Why SMS Compliance Cost More Than Most Founders Expected

Email is regulated. Push notifications have rules. But SMS is different in a way most founders don’t anticipate until they’re three years in.

SMS is governed by the Telephone Consumer Protection Act — a 30-year-old law designed when robocalls were the threat. It carries penalties of $1,500 per message sent in violation. Not per campaign. Per message.

Alex Beller, CEO of Postscript, built his company on SMS. And he regrets not fully accounting for the compliance machinery it requires.

The TCPA Penalty Structure

The TCPA is not a gentle regulation. It’s a strict-liability framework that treats SMS marketing like a regulated utility. Every message sent must be:

• Sent to customers who explicitly opted in with documented consent
• Sent during hours when SMS isn’t considered intrusive (restrictions vary by recipient timezone)
• Compliant with the specific opt-out language the law mandates
• Sent by a carrier and sender ID that’s registered correctly

Violate any of these, and the penalty is $1,500 per message, multiplied by the number of messages sent in the campaign. Send 100,000 messages in violation? That’s $150 million in statutory damages.

“There’s a big industry of lawyers who are full-time plaintiffs in SMS,” Alex explains. “And they just send out demand letters all day long trying to catch brands up in lawsuits.”

This isn’t hypothetical. It’s the dominant enforcement mechanism of the TCPA. Class action law firms specialize in TCPA claims. They’re systematically scanning brands for compliance failures.

Why Compliance Eats More Resources Than Expected

Most email marketers think of compliance as a checkbox: have a unsubscribe link, honor opt-outs. SMS is an order of magnitude more complex.

Postscript has built a “large compliance operation that is its own beast,” Alex says. The operational requirements include:

• Building and maintaining an auditable, compliant opted-in customer list (not just a database of phone numbers)
• Ensuring proper consent documentation for each opt-in (not a pre-checked box; affirmative, documented consent)
• Validating sender ID registration with carriers
• Managing timezone-based sending restrictions
• Implementing automated opt-out processing with specific messaging language
• Auditing campaigns pre-send to catch violations before they ship
• Monitoring for bad actor customers who use the platform to send illegal messages

None of this is intuitive. Email platforms can often get away with loose consent management. SMS platforms can’t. The liability structure forces them to build compliance as a core operational function, not an afterthought.

The Customer-Side Compliance Problem

This is the hidden burden on Postscript’s customers. Brands want to run conversational commerce at scale. But if they’re not compliant with TCPA from day one, they’re exposing themselves to lawsuit.

So Postscript has to educate every customer on:

• What “proper consent” means (it’s not what they think)
• How to build a compliant opted-in list
• What they can and can’t say in messages
• When they can send
• What happens if they don’t comply

This turns Postscript’s sales and support teams into de facto legal advisors. And if a customer ignores the guidance and sends illegal messages using Postscript’s platform, there’s a secondary liability question: is Postscript also liable?

This is why large SMS platforms employ full legal teams. They’re not just protecting themselves; they’re protecting customers from liabilities they don’t understand.

The Strategic Constraint

Knowing what Alex knows now, would he still start Postscript?

“I think if we knew all about that before starting Postscript, we probably would have thought twice before getting into SMS.”

That’s a striking admission. He built a $636M company in SMS. But the compliance machinery adds permanent friction to the business — operational cost, customer education burden, legal overhead.

SMS wins because it’s the highest-engagement channel (3x open rates of email), and it integrates natively with Shopify. But the TCPA makes it a lower-margin, higher-friction business than email. That’s the tradeoff most SMS platforms don’t advertise.

What This Means for Conversational Commerce

When Postscript deploys AI agents to send SMS at scale, every message is a compliance decision, not just a conversion decision. You can’t optimize purely for engagement or sales. You have to optimize within the constraints of TCPA.

That’s why brand center exists — to ensure the AI doesn’t discover that aggressive tactics or false claims drive conversions and optimize toward them, because doing so would violate compliance requirements.

It’s also why supervisor agents validate every message before it ships. In email, you might tolerate a few bad outputs from the AI. In SMS, a bad output costs $1,500 per instance and opens the company to regulatory enforcement.

FAQ

What is the penalty for sending one uncompliant SMS message?

$1,500 per message. There’s no per-campaign threshold. If a brand sends 10,000 messages in violation of TCPA, the damages are $15 million. This is why compliance automation is critical.

How do customers prove they have proper consent under TCPA?

TCPA requires affirmative, documented consent — typically via an opt-in form where the customer explicitly checks a box or replies “YES” to a message. Pre-checked boxes don’t count. The consent must be recorded and retrievable.

Can brands send SMS to customer phone numbers they collected in-store or by phone call?

Not without documented prior express written consent. The consent must be connected to the specific phone number and the SMS channel. Just because you have a customer’s phone number doesn’t mean you have permission to text them.

What time of day can brands send SMS?

TCPA restricts calling between 8 PM and 8 AM in the recipient’s timezone. SMS falls under these restrictions. Brands need to know customer timezones and send accordingly, or risk violations.

How do supervisor agents prevent TCPA violations?

They validate message content before sending. They check for false claims, verify links and product information, and block messages that violate brand guidelines or include compliance red flags. They don’t catch all violations (timing violations require external coordination), but they catch content-based risks.

Is TCPA the reason SMS platforms charge more than email platforms?

Partly. SMS has higher engagement, so higher unit value. But compliance overhead also increases operating costs — legal staff, validation systems, customer education, audit overhead. Most SMS platforms price to reflect this operational weight.

What happens if a Postscript customer sends illegal SMS and gets sued?

Postscript has Safe Harbor provisions in their terms of service. They provide compliance tools and guidance. But if a customer ignores it and sends illegal messages, the customer is primarily liable. However, Postscript’s documentation of compliance education is crucial to limiting secondary liability exposure.

Do SMS marketing platforms monitor their customers’ compliance, or is it the brand’s responsibility?

Both. Postscript educates customers and provides tooling. But ultimately, the brand sending the message is liable under TCPA. Postscript can’t prevent a determined bad actor from misusing the platform, but they can make compliance easy for good-faith actors.

Is SMS compliance automation expensive to build?

Yes. It requires legal expertise, carrier integrations, timezone management, consent tracking, and audit systems. This is why most SMS platforms are relatively mature, capital-intensive businesses, not easy-to-build startups.