Start here: are you covered at all?
SB 140 applies if you send marketing communications — including voice calls, SMS, and MMS — to Texas residents or to Texas phone numbers. The law does not have a small-business exemption, a volume threshold, or a "we're just a startup" carve-out. If you're sending marketing messages to Texas at any volume, you're potentially covered.
Three categories of business are most exposed:
- Direct-to-consumer brands running promotional SMS campaigns to a Texas audience.
- Lead-gen and acquisition marketers texting cold lists, purchased lists, or lists obtained through co-registration.
- Out-of-state telemarketers who included Texas in their target geography without specific Texas-compliance review.
The November 2025 settlement: who gets the carve-out
The key change
Under the November 2025 settlement framework, businesses running genuine, documented opt-in SMS programs are effectively exempt from Chapter 302's registration and bonding requirements. This dramatically reduced the compliance burden for legitimate marketers but did not eliminate it — and it doesn't apply to anyone whose opt-in practices don't meet the standard.
To qualify for the opt-in exemption, your consent practices generally need to meet all of the following:
- Specific to your brand. Consent transferred from a list partner, lead-gen source, or unrelated business relationship typically doesn't qualify. The consumer must have opted in to receive marketing from you, by name.
- Documented and producible. You must be able to produce the consent record — the opt-in mechanism, the date/time, the IP or source, and the language presented to the consumer — if challenged. "We're sure they opted in" doesn't survive litigation.
- Specific to marketing. Consent for transactional messages (delivery alerts, appointment reminders, two-factor codes) does not automatically extend to marketing.
- Clear and unambiguous. Pre-checked boxes, consent buried in terms-of-service language, and "if you don't unsubscribe within 30 days you've consented" language do not meet the standard.
- Honored on opt-out. Once a consumer opts out, your exemption doesn't cover further messages to that consumer. Opt-out processes must work and must be timely.
If your consent practices don't meet all five tests, your messages are likely still subject to Chapter 302's registration and bonding requirements — and to private DTPA actions if a consumer believes they didn't consent.
What's required if you're not in the carve-out
Registration with the Texas Secretary of State
Businesses subject to Chapter 302 must register with the Texas Secretary of State as a "telephone solicitor." Registration involves:
- A $200 annual registration fee.
- Disclosure of the names, addresses, and roles of the individuals operating the telemarketing program.
- Disclosure of the products or services being marketed.
- Quarterly reporting on solicitation activity.
- Maintenance of records sufficient to demonstrate compliance.
The $10,000 bond or security
Registered telephone solicitors must post a $10,000 bond, letter of credit, or other security with the Secretary of State. The security is payable to the State of Texas in the event of violations and remains in place for as long as registration is active. Surety bonds for this purpose are available from licensed Texas surety providers; annual premiums typically range from $100 to $1,000 depending on credit quality.
Time-of-day restrictions
Marketing texts to Texas numbers may only be sent during the following windows in Central time:
- Monday through Saturday: 9:00 AM to 9:00 PM
- Sunday: noon to 9:00 PM
These restrictions apply regardless of opt-in status. Even a business with valid opt-in cannot send marketing texts outside these hours. Automated campaigns scheduled in UTC or in another time zone must be carefully configured to respect Central time boundaries.
Texas No-Call list scrubbing
Numbers on the Texas No-Call list cannot be marketed to by SMS or voice. Lists must be scrubbed against the Texas No-Call registry before each campaign.
Sender identification
Marketing texts must include identifying information so recipients can determine who sent the message. This typically means including your business name in the message body, especially when sending from a number or short code that isn't itself identifying.
Penalties for non-compliance
The risk side of the equation has three layers:
- Civil penalties up to $5,000 per violation, enforced by the Texas Attorney General. Each unlawful message is a separate violation.
- Private actions under the Texas DTPA, with recovery available for actual damages, treble damages for knowing violations, and attorney's fees. The DTPA's plaintiff-friendly fee-shifting has produced a meaningful plaintiff bar focused on SB 140 since the law took effect.
- Successive recoveries: a single consumer who receives multiple unlawful texts can pursue multiple separate claims rather than being limited to consolidated relief.
Class actions and aggregated individual actions began appearing in Texas courts within weeks of SB 140's September 2025 effective date and continue to be filed in 2026.
A compliance checklist
Use this to audit your program
A minimum-viable compliance review covers consent quality, operational controls, vendor management, and incident response. The following items are the practical baseline; specific situations may require more.
- Audit your opt-in mechanism. Is consent specific to your brand, documented with timestamp and source, and clear about what consumers are signing up for? Can you produce the record on demand?
- Separate marketing from transactional. Consent for transactional SMS doesn't extend to marketing. If you mix both, your marketing messages need their own consent.
- Time-zone your sends. Configure your SMS platform or workflow to respect Central time windows for Texas numbers. Don't rely on UTC-based scheduling.
- Scrub against the Texas No-Call list. Add this to your pre-send checklist and document each scrub.
- Honor opt-outs immediately and across channels. A STOP reply should propagate to all marketing systems within minutes, not days.
- Identify yourself in the message. Include your brand name in the body, especially for non-identifying sending numbers.
- Review vendor and partner practices. If a third party sends on your behalf, their compliance failures are your liability. Contracts should include compliance reps and warranties.
- Document the registration question. If you're claiming the opt-in carve-out, document the legal analysis supporting that conclusion. If you're registering, do so before sending.
- Train your team. The most common compliance failures come from operational shortcuts (testing on real numbers, ad-hoc campaigns, marketing-via-transactional-channel). Training is cheaper than litigation.
- Plan for incident response. If a violation occurs, having a documented process for opt-out, internal escalation, and outside-counsel engagement reduces downstream exposure.
Frequently asked compliance questions
We only send to customers who bought from us — do we need to register?
Probably not, if your purchase flow included specific, documented marketing-SMS opt-in at the time of purchase. But "they're our customers" is not itself consent to marketing texts under SB 140. Many businesses discover during audit that their checkout flow doesn't include the explicit marketing opt-in the law requires.
What if we don't know whether a number is Texas?
Texas area code or Texas-resident status triggers the law. Most businesses default to applying SB 140 rules to any phone number where Texas residency is uncertain. The cost of compliance is low; the cost of accidental violation is not.
Does the federal TCPA preempt SB 140?
No. State mini-TCPAs like SB 140 operate independently of and alongside the federal TCPA. A single violation can produce liability under both regimes. After the U.S. Supreme Court's June 2025 McLaughlin decision created new uncertainty around federal TCPA enforcement, state mini-TCPAs have become relatively more important.
What about MMS — same rules?
Yes. SB 140's definition of "telephone solicitation" includes text messages, multimedia messages (MMS), images, and similar electronic communications when used to solicit a sale or claim.
How long does Secretary of State registration take?
Standard processing is typically a few weeks. The Secretary of State publishes processing-time estimates on its website. Plan registration well in advance of any planned launch.
Are there other state mini-TCPAs we need to think about?
Yes — Florida (FTSA), Washington (CEMA), Oklahoma (TCPA), and Maryland have their own state-level rules, each with different specifics. A multi-state SMS marketing program needs jurisdiction-by-jurisdiction analysis. Texas is currently the most actively enforced state mini-TCPA, which is why it has driven much of the 2025–2026 compliance conversation.
Official Texas resources
Where to file and verify
- Texas Secretary of State — Telephone Solicitor Registration: sos.state.tx.us
- Texas Attorney General — Telemarketing enforcement: texasattorneygeneral.gov
- Texas No-Call List — Consumer registration and scrubbing: texasnocall.com
- Texas Business and Commerce Code, Chapters 301–306 (as amended): statutes.capitol.texas.gov
If you operate a marketing program at scale or have specific questions about whether your opt-in practices qualify for the November 2025 carve-out, consult a Texas attorney experienced in consumer-protection or TCPA work. The cost of a compliance review is far below the cost of a class action.