A2P 10DLC is short for Application-to-Person 10-digit long code. It's a communication channel that allows businesses to send A2P messages to U.S. phone numbers using local 10-digit phone numbers.
A2P 10DLC was introduced by major U.S. mobile carriers in 2021. The primary goal is to ensure that business-to-customer messages through regular phone numbers are legitimate and consensual.
This article explains A2P 10DLC, looking at what it entails, who it applies to, what it requires, and how to comply to run legally sound messaging campaigns.
What customers say about TermsFeed:
This really is the most incredible service that most website owners should consider using.
Easy to generate custom policies in minutes & having the peace of mind & protection these policies can offer is priceless. Will definitely recommend it to others. Thank you.
- Bluesky's review for TermsFeed. Read all our testimonials here.
With TermsFeed, you can generate:
- 1. What is A2P (Application-to-Person)?
- 2. What is 10DLC (10-Digit Long Code)?
- 3. What is Application-to-Person 10-Digit Long Code (A2P 10DLC)?
- 4. Who Must Comply With Application-to-Person 10-Digit Long Code (A2P 10DLC) Standards?
- 5. What are the Requirements for Application-to-Person 10-Digit Long Codes (A2P 10DLC) Compliance?
- 5.1. The Messaging Industry's Requirements for A2P 10DLC
- 5.2. Legal Requirements for A2P 10DLC
- 5.2.1. The Telephone Consumer Protection Act (TCPA)
- 5.2.2. The Cellular Telecommunications Industry Association (CTIA)
- 5.2.3. Consumer Privacy and Data Protection Laws
- 5.3. Third-Party Campaign Service Provider Requirements for A2P 10DLC
- 6. How Do You Comply With Application-to-Person 10-Digit Long Codes (A2P 10DLC) Requirements?
- 6.1. Register for A2P 10DLC with The Campaign Registry
- 6.1.1. Brand Registration
- 6.1.2. Campaign Registration
- 6.2. Observe Opt-In and Opt-Out Consent Standards
- 6.2.1. Opt-In Consent Standards Under the CTIA
- 6.2.2. Opt-Out Consent Standards Under the CTIA
- 6.3. Maintain and Display a Compliant Privacy Policy
- 6.4. Implement Measures to Prevent Unlawful Messaging Practices
- 7. What are the Penalties for Violating A2P 10DLC Compliance?
- 8. Summary
What is A2P (Application-to-Person)?
Application-to-Person (A2P) is any communication method that involves sending messages from a software application to a person's mobile device. It's unlike Person-to-Person (P2P) communication, where messages are exchanged between two mobile users.
As a business owner, A2P messaging lets you send automated texts to your customers' mobile phones using a web service. This communication channel has quite a number of use cases, such as:
- Order confirmations
- Shipping notifications
- Marketing campaigns
- Appointment reminders
- Transactional messages
- Two-factor authentication (2FA)
A2P messages are typically one-way communication channels, so recipients are not required to respond.
What is 10DLC (10-Digit Long Code)?
10-digit Long Code (10DLC) is designed specifically for A2P messaging. It's a U.S. standard phone number businesses can use to communicate with their customers at scale. Plus, it allows for two-way messaging between businesses and their customers.
10DLCs are one of three main business communication methods in the United States. Together, they are:
- Short code numbers (typically 5 to 6 digits)
- Toll-free numbers (such as 1-800-XXX-XXXX)
- 10-digit long code numbers (such as 555-XXX-XXXX)
What sets 10DLCs apart is that they look like regular U.S. mobile numbers, making them more recognizable and trustworthy to customers. This familiarity is expected to prompt higher open rates and better engagement for text message campaigns.
It's worth noting that 10DLCs also support voice calls in addition to text messaging.
What is Application-to-Person 10-Digit Long Code (A2P 10DLC)?
A2P 10DLC is a messaging channel that allows businesses to send A2P-style messages to U.S. customers using regular 10-digit phone numbers.
It's a relatively new standard introduced by major U.S. mobile carriers to make SMS/MMS texting authenticated and more reliable.
But A2P 10DLC isn't just about improving business communications. It's also part of the industry's efforts to provide a secure messaging ecosystem by:
- Clamping down on spam, phishing, and smishing attacks
- Improving transparency and accountability for text campaigns
- Increasing throughput for faster and more reliable message deliveries
The A2P 10DLC channel is highly regulated to ensure all messages on its route are secure, legitimate, and reliable for everyone involved.
Who Must Comply With Application-to-Person 10-Digit Long Code (A2P 10DLC) Standards?
Anyone who sends SMS or MMS messages from a software application to U.S. phone numbers using 10-digit long codes must comply with A2P 10DLC requirements.
It's important to note that these requirements aren't reserved for businesses alone. Individuals and hobbyists who meet these criteria are also covered by A2P 10DLC regulations.
What are the Requirements for Application-to-Person 10-Digit Long Codes (A2P 10DLC) Compliance?
A2P 10DLC requirements are admittedly complex to navigate. This is because there are industry guidelines, laws, and best practices that come into play depending on specific circumstances.
Fortunately, these requirements are largely interconnected and build off of each other for the most part. The result is a comprehensive but straightforward set of rules for A2P 10DLC compliance.
Let's briefly unpack the most important ones.
The Messaging Industry's Requirements for A2P 10DLC
The Campaign Registry (TCR) is the reputation authority that vets and oversees A2P 10DLC registration for businesses.
It was created by major North American mobile network operators (Verizon, AT&T, and T-Mobile) to ensure all SMS traffic on the A2P 10DLC route is verified and approved by recipients.
When it comes to A2P 10DLC compliance, the TCR requires businesses to complete two key registration requirements:
- Brand registration: This involves identifying your business with mobile carriers to verify your legitimacy as a message sender.
- Campaign registration: This involves showing mobile carriers examples of the messages you plan to send customers. For instance, informational alerts and marketing promotions will fall under different campaigns.
In short, brand registration tells mobile carriers "who" you are, while campaign registration tells them "what" type of messages you're sending. We'll go into the specifics of what these registrations entail shortly.
Legal Requirements for A2P 10DLC
Complying with the legal requirements for A2P 10DLC means adhering to all applicable laws, guidelines, and industry best practices. Here are the most relevant ones to take note of:
The Telephone Consumer Protection Act (TCPA)
The Telephone Consumer Protection Act (TCPA) is a U.S. federal law that regulates telemarketing calls, pre-recorded messages, and SMS text messages.
Its overarching requirement for SMS texting (as it relates to A2P 10DLC) is to obtain explicit ("opt-in") consent before sending messages.
To compel businesses to comply, the TCPA gives consumers the right to seek compensation ranging from $500 to $1,500 for each unsolicited message they receive.
The Cellular Telecommunications Industry Association (CTIA)
The Cellular Telecommunications Industry Association (CTIA) is a powerhouse in the U.S. messaging ecosystem. It is best known for its robust Messaging Principles and Best Practices.
Although compliance with the CTIA's provisions is voluntary, it's highly recommended for every business using the A2P 10DLC communication channel. Among other requirements, participating businesses are required to:
- Observe strict opt-in and opt-out consent standards
- Avoid including deceptive, fraudulent, and illicit content in their text campaigns
- Maintain and prominently display a clear and easy-to-understand Privacy Policy
Consumer Privacy and Data Protection Laws
In specific instances, phone numbers can qualify as personal information under many privacy and data protection laws.
As such, collecting customers' phone numbers for texting campaigns may place you within the crosshairs of privacy laws in your customers' regions. Some of the more prominent laws are as follows:
- The EU's General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA/CPRA)
- The California Online Privacy Protection Act (CalOPPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia's Privacy Act of 1988
- Brazil's Lei Geral de Proteção de Dados (LGPD)
Third-Party Campaign Service Provider Requirements for A2P 10DLC
Third-party campaign service providers are the 'A' in A2P. They provide the software application for campaign messaging and handle the registration requirements for businesses.
As such, many of them (like Twilio, Alive5, Alianza, etc.) also impose their own set of rules for A2P 10DLC compliance. These rules primarily revolve around:
- Content restrictions
- Consent and notice requirements
- Usage limitations to combat spam and abuse
While each third party's specific requirements differ slightly, their golden rule for messaging is largely the same: Comply with all applicable laws, industry guidelines, and best practices.
For example, here's how Twilio sets out its messaging rules for all A2P senders, including long code users:
Similarly, here's how Alianza sets its house rules for business text messaging in its Terms and Conditions:
Further below, Alianza includes links to recommended laws and best practices all message senders on its platform should observe:
Alive5 sets out similar rules in its Acceptable Use Policy. It requires users to comply with the TCPA, the CTIA's best practices, and other applicable laws, rules, and industry guidelines:
Failing to comply with these third-party requirements can lead to account suspensions and terminations, among other consequences.
How Do You Comply With Application-to-Person 10-Digit Long Codes (A2P 10DLC) Requirements?
Here's our list of compliance steps to bring your text campaigns in line with A2P 10DLC regulations:
- Register for A2P 10DLC with The Campaign Registry
- Observe opt-in and opt-out consent standards
- Maintain and display a compliant Privacy Policy
- Implement measures to prevent unlawful messaging practices
Let's look at these requirements in more detail.
Register for A2P 10DLC with The Campaign Registry
The first step for A2P 10DLC compliance is to get on the radar of The Campaign Registry (TCR). As we've established, this means registering your brand (business entity) and campaigns (messaging use cases). Let's see what each registration entails.
Brand Registration
To register your brand, the TCR requires a number of key business information to verify your legitimacy, including but not limited to the following:
- Legal company name
- Employer Identification Number (EIN) - especially important
- Entity type (private, public, non-profit, government, etc.)
- Business type (sole proprietor, corporation, or LLC)
- Official address (city, state, country, zip codes, etc.)
- Company contact details (email address and phone number)
After providing these details (and paying an invoice), you'll see your brand registered on the TCR's brand details page.
Campaign Registration
To register your campaigns, the first step is to select your use cases (i.e., the purpose of your campaign). The TCR groups use cases in two categories:
- Standard Use Cases are immediately available for all verified brands. Examples include 2FA, account notification, and marketing.
- Special Use Cases are not available to all brands and will require additional vetting by the TCR. Examples include charity, sweepstakes, and emergency services.
After selecting the right use case for your campaign, you'll need to provide key additional information, including:
- Campaign vertical and description
- Campaign content and attributes
- Examples of the messages you'll send to customers
- Proof of verification and consumer consent (opt-in)
If you're using a Campaign Service Provider (CSP), all you need to do is send them the necessary details, and they'll handle the registration process with the TCR.
Once the TCR vets your brand and campaign, it will assign you a Trust Score (from 0 to 100). This score directly influences your message delivery and throughput levels. So, the higher your Trust Score, the better your chances of reaching your audience.
All A2P 10DLC registrations are valid for 12 months and must be renewed annually by re-submitting your brand and campaign details for re-approval.
Observe Opt-In and Opt-Out Consent Standards
Your campaigns are only lawful when recipients have provided their explicit consent (opt-in) and can freely withdraw their consent (opt-out) anytime they wish.
When it comes to the opt-in and opt-out consent standards, the CTIA's Messaging Principles and Best Practices are the most comprehensive. Let's take a look.
Opt-In Consent Standards Under the CTIA
The CTIA provides several examples of valid consumer opt-ins for text campaigns. They include but aren't limited to:
- Providing a telephone number through a website
- Ticking an empty checkbox or clicking a button on a mobile webpage
- Opting in over the phone using interactive voice response (IVR) technology
Here's an example of a valid opt-in mechanism from the TCR's registration page:
Importantly, you must provide a confirmation notice for each consumer opt-in as well as for recurring text campaigns. This confirmation should be placed beside your consent button or checkbox and must include:
- Your campaign name or product description
- Your customer care contact details (such as your phone number or HELP instructions)
- How customers can opt out
- A notice that your messages are recurring and their frequency
- Simple, prominent language about fees or charges and how you will bill customers
Here's an example of how you can phrase your confirmation notice:
"By entering your phone number and submitting this form, you agree to receive SMS text messages from [Your Business Name]. Message frequency may vary. Standard data rates may apply. Reply 'STOP' to unsubscribe from future messages. For more information, reply 'HELP.' Please review our Privacy Policy at [Your Privacy Policy URL] for more details on how we handle your data."
You can only obtain one opt-in consent per campaign. If you need to send out multiple text campaigns, you must get opt-in consent for each separately.
Opt-Out Consent Standards Under the CTIA
The CTIA requires you to keep to the following guidelines for valid consumer opt-outs:
- Let consumers opt out of receiving messages at any time
- Support multiple opt-out mechanisms, including phone calls, emails, and texts
- Honor consumer opt-out requests by sending a final confirmation to let them know that they've successfully opted out
- Avoid sending any other message after the final confirmation
In practice, you must honor all opt-outs that use the standard "STOP" wording and related terms like "end," "unsubscribe," "quit," "cancel," etc. Moreover, capitalization, punctuation, and similar subtle details should not affect opt-outs.
Maintain and Display a Compliant Privacy Policy
A Privacy Policy is a legal document that summarizes your data processing practices. It specifically describes how you collect, use, store, share, and protect personal information.
According to the CTIA, a Privacy Policy that complies with A2P 10DLC regulations must:
- Be easily accessible through clearly labeled links
- Clearly explain how you collect, use, and share your customers' information
- Be referenced in your message's initial call-to-action
- Be consistent with all applicable privacy laws and your actual business practices
Here's how the CTIA's text presents this:
Importantly, your Privacy Policy must clearly state that you won't sell or share consumers' data (i.e., mobile phone numbers) with third parties or affiliates for marketing purposes. Here's an example of how you can phrase this message:
"We will not share mobile contact information with third parties or affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties."
If you use an online contact form to collect phone numbers, your Privacy Policy must also include opt-in language and explain how customers can opt out of future communications. Here's an example of how you can phrase this:
"By providing your mobile number, you permit us to send you text messages. Please note that standard data rates imposed by your carrier will apply. If at any time you wish to stop receiving text communications from us, simply reply with 'STOP' or 'UNSUBSCRIBE.' Upon receiving your opt-out request, we will immediately stop sending future messages to your number."
Let's see some examples of how this can look in actual Privacy Policies.
Here's how the MoMA Design Store provides all relevant details in a dedicated text message Privacy Policy:
And here's how Alive5 does this in its Privacy Policy:
Montague Agency also addresses A2P 10DLC messaging in its Privacy Policy by clarifying its use cases, consent practices, and message content:
To make your Privacy Policy easily accessible, include links in each and every message you send to customers.
You should also place links in other prominent locations like your registration/sign-up page, email newsletter, app settings/menu, and within other legal agreements like your Terms and Conditions.
Here's how Amazon includes a link to its Privacy Notice on its registration page:
Implement Measures to Prevent Unlawful Messaging Practices
To keep your A2P 10DLC messaging practices compliant, you must work proactively to curb unlawful practices that can expose your business to legal risks.
The CTIA's Messaging Principles and Best Practices recommend staying vigilant against any content that fits these descriptions:
- Harmful, abusive, malicious, misleading, harassing, excessively violent, or defamatory
- Deceives or intends to deceive (like phishing messages designed to access private information)
- Invades privacy or causes safety concerns
- Includes malware
- Causes harm, discrimination, or violence
- Intimidates or threatens consumers
- Does not meet age-gating requirements
The CTIA also encourages businesses to review its Common Short Code Monitoring Handbook and comply with the Federal Trade Commission's (FTC) Truth-In-Advertising rules for well-rounded, legally-sound messaging practices.
What are the Penalties for Violating A2P 10DLC Compliance?
Non-compliance with A2P 10DLC regulations can have serious operational, financial and reputational consequences. As of August 31, 2023, mobile carriers will now fully block all messages from unregistered 10DLC numbers.
But that's just the start. Carriers have also begun announcing other penalties for violating their rules. T-Mobile, for instance, has imposed the following fines for violating its code of conduct:
- A $1,000 pass-through fine for practice like snowshoeing or unauthorized number replacement
- A $10,000 fine per unique instance for repeated content violations
Other mobile carriers will likely follow suit with their own non-compliance penalties to further discourage businesses from unethical messaging practices.
Summary
A2P 10DLC is a relatively new communication standard that allows businesses to send A2P messages from local 10-digit phone numbers. It was designed to improve the U.S. messaging ecosystem by making business communications verified, consensual, and reliable.
A2P 10DLC regulations apply to anyone (both businesses and individuals) who sends text messages from a software application to U.S. phone numbers using 10-digit long codes.
To comply, message senders are required to observe all applicable laws and industry guidelines, particularly:
- The Campaign Registry (TCR) registration requirements
- The Telephone Consumer Protection Act (TCPA) rules on SMS messaging
- The Cellular Telecommunications Industry Association (CTIA) Messaging Principles and Best Practices
- Third-party campaign service providers' rules
Practically speaking, compliance with A2P 10 DLC regulations means observing the following requirements:
- Register your brand and campaign with TCR
- Observe opt-in and opt-out consent standards
- Maintain and conspicuously display a compliant Privacy Policy
- Implement measures to proactively prevent unlawful messaging practices
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.