10DLC Compliance Guide: How to Legally Use 10-Digit Long Codes for SMS Marketing

If you want to send marketing messages or other updates to customers without breaking the bank, using a 10DLC number can be an effective and economic solution. You'll need to follow the law and operating rules to make sure your messages get delivered and you don't get hit with fines. Here's what you need to know and do.

What Is a 10DLC?

A 10-digit long code (10DLC) is a phone number assigned and used primarily for sending marketing and other business communications. It isn't normally used for making phone calls or for sending messages from a phone. Instead, it is specifically designed for application-to-person (A2P) messaging where a business can use a computer or other internet connected device to send messages to people. The recipients then get it as an SMS or MMS text, as if it had been sent from somebody's phone.

As long as you meet the registration requirements of the 10DLC program and get your brand and messaging approved, the messages you sent will not be blocked by mobile carriers. Note that although similar programs exist in some other countries, we're talking about 10DLC in the United States in this guide.

Is This the Same as a Toll-Free or Short Code Number?

A 10DLC is one of three different formats for numbers used in application-to-person messaging alongside toll-free numbers and short code numbers. Though the concept is the same, 10DLC has several differences:

• You can use a 10DLC for voice messaging and two-way messaging (which you can also do on toll-free numbers but not short code numbers.)
• You can use a 10DLC for group messaging (which you cannot do with toll-free or short code numbers.)
• The number you use will be in the same 10-digit format, with area code, use for ordinary phone lines and cellphones. That's in contrast to the toll-free number that starts 1-800 (or a similar code), or the short code system that is usually only five or six digits.

What Are the Benefits of Using 10DLC?

10DLC has benefits involving both the number itself and the technology you use to send messages.

Because a 10DLC number is in a familiar format that resembles that of an individual or business's ordinary phone number, people may be more likely to open and read your messages than with toll-free or short code numbers that may be more associated with unwanted marketing. Using an area code to target particular recipients may also make people more likely to open a "local" message. It's even possible in some cases to use your existing phone number, which may be familiar to message recipients, for the 10DLC technology.

The 10DLC technology is specially designed for sending messages to a large number of recipients at once. This means it's less likely they'll get filtered, slowed down or backlogged in transmission. It also means the costs of messaging scale much more smoothly, making it easier to switch between different audiences and marketing campaigns. This makes 10DLC more economically viable for smaller campaigns than other formats.

Do I Need To Get Verified To Use 10DLC?

Yes, you will need to be registered with, and approved by, an organization called the Campaign Registry. It's a central database used by the major cellphone carriers.

This process can take up to six weeks and includes a token monthly registration fee. You must not use 10DLC without the approval. If you do, your messages will likely be blocked as spam and the carriers could impose significant fines on you.

The 10DLC rules use the term "campaign" to describe sending messages, but this doesn't solely cover marketing. The rules apply to sending messages through 10DLC for any reason.

How Does the 10DLC Verification Work?

The Campaign Registry will need to register both your brand and your messaging campaign. You need to register a new campaign and get it approved each time you want to send messages for a particular reason.

For example, if you already use 10DLC to send two-factor authentication codes, you will need to register a new campaign to start using it to send promotional offer messages.

For the brand, you'll need to provide information about your business to prove it is legitimate. This includes your name, tax number, website, company size and contact details.

For the messaging campaign, you'll need to give an overview of the types of message and the general purpose of the campaign, along with some specific examples of messages. You'll also need to say how you are addressing consent among recipients to receive the messages. You must also say if your messages will include any links or any content that is age restricted.

The Campaign Registry will then assign you a trust score out of 100. This will affect both the total number of messages you are allowed to send each day and the number of messages you can send per second. These may also be affected by the type of messaging you have declared in your registration; for example, if it is for marketing or for two-factor authentication. The specific details of how this works varies between carriers.

How Does Consent Work With 10DLC?

As part of the verification process, you must be able to prove that you will only send messages to users who have consented to receive them.

This must be an opt-in mechanism by which you do not assume consent but instead only add people to a recipient list when they explicitly agree to be on it. To make this consent meaningful, make sure potential recipients understand the type of messages you will send.

Examples of consent methods include (but are not limited to):

• Verbal confirmation to a clear question.
• A form on a website.
• A paper form.
• A response to a text message. (This must be a specific response using a clear term that you have told the customer to use, such as "OPTIN".)

You can use a QR code to direct a user to a consent form. You cannot treat scanning the QR code as giving consent.

GM explains that texting a specific number with a specific message, having had the opportunity to read about its texting policy, will count as giving consent:

If you use an online form, you must clearly tell people what they are consenting to. For added safety, link to your Privacy Policy. Use a method such as a checkbox that requires a positive action to show consent; never use a pre-tricked checkbox.

Walmart links to both a Privacy Policy and a specific page about messages sent as Mobile Alerts:

CompactCath details key elements of the consent including its limited purposes, the fact it is not mandatory, and the option to unsubscribe at any time:

Wells Fargo explains how it uses multiple steps to make absolutely certain users are meaningfully consenting:

Green Paper Products makes clear that providing a phone number only consents to getting messages about an order and that the user must actively tick a box to consent to also getting marketing messages:

When applying for verification you must:

• Detail the specific method or methods you use to collect consent.
• Explicitly state if you are not using your website to collect consent.

The 10DLC rules also say you must give people a confirmation message after they have opted in. This could be an on-screen message if they've used a form to consent, or it could be as a text message. The confirmation message must include:

• A broad description of the types of message you will send.
• A guideline of how many messages you will send and how frequently you will send them.
• A contact number for any queries or complaints.
• Details of how to withdraw consent (ie to opt out of future messages).
• Details of any costs associated with the messages, including them counting towards monthly message allowances.

You'll need to include a copy of this confirmation message when applying for verification.

Do I Need a Privacy Policy To Use 10DLC?

Yes, the 10DLC verification process specifically requires a Privacy Policy. It also imposes the following requirements on the policy and how you use it:

• You must link to the Privacy Policy from any form where you collect phone numbers.
• Your Privacy Policy must clearly state you will not share people's phone numbers with a third party.
• If your Privacy Policy allows for data sharing with third parties, it must explicitly state that this does not cover phone numbers.

Note that these requirements apply even if your Privacy Policy already complies with all relevant laws. Note also that you cannot pass on or share consent for 10DLC messaging: the fact that somebody has consented to receive messages from your business can never be used as consent to receive messages from a third party.

Legal Aid DC has a dedicated Privacy Policy for text messaging:

How Do Privacy Laws Affect 10DLC?

At the time of writing, 20 US states have passed some form of privacy law, mostly based on or inspired by California's law. However, for two reasons, they shouldn't significantly restrict your use of 10DLC:

• The laws usually only restrict selling data such as phone numbers. When it comes to using the numbers, the main requirement is to tell people about your data use in a Privacy Policy.
• Most of the laws have a minimum threshold that means they only apply if you are handling the personal information of tens of thousands of people in a state. If this is the case, 10DLC may not be the most economical messaging method anyway.

If you are sending messages to people outside of the US, you may be covered by other national laws on messaging. These include Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

The most significant effect of such laws is to make it clearer that you must get specific consent from message recipients based on the type of messages you want to send. Getting consent for text message updates about an order will not be sufficient to then send purely marketing messages.

Do Any Other Laws or Rules Affect 10DLC?

Yes, several laws, company rules and industry guidelines kick in where you use any text messaging. These include:

• The Telephone Consumer Protection Act.
• The (voluntary) rules of the Cellular Telecommunications Industry Association.
• The requirements of third-party providers such as with software for sending messages.

The common theme with these rules is a further reinforcement of the principle that you need to get opt-in consent where people make an informed decision. Providing a clear Privacy Policy is a key part of this. Some of these rules add extra requirements such as not using deceptive content in messages, or only sending messages which meet content guidelines.

Summary

10DLC is a way to use an "ordinary" 10-digit phone number for application-to-person messaging, reducing the risks of messages being backlogged or undelivered. You can only use it after registering and getting approval for both your brand and your messaging campaign.

Key steps you must follow include:

• Figure out how and where you'll collect consent.
• Draft a confirmation message to deliver after getting consent. This must outline your use of messaging.
• Make sure you have a clear Privacy Policy that confirms you don't share people's phone numbers. Link to this policy when getting consent.
• Register both your brand and your specific messaging plans with Campaign Registry.