SMS Compliance
How we are staying ahead of Compliance in SMS.
Legal Disclaimer: We are not attorneys and this is not legal advice – we recommend you work with your own attorneys, but you can take comfort knowing that our system has been vetted by multiple top TCPA legal experts.
Lead Sherpa + TCPA-Compliance SMS Laws
Carriers are rolling out “10DLC” (ten-digit long code) restrictions to monitor peer-to-peer (“P2P”) texting platforms like Lead Sherpa, and other app-to-peer (“A2P”) services will be required to follow this new protocol. Each carrier is rolling out its own set of rules which they interpret to be compliant with CTIA guidelines.
These rules include but are not limited to:
- Registration requirements for all campaigns
- A brand verification status
- Message filtering for non-compliant profiles
Using a non-compliant system exposes you to infinite risk – literally! Current penalties allow for a $500 fine per violation. A single non-compliant SMS campaign has the potential to bankrupt your company, and it is now possible to be held PERSONALLY liable for calls and texts that violate the statute.
The ONLY compliant SMS system for real-estate pros.
Built with “always-on” compliance and vetted by top attorneys, Lead Sherpa keeps your safety from litigators a top priority. We stay ahead of industry regulations, guidelines and rules so that you can focus on closing deals.
Other companies claim to be compliant when they are not – the ability to send RVM or automated follow-ups renders the entire system non-compliant. Prove it! Ask for an opinion letter written by an attorney who has vetted their system.
Important components of SMS Compliance
Consent
The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Controllers will also be required to provide evidence that their processes are compliant and followed in each case.
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in is becoming more important.
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows data subjects to demand a copy of their data in a common format. These two rights make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.
Access Requests
Data subjects have always had a right to request access to their data, but the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a one-month period (but this can be extended a further two months in some circumstances). In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Privacy by Design and DPIA
There are several new principles for entities that handle personal data, including a requirement to build in data privacy “by design” when developing new systems and an obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using “new technologies” or in risky ways. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organization time to come up with a way to mitigate them before the project is underway.
Data Privacy Officer
On the security side, the GDPR requires many businesses to have a Data Privacy Officer (DPO) to help oversee their compliance efforts. Organizations requiring DPOs include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations who process sensitive personal data on a large scale.
Contracts & Privacy Documentation
Since the GDPR is all about transparency and fairness, Controllers and Processors need to review their Privacy Notices, Privacy Statements, and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR compliant.
One-Stop Shop
One particular item in the GDPR should serve to make the lives of these Data Protection Officers easier: the GDPR’s new “one stop shop” provision, under which organizations with offices in multiple EU countries will have a “lead supervisory authority” to act as a central point of enforcement so they don’t struggle with inconsistent directions from multiple supervisory authorities.
Reporting Breaches
The GDPR contains a requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it unless the data was anonymized or encrypted. In practice, this will mean that most data breaches must be reported to the Data Protection Commissioner. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
Scope
The GDPR applies to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR likely applies to you.
Accountability
This concept requires Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained and appropriate technical and organizational measures should be taken to ensure and demonstrate compliance.
Severe Penalties
The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual turnover (whichever is greater).
If you’re already a Lead Sherpa customer or partner, please contact your customer success manager if you have any further questions.
Learn more about SMS compliance
TCPA (Telephone Consumer Protection Act) is a set of laws that govern telephone solicitations in the United States.
Yes, Lead Sherpa is compliant. Here’s why:
- You’re not selling anything – you are making a legitimate offer to purchase the recipient’s property.
- Lead Sherpa is NOT an auto-dialer. The software requires human intervention before every single message can be sent.
Make sure to check state laws since they do vary from state to state.
Here are some simple qualifying questions that anyone who is concerned about compliance should ask before choosing a texting solution:
Does the SMS system allow scheduled messaging of any kind? If yes, it is not TCPA compliant.
If the system can send a message without human intervention, it is not TCPA compliant.
Does the SMS system require opt-out language at the end of every message? If not, it is not CTIA compliant.
Can you pay to have the opt-out messaging removed? If yes, it is not CTIA compliant.
Does the SMS system require sender identification in the first message? If not, it is not CTIA compliant.
Does the SMS system require 10DLC Brand and Campaign registration? If not, it is not CTIA compliant.
Good news: we've enhanced the Lead Sherpa platform to keep you in compliance with recent industry changes.
Watch the 10-minute platform demo to see how we are keeping REIs like you compliant.

SMS Compliance Guide
Read our always-up-to-date guide on the state of SMS in real estate, including new CTIA standards being implemented by telecommunication carriers.
Evaluating Compliant SMS Software
This checklist will help you to determine if texting is compliant with your use case.
Recent SMS Compliance Changes
Read about recent SMS regulations to make sure you are staying compliant.