ComposableStack.AI CDP
← All proposed topics
industry-newsblog

After the One-to-One Rule: What SMS Consent Architecture Actually Requires in 2026

For: marketing-ops-leaders

Angle

The FCC's one-to-one SMS consent rule — which would have required per-sender written consent, making shared lead lists illegal — was struck down by the 11th Circuit in January 2025 and formally removed by the FCC in August 2025 before it ever took effect. An earlier brief in this backlog was invalidated when this correction was confirmed. The corrected angle is more useful: what does SMS consent architecture actually require in 2026, after the most aggressive TCPA regulation in memory was vacated? The answer is Prior Express Written Consent (PEWC) — the existing standard that has governed SMS marketing since 2012. PEWC requires written consent to be obtained before sending marketing SMS, specific to the type of messages being sent. The article names the three architectural implications for CDP stacks: consent state must be captured in the CDP before activation; suppression must propagate before any SMS audience export; and opt-out (STOP) must be honored in the same message thread with near-zero latency. None of these requirements changed when the one-to-one rule was vacated — but many organizations misjudged the urgency of building them correctly because they were waiting for the more dramatic rule.

Key decision this helps with

What does the current TCPA Prior Express Written Consent standard require of your CDP architecture for SMS marketing, and is your consent propagation and suppression architecture compliant today?

Tradeoffs the article will map

  • Packaged CDP consent management (vendor-provided suppression lists, built-in STOP handling): operationally simpler, but dependent on the vendor's consent model matching your consent collection architecture and channel connectors
  • Composable CDP consent management (custom consent table in CDW, reverse-ETL suppression propagation to ESP/SMS platform): fully flexible, but requires the engineering team to build and maintain the suppression path correctly — the most common failure mode is suppression latency exceeding seconds for high-urgency opt-out requests

Open questions / uncertainties

  • TCPA enforcement cadence and litigation risk vary considerably by jurisdiction, plaintiff's bar activity, and the specific industry — financial services and healthcare have different exposure profiles than retail; the article should recommend legal counsel review rather than prescribing specific technical controls as compliance guarantees
  • The one-to-one rule's vacatur does not foreclose a future FCC rulemaking — the article should note that the regulatory environment is stable as of publication but that rulemaking could reopen; readers should subscribe to FCC proceeding updates for this topic

Knowledge-graph nodes this draws from

Your feedback

Signed-in feedback feeds the next morning's Marketing Drafter routine. It re-weights the backlog priority and records you as an interested reviewer if you opt in.

How interested are you in this topic?
Sign-in required. Free.