The purpose of this policy is to ensure that every messaging program built, configured, or operated through CA Solutions captures legally sufficient, well-documented consent; provides required disclosures; honors opt-outs promptly; and maintains durable evidence of consent. The policy is designed to support compliance with the U.S. Telephone Consumer Protection Act (TCPA) and FCC rules, applicable U.S. state telemarketing and privacy laws, the CAN-SPAM Act, Canada’s Anti-Spam Legislation (CASL) and applicable Canadian privacy laws, CTIA messaging principles and carrier rules, messaging-provider rules, and the WhatsApp Business Messaging Policy and Meta business terms.
This policy applies to the following channels and contexts: 2.1 SMS — text messages to mobile numbers. 2.2 MMS — multimedia messages. 2.3 RCS — Rich Communication Services messages. 2.4 WhatsApp — messages via the WhatsApp Business Platform. 2.5 Voice Calls — autodialed, prerecorded, or artificial-voice calls where in scope. 2.6 Email Relationship — email consent is governed separately (CAN-SPAM / CASL) but coordinated with messaging suppression. 2.7 Client-Managed Campaigns — programs the Client operates using systems CA Solutions built or configured. 2.8 CA Solutions-Managed Campaigns — programs CA Solutions operates on the Client’s behalf within a written scope.
Consent — a recipient’s permission to receive messages, obtained as required by applicable law and platform policy. Express Written Consent — for telemarketing/marketing autodialed or prerecorded messages under the TCPA, a written agreement, signed by the recipient (including electronically), clearly authorizing the sender to deliver marketing messages to a specified number using an autodialer or prerecorded/artificial voice, that is not a condition of purchase and that includes the required disclosures. Opt-In — the recipient’s affirmative action to provide Consent. Opt-Out — the recipient’s request to stop receiving messages. Transactional Message — a message that facilitates, completes, or confirms a transaction or relationship the recipient previously requested (e.g., order or appointment confirmations). Marketing Message — a message that promotes or advertises products, services, or offers.
Informational Message — a non-marketing message providing information the recipient would expect (e.g., account notices). Automated Message — a message sent using automated technology or templates. One-to-One Consent — consent given to a single, identified seller for a logically and topically related purpose. Status note: the FCC’s 2023 “one-to-one” consent rule was vacated by the Eleventh Circuit in January 2025 and is not currently a federal requirement; CA Solutions nonetheless treats one-to-one, seller-specific consent as a best-practice control to reduce legal and platform risk and to satisfy lead-generation and carrier expectations. Suppression List — the record of numbers/handles that have opted out and must not be messaged. Consent Record — the durable evidence of a recipient’s Consent (Sections 8 and 9).
4.1 TCPA. Marketing autodialed/prerecorded calls and texts generally require prior express written consent; certain informational/transactional messages require prior express consent. 4.2 FCC Rules. The FCC’s consent-revocation rule (effective April 11, 2025) requires senders to honor opt-out requests made through any reasonable means and to process them promptly; a sender may send a single confirmation/clarification message. 4.3 State Telemarketing Laws. Several states (e.g., Florida, Oklahoma, Washington, and others) impose additional consent, timing, and disclosure requirements; confirm applicable state rules for each program. 4.4 CAN-SPAM Relationship. Email programs require sender identification, a valid physical address, and a functioning unsubscribe mechanism. 4.5 CASL. Commercial electronic messages to Canadian recipients generally require express opt-in consent (unchecked boxes), sender identification, and an unsubscribe mechanism; consent records must be retained. 4.6 PIPEDA and Canadian Privacy Requirements. Collection and use of phone numbers and messaging data must follow meaningful-consent and safeguards principles; Quebec Law 25 may add transparency obligations. 4.7 CTIA and Carrier Rules. Messaging must follow CTIA messaging principles and carrier requirements, including 10DLC brand/campaign registration for application-to-person SMS in the U.S. 4.8 Messaging-Provider Rules. Provider terms (e.g., Twilio or other messaging providers) impose consent, content, and opt-out requirements. 4.9 WhatsApp Business Messaging Policy. Senders must obtain opt-in permission before messaging recipients on WhatsApp and respect opt-outs; template messages are categorized (e.g., marketing, utility, authentication) and subject to approval, with regional restrictions that may apply (including limits on marketing templates to certain regions). 4.10 Meta Business Terms. Use of the WhatsApp Business Platform is subject to applicable Meta terms.
Currency note (June 2026): Confirm the live status of FCC waivers (including the “revoke-all” portion of the consent-revocation rule, subject to extension), state-law changes, and current WhatsApp template-category restrictions before each launch.
Every consent mechanism must embody these principles:
deliver a requested service.
Consent may be captured through the following approved channels, each configured per this policy: 6.1 Website Form; 6.2 Checkout Flow; 6.3 Account Signup; 6.4 Lead Form; 6.5 Booking Form; 6.6 Paper Form; 6.7 Verbal Consent (recorded or documented per applicable law); 6.8 Inbound Text Opt-In (recipient texts a keyword to a published number); 6.9 WhatsApp Inbound Conversation (recipient initiates or accepts opt-in); 6.10 QR Code linking to a compliant opt-in page; and 6.11 Point-of-Sale Capture.
Website opt-in forms used for SMS/WhatsApp must include the following elements:
and submit button.
[PROGRAM TYPE: e.g., marketing and account] text messages from [SELLER/BRAND NAME] at the number provided, including messages sent by autodialer. Consent is not a condition of purchase. Message frequency varies. Message and data rates may apply. Reply STOP to opt out and HELP for help. See our Privacy Policy and Terms.”
shared with third parties for their own marketing.
Each SMS Consent Record must capture, where available: (1) Phone Number; (2) Consent Status; (3) Date and Time; (4) Time Zone; (5) Consent Source (form/URL/keyword); (6) Consent Language Version; (7) IP Address or equivalent evidence; (8) User Agent; (9) Related Form URL; (10) Program Name; (11) Seller or Sender Name; (12) Message Category (transactional/marketing/informational); (13) Terms and Privacy Version; and (14) Revocation History.
Each WhatsApp Consent Record must capture, where available: (1) WhatsApp Number; (2) Opt-In Permission; (3) Consent Source; (4) Consent Scope (message categories); (5) Message Category; (6) Business Name; (7) Date and Time; (8) Proof of Disclosure; (9) Withdrawal Method; (10) Template Category; and (11) Meta/Provider Account Reference.
Where double opt-in is used or required, after the initial opt-in the system sends a confirmation message asking the recipient to confirm (e.g., reply YES). Only after confirmation is the recipient marked fully opted in. The confirmation message must identify the sender and include HELP and STOP instructions. Double opt-in is recommended for marketing programs and may be required by certain providers or for WhatsApp.
Transactional messages must relate to a transaction or relationship the recipient initiated, identify the sender, avoid marketing content unless separately consented, and honor opt-outs. Prior express consent (not necessarily written) is generally appropriate for informational/transactional messages.
Marketing messages require prior express written consent (TCPA) for autodialed/prerecorded marketing, must not be a condition of purchase, must include sender identification and opt-out instructions, and must respect frequency representations. For Canadian recipients, CASL express consent applies.
If a program sends both transactional and marketing content, the more protective consent standard (marketing) applies, and disclosures must reflect the full scope of messages. Recipients who consent only to transactional messages must not receive marketing messages.
Imported contacts may be messaged only if each contact has a valid, documented consent meeting this policy. Lists must be screened against suppression lists, deduplicated, and validated. Purchased or rented lists, and contacts without verifiable consent, must not be used.
15.1 One-to-One Consent — as a best practice (see Section 3 status note), consent should identify the specific seller that will message the recipient. 15.2 Seller-Specific Consent — avoid using a single consent to message on behalf of multiple unrelated sellers. 15.3 Topical Relationship Requirement — messages should be logically and topically related to the interaction that prompted consent. 15.4 Consent Transfer Restrictions — consent generally may not be transferred to unrelated parties. 15.5 Third-Party Lead Vendor Review — lead vendors must be vetted, and their consent capture, disclosures, and records must be obtained and retained.
16.1 SMS Template Review; 16.2 WhatsApp Template Review (including correct category selection and Meta approval); 16.3 Legal Review of consent and disclosure language; 16.4 Brand Review; 16.5 Platform Approval (10DLC campaign and WhatsApp template approval); and 16.6 Version Control of approved templates. All templates are recorded in Appendix E.
Outbound program messages should include, as applicable: (1) Sender Identification; (2) Purpose of Message; (3) Opt- Out Instructions; (4) HELP Instructions; (5) Frequency Statement (at least at opt-in and periodically); and (6) Rates Disclosure (at least at opt-in).
Opt-outs must be honored when made by any reasonable means (consistent with the FCC rule), including but not limited to: 18.1 STOP Keywords (e.g., STOP, END, QUIT, CANCEL, UNSUBSCRIBE, REVOKE, OPT OUT); 18.2 WhatsApp Withdrawal (blocking, replying to stop, or other published method); 18.3 Email Requests; 18.4 Phone Requests; 18.5 Web Form Requests; and 18.6 Reasonable Alternative Methods. 18.7 Processing Deadline — opt- outs must be processed promptly and no later than the time required by law (the FCC requires honoring revocation within a reasonable time, not to exceed ten business days). 18.8 Confirmation Message — a single opt-out confirmation/clarification message may be sent. 18.9 Suppression List Update — the number/handle is added to the suppression list immediately. 18.10 Cross-System Sync — suppression is synchronized across all systems and channels used for the program.
A previously opted-out recipient may be re-added only after providing a new, documented opt-in meeting this policy. Senders must not message opted-out recipients to solicit re-opt-in except as permitted by law.
Suppression lists are maintained, backed up, and protected as Consent Records. They are not sold or shared for third- party marketing. Suppression entries are retained for the period required to demonstrate compliance and are synchronized across systems.
Replying HELP returns sender identity, program description, support contact, and opt-out instructions. Inbound questions are routed to [CLIENT SUPPORT CHANNEL] for response.
Consent capture and records are periodically audited (Appendix F) to confirm checkbox configuration, disclosure language, record completeness, opt-out functionality, suppression sync, and platform registration status.
Consent Records, opt-out records, and suppression lists are retained for at least the longer of (a) the period required by applicable law (for example, CASL generally requires retaining proof of consent for three years after the relevant business relationship ends), and (b) [RETENTION PERIOD, e.g., 4–5 years] to support TCPA and other limitations periods. The party that owns the messaging program is responsible for retention unless the SOW states otherwise.
Messaging providers and platforms must be configured to support consent capture, opt-out handling, suppression, and required registrations (e.g., 10DLC, WhatsApp Business). Provider and platform terms must be followed.
Client is responsible for: the lawfulness of its lists and consent; approving disclosure and consent language with its counsel; content accuracy; honoring opt-outs; maintaining suppression lists it owns; completing required registrations; and overall program compliance. CA Solutions implements consent and messaging workflows only within the written scope.
Within the agreed scope, CA Solutions will: configure compliant opt-in forms and flows; implement Consent Record capture; implement STOP/HELP and opt-out handling; implement suppression and cross-system sync; support template submission and platform registration; and provide reasonable documentation. CA Solutions does not guarantee platform approval, message deliverability, or that any program is compliant in the absence of Client legal review.
The following messaging incidents trigger investigation and remediation: 27.1 Wrong Recipient; 27.2 Opt-Out Failure; 27.3 Consent Record Gap; 27.4 Platform Complaint; 27.5 Carrier Filtering; and 27.6 Unauthorized Campaign. Each incident is logged, the root cause identified, suppression and consent records corrected, and affected parties notified as required by the MSA, DPA, and applicable law.
Personnel who operate messaging programs must be trained on this policy, including consent capture, disclosures, opt- out handling, and incident response, before operating a program and periodically thereafter.
Programs are monitored for opt-out rates, complaint rates, carrier filtering, delivery issues, and registration status, with periodic reporting to [STAKEHOLDER] .
This policy and all program templates and disclosures are reviewed by counsel at least annually and upon material changes in law or platform policy.
Appendix A — Website SMS Consent Screen Checklist
ElementPresent
Unchecked consent checkbox near phone field [ ]
Seller/brand identified in consent text [ ]
Program/message types described [ ]
“Consent not a condition of purchase” [ ]
Message frequency disclosure [ ]
“Message and data rates may apply” [ ]
STOP and HELP instructions [ ]
Carrier-liability disclosure [ ]
Privacy Policy and Terms links [ ]
Consent Record created on submit [ ]
Appendix B — WhatsApp Opt-In Checklist
ElementPresent
Opt-in obtained before messaging [ ]
Business clearly identified [ ]
Message categories disclosed (utility/marketing/auth) [ ]
Withdrawal method explained [ ]
Template categories approved by Meta [ ]
Regional restrictions checked (e.g., US marketing templates) [ ]
Consent Record created [ ]
Appendix C — Consent Record Schema
FieldExample
phone_or_handle[+1XXXXXXXXXX]
channelSMS / WhatsApp
consent_statusopted_in / confirmed / opted_out
consent_datetime / time_zone[ISO 8601 / TZ]
consent_source / form_url[URL or keyword]
consent_language_version[v#]
ip_address / user_agent[value]
program_name / seller_name[value]
message_categorytransactional / marketing / informational
terms_version / privacy_version[v#]
revocation_history[timestamps & method]
Appendix D — Approved Opt-Out Keywords STOP, END, QUIT, CANCEL, UNSUBSCRIBE, REVOKE, OPT OUT (and reasonable variations). Note: under current FCC guidance, opt-outs in any reasonable manner must be honored even if a non-listed word is used.
Appendix E — Message Template Inventory
Template ID Channel Category Status Version
[ID] [SMS/WhatsApp] [Category] [Approved/Pending] [v#]
Appendix F — Audit Checklist
Audit ItemPass
Opt-in forms match Appendix A/B [ ]
Consent Records complete & retrievable [ ]
STOP/HELP tested and working [ ]
Opt-outs processed within deadline [ ]
Suppression synced across systems [ ]
10DLC / WhatsApp registration current [ ]
Templates approved & version-controlled [ ]
Records retained per Section 23 [ ]
CA SOLUTIONS LLC[CLIENT LEGAL NAME] (for Client-managed programs)
Approved By / TitleApproved By / Title
DateDate
Download PDF