibes, Infobip (routing & submissions)
   • CPaaS/Platforms: Twilio, Bandwidth, Klaviyo, etc. (tooling & ops)
   • Consumers: 7726/SPAM reports, opt-outs, complaints (which drive carrier actions)
   Canada: CASL is technology-neutral. Texts are CEMs; you must prove consent, identify the sender, and include an unsubscribe.

The Migration Playbook

Pick your sender path and execute the matching checklist.

A) Toll-Free Number (TFN)

Use when: Support-heavy 2-way CX, national reach, steady throughput.

Do this (minimum carrier-acceptable steps):

• Verification first. Submit TFN Verification with: use case, consent capture screenshots, message samples, HELP/STOP flows, link domains, and compliance contacts. Do not schedule cutover until status = Approved.
• If keeping your TFN: Your new provider initiates a RespOrg Change (ROC) in TFNRegistry with your LOA. Track release/accept; remember voice ownership does not equal messaging clearance. You still need TFN Verification.
• If changing numbers: Run a two-message transition (final on old, first on new) to orient subscribers and reduce opt-outs.
• Cutover checks: Validate STOP (and synonyms) + HELP behavior, quiet hours, and watch toll-free error patterns (e.g., 30032/30007) as canaries for verification/filter issues.

TFN risk controls:

• Evidence pack on file (see Consent & Data section)
• Branded short links only; no public shorteners
• Monitor deliverability by carrier; alert on HELP latency >60s and STOP spikes

B) 10DLC (Local A2P Long Code)

Use when: Brand-local presence, granular use cases, short-to-mid timeline.

Do this (minimum carrier-acceptable steps):

• Register brand + campaign via The Campaign Registry (through your provider). Provide accurate use case descriptions, sample messages, exact disclosure language, and link domains.
• Map approved campaigns to the sending numbers before any traffic; unregistered A2P on local long codes is not allowed.
• Expect vetting (often via WMC Global/RISQ), which influences throughput and filters; fix whatever is flagged (identity clarity, consent wording, link domain).
• Functional checks: STOP (and synonyms), HELP latency, quiet-hour controls by state, link domain routing, per-carrier pacing.

10DLC risk controls:

• Stagger sends (avoid uniform bursts); warm by engagement & carrier
• Ensure keyword automation parity (JOIN/YES/HELP/STOP) from day one
• Monitor campaign health and brand caps (especially during promos)

C) Dedicated Short Code

Use when: High-throughput national programs, promo cadence, or carrier whitelisting is strategic.

Do this (minimum carrier-acceptable steps):

• Complete program brief with opt-in mechanics, screenshots of disclosures, frequency, fees, message samples, and user flows. Carriers review/approve and can reject for UX issues (e.g., tiny font, low contrast, vague frequency) even if unwritten. Plan weeks for provisioning and iterations.
• Expect WMC/CTIA audits; remediate quickly and archive every capture surface and reply path.
• If transferring an existing short code: Coordinate carrier routing changes and keep overlap until fully live on the new provider.

Short code risk controls:

• Rapid remediation loop with carrier feedback; pre-approved alternates for disclosure copy
• Clear escalation path with your aggregator and provider for audit findings

Consent & Data Continuity

Move proof, not just lists.

Export from Yotpo now (and retain long-term):

• Consent ledger fields (minimum viable proof): timestamp, source/medium (URL/keyword/POS), exact disclosure text shown, IP/UA (if web), purpose/campaign mapping, phone, user_id (if any), jurisdiction
• Suppression history: STOP/HELP transcripts, global opt-out state across all senders
• Program logic: flows/branches/throttles, segment rules, quiet-hour/time-zone logic
• Linking: Branded short-link domains and UTM tables

Rebuild capture exactly (site pop-ups, checkout, POS, QR, keywords): brand identity, frequency, fees, HELP/STOP, T&Cs/Privacy links, and branded links.

Canada (CASL): Keep demonstrable consent records; identify sender and include unsubscribe in every CEM (texts included).

Number Control & Porting

Rights vs. realities.

• U.S. porting is your right. The gaining provider initiates; the losing provider cannot refuse a valid port due to contracts/balances (those are separate disputes). Keep CSR/Billing name, BTN, account PIN/passcode, service address, and latest invoice ready to avoid "mismatch" rejections.
• TFN ownership vs. messaging: ROC/RespOrg change handles voice ownership; TFN Verification handles texting. You need both before scale.

Communicate the Number Change

Only if you're changing numbers.

• Final text from the old number (pre-cutover): Announce the new number, restate program purpose/frequency, include STOP/HELP.
• First text from the new number (12-24h later): Confirm identity, restate expectations, include STOP/HELP. This two-message pattern aligns with carrier/CTIA expectations on clarity and opt-out, and reduces confusion-driven opt-outs.

Stabilize Deliverability

Prove to carriers you're "safe."

• Warm by engagement & carrier (VZW/AT&T/T-Mo). Stagger windows; avoid uniform bursts (snowshoe profiles get filtered).
• Link hygiene: Branded short domain only; landing pages must clearly identify the sender.
• Operating checks: Quiet hours (e.g., Florida 8 a.m.-8 p.m. local), STOP synonyms honored globally, HELP replies return brand + support.
• Monitoring: Delivery % per carrier, toll-free error clusters (30032/30007), STOP rate, HELP latency, 7726/SPAM reports.
• If filtered: Pause that cohort, reduce frequency, tighten targeting, fix disclosures/links, and re-warm.

Risk Scenarios & Pre-Mortems

Plan before they happen.

• Verification delays (TFN) or campaign rejections (10DLC): Hold cutover; keep old rails warm; prep a temporary sender with conservative pacing.
• Short code design rejections: Pre-test disclosure contrast/size, add frequency line, reposition consent copy above CTA; include alternate designs in the brief.
• Opt-out spike after number change: Send the new-number message sooner, add value in first campaign (not just promos), re-segment by high engagement, check HELP/STOP latency.
• Audit findings: Reply within 24-48h with screenshots, updated copy, and dates; maintain an internal audit log.

Governance & Ownership

How you stay out of trouble.

• RACI on file: Who owns sender strategy, registrations/verifications, capture UX, HELP/STOP keywords, quiet hours, link domains, and audit responses.
• SOPs: Incident response (filtering/audits), consent capture changes (who approves), content QA (what's prohibited), data retention & exports.
• Evidence pack: Consent ledger exports, capture screenshots/URLs, keyword logs, audit close-outs, registration/verification approvals, porting records (LOA/FOC/ROC).

State & Canada Overlays

Don't skip these.

• Canada (CASL): SMS are CEMs; you must obtain consent, identify the sender, include an unsubscribe, and be able to prove consent upon request.
• Florida (FTSA): Telemarketing quiet hours 8 a.m.-8 p.m. local; texts are "telephonic sales calls." 2023 amendments add a STOP + 15-day safe harbor. Build and test your STOP workflow.
• Texas (SB 140, effective Sep 1, 2025): Expands mini-TCPA scope to texts and raises enforcement. Tighten disclosures and suppressions for Texas residents.

Note: There are many more states with SMS-specific legislation, and more legislation than what is noted here for Florida and Texas. It is ultimately the brand's responsibility to follow all rules.

Bottom Line

Migration succeeds when you verify/register first, control your numbers, and preserve consent continuity, then prove to carriers you're safe through clean UX, warmups, and monitoring. The law is the minimum; carriers are the gate. If a promise sounds effortless, it's marketing.

- Justin H. Mueller, The SMS Coach
LinkedIn | Email | Website

Quick References

• CTIA - Messaging Principles & Best Practices (May 2023)
• The Campaign Registry - 10DLC Overview
• Twilio - Toll-Free Verification for US/Canada
• FCC - Porting: Keeping Your Number
• Yotpo - Offboarding from Yotpo SMS & Email
• Florida Statutes - Section 501.616 (quiet hours)
• Eversheds Sutherland - Texas SB 140 (effective Sep 1, 2025)
• CRTC - CASL Guidance: Proof of Consent

Need help migrating your SMS program? Get a free audit and we'll make sure your transition is compliant and clean.

Keep Reading

• Why Yotpo Dropping Email & SMS Is a Good Thing
• How to Migrate from Yotpo Email & SMS to Klaviyo
• How Much Revenue Should Come From Email Marketing?