Understanding FCC TCPA Cannabis SMS Compliance in 2025

The regulatory landscape for SMS marketing in the cannabis and hemp sectors has evolved dramatically in 2025. New rules from the Federal Communications Commission (FCC) governing consumer consent and opt-out requirements demand urgent attention from brands, dispensaries, and technology vendors alike. These changes—specifically the “one-to-one” consent rule and simplified consent revocation requirements—impact everyone using text messaging to reach customers or leads in the United States. Here’s how your business can adapt to remain compliant, competitive, and trusted in this high-risk regulatory environment.

The New Era: FCC's One-to-One Consent Rule (Effective January 27, 2025)

On January 27, 2025, the FCC’s updated TCPA (Telephone Consumer Protection Act) regulations introduced the one-to-one consent rule. Instead of accepting broad lead forms that allow a consumer to be contacted by multiple businesses in a sector with a single click, you now must obtain seller-specific, written consent for each individual brand that wants to contact the consumer by phone or SMS.

• Industry impact: This rule was enacted to crack down on the abuse of generic, bulk lead generation in industries like cannabis, finance, insurance, and more. According to the ActiveProspect guide on the FCC 1:1 consent rule, every brand or seller now requires its own, clear and affirmative opt-in from the consumer.

• Old scenario: One consent checkbox covered dozens of brands—none named.

• New scenario: The consumer must check a box, sign, or provide explicit written (digital) agreement for your specific store or delivery service to send texts.

Key takeaways for cannabis and hemp marketers:

• Each SMS program must prove it received brand-specific, prior written consent before sending any promotional texts.
• Businesses purchasing third-party leads must demand granular evidence (logs, screenshots) showing the consumer consented to your brand by name—not just “one of our partners.”
• Age-gating is essential: Consent forms on landing pages must verify recipients are 21+ (for cannabis) or 18+ (for hemp-derived CBD in some states), and capture robust proof of age during the consent process.

Resources:

• FCC's one-to-one consent rule (PDF)
• Womble Bond Dickinson: FCC Lead Generation Consent Rule

New FCC Consent Revocation Rules (Effective April 11, 2025)

As of April 11, 2025, businesses must offer and honor fast, consumer-friendly ways for recipients to revoke SMS consent or opt-out of campaigns—without obstruction. This means “reply STOP” or similar options are now mandatory, and complicated opt-out flows are prohibited.

What does this mean in practice?

• No hidden steps or forcing consumers to call or email for unsubscribing: A simple reply of “STOP” or a clear unsubscribe link suffices.
• Immediate effect: Opt-out requests should be honored without delay, with best practices recommending action in real time or, at most, within a few days.
• Businesses must update recordkeeping to show when and how a consumer opted out, ensuring no further messages are sent after revocation.

Penalties for violations are steep under TCPA, and class-action suits have targeted businesses unable to prove quick, unencumbered compliance.

Resources:

• FCC Public Notice of Rule
• BCLP: The TCPA's New Opt-Out Rules (April 2025)

Lead Generation: New Consent Provenance Demands

For those acquiring leads or relying on digital lead generation services, the compliance bar is higher than ever. Buying bulk lists or using generic consent language (“our marketplace partners may contact you”) is no longer compliant under FCC rules.

Your obligations include:

• Requesting detailed consent logs from all lead vendors, including timestamped screenshots or electronic records proving each consumer checked a box or signed for your specific business or brand.
• Auditing your existing contact lists to ensure that all prior express written consent records are brand-specific and reflect age verification steps.
• Rejecting any sources (or deleting records) where provenance cannot be fully documented.

Further, you must maintain these records for the statutory period (generally four years) in a secure and easily retrievable format in the event of an FCC investigation or private lawsuit.

Resources:

• How to Obtain Consent Under New Lead Generation Laws (Gryphon.ai)
• Phonexa On Consent Management 2025

Best Practices: Age-Gated, Compliant Landing Pages

Cannabis and hemp operators face additional scrutiny around age eligibility for communications:

• Age-gating is required: Consent forms must require DOB entry and deploy modern age-verification (third-party checks or document uploads, not self-attestation).
• Forms should clearly display each brand the consumer may opt-in to receive texts from, with separate checkboxes for each (multi-brand flows are only compliant if every seller is listed and the customer affirmatively selects every opt-in).
• Store each consumer’s age-verification consent together with their brand-specific opt-in for future defense and audit.

Read more:

• Online Age Verification in 2025

Carrier 10DLC SMS Compliance: Aligning With FCC and State Law

Major U.S. wireless carriers continue to enforce strict vetting of SMS senders under the 10DLC A2P (Application-to-Person) registration system. In 2025, carrier registration is required for all promotional cannabis or hemp marketing campaigns. Carriers may block or filter:

• Non-registered traffic
• Non-age-gated messages
• Content lacking robust documented consent under new one-to-one and revocation standards

10DLC registration also surfaces compliance with both federal TCPA and relevant state privacy laws. Non-compliant SMS traffic risks suspension, fines, and loss of texting privileges.

Resources:

• SMS Marketing for Cannabis and Hemp in 2025: TCPA, 10DLC, and Beyond
• TextMyMainNumber: 2025 Compliance Checklist

Reconciling Federal, Carrier, and State Requirements

Cannabis SMS marketing faces overlapping layers of regulation:

• The federal Telephone Consumer Protection Act (TCPA) governs consent, message content, and recordkeeping
• State privacy laws (like CCPA, CTDPA, CPA, etc.) impose additional requirements for consumer data processing and disclosure
• Carrier 10DLC policies require alignment with both, plus specific vetting and age controls for content

Businesses must design their consent capture and communication flows to satisfy the most stringent of these standards. That typically means:

• No implied or blanket consent for promotional SMS
• Explicit, brand-named, age-verified written consent
• Simple, unobstructed opt-out at any time
• Robust consent provenance and retention practices

Implementation Strategies for Cannabis and Hemp SMS Programs

1. Redesign Consent Capture

• Use separate checkboxes for each brand or product line; require active selection and age upload/verification.
• Provide clear opt-in language (“I consent to receive SMS marketing from [Brand],” including required TCPA disclosures).

2. Document Everything

• Archive consent logs, screenshots, submission records, and age verification events.
• Ensure every marketing text sent can be traced to a precise, auditable consent event.

3. Supercharge Opt-Out

• Programmatically process all STOP/unsubscribe/reply opt-outs instantly.
• Remove opted-out consumers from all brand communications within required timeframes.

4. Train Staff & Vendors

• Train marketing staff, CRM vendors, and SMS providers on new compliance standards.
• Regularly audit all SMS traffic and lead sources for conformance.

5. Consult Compliance Resources

• Use reliable platforms such as CannabisRegulations.ai for up-to-date regulatory tracking and workflow guidance.

Enforcement, Risk & Penalties

Enforcement is ramping up as consumers become more aware of their rights and class action law firms target non-compliant cannabis, hemp, and lead-gen marketers. Fines for TCPA violations can exceed $500 per message—and may be trebled for willful misconduct.

• Carriers increasingly filter or block non-compliant messages, risking list and revenue loss in an instant.
• Failure to honor new consent or opt-out rules exposes brands to costly private lawsuits and regulatory action.
• State AGs may piggyback on TCPA actions to assert violations of state privacy statutes.

Key Takeaways for 2025

• Consent must be specific, brand-named, documented, and age-gated: Blanket/bulk/multi-brand consents are no longer sufficient.
• Opt-out must be easy and honored immediately: “Reply STOP” is the gold standard.
• Carrier 10DLC registration is mandatory (and non-compliance means filtering/blocks).
• Audit lead sources: Demand full consent provenance from any third-party data vendor.
• Align federal FCC, state, and carrier policies to stay ahead of enforcement and litigation risks.

To navigate the evolving environment and access live regulatory updates, checklists, and compliance workflows, turn to CannabisRegulations.ai—your partner for cannabis industry regulatory success.