TCR Error Code 9108: What It Means, Why It Happens, and How to Fix It Fast
If you’ve submitted a 10DLC A2P campaign through The Campaign Registry and received Error Code 9108, your campaign has been rejected due to a privacy policy issue. It’s one of the more common rejection codes businesses encounter — and fortunately, one of the more fixable ones. But “fixable” doesn’t mean trivial. Carriers and TCR reviewers take privacy policy compliance seriously, and a rushed or incomplete remediation will often result in a second rejection.
This guide breaks down exactly what Error 9108 means, the specific triggers that cause it, and the step-by-step remediation process to get your campaign approved and your messages flowing again — often within days.
What Is TCR Error Code 9108?
Error Code 9108 is a campaign rejection issued by The Campaign Registry (TCR) and the downstream carriers — AT&T, T-Mobile, and Verizon — that audit registered campaigns before approving them for A2P messaging. The error specifically signals a privacy policy failure associated with your website or campaign consent flow.
The rejection doesn’t always mean you have no privacy policy. It means your privacy policy failed to meet one or more of the standards carriers and TCR require for SMS data handling, consumer opt-out rights, and data disclosure. In some cases, the policy exists but is inaccessible. In others, the policy exists and is accessible but doesn’t contain the right SMS-specific language. In still others, the policy is perfectly written but is inconsistently linked or disconnected from your opt-in flow — which is enough to trigger the flag.
Understanding the specific version of the problem you’re dealing with is the first step toward resolving it efficiently.
Common Triggers for Error Code 9108
TCR reviewers and carrier vetting systems evaluate your privacy policy across several dimensions. Any one of the following issues is enough to generate a 9108 rejection:
No Privacy Policy Page at All Some businesses — particularly smaller operations or newer e-commerce stores — simply haven’t published a formal privacy policy. If your website doesn’t have one, this is the first and most straightforward fix. You cannot operate an A2P SMS program without a publicly accessible, properly structured privacy policy.
Broken or Inaccessible Links Your privacy policy may exist on your website, but the link provided during campaign registration is broken, returns a 404 error, requires a login to access, or redirects incorrectly. TCR’s automated systems and carrier reviewers will attempt to crawl the link you provide. If they can’t access it, the campaign will be flagged regardless of what the policy actually says.
Generic Privacy Policy Language Without SMS References This is the most common version of the 9108 problem. Many businesses use boilerplate privacy policies generated for e-commerce or general data collection purposes — but these templates rarely include any language about SMS messaging, phone number collection, or text-based communications. Carriers require that your privacy policy explicitly address how you collect, use, store, and protect mobile phone numbers in the context of your SMS program. A policy that doesn’t mention SMS at all, even if it’s otherwise comprehensive, will fail this review.
Missing Required Disclosures Beyond SMS mentions, there are specific disclosures carriers expect to see. These include: how consumers can opt out of SMS communications (and what happens when they do), how long their data is retained, whether their phone number is shared with third parties or affiliates, and what categories of messages they’ll receive. Missing any of these elements — even if the rest of the policy is solid — can result in a 9108 rejection.
Inconsistency Between the Policy and the Campaign Use Case If your campaign is registered for one category of messaging — say, marketing promotions — but your privacy policy describes data usage in a way that contradicts or doesn’t align with that use case, carriers will flag the mismatch. Similarly, if your opt-in form describes one type of messaging consent but your privacy policy describes another, that inconsistency is a red flag.
No Link from the Consent Form or Opt-In Touchpoint Even a perfectly written, fully accessible privacy policy can contribute to a 9108 rejection if it isn’t visibly linked from the point where consumers provide consent. TCR expects that subscribers can review your privacy policy at the exact moment they’re deciding to opt in. If your opt-in form, landing page, or checkout flow doesn’t include a clear, working link to your privacy policy, reviewers may treat this as a consent integrity issue.
Why Carriers Flag Privacy Policy Issues
Mobile carriers are operating under increasing regulatory and legal pressure around A2P messaging. TCPA litigation, FCC oversight, and growing consumer complaints about unwanted texts have pushed AT&T, T-Mobile, and Verizon to scrutinize campaign registrations far more aggressively than they did even a few years ago.
From the carrier’s perspective, a business that can’t demonstrate a properly structured privacy policy is a business that may not be handling consumer data — including mobile phone numbers — with appropriate care. That’s a liability risk for the carrier’s network and a reputational risk for the broader 10DLC ecosystem. Flagging and rejecting campaigns that lack adequate privacy documentation is the carrier’s way of enforcing minimum standards before granting network access.
Each major carrier has published its own messaging policies and code of conduct, and they each evaluate submitted campaigns against those standards. A policy that satisfies one carrier’s minimum requirements may still fall short of another’s. This is why generic privacy policies — even ones that technically mention SMS — often still fail: they’re not written with carrier-specific expectations in mind.
Step-by-Step: How to Fix TCR Error Code 9108
Step 1: Audit Your Current Privacy Policy (or Create One)
Start by locating your existing privacy policy and evaluating it against the checklist in this guide. If you don’t have one, you’ll need to create one before proceeding. There are compliant template generators available online — including tools specifically designed for SMS programs — but be cautious with fully automated generators. The output should be reviewed for SMS-specific completeness before you publish it.
Step 2: Add Explicit SMS Language
Your privacy policy must directly address your SMS program. At minimum, include language that covers:
- How you collect mobile phone numbers (e.g., “We collect phone numbers when you opt in to receive SMS notifications through our website contact forms.”)
- What types of SMS messages subscribers will receive (promotional, transactional, appointment reminders, etc.)
- How subscribers can opt out at any time (typically by replying STOP)
- Whether you share phone numbers with third parties, and if so, with whom and for what purpose
- How long you retain subscriber phone numbers and what happens to that data upon opt-out
Step 3: Ensure the Policy is Publicly Accessible and Crawlable
Host your privacy policy on a public-facing page of your website. Make sure the URL is stable, doesn’t require authentication to access, and returns a proper 200 HTTP status. The page should be indexable by search engines and crawlable by TCR’s and carriers’ review systems. Avoid hosting it behind a login wall, inside a PDF that requires downloading, or on a domain that isn’t directly associated with your business.
If your business doesn’t have a dedicated website, consider a hosted microsite specifically for your SMS program. Several compliance platforms offer hosted policy pages that meet carrier requirements and include a stable, verifiable URL.
Step 4: Link the Policy from Your Opt-In Touchpoints
Every place where a consumer can provide consent to receive SMS messages — your website forms, checkout pages, landing pages, text-to-join flows — should include a clearly visible link to your privacy policy. The link should appear in close proximity to the consent language itself, not buried in a site footer or hidden behind a generic “legal” menu.
Step 5: Update Your Campaign Registration
Once your privacy policy is updated, accessible, and properly linked from your opt-in flow, update the privacy policy URL in your campaign registration through your CSP (Campaign Service Provider) or directly in TCR. Resubmit for carrier vetting. If you’ve addressed all the issues correctly, approval typically follows within a few business days.
Carrier-Specific Expectations: AT&T, T-Mobile, and Verizon
While the core requirements are consistent across carriers, there are some nuances worth understanding.
T-Mobile is generally considered the most stringent reviewer in the 10DLC ecosystem. Their vetting process is thorough and they’re particularly attentive to whether opt-in flows and privacy policies are consistent with each other. Inconsistencies that might pass AT&T’s review are more likely to generate a flag from T-Mobile.
AT&T places strong emphasis on data handling disclosures and third-party data sharing language. If your business works with SMS service providers, marketing platforms, or data aggregators, AT&T wants to see that relationship disclosed in your policy.
Verizon focuses heavily on opt-out mechanism clarity. Your policy should explicitly state that consumers can reply STOP at any time and that opt-out requests will be honored promptly.
Addressing all three carriers’ priorities in a single, well-structured privacy policy is entirely achievable — it just requires being thorough rather than minimal.
Industries Most Affected by Error 9108
Error Code 9108 appears across virtually every industry that runs SMS programs, but certain sectors encounter it with disproportionate frequency due to the nature of their data handling and the heightened scrutiny they attract from carriers:
E-commerce businesses often use third-party platforms for both their websites and SMS tools, and the privacy policy on their storefront may not reflect their actual SMS data practices. Platform-generated policies are especially prone to lacking SMS-specific language.
Healthcare providers face additional complexity because SMS programs in healthcare settings may involve PHI (protected health information). Carriers expect healthcare SMS operators to have privacy policies that explicitly address HIPAA compliance alongside standard SMS disclosures.
Financial services and insurance companies are subject to elevated scrutiny because of the sensitivity of the data involved and the frequency of TCPA litigation in these sectors. Carrier reviewers apply a higher bar to privacy policy quality for these campaigns.
Staffing and recruiting firms that use SMS for candidate outreach need to be particularly careful about how they describe data retention and third-party sharing, since candidate phone numbers may move through multiple systems.
Legal services providers are among the highest-risk categories for TCPA exposure, and carriers reflect that by reviewing their campaign documentation — including privacy policies — with additional care.
Prevention: How to Avoid Error 9108 on Future Submissions
The best time to address privacy policy compliance is before you submit a campaign, not after a rejection. Build these practices into your pre-submission process:
Run a privacy policy audit every time you register a new campaign. Confirm the policy URL is live, accessible, and contains current SMS-specific language that matches the campaign use case you’re registering.
Maintain a stable, dedicated URL for your privacy policy and don’t change it without updating your campaign registrations. A policy that was valid when a campaign was registered can still trigger issues during re-review if the URL has changed or the content has been altered.
Use a pre-submission checklist that includes: privacy policy URL verification, opt-in flow review, consent language audit, and carrier-specific requirement cross-check. Many CSPs provide compliance review tools that can catch common issues before submission.
Consider a hosted microsite for your SMS program if your primary website doesn’t lend itself to easy policy updates. A dedicated, stable landing page with your opt-in flow, consent language, and privacy policy in one place is a clean, verifiable package that tends to perform well in carrier review.
Get Your Campaign Approved and Keep It Running
TCR Error Code 9108 is a fixable problem — but it requires genuine attention to what carriers and TCR are actually looking for, not just a quick edit to an existing page. The businesses that resolve it fastest are the ones that treat the remediation as an opportunity to build a privacy infrastructure that will hold up not just for this campaign, but for every SMS program they run going forward.
For more guidance on 10DLC registration, A2P compliance, trust score optimization, and avoiding common campaign rejection errors, subscribe to the mytcrplus.com YouTube channel and explore the full library of SMS compliance resources at mytcrplus.com.
