TCPA SMS Compliance for Medicare Agents: The Complete Guide

Here is the scenario that keeps Medicare agency owners up at night.

You buy 500 leads. Your team texts them a friendly intro. Two weeks later, you get a demand letter from a TCPA plaintiff's attorney. The math: 500 texts times $500 per violation equals $250,000 in potential liability. And that is the low end.

This is not theoretical. TCPA lawsuits against insurance agents spiked 38% in 2025. Medicare agents sit in a particularly exposed position because you are dealing with seniors, a demographic that regulators watch closely, and CMS adds its own layer of rules on top of the TCPA.

Let us break down exactly what you need to do, what most agents get wrong, and how to send bulk SMS without handing trial lawyers a payday.

What Is the TCPA and Why Should Medicare Agents Care?

The Telephone Consumer Protection Act (TCPA) is a federal law that restricts how businesses can contact consumers via phone calls, faxes, and text messages. For our purposes, the part that matters is this: you cannot send a marketing text message to anyone without their prior express written consent.

Why are Medicare agents high-risk? Three reasons:

• CMS overlay. The Centers for Medicare & Medicaid Services has its own marketing guidelines that stack on top of TCPA. You are playing by two rulebooks simultaneously.
• Senior demographic. Regulators and courts are more sympathetic to older consumers. Juries award higher damages.
• Volume. AEP and OEP drive agents to send high volumes of messages in compressed timeframes. Speed creates compliance shortcuts. Shortcuts create lawsuits.

The Real Cost of TCPA Violations

Let us be specific about what is at stake:

• $500 per text for standard violations
• $1,500 per text for willful or knowing violations (and "I didn't know" is rarely a defense)
• Class action exposure if you texted a list, because every recipient is a potential class member
• CMS sanctions including suspension of your ability to market Medicare products
• E&O claims from your upline or FMO if your compliance failure taints their brand

A 1,000-text campaign with no documented consent? That is $500,000 to $1.5 million in exposure. For context, the average TCPA class action settlement is $6.6 million.

How to Get TCPA-Compliant Consent (The Right Way)

Consent is not "they gave me their phone number." Consent is not "they filled out a form." Consent is a specific, documented, affirmative agreement to receive text messages from your company.

Here is what valid consent looks like:

• Written disclosure that clearly states the consumer agrees to receive text messages
• Your company name explicitly identified in the disclosure
• Affirmative action by the consumer: checking a box, signing a form, or replying YES to an opt-in text
• No pre-checked boxes. The consumer must actively opt in
• Message frequency disclosure. Tell them how often you will text
• "Message and data rates may apply" language included
• Opt-out instructions included in the consent disclosure

The Double Opt-In Gold Standard

The safest approach is double opt-in. The lead fills out your form, then receives a confirmation text: "Reply YES to confirm you want to receive Medicare plan updates from [Your Agency]." Only after they reply YES do you add them to your messaging list.

Is double opt-in legally required? No. Is it the best evidence you can hand a judge when a plaintiff's attorney comes calling? Absolutely.

STOP, START, YES: Keyword Handling That Keeps You Legal

Once someone opts in, you need automated handling for standard keywords. This is not optional. Carriers require it, and the TCPA demands it.

Required Keywords

• STOP / UNSUBSCRIBE / CANCEL / END / QUIT, Immediately cease all messages. Send one confirmation: "You have been unsubscribed. No further messages will be sent." Then stop. Do not send a "Are you sure?" follow-up. Do not send a "We're sorry to see you go" message a week later.
• START / UNSTOP / YES, Re-subscribe the contact. Confirm: "You have been re-subscribed to messages from [Your Agency]. Reply STOP to opt out."
• HELP / INFO, Respond with your company name, contact information, and opt-out instructions.

What Most Agents Get Wrong

The number-one mistake is latency. A lead texts STOP and your system takes 45 minutes to process it. During that window, an automated drip message goes out. That single message after a STOP request is a $500-$1,500 violation.

The second mistake is incomplete logging. You processed the STOP, but you have no timestamp, no record of the original consent, and no audit trail. When the lawsuit arrives, you cannot prove you did the right thing.

Building a Bulletproof Audit Trail

Every TCPA case comes down to one question: can you prove consent? If the answer is "well, we think so" or "our old CRM probably has it somewhere," you are going to settle.

Your audit trail must include:

• Consent timestamp with timezone
• Consent method (web form, paper form, verbal with recording, double opt-in SMS)
• Exact disclosure language the consumer saw or heard
• The phone number that was opted in
• IP address if consent was collected online
• Every message sent to that number with timestamps
• Every opt-out request with timestamps and confirmation
• Retention period: Keep everything for at least 4 years (the TCPA statute of limitations)

How MessageActivity Automates TCPA Compliance

Here is where I will be direct. Building all of this yourself, the consent capture, the keyword processing, the audit logging, the opt-out management, is technically possible. You could duct-tape together Twilio, a spreadsheet, and a prayer. Most agents who try this end up with gaps.

MessageActivity was built specifically for insurance agents who send SMS at scale. Here is what it handles automatically:

• Auto opt-in workflows. When a lead enters your system, MessageActivity sends the double opt-in confirmation and only activates the contact after receiving a YES reply. No manual tracking required.
• Instant keyword processing. STOP, START, HELP, and all variants are processed in under 2 seconds. The contact's status updates immediately across all campaigns.
• Consent audit log. Every consent event is timestamped, stored, and exportable. If you ever face a TCPA inquiry, you can pull a complete compliance history for any contact in seconds.
• CMS-aware templates. Message templates flag language that could violate CMS marketing guidelines before you send. You catch problems before they become violations.
• Opt-out suppression. Contacts who opt out are automatically suppressed from all future campaigns. You physically cannot send to an opted-out number, even by accident.

The difference between "we have a compliance process" and "our system makes non-compliance mechanically impossible" is the difference between hoping you do not get sued and knowing you have a defense if you do.

A Quick TCPA Compliance Checklist for Medicare SMS

Before you send your next campaign, verify every item:

• Every recipient has documented prior express written consent
• Consent records include timestamp, method, disclosure language, and phone number
• Your opt-in disclosure names your company and describes message frequency
• STOP and all opt-out keywords are processed automatically and instantly
• Opted-out contacts are suppressed from all campaigns
• Every message includes opt-out instructions
• You are sending during permissible hours (8 AM to 9 PM in the recipient's timezone)
• Your message content complies with CMS marketing guidelines
• You have a 4-year retention policy for consent records
• Your system logs every message sent with timestamps

Related Articles

• Medicare CRM Compliance: How to Pass Every CMS Audit
• Best CRM for Medicare Agents in 2026
• Drip Email Campaigns for Medicare: AEP, T65, and Year-Round

Frequently Asked Questions

What is the TCPA penalty per unsolicited text message?

The TCPA imposes penalties of $500 per unsolicited text message, and up to $1,500 per message if the violation is found to be willful or knowing. For Medicare agents sending bulk SMS, even a small campaign can generate six-figure liability.

Do Medicare agents need prior express written consent before texting leads?

Yes. Under the TCPA and CMS regulations, Medicare agents must obtain prior express written consent before sending marketing text messages. This consent must be documented, include clear disclosure language, and specify the phone number being opted in.

How do I handle STOP and opt-out requests for SMS compliance?

You must process STOP, UNSUBSCRIBE, CANCEL, END, and QUIT keywords instantly and automatically. The opt-out must be confirmed with a single reply, no further messages can be sent, and the opt-out must be logged with a timestamp for your records.

What records do I need to keep for TCPA compliance?

You need to maintain consent records including how and when consent was obtained, the exact phone number, the disclosure language shown, timestamp of consent, and all subsequent opt-out requests. These records must be readily accessible for at least 4 years.

Can I text Medicare leads who filled out a web form?

Only if your web form includes TCPA-compliant consent language that specifically authorizes text messages, names your company, and the lead actively checks a box or provides affirmative consent. Pre-checked boxes do not count as valid consent under current TCPA rules.

The Bottom Line

TCPA compliance is not a nice-to-have for Medicare agents. It is a survival requirement. The agents who build compliant systems now are the ones who will still be in business when the next wave of TCPA litigation hits.

You can do this manually. You can build spreadsheets and set reminders and hope nothing falls through the cracks. Or you can use a system that makes compliance automatic, so you can spend your time doing what actually makes you money: helping seniors find the right Medicare plan.