This guide is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business and jurisdiction.
SMS is one of the highest-ROI marketing channels available to independent restaurants. But getting it wrong legally isn’t just a fine — it’s a $500 to $1,500 per-message problem that can escalate into a class-action lawsuit before you’ve sent your second campaign.
The good news: the rules are straightforward once you understand them. In our work with New York restaurant owners, we’ve found that most compliance questions come down to three concerns — how to collect phone numbers properly, what must go in every text, and how to handle customers who want to stop receiving messages. This guide answers all three, plus covers the 10DLC registration requirement that trips up many small business owners in 2025.
Key Takeaways
- Prior express written consent is required before sending any promotional SMS — past purchases alone don’t count as consent.
- Every marketing text must include your restaurant’s name, the offer, and an opt-out instruction (e.g., “Reply STOP”).
- 10DLC registration is now mandatory for US businesses sending automated texts — unregistered messages are blocked by carriers.
- Opt-out requests must be honored within 24 hours, and records must be kept for at least four years.
- Time restrictions apply: no texts before 8 a.m. or after 9 p.m. in the recipient’s local time zone.
- The National Do Not Call Registry applies to SMS — you must scrub your list against it.
What Is the TCPA and Why Should Restaurant Owners Care?
The Telephone Consumer Protection Act (TCPA) is the federal law that governs how businesses can contact customers by phone and text. Enacted in 1991 and enforced by the Federal Communications Commission (FCC), it was originally written for telemarketing calls — but courts and regulators have consistently applied it to SMS marketing as well.
The Basic Rule for Promotional Texts
Under the TCPA, sending promotional SMS messages requires prior express written consent from the recipient. “Written” in this context includes digital equivalents — a checked box on a digital form or a keyword reply counts. What does not count: someone handing you their business card, a customer mentioning their phone number in passing, or placing an online order without a separate SMS opt-in step.
The FCC has consistently interpreted the TCPA broadly when it comes to marketing. As compliance attorneys explain, “basically, anything that’s not purely informational is considered potentially marketing” under the TCPA’s framework — which means even a text asking for a Google review may require written consent.
Transactional vs. Promotional: The Key Distinction
Not all restaurant texts require the same level of consent. Transactional messages — order confirmations, pickup notifications, reservation reminders — do not require express written consent, because they relate to a transaction the customer already initiated. Promotional messages — discount offers, new menu announcements, loyalty points reminders, re-engagement campaigns — always require prior express written consent before you can send them.
A practical rule: if the message benefits you (drives revenue, builds brand awareness), it’s promotional and needs consent. If the message purely informs the customer about their existing order or reservation, it’s transactional.
Penalties for Getting It Wrong
TCPA violations carry fines of $500 to $1,500 per message sent without proper consent. Because class-action lawsuits are permitted under the TCPA — meaning a single non-compliant campaign sent to hundreds of customers can result in combined liability in the millions — this isn’t a theoretical risk. In a documented settlement, DSW Shoe Warehouse paid over $4.4 million for sending marketing texts to customers who had opted out. Uber paid $20 million in 2017 for similar violations.
How to Collect Phone Numbers Legally
Building a compliant SMS list means collecting prior express written consent before sending any promotional message. For restaurants, there are several practical touchpoints where this is easy to do without friction.
What Valid Consent Looks Like
Valid written consent under the TCPA has four components: (1) the customer takes a clear affirmative action — an unchecked box they choose to check, a keyword they text in, or a form they submit; (2) they’re informed they’ll receive automated marketing messages; (3) they know who is sending the messages; and (4) they’re told that consent isn’t required to make a purchase.
A compliant opt-in disclosure looks like this:
“By providing your phone number and checking this box, you agree to receive recurring automated promotional text messages from [Restaurant Name] at the number provided. Consent is not a condition of purchase. Message & data rates may apply. Reply STOP to unsubscribe.”
Pre-checked boxes and passive opt-ins are not valid under the TCPA — every consent must be an explicit, affirmative action by the customer.
Where to Collect Opt-Ins in a Restaurant
| Opt-In Method | How It Works | Best For |
|---|---|---|
| Keyword opt-in | Post signage: “Text DEALS to 555-0100 for weekly specials.” Customer texts keyword → receives confirmation text to double-confirm. | In-store, table tents, takeout bags, windows |
| QR code + web form | QR on receipt or counter → mobile form with unchecked SMS consent checkbox and required disclosure language. | Receipts, counter displays, packaging |
| Online ordering checkout | Optional, separate checkbox at checkout — never bundled with order confirmation. Disclosure must be visible on the same page. | Your own website ordering flow |
| Loyalty program enrollment | Phone number + SMS consent as part of loyalty sign-up — consent must be separate from the loyalty enrollment itself. | Loyalty programs, reward cards |
| Reservation / waitlist form | Add an optional SMS marketing checkbox alongside transactional confirmation — clearly labeled, unchecked by default. | Table reservations, call-ahead waitlist |
Double opt-in — where the customer texts a keyword and then replies YES to a confirmation text — is considered best practice because it creates a clear digital record of consent. For restaurants, this also means your list contains only genuinely interested customers, which keeps unsubscribe rates low.
One thing that cannot be done: purchasing a list of phone numbers and texting them. Buying telephone numbers violates both the ethics of SMS marketing and the legal consent requirements under TCPA — every contact must have individually given you permission.
What Every Marketing Text Must Include
Even with proper consent, each promotional text you send must meet certain content requirements. Missing any of them can void your compliance even on an otherwise legitimate list.
Required Elements in Every Promotional SMS
Under TCPA and CTIA guidelines, every marketing text must contain:
- Your restaurant’s name — recipients must know immediately who is texting them
- The offer or reason for the message — the message must state what you’re communicating
- An opt-out instruction — typically “Reply STOP to unsubscribe” or “Reply STOP to opt out”
- A help instruction or contact reference — often “Reply HELP for help” or a phone number
A compliant promotional text looks like this:
Golden Dragon: 🦞 Lobster Special — $28 tonight only, dine-in or takeout. Order: goldendraganny.com/order. Reply STOP to unsubscribe.
Timing Restrictions
The TCPA prohibits sending marketing texts before 8 a.m. or after 9 p.m. in the recipient’s local time zone. For a New York restaurant whose customers are all local, this is easy to manage — simply don’t schedule sends outside those hours. For restaurants with customers in multiple time zones, your SMS platform should handle automatic time zone compliance.
Some states impose additional timing restrictions, including blackout periods on certain holidays. New York does not currently have its own separate “mini-TCPA” with stricter timing rules, but federal 8 a.m.–9 p.m. restrictions are non-negotiable.
The 10DLC Requirement: What It Is and Why It Matters
This is the compliance topic that catches the most restaurant owners off guard in 2025. If you’re sending automated marketing texts from a standard 10-digit business phone number, you are legally required to register that number under the 10DLC framework.
What 10DLC Means
10DLC stands for “10-digit long code” — essentially, a regular-looking phone number like (212) 555-0100 used for business texting. Since February 1, 2025, all US businesses sending SMS or MMS messages via standard 10-digit numbers must be registered through The Campaign Registry (TCR). Messages sent from unregistered numbers are blocked by carriers like AT&T, Verizon, and T-Mobile — they simply don’t arrive.
Registration involves two steps: brand registration (verifying your business identity using your EIN and website) and campaign registration (describing your SMS use case and submitting sample messages). Campaign approval typically takes 5 to 30 business days, so plan accordingly before launching any SMS campaign.
What Information You Need to Register
To complete 10DLC registration, you’ll need your business’s legal name, EIN (Employer Identification Number), business address, a public-facing website URL, contact information, a description of your SMS use case, and 2–3 sample messages that accurately reflect the texts you plan to send. You’ll also need links to your SMS privacy policy and terms and conditions, both of which should be accessible on your website.
For most independent restaurants, the process is handled through an SMS platform (like Textedly, EZTexting, or similar) that acts as a Campaign Service Provider (CSP) and submits registration on your behalf. Your platform’s support team can walk you through it.
Handling Opt-Outs: Your Legal Obligations
Once a customer asks to stop receiving texts, your obligations are immediate and specific.
The STOP Keyword and Opt-Out Processing
Opt-out requests must be processed within 24 hours, and consumers must be able to opt out using a single keyword — “STOP” — without needing to take any additional action. You cannot require them to click a link, visit a page, or call to confirm. Once they reply STOP, they are off your list. You may send one final confirmation text acknowledging their unsubscribe, but that confirmation text must not contain any promotional content.
The FCC’s April 2025 opt-out rule update expanded the types of opt-out signals businesses must recognize. While carriers were given additional time to implement the universal revocation component (now pushed to January 2027), the core requirement — honor STOP requests immediately — remains firmly in effect.
Record-Keeping Requirements
Opt-out records must be retained for at least four years, which is the TCPA’s statute of limitations. Your records should show who opted in (with timestamp and method), who opted out (with timestamp), and what messages were sent. Most SMS platforms maintain these records automatically — but it’s worth confirming with your provider that logs are being stored.
The National Do Not Call Registry
The National Do Not Call (DNC) Registry applies to SMS marketing, not just phone calls. Courts have generally held that text messages qualify as “calls” under the TCPA for Do-Not-Call purposes, meaning numbers on the DNC Registry should not receive unsolicited marketing texts. Most reputable SMS platforms include automatic DNC scrubbing, but if yours doesn’t, you should manually verify your list against the registry before each campaign.
State Laws: What New York Restaurant Owners Should Know
Federal TCPA compliance is the floor, not the ceiling. State laws can impose additional requirements beyond federal regulations, and businesses must comply with both. New York does not currently have a standalone “mini-TCPA” that imposes separate consent requirements for SMS marketing, but this landscape continues to evolve.
For restaurants in New York, the federal TCPA framework covers the core requirements. The most important practical step is using a reputable SMS platform that keeps compliance infrastructure — DNC scrubbing, opt-out processing, 10DLC registration, and timestamp logging — up to date automatically.
How AI Phone Systems Interact with TCPA
For restaurants using AI phone answering systems, the FCC issued a declaratory ruling in February 2024 confirming that AI-generated voices fall under the TCPA. Restaurants using AI voice systems for outbound calls must obtain either prior express consent or prior express written consent before placing AI-generated calls, depending on whether the call is informational or promotional.
Inbound AI phone systems — where the customer calls the restaurant and an AI answers — are a different story. When the customer initiates the call, the restaurant is not placing an outbound automated call, so the TCPA consent requirements for outbound calling don’t apply to standard AI call-answering. What does apply is any SMS follow-up the restaurant sends after that call — those still require prior written consent before sending promotional content.
Tunvo’s AI voice agent handles inbound calls — customers call your restaurant and the AI answers. This is fundamentally different from outbound robocalls, which carry stricter TCPA requirements. If you want to follow up with callers via SMS promotions, that’s a separate opt-in step that needs to happen explicitly. Learn more about how Tunvo handles inbound calls at tunvo.ai/about.
Practical Compliance Checklist for Restaurant SMS Marketing
| Checklist Item | Status |
|---|---|
| Prior express written consent collected from every contact | ☐ Not started ☐ In progress ☐ Done |
| Opt-in disclosure language includes: who is texting, message type, frequency, opt-out instruction, “consent not required to purchase” | ☐ Not started ☐ In progress ☐ Done |
| 10DLC brand and campaign registration completed through SMS platform | ☐ Not started ☐ In progress ☐ Done |
| SMS privacy policy and terms published on website | ☐ Not started ☐ In progress ☐ Done |
| Every marketing text includes restaurant name + opt-out instruction | ☐ Not started ☐ In progress ☐ Done |
| Texts scheduled between 8 a.m. and 9 p.m. local time only | ☐ Not started ☐ In progress ☐ Done |
| STOP requests honored within 24 hours, no further promotional texts sent | ☐ Not started ☐ In progress ☐ Done |
| Opt-in and opt-out records retained for minimum 4 years | ☐ Not started ☐ In progress ☐ Done |
| List scrubbed against National Do Not Call Registry | ☐ Not started ☐ In progress ☐ Done |
| No purchased phone number lists in use | ☐ Not started ☐ In progress ☐ Done |
Frequently Asked Questions
Can I text customers who ordered from me in the past?
No — not without their explicit written consent to receive marketing texts. A past purchase does not constitute consent under the TCPA. You need to collect a separate opt-in for promotional SMS specifically, even from existing customers. Transactional texts about their current order (confirmation, pickup notification) don’t require written consent, but promotional texts always do.
Do I need a lawyer to set up restaurant SMS marketing?
For most independent restaurants running straightforward promotional campaigns, the steps in this guide — combined with a reputable SMS platform that handles 10DLC registration and opt-out processing — are a solid foundation. That said, TCPA litigation is active and the regulatory landscape does shift. If you’re unsure about your specific consent collection methods or are building a high-volume campaign, consulting a TCPA-experienced attorney is worth the cost versus the potential exposure.
What happens if a customer complains about my texts?
Under the TCPA, consumers have a private right of action — they can sue directly without involving a regulator. A single consumer complaint rarely escalates to litigation, but if you receive a complaint, the right response is to honor the opt-out immediately, check your consent records, and stop sending. If you can’t confirm you had written consent, stop sending to that number regardless. Document everything.
Is it true the TCPA one-to-one consent rule was overturned?
Yes — in January 2025, the 11th Circuit Court of Appeals vacated the FCC’s one-to-one consent rule, which would have required separate written consent for each individual seller. The core requirement of prior express written consent before sending promotional texts remains fully in effect; what changed is that you’re no longer required to meet the stricter “one seller per consent” standard that was briefly in play. The FCC has indicated it may revisit this, so monitoring developments remains advisable.
What’s the difference between a short code and a 10DLC number for restaurant texting?
Short codes are 5–6 digit numbers (like 55500) used for very high-volume campaigns — they’re expensive (starting around $1,000/month) and typically used by large chains. 10DLC numbers are standard 10-digit local numbers, which feel more personal and cost far less. For most independent restaurants, 10DLC is the right choice. Since February 2025, 10DLC registration is mandatory for all US businesses sending automated texts from local numbers — your SMS platform handles the registration process.
Every missed call is also a missed chance to grow your SMS list. Tunvo’s AI voice agent answers every inbound call and can be configured to mention your SMS loyalty program to callers — capturing opt-ins at the moment of highest intent. See pricing or book a demo to see it in action.
