An agency owner signs off on an SMS outreach campaign and assumes one thing protects them: they are texting other businesses, not consumers, so consumer-protection law does not apply. That assumption comes up constantly in vendor calls, and it is wrong on the exact point that carries the financial risk. The Telephone Consumer Protection Act does not carve out an exception for business-to-business text messages sent to a wireless number.
This post walks through where federal TCPA rules actually bind B2B SMS outreach, what the growing list of state "mini-TCPA" laws stacks on top, what a violation costs in real statutory damages, and the specific questions to put in writing before any vendor texts a single prospect under your agency's name.
One note before any of that: this is not legal advice. TCPA law is dense, the state overlays shift often, and the honest answer to most edge cases is "it depends on the exact fact pattern." Treat this as the map that tells you which questions to bring to a telecommunications attorney, and which vendor answers should worry you before you get that far.
Not legal advice. This article is educational only. TCPA and state mini-TCPA law change frequently and turn on specific facts (consent language, the technology used, the state a number is registered in). Consult a qualified telecommunications attorney before launching or approving any SMS outreach campaign.
Why "It's B2B" Doesn't Get You Out of the TCPA
The confusion has a real source. The FTC's Telemarketing Sales Rule does exempt most business-to-business calls from its coverage, so a pitch from one company to another can sidestep that particular rulebook. But the FTC's rule and the TCPA are two different statutes enforced by two different federal agencies, and the FCC does not extend a matching exemption to text messages. B2B calls and texts sent to a wireless number are subject to the same TCPA restrictions on autodialed and prerecorded outreach as consumer texts.
Consent, not who is on the other end of the line, is what determines whether a text is compliant. Even a business-owned cell phone, and even one the owner has posted publicly on a website or directory listing, still needs the outreach to clear the TCPA's consent bar before an autodialed or prerecorded text can legally land on it. Publishing a number is not the same as consenting to receive marketing texts at it.
What Federal Law Actually Requires
Two consent standards do most of the work under federal TCPA rules, and the difference between them matters more than almost anything else in this post.
The strictest bar, prior express written consent, a documented, signed or digitally confirmed opt-in, applies to marketing messages sent using an "automatic telephone dialing system" (an ATDS) or a prerecorded voice to a wireless number. Purely informational texts, ones that are not selling anything, can rely on the lighter "prior express consent" standard, satisfied once the recipient has already given a business the number for that purpose.
The legal definition of an autodialer narrowed considerably in 2021, when the Supreme Court ruled in Facebook, Inc. v. Duguid that a system only qualifies as an ATDS under the TCPA if it stores or produces phone numbers using a random or sequential number generator. A platform that simply dials down a fixed, already-collected list, the kind most appointment-setting vendors use, can arguably fall outside that narrower definition.
That narrowing has not made B2B SMS outreach safe by default, for two reasons. First, courts are still working out exactly which modern sending platforms clear the Duguid bar, and several have found that dialing software with list-management and auto-pacing features still qualifies as an ATDS depending on how it is built. Second, an existing business relationship or a publicly available number provides, at most, limited flexibility. Neither one overrides the underlying consent requirement for outreach to a mobile number on its own. The safest working assumption for a volume SMS campaign is the same one that applied before Duguid: treat prior express written consent as the baseline you require from any vendor, not the exception you hope a court grants you later.
What generally needs the strict written-consent standard
- Marketing or sales texts sent through a platform that auto-sends to a stored contact list
- Any text campaign run at volume through dialer or SMS software with pacing or list-management features
- Outreach to a number with no prior relationship or documented opt-in on file
What sits in narrower, more defensible territory
- Purely manual, one-at-a-time texts sent by a person, with no automated dialing component
- Informational (non-marketing) texts sent to a number that already gave consent for that specific purpose
- Replies inside a conversation the prospect actively started
Where State "Mini-TCPA" Law Adds a Second Layer
At least a dozen states have passed their own telemarketing statutes since 2021, several written specifically to close gaps that plaintiffs' firms saw open up after Duguid narrowed the federal ATDS definition. Some of these state laws define an autodialer far more broadly than the federal post-Duguid standard, and several add a private right of action, meaning an individual recipient (not just a state regulator) can sue directly.
| Law | Statutory penalty | Private right of action | Texting window |
|---|---|---|---|
| Federal TCPA | $500 (negligent) / $1,500 (willful) per message | Yes | 8am to 9pm recipient local time |
| Florida FTSA | $500 (negligent) / $1,500 (willful) per message | Yes | 8am to 8pm |
| Oklahoma OTSA | $500 (negligent) / $1,500 (willful) per message | Yes | 8am to 8pm |
| Texas SB 140 | Up to $5,000 per violation | Yes | State-specific rules apply |
| Maryland | Up to $1,000 ($5,000 for subsequent violations) | Yes | 9am to 8pm |
| Washington | $100 plus attorneys' fees | Yes | State-specific rules apply |
| New York | Up to $11,000 per violation | No (state enforcement only) | State-specific rules apply |
Penalty and texting-window figures compiled from a 2026 mini-TCPA compliance summary written for insurance agencies. Federal statutory damages independently corroborated by TCPA plaintiff-side legal counsel. Florida, Oklahoma, and Maryland also cap outreach attempts at roughly three per recipient within any 24-hour period, tighter than the federal law, which sets no per-recipient daily cap.
The practical effect for an agency that prospects across more than one state: you have to comply with whichever rule is strictest for wherever a given prospect's number is registered, not just the federal floor. A campaign built to satisfy only the federal 8am to 9pm window, for example, would still violate Florida's or Oklahoma's tighter 8am to 8pm cutoff on any number in those states.
What a Violation Actually Costs
Federal TCPA violations carry statutory damages of $500 per message for a negligent violation, rising to as much as $1,500 per message for a willful or knowing one. There is no cap on the number of violations a plaintiff can claim, and a recipient does not have to prove actual monetary harm, the statutory amount is available simply by showing an unauthorized text was sent.
The scale compounds fast at SMS volume. A single campaign of 10,000 non-compliant text messages can generate exposure of $5 million to $15 million once the per-message multiplier is applied. Most TCPA plaintiffs' attorneys work on contingency, which makes even a modest-sized non-compliant campaign an economically attractive target, and state mini-TCPA penalties, several of them shown in the table above, stack on top of the federal exposure rather than replacing it.
For a commercial insurance agency, the practical risk is not that a single stray text triggers a lawsuit. It is that a vendor running an entire campaign on bad consent practices, or without any state-by-state calling-window logic, exposes the agency to that per-message multiplier across the full list, all at once, and the agency's name is the one on the message the recipient received.
Six Questions to Put in Writing Before an SMS Vendor Texts Under Your Name
Before any SMS-based appointment-setting vendor sends a single message on your agency's behalf, get written answers to these six questions. A vendor that cannot answer clearly is asking you to absorb their compliance risk under your own name.
- How and where is consent captured and stored? Ask to see the actual consent record format, timestamp, and source, not just a verbal assurance that "it's all opted in."
- What technology sends the message? If the platform can automatically dial or select numbers from a stored list, the safer approach is to require prior express written consent as the baseline regardless of where the post-Duguid case law currently sits.
- Are opt-outs processed immediately and permanently? A "STOP" reply should remove the number from every future campaign the vendor runs, not just the one that triggered it.
- Do they scrub against federal and state Do Not Call registries before every send? This should happen on every campaign, not as a one-time setup step.
- What hours do they text in, and does that adjust per state? A vendor using one national default window is very likely violating Florida's, Oklahoma's, or Maryland's tighter cutoffs on numbers registered in those states.
- Who is contractually liable if a complaint or demand letter follows? Get indemnification language in writing before the first text goes out, not after the first complaint arrives.
These are the same six categories worth running through the rest of a vendor's contract too. Our full pre-contract checklist covers the broader vetting process, qualification standards, replacement policy, and pilot structure, in how to vet a pay-per-appointment vendor without getting burned.
What this means for you
- There is no B2B exemption from the TCPA for texts to a wireless number. Consent is what determines compliance, not who the recipient is.
- Statutory damages run $500 to $1,500 per message federally, with no cap, and several states layer their own penalties and stricter rules on top.
- Get consent capture, opt-out handling, DNC scrubbing, texting-hour logic, and liability language from any SMS vendor in writing before the first campaign launches under your agency's name.
