Dispensary SMS Compliance Guide: TCPA, State Rules & Opt-In Requirements

SMS is the highest-performing channel in dispensary marketing. Open rates above 95%, response times measured in minutes, and conversion rates that make email look sluggish. But that performance comes with a catch: SMS is also the most heavily regulated marketing channel in the United States, and cannabis businesses face an extra layer of rules on top of the federal baseline. One misstep can cost your dispensary $500 to $1,500 per message in TCPA fines — and with class action lawsuits now common in the cannabis space, those numbers multiply fast.

We built this guide because we see dispensaries making the same compliance mistakes repeatedly. Some are sending texts without proper consent. Others have consent but lack the documentation to prove it. Many are ignoring state-specific rules that go beyond federal TCPA requirements. Whether you are launching your first dispensary SMS marketing program or auditing an existing one, this is everything you need to stay compliant and protected.

Why SMS Compliance Is Critical for Dispensaries

Cannabis businesses operate under more scrutiny than almost any other retail category. Regulators, carriers, and consumers are all watching. A single TCPA complaint can trigger an investigation, and the financial exposure scales with every message you have ever sent without proper consent.

• TCPA fines are per-message, not per-incident. If you send 5,000 unsolicited texts, you face potential liability of $2.5 million to $7.5 million. These are not theoretical numbers — TCPA class action settlements in 2025 averaged $12.7 million across all industries, and cannabis businesses are increasingly targeted.
• Class action lawsuits are accelerating. Plaintiff attorneys actively monitor cannabis dispensary text messages because the industry is young, compliance awareness is low, and the per-message damages are high. A single customer complaint can become a class action representing every person on your SMS list.
• Carrier filtering shuts down non-compliant senders. Even before a lawsuit, wireless carriers like T-Mobile, AT&T, and Verizon filter messages from senders with poor compliance records. If your messages get flagged, delivery rates drop to near zero — effectively killing your SMS channel.
• State cannabis regulators are watching too. In states like New York and New Jersey, cannabis regulatory bodies have their own marketing rules. A compliance violation can jeopardize your license, not just your marketing budget. The stakes are existential for dispensaries.

The good news: compliance is not complicated once you understand the rules. The framework we outline below protects your dispensary at every level — federal, state, carrier, and platform.

Federal TCPA Requirements

The Telephone Consumer Protection Act is the federal law governing all commercial text messages in the United States. Every dispensary SMS program must comply with TCPA regardless of what state you operate in. Here are the core requirements.

Prior Express Written Consent

Before you send a single marketing text, the customer must provide prior express written consent. This is the cornerstone of TCPA compliance. Consent must meet all of the following criteria:

• Written or electronic signature. The customer must actively agree — checking a box, signing a form, or texting a keyword. Pre-checked boxes do not count. Passive consent (like adding a phone number to a purchase form) does not count.
• Clear disclosure of what they are agreeing to. The consent language must state that the customer agrees to receive automated marketing text messages from your dispensary. Vague language like "we may contact you" is insufficient.
• Not a condition of purchase. You cannot require SMS opt-in as a condition of completing a transaction. The customer must be able to buy from your dispensary without subscribing to texts. This is one of the most common violations we see at point-of-sale.
• Identification of the sender. The consent language must clearly identify your dispensary by name. A generic "this business" is not adequate — the customer must know exactly who will be texting them.

Automated Dialing Systems (ATDS)

The TCPA's rules on automated telephone dialing systems apply to virtually every dispensary SMS platform. If you are using Alpine IQ, SpringBig, or any marketing automation tool that sends texts automatically to a list of numbers, you are using an ATDS under the law. This means the prior express written consent requirement applies in full — there is no workaround for "manual" sending through a platform interface.

Content Requirements

Every marketing text message must include specific content elements to comply with TCPA and CTIA (Cellular Telecommunications Industry Association) guidelines:

• Business identification. Your dispensary name must appear in every message. The recipient must be able to identify who is texting them without any prior context.
• Opt-out instructions. Every message must include a clear way to unsubscribe. The standard is "Reply STOP to opt out" or similar language. This is non-negotiable.
• Message frequency disclosure. At the point of opt-in (not in every message, but at signup), you must disclose the expected message frequency — for example, "up to 8 msgs/month."
• "Msg & data rates may apply." This disclosure must appear at the point of opt-in. While it may seem outdated in an era of unlimited texting plans, it remains a required element under CTIA guidelines.

State-Specific SMS Rules for Cannabis

Federal TCPA is the floor, not the ceiling. Many states impose additional restrictions on cannabis marketing that directly affect your SMS program. If you operate in multiple states, you must comply with the strictest applicable rules. Here is what you need to know for the most regulated markets.

New York (OCM Rules)

New York's Office of Cannabis Management has some of the most detailed cannabis advertising compliance rules in the country. For SMS marketing, NY dispensaries must ensure all messages comply with the OCM's restrictions on promotional content. No health or medical claims. No imagery or language that could appeal to individuals under 21. Promotional messages cannot depict consumption of cannabis products. All marketing must include the state-mandated warning language, and dispensaries must be prepared to provide consent records to the OCM upon request.

New Jersey (CRC Rules)

The New Jersey Cannabis Regulatory Commission requires that all cannabis marketing, including SMS, be approved or approvable under CRC guidelines. Dispensaries must avoid any claims about therapeutic benefits, cannot use promotional tactics that the CRC deems target minors, and must include specific disclaimer language. NJ also restricts certain types of promotional pricing in marketing materials, which affects what discount offers you can include in text messages.

California (CCPA + TCPA)

California dispensaries face a double layer of compliance. The California Consumer Privacy Act (CCPA) gives consumers the right to know what personal data you collect, request deletion of that data, and opt out of its sale. This means your SMS program must be integrated with a CCPA-compliant data management process. On top of CCPA, California has its own state-level telemarketing laws that supplement federal TCPA, including stricter rules on calling hours (no texts before 8 AM or after 9 PM Pacific) and additional consent documentation requirements.

Illinois

Illinois dispensaries must comply with the state's Biometric Information Privacy Act (BIPA) if collecting any biometric data during the opt-in process, plus the Illinois Cannabis Regulation and Tax Act's marketing restrictions. SMS content cannot include health claims, must carry age-restriction notices, and promotional messaging is subject to the Illinois Department of Financial and Professional Regulation's advertising guidelines.

Ohio

Ohio's Division of Cannabis Control requires that all advertising and marketing, including text messages, be submitted for review and comply with the state's prohibited content rules. No testimonials, no claims of curative properties, and no promotional tactics that could be deemed to encourage excessive use. Ohio also requires that all marketing materials be retained for a minimum period as part of the dispensary's compliance records.

Michigan

Michigan's Cannabis Regulatory Agency requires that all marketing include specific disclaimer language and prohibits any health-related claims in promotional text messages. Michigan also restricts promotional messaging near schools and certain public facilities, which can affect geotargeted SMS campaigns. All marketing materials, including text message templates, must be available for regulatory inspection.

Florida

Florida's medical cannabis program has strict marketing rules that apply to SMS. The Florida Department of Health's Office of Medical Marijuana Use prohibits marketing that makes specific health claims, restricts the use of certain images, and requires all advertisements to include the dispensary's license number. Florida also has its own state telemarketing statute (Florida Telephone Solicitation Act) with additional consent and disclosure requirements beyond federal TCPA.

Opt-In Mechanics

How you collect consent matters as much as whether you collect it. The opt-in method you choose affects your legal protection, your list quality, and your deliverability. Here are the four primary opt-in methods for dispensary SMS programs.

Single Opt-In vs Double Opt-In

Single opt-in means the customer provides their phone number and agrees to receive messages in one step — checking a box at checkout, filling out a web form, or texting a keyword. This satisfies TCPA requirements and is the minimum standard.

Double opt-in adds a confirmation step: after the initial signup, the customer receives a text asking them to reply YES (or a similar keyword) to confirm their subscription. Only after this confirmation are they added to your active list. Double opt-in is not legally required by the TCPA, but we recommend it for every dispensary because it creates a stronger audit trail, reduces fraudulent signups, improves deliverability, and is preferred by carriers.

Point-of-Sale Enrollment

The most common opt-in method for dispensaries. The budtender asks the customer if they want to receive text updates, and the customer provides their number at the register. The critical compliance detail here: the customer must see and agree to written consent language before submitting their number. A verbal "sure, add me" is not sufficient under TCPA. Use a tablet or printed sign at the register that displays the full consent disclosure, and have the customer actively check a box or sign.

Online Signup Forms

Website forms, landing pages, and pop-ups that collect phone numbers for SMS subscriptions. These must include the full consent disclosure directly adjacent to the phone number field and submission button. The disclosure cannot be hidden behind a link or buried in a terms-of-service page — it must be visible without scrolling or clicking at the point where the customer enters their number.

Keyword Opt-In (Text JOIN to...)

Keyword opt-in lets customers text a word like JOIN, DEALS, or your dispensary name to a short code or phone number to subscribe. This method is popular for in-store signage, social media, and packaging. When the customer texts the keyword, they should immediately receive a confirmation message that includes your dispensary name, message frequency, "msg & data rates may apply," opt-out instructions, and a link to your privacy policy. If using double opt-in, the confirmation message asks them to reply YES to complete the subscription.

Required Disclosures

Every dispensary SMS program must present specific disclosures at the point of opt-in. Missing even one of these creates legal exposure. Here is the complete list of required disclosure elements.

• Message frequency. Tell the customer how often you will text them. Be specific: "Up to 8 messages per month" is compliant. "We will text you occasionally" is not. If your frequency varies, state the maximum.
• "Msg & data rates may apply." This exact phrase (or a close equivalent) must appear in your opt-in disclosure. It is a CTIA requirement and carriers look for it during compliance reviews.
• Opt-out instructions. The opt-in disclosure must explain how to unsubscribe. Standard language: "Reply STOP to cancel." This must be present at signup and in every marketing message you send.
• Business identification. Your dispensary name must be clearly stated in the opt-in disclosure so the customer knows who will be messaging them.
• Privacy policy link. CTIA guidelines require that a link to your privacy policy be available at the point of opt-in. The privacy policy must explain how you collect, store, and use the customer's phone number and messaging data.
• Help instructions. Include "Reply HELP for help" or equivalent in your opt-in flow. When a customer texts HELP, they should receive a message with your dispensary name, customer support contact information, and opt-out instructions.

Opt-Out Handling

How you handle opt-outs is just as important as how you handle opt-ins. Failing to process an unsubscribe request is one of the most common triggers for TCPA lawsuits and one of the easiest compliance failures to prevent.

• STOP keyword processing. Your system must recognize and immediately process STOP, UNSUBSCRIBE, CANCEL, END, and QUIT as opt-out keywords. When any of these keywords is received, all marketing messages to that number must cease. No exceptions, no delays, no "are you sure?" follow-ups.
• Confirmation message. After processing a STOP request, send one — and only one — confirmation message. Standard language: "You have been unsubscribed from [Dispensary Name] messages. You will not receive further texts. Reply JOIN to resubscribe." This single confirmation is permitted under TCPA; any additional messages after this are violations.
• Processing time. Opt-out requests must be processed immediately. Industry best practice and carrier expectation is within seconds, not hours or days. If your platform batches opt-out processing, fix this immediately — any message sent between the STOP request and the processing completion is a potential TCPA violation.
• Suppression lists. Opted-out numbers must be added to a permanent suppression list. This list must persist across all campaigns, segments, and message types. A customer who opted out of promotional texts cannot be re-added through a different campaign or list import. The suppression list is permanent until the customer voluntarily re-subscribes through a new opt-in action.
• Cross-platform suppression. If you use multiple messaging platforms or switch providers, your suppression list must carry over. Migrating to a new SMS platform does not reset opt-out status. Export your suppression list from the old platform and import it into the new one before sending any messages.

Record-Keeping Requirements

If you cannot prove consent existed, it might as well not have. Record-keeping is the backbone of TCPA defense, and it is the area where most dispensaries are weakest. Here is what you need to document and retain.

• Consent timestamp. The exact date and time the customer opted in, down to the second. This must be stored in your system for every subscriber.
• Consent source. How did the customer opt in? Point-of-sale tablet, website form, keyword text, or third-party integration? Document the specific channel and method for every subscriber.
• Consent language shown. Save a copy of the exact disclosure language the customer agreed to at the time of their opt-in. If you update your consent language, keep archived versions of every previous version with effective dates.
• IP address or device identifier. For online opt-ins, record the IP address. For in-store opt-ins, record the POS terminal or tablet ID. This corroborates that the opt-in event actually occurred.
• Opt-out records. Document every opt-out request — timestamp, phone number, keyword used, and confirmation message sent. This proves you honored the request promptly.
• Message logs. Retain a log of every message sent — content, timestamp, recipient number, and delivery status. In a TCPA dispute, you need to demonstrate exactly what was sent and when.
• Retention period. The TCPA statute of limitations is four years. We recommend retaining all consent and message records for a minimum of five years. Some state cannabis regulations require their own retention periods — check your state's rules and use the longer requirement.

Both Alpine IQ and SpringBig store consent records and message logs automatically. However, we strongly recommend maintaining your own backup of all consent records independent of any platform. If you switch providers or a platform experiences data issues, your compliance documentation must survive.

Cannabis-Specific SMS Rules

Beyond general TCPA compliance, cannabis dispensaries must navigate content restrictions unique to the industry. These rules come from state regulators, carrier policies, and platform terms of service. Violating any of them can get your messages filtered, your account suspended, or your license reviewed.

• No health or medical claims. Do not claim that any cannabis product treats, cures, or prevents any medical condition in a text message. This is prohibited by virtually every state cannabis regulator and violates FDA guidelines. Phrases like "relieves anxiety," "helps with sleep," or "pain management" in a marketing text create immediate compliance risk.
• Age verification at every touchpoint. Your SMS opt-in process should include age verification. Many states require that cannabis marketing only reach individuals 21 and older. While you cannot technically verify age via text message alone, your opt-in language should include an age attestation ("By subscribing, you confirm you are 21 years of age or older"), and your online opt-in forms should include an age gate.
• No consumption imagery or language. Several states, including New York, prohibit marketing that depicts or encourages the consumption of cannabis. For SMS, this means avoiding descriptions like "smoke this" or "vape this deal." Keep promotional language focused on the product and the offer, not the act of consumption.
• Promotional limitations by state. Some states restrict or ban certain types of promotions in cannabis marketing. New York limits promotional pricing tactics. New Jersey restricts bundling offers. California has specific rules about loyalty program promotions. Before including any promotional offer in a text message, verify it complies with your state's current regulations. Our advertising compliance guide covers these rules in detail.
• Required disclaimers and license numbers. Several states (including Florida and Ohio) require that your dispensary license number appear in all advertising, including text messages. Check your state's requirements and build the necessary disclaimers into your message templates so they are included automatically.
• Carrier content filtering. Major wireless carriers actively filter cannabis-related text messages. Words like "marijuana," "weed," "THC," and "get high" are commonly flagged. Use compliant terminology — "cannabis," "dispensary," your brand name — and test your messages before sending to your full list. Platform-specific compliance tools in Alpine IQ and SpringBig help navigate carrier filtering.

How Alpine IQ and SpringBig Handle Compliance

The two leading cannabis marketing platforms both include built-in compliance features designed to keep dispensaries within TCPA and state regulatory boundaries. Here is what each platform offers and where gaps may still exist.

Alpine IQ Compliance Features

Alpine IQ provides automated consent management that records opt-in timestamps, source, and consent language for every subscriber. The platform includes configurable opt-out keyword processing (STOP, CANCEL, END, etc.) with instant suppression. Alpine IQ's content review tools flag messages that may contain carrier-filtered keywords or non-compliant health claims before you send. The platform also supports double opt-in flows and maintains a persistent suppression list across all campaigns.

Where Alpine IQ requires your attention: state-specific disclaimer language must be configured manually by your team or agency. The platform provides the tools, but you are responsible for ensuring the disclaimer content matches your state's current requirements. As part of our email and SMS marketing service, we configure these settings for every client during onboarding.

SpringBig Compliance Features

SpringBig is built specifically for cannabis and includes compliance guardrails tailored to the industry. The platform enforces double opt-in by default on most account types, maintains comprehensive consent records, and processes opt-out keywords automatically. SpringBig's compliance dashboard shows your current opt-in rate, opt-out rate, and any flagged messages that may have deliverability issues.

SpringBig's loyalty integration adds a compliance advantage: because the loyalty signup process naturally collects consent and age verification, dispensaries using SpringBig's loyalty program often have stronger consent documentation than those collecting SMS opt-ins separately. The platform also provides pre-built compliant message templates that include all required disclosures.

Frequently Asked Questions

The Bottom Line

SMS compliance is not optional, and for cannabis dispensaries, it is more complex than most operators realize. The TCPA sets the federal baseline, but state cannabis regulators, carrier policies, and platform requirements add layers that demand ongoing attention. The financial exposure is real — $500 to $1,500 per non-compliant message, class action risk, and the potential loss of your messaging channel or even your license.

The framework is straightforward: get proper written consent, document everything, include all required disclosures, honor every opt-out immediately, and tailor your content to your state's cannabis marketing rules. Use platforms like Alpine IQ and SpringBig that are built for cannabis compliance. Audit your program regularly. And keep records for at least five years. For a deeper look at SMS strategy beyond compliance, read our dispensary SMS marketing guide and our 2026 benchmarks report for current performance data.