TCPA Compliance for Hotel SMS: Opt-In, STOP & Audit Trails
Key Takeaways: TCPA compliance for hotel SMS programs comes down to four operational disciplines: express written consent captured at the right moment in the reservation flow, automatic STOP/HELP handling on every branded number, a defensible audit trail tied to the guest profile, and continuous opt-in status enforcement before any message sends. Hospitality operators get into trouble not because the rules are obscure, but because consent gets captured in one system (the booking engine), opt-outs land in another (the front desk text app), and nobody can reconstruct who agreed to what when a complaint shows up 18 months later. The fix is structural: one guest profile, one consent timestamp, one channel for SMS sends, and one audit log that survives a subpoena.
Why TCPA Matters More for Hospitality Than People Think
The Telephone Consumer Protection Act has been the dominant US framework for SMS marketing since the FCC clarified its application to text messaging. As of 2026, plaintiff-side firms are still actively filing class actions in this space, and the statutory damages of $500 to $1,500 per message make a sloppy SMS program an existential risk rather than a slap on the wrist.
Hospitality looks like a soft target from the outside. Hotels and vacation rental managers run high-volume pre-arrival, in-stay, and win-back text programs. They sit on years of guest phone numbers collected from reservations, booking engines, OTA syndication, WiFi captive portals, and front desk walk-ins. Each of those collection points has a different consent posture, and most operators have never reconciled them.
The risk is not theoretical. We have seen audits where a property had captured 80,000 phone numbers across five years of operations, intended to “warm up” the list with a single promotional blast, and discovered that fewer than 20% of those numbers had clean, documented express written consent for marketing SMS. The other 64,000 were a liability.
The Four Compliance Layers Operators Must Build
1. Express Written Consent at the Right Moment
For marketing SMS (anything promotional, including upsell offers and win-back nudges), TCPA requires prior express written consent. Transactional SMS (a one-time check-in code, a balance-due alert tied to an existing reservation) has a softer standard under industry practice, but most operators are better off treating everything as if it required express consent and capturing it cleanly.
The capture moment matters. A pre-checked box at the bottom of a booking engine page is not consent. A separate, conspicuous opt-in with clear language about message frequency, expected message types, “message and data rates may apply,” and a link to terms is the defensible posture. The disclosure language should mention the brand sending the messages by name — important for multi-property operators where the brand the guest knows is not the legal entity that owns the property.
The reservation flow is the highest-converting moment to capture consent because the guest is already in a transaction mindset. Tie the consent timestamp directly to the reservation record in your hotel CRM so it travels with the guest profile forever.
2. STOP, HELP, and Quiet Hours Handling
Every branded number sending marketing SMS must honor STOP, UNSUBSCRIBE, CANCEL, QUIT, and END as universal opt-out keywords. HELP must return a clear response naming the brand and offering a support contact. These are not nice-to-haves — they are carrier-enforced and part of the CTIA Messaging Principles.
Quiet hours are the next layer. Most operators target 8am–9pm in the recipient’s local timezone, which means the SMS platform needs to know the guest’s timezone (usually inferable from area code or, better, from the reservation’s property timezone for arrival-window messages). Sending a 2am “your room is ready” promo because your back-end runs on UTC is a common own-goal.
In SendSquared’s unified inbox, STOP handling is automatic across every branded number, opt-in status is enforced on every individual and bulk send, and quiet-hours rules apply per-property timezone — but you should verify the same guardrails exist in whatever platform you run.
3. Audit Trail That Survives a Subpoena
When a TCPA complaint lands, the question is never “did you mean well.” It is: produce the record. Show the consent moment. Show the IP address. Show the form version. Show every message sent. Show the opt-out timestamp if there was one. Show that you stopped sending after the opt-out.
Most hospitality operators cannot produce this because the data lives in fragments — booking engine logs, the PMS, the marketing tool, the front desk SMS app, the WiFi captive portal vendor, and the channel manager all hold pieces of the picture.
The fix is consolidating SMS sends and consent capture into a single system that writes everything to the guest record. Every send logged. Every opt-in source-stamped. Every opt-out timestamped with the keyword used and the message that triggered it. This is the operational difference between a 20-minute exhibit and a six-figure settlement.
4. Opt-In Status Enforcement Before Every Send
The most common audit failure is not “we sent to someone who never opted in.” It is “we sent to someone who opted out three months ago because the marketing system did not check against the inbox.”
Opt-in status must be a hard pre-send check, not a periodic sync. A guest who replies STOP to a Tuesday SMS should not be eligible for a Wednesday automation send. The automation engine and the messaging stack need to share one source of truth — the guest profile — and queries against it must happen at send time, not at audience-build time.
This is also why segment management for SMS audiences should always count from opt-in status, not from contact count. A segment that says “120,000 contacts in California” is meaningless. The number that matters is “47,300 SMS-eligible, opted-in, not-currently-blocked contacts in California.”
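An added example (not SendSquared's code or any vendor's API) of the send-time gate that layers 2 through 4 describe: opt-out keyword handling, the 8am–9pm local-time window, and a hard opt-in check, with every decision written to the guest's audit log. The Guest fields, function names and log shape are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, tzinfo
from typing import Optional

OPT_OUT = {"STOP", "UNSUBSCRIBE", "CANCEL", "QUIT", "END"}
WINDOW_START, WINDOW_END = time(8, 0), time(21, 0)  # allowed local send window

@dataclass
class Guest:  # hypothetical guest profile: the single source of truth
    phone: str
    tz: tzinfo                      # property timezone, e.g. a zoneinfo.ZoneInfo
    opted_in_at: Optional[datetime] = None
    consent_source: Optional[str] = None
    opted_out_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # append-only event log

def log(g, now, event, **detail):
    g.audit.append({"at": now.isoformat(), "event": event, **detail})

def handle_inbound(g, body, now, last_msg_id=None):
    """Record an opt-out with the keyword used and the message that triggered it."""
    kw = body.strip().upper()
    if kw in OPT_OUT:
        g.opted_out_at = now
        log(g, now, "opt_out", keyword=kw, in_reply_to=last_msg_id)
        return True
    return False

def can_send_marketing(g, now):
    """Evaluated at send time against the profile, never at audience-build time."""
    if g.opted_in_at is None:
        return False, "no_consent"
    # An opt-out blocks sends until a newer, documented opt-in replaces it.
    if g.opted_out_at is not None and g.opted_out_at >= g.opted_in_at:
        return False, "opted_out"
    local = now.astimezone(g.tz).time()  # back end may run on UTC; guest does not
    if not (WINDOW_START <= local < WINDOW_END):
        return False, "quiet_hours"
    return True, "ok"

def send_marketing(g, msg_id, now):
    """Gate one send and log the outcome, blocked attempts included."""
    ok, reason = can_send_marketing(g, now)
    log(g, now, "sent" if ok else "blocked", msg_id=msg_id, reason=reason)
    return ok, reason
```

Blocked attempts are logged alongside sends so the record shows that sending stopped after an opt-out, not only that the opt-out was received.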
Hospitality-Specific Consent Patterns That Work
A few patterns we see at properties running clean SMS programs:
Reservation-confirmation opt-in. A separate consent step after the booking is created, sent by email, asking the guest to opt in to text updates for their stay. Conversion typically lands at 55–70% because guests want check-in instructions and want them by text. This single flow refreshes consent for every booking and source-stamps it cleanly.
WiFi captive-portal capture. Lower trust signal — guests are mashing through the form to get online — but legally valid if the disclosure is conspicuous. Tag these contacts with their consent source so a future audit can show the capture context.
Front-desk verbal consent. Risky. Industry practice is to convert verbal “yes, text me” to written consent by sending a confirmation message (“Reply YES to confirm you’d like to receive texts from [Brand]”) and only enabling marketing sends after the YES is received. Tie the agent who captured it, the timestamp, and the resulting reply to the guest record. The guest verification workflow is a natural home for this kind of agent-attributed action.
OTA channel data. Guests who book through Airbnb, VRBO, Booking.com did not consent to your marketing SMS — they consented to the OTA’s. Treat OTA-derived phone numbers as transactional-only until you collect direct consent (typically via the pre-arrival email).
What “Implicit Consent” Actually Means
The CTIA framework distinguishes between marketing and conversational (transactional) messages. A guest who texts you first has provided implicit consent for the conversational reply. That implicit consent extends to the reasonable scope of the conversation — but it does not authorize promotional messages.
In practice: if a guest texts “what time is checkout?” your SMS reply is fine. A follow-up “while you’re here, would you like to extend your stay?” is borderline (a transaction-relevant upsell can be defended). A two-weeks-later “come back for fall foliage rates” is marketing and needs separate consent.
This nuance matters because most hospitality SMS conversations start with the guest. Operators sometimes assume the inbound message is full consent for all future sends. It is not.
When You Inherit a Dirty List
Buying a property, taking over management, or migrating CRMs often hands you a phone-number list with mixed consent history. The defensible path:
- Quarantine the list. Do not send marketing SMS to inherited contacts until consent is refreshed.
- Run a re-permission campaign via email. Email has a softer compliance posture; use it to ask guests to opt back in to SMS with a clear value proposition (early check-in alerts, last-minute rate offers).
- Source-tag the refreshed opt-ins. Mark them with the re-permission campaign and the new timestamp.
- Suppress the unconverted segment. Anyone who did not opt in stays off SMS, period. Email-only or no contact, depending on email consent.
This is unglamorous work, but it converts a liability list into a clean, audit-defensible list — usually in 60–90 days.
The Operational Bottom Line
TCPA compliance for hotel SMS is not a lawyer problem. It is a systems problem. The lawyers can write the disclosure language. They cannot stop a marketing manager from blasting an inherited list, and they cannot reconstruct opt-out trails after a Twilio number got recycled.
The structural fix: one guest profile per contact, one SMS sending system, automatic STOP/HELP handling, hard opt-in checks at send time, and an audit log that survives counsel review. Get that right and TCPA stops being a daily worry.