Website Policies for A2P 10DLC Registration: What Carriers and TCR Actually Look For
If you’ve submitted a 10DLC campaign registration and received a rejection with little explanation, there’s a good chance your website policies were part of the problem. The Campaign Registry (TCR) and the major mobile carriers — AT&T, T-Mobile, and Verizon — review your online presence as part of the vetting process, and they’re specifically looking for documentation that confirms your business is collecting consent properly, disclosing how subscriber data is handled, and operating a compliant opt-in flow.
For many businesses, this part of the registration process comes as a surprise. They’ve already completed their brand registration, set up their campaign use case, and started crafting their messages — only to hit a wall because their website doesn’t include the right policy language. A missing privacy policy, vague terms of service, or opt-in copy that doesn’t meet carrier standards can halt your entire A2P messaging program before a single text is ever sent.
This guide covers exactly what your website policies need to say, where they need to appear, and how to get your online presence aligned with 10DLC compliance requirements so your campaigns get approved and stay in good standing.
Why Carriers and TCR Review Your Website
The 10DLC registration framework was designed to reduce spam, phishing, and unwanted commercial messaging by verifying that the businesses sending A2P text messages are legitimate, compliant, and operating with documented consumer consent. One of the most direct ways carriers assess this is by reviewing your website.
Your website serves as independent, publicly accessible evidence of how your business operates. Carriers and TCR use it to verify:
- That your business is real and its online presence matches the brand information submitted in your registration
- That you have a published privacy policy that discloses your data handling practices, including SMS
- That your terms of service or messaging terms acknowledge your SMS program
- That your opt-in mechanisms include the specific disclosure language carriers require before granting campaign approval
Failing on any one of these points can result in a rejected registration, a delayed approval, or a reduced trust score that affects your deliverability and throughput long after approval. Understanding what reviewers are actually looking for — and building your website policies to match — is one of the highest-leverage steps you can take before submitting your 10DLC campaign.
The Privacy Policy: What It Must Disclose for SMS Compliance
Your privacy policy is the cornerstone of your website compliance documentation for A2P purposes. Most businesses already have some version of a privacy policy, but a generic template that covers data collection and cookies isn’t sufficient for SMS program compliance. Carriers expect your privacy policy to explicitly address how your business handles mobile subscriber data and what that data is used for.
At minimum, your privacy policy should include clear disclosures on the following:
How mobile numbers are collected. Your policy should explain the specific methods through which your business collects mobile phone numbers — web forms, keyword opt-ins, point-of-sale enrollment, and any other channels relevant to your program. Vague language like “we may collect contact information” doesn’t satisfy carrier review standards.
How mobile numbers are used. You must disclose what types of messages subscribers will receive — promotional offers, transactional alerts, appointment reminders, or other specific use cases. The more precisely this matches your registered campaign use case, the better.
How mobile data is protected and retained. Carriers want to see that you have documented practices around data security and retention periods for subscriber information. This doesn’t need to be exhaustive, but it needs to be present.
Whether data is shared with third parties. This is a critical disclosure point. Your privacy policy must state clearly whether mobile subscriber data is shared with, sold to, or used by any third parties — and if so, under what circumstances. Carriers are particularly attentive to this language because third-party data sharing is a common vector for spam campaigns.
How subscribers can opt out of data collection or messaging. Your policy should explain how subscribers can request removal of their data and how they can unsubscribe from SMS communications. Referencing the standard STOP opt-out mechanism here is a straightforward way to satisfy this requirement.
If your existing privacy policy doesn’t address these elements specifically, it needs to be updated before you submit or resubmit your 10DLC registration.
Terms of Service: Referencing Your SMS Program
Your terms of service (or terms and conditions) document is another place carriers look during the review process. Many businesses have terms of service that cover their product or service offering but make no mention of SMS communications. This is increasingly a problem under current carrier review standards.
Your terms of service should acknowledge your SMS program in a way that makes clear to subscribers what they’re agreeing to when they opt in. This doesn’t require an extensive standalone section — but it does require explicit language. Key elements to include:
Program description. A brief description of your SMS program and what types of messages subscribers can expect to receive.
Message frequency disclosure. An estimate of how often subscribers should expect to receive messages. “Message frequency may vary” is acceptable when volume isn’t fixed, but some indication of frequency is required.
Carrier disclaimer. The standard language “Message and data rates may apply” should appear in your terms of service and in your opt-in flows. This is a carrier-mandated disclosure that reviewers specifically look for.
Opt-out instructions. Even if you include opt-out language in your opt-in flows and confirmation messages, restating how subscribers can unsubscribe (reply STOP, contact customer service) in your terms of service reinforces your compliance documentation.
Link to privacy policy. Your terms of service should link directly to your privacy policy so that the two documents work together as a unified consent framework.
Opt-In Language: What Carriers Expect to See on Your Website
This is where many 10DLC registrations run into trouble. The opt-in experience on your website — the specific language displayed at the point where a subscriber provides their phone number — is scrutinized closely by carrier reviewers. Generic or incomplete opt-in language is one of the most common reasons registrations are rejected or flagged for review.
Carrier-compliant opt-in language needs to accomplish several things simultaneously. It must identify your business clearly, describe the type of messages the subscriber will receive, disclose message frequency and potential carrier charges, link to your privacy policy and terms of service, and make clear that consent is not a condition of purchase.
A compliant opt-in disclosure might look something like this:
“By submitting this form, you agree to receive recurring marketing text messages from [Business Name] at the number provided. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe. View our [Privacy Policy] and [Terms of Service].”
Each of these elements has a purpose. The business name ties the consent to a specific identifiable sender. The message type description sets expectations and aligns with your campaign registration. The frequency language satisfies carrier disclosure requirements. The STOP instruction confirms that a compliant opt-out mechanism exists. The policy links make your full consent documentation accessible at the moment of sign-up.
This language must appear adjacent to the phone number field — not buried in fine print below the submit button, not linked from a footnote, and not hidden in a general terms acknowledgment that doesn’t specifically reference SMS. Placement and proximity matter to reviewers because they reflect whether a subscriber could reasonably understand what they were agreeing to.
Keyword and Confirmation Message Alignment
Carrier reviewers often also check that the messaging in your website opt-in flows aligns with your confirmation message and campaign registration details. If your website says subscribers will receive “promotional offers and exclusive deals” but your registered campaign use case is listed as transactional, that inconsistency can trigger a review flag.
Make sure the language in your website opt-in disclosure, your auto-reply confirmation message, and your TCR campaign description are all consistent with each other. Consistency across these touchpoints signals to reviewers that your program is organized, intentional, and operating in good faith — all factors that contribute positively to your trust score.
Common Website Policy Mistakes That Cause 10DLC Rejections
After reviewing dozens of 10DLC submissions, certain website policy problems come up repeatedly. The most common include:
No privacy policy at all, or a privacy policy that was last updated years ago and makes no mention of SMS communications. A generic terms of service template that covers only products and services with no reference to messaging. Opt-in language that identifies the program as SMS but omits carrier charges, opt-out instructions, or policy links. Phone number collection forms with no opt-in disclosure adjacent to the input field — only a general terms checkbox at the bottom of the form. Inconsistency between the opt-in language on the website and the campaign description submitted to TCR.
All of these are fixable. Most require only modest updates to existing pages rather than full rewrites. The key is knowing what reviewers are looking for before you submit — not after you receive a rejection notice.
Getting Your Website Ready Before You Register
The best time to align your website policies with A2P compliance requirements is before your initial 10DLC submission, not after a rejection forces you to revisit them. Review your privacy policy, terms of service, and all phone number collection forms against the standards outlined here. If you’re updating existing policies, make sure the changes are live and publicly accessible before you submit — reviewers are checking your actual website, not a draft or staged version.
For businesses that are resubmitting after a rejection, start with the website review before changing anything in your TCR submission. In many cases, fixing the website documentation and then resubmitting resolves the issue without requiring changes to your registered campaign information.
Stay Current on A2P Compliance Requirements
Carrier requirements for 10DLC registration and website policy compliance continue to evolve as the A2P ecosystem matures. What satisfied a reviewer eighteen months ago may not be sufficient today, and the standards for consent documentation are moving in the direction of greater specificity, not less.
Subscribe to the mytcrplus.com YouTube channel for ongoing updates on 10DLC registration requirements, carrier compliance standards, and SMS best practices. Whether you’re registering for the first time or managing an existing program, staying ahead of compliance changes is the most reliable way to protect your sender reputation and keep your messaging program running without interruption.
Getting your website policies right is foundational work — but it’s also work that pays dividends every time a new campaign goes through review without a rejection.
