The Short Version
If you use a service like Twilio, Plivo, or Bandwidth to send text messages from a regular 10-digit business number in the United States, you are required to register that traffic with the mobile carriers. This registration process is called A2P 10DLC — short for "Application-to-Person, 10-Digit Long Code."
It's not optional. Carriers started filtering unregistered traffic in 2023, and the enforcement has only tightened since. Unregistered campaigns get lower deliverability, higher per-message fees, and in some cases complete rejection.
For a small business, the practical impact of A2P 10DLC is simple: you register your "campaign," your application gets reviewed by a third-party vetting body, and if anything is out of order, you lose the $15 vetting fee and cannot send any texts until you pass a review.
This guide covers what the review actually checks, the mistakes that cause rejections, and how to get approved on the first attempt.
What A2P 10DLC Actually Is
A2P 10DLC is a registration framework maintained by The Campaign Registry (TCR), an industry body backed by the major U.S. mobile carriers. Every SMS-sending service (Twilio and others) is plugged into this registry.
When you register, you declare two things:
- Your brand — the legal entity sending the texts, including EIN, business type, and contact details
- Your campaign — the specific use case (customer care, marketing, notifications, appointment reminders, etc.) and what your messages look like
The brand registration is a one-time cost (usually $4 for sole proprietors, higher for larger entities). The campaign registration is where you pay the $15 vetting fee per campaign — and where most rejections happen.
Key fact: The $15 campaign vetting fee is charged every time the review runs — not just on the first submission. Every resubmit after a rejection is another $15, and the cost compounds fast. Getting the campaign approved on the first attempt is the only way to avoid that cumulative cost.
What the Review Actually Checks
The review isn't just looking at your forms. It's cross-checking what you say you'll send against what you're set up to send and what your website promises.
1. Sample Messages
You'll be asked for 2 to 5 sample messages. These are checked for:
- A clear identification of your business in the first message of any conversation
- STOP opt-out language (for example: "Reply STOP to unsubscribe")
- Consistency with the campaign's use case — an "appointment reminder" campaign should not include marketing copy
2. Policy URLs
The review requires two publicly accessible URLs on your website:
- A Privacy Policy that explicitly addresses SMS — how phone numbers are collected, stored, and used; whether data is shared with third parties; and the user's right to opt out
- A Terms of Service (or SMS Terms) that covers message frequency, message-and-data-rates disclosure, and the keyword responses a user will get when they text HELP or STOP
3. The Opt-In Flow
You have to describe, in plain language, how a person gives consent to receive texts. This is called the "message flow." If your flow is "a person fills out a form on our website," the reviewer may visit that form to confirm it actually includes a checkbox or explicit language indicating consent to SMS.
4. HELP and STOP Keyword Responses
When a user texts HELP, your system must automatically respond with support information. When a user texts STOP, your system must respond with an opt-out confirmation and stop sending to that number. Both responses need to be configured in your SMS platform before submission — not after.
The True Cost of Failing a Review
There's a common misconception that a rejected campaign means your texts just get "blocked." That's not quite right. Here's what actually happens:
- You submit your campaign and pay $15 to the vetting body.
- TCR reviews it, typically within a few business days.
- If rejected, you get an error code (often a vague one like "CTA verification failure") and a brief message pointing at the area of concern.
- Your account cannot send SMS under that campaign until the review passes.
- You edit the campaign and resubmit — and in practice each resubmit is another $15 charge.
- Deleting and recreating the campaign is a fresh $15 charge too.
The cost has two components. First, each submission — including every resubmit after a rejection — is a fresh $15 charge, so a campaign that takes three tries to get right is $45 out of pocket with nothing to show for it except a (hopefully) approved campaign. Second, campaign reviews can take multiple business days, and while you're stuck in the cycle, your business is operating with no outbound SMS capability. For service businesses that rely on appointment reminders, confirmation texts, or lead follow-up, that's a real operational gap on top of the direct cost.
The Mistakes That Cause Most Rejections
The failure reasons that show up again and again in rejected campaigns:
Policy URLs That Don't Exist (Or Don't Cover SMS)
Reviewers will open the Privacy Policy and Terms URLs you submit. If those pages return 404, if they aren't accessible without login, or if they don't mention SMS at all, the campaign is rejected. A Privacy Policy that only discusses cookies is not sufficient.
Sample Messages Without Opt-Out Language
Every sample message — including "You have an appointment tomorrow at 2pm" — should include STOP instructions somewhere in the flow (usually in the initial message). Reviewers don't assume you'll add it later.
A Mismatched Use Case
Submitting sample marketing copy under a "Customer Care" use case gets rejected. Use cases have specific definitions — read them before picking one.
Missing Message-and-Data-Rates Disclosure
Both your website and your initial SMS message flow must include the disclosure "Message and data rates may apply." This wording is specifically what reviewers look for.
Incorrect Opt-In Description
Describing the opt-in flow as "customers provide their number during consultation" isn't enough. The reviewer wants to see the mechanism — the form, the checkbox, the explicit language. "Customer checks a box on our contact form that says 'I consent to receive SMS updates'" is what passes.
Editing and Resubmitting via API Can Silently Drop Your Policy URLs
Some SMS platforms allow editing a rejected campaign through their API instead of their console UI. Historically this has had a dangerous quirk: editing the campaign via API could silently drop the Privacy Policy URL and Terms URL from the campaign record entirely — even though the edit call looked successful. The campaign would then be resubmitted for review with no policy URLs attached, guaranteeing another rejection (and another $15 charge) for missing fields that you thought were still there.
Major SMS platforms have improved handling of this over time after customer support tickets, but the general practice is worth keeping: after any API edit of a vetted campaign, pull the full campaign record through a separate GET request and verify that every required field — especially Privacy Policy URL and Terms URL — is still populated before it goes to review. Don't trust the edit response body; trust the fresh read.
A Country-Restricted Website Will Get Your Campaign Rejected
The vetting body's reviewers can access your policy URLs from IP addresses outside the United States. If your website's firewall, CDN, or hosting provider restricts traffic to U.S. visitors only, those reviewers will see 404 errors or blocked responses — and they'll reject the campaign for "missing policy URLs" even though the URLs are live and working for your U.S. customers.
The fix is simple but easy to miss: during the vetting process, your Privacy Policy and Terms pages must be accessible from anywhere in the world. Once the campaign is approved, you can re-enable country restrictions if you want.
As a side note: country restrictions are a reasonable security practice for a small business that doesn't operate globally. If all your customers are in North America, there's no business reason for traffic from other continents to reach your website at all — and restricting it cuts down on bot scanning, reduces the surface area for scraping, and eliminates entire classes of automated attacks that originate from regions you don't do business in. Just remember to lift the restriction temporarily whenever you're being vetted for something that requires external auditors to access your site.
A recurring failure mode: Many small businesses try to register a campaign via the SMS platform's API. The API may be missing fields that the console UI requires — particularly the Privacy Policy URL and Terms URL. An API-created campaign with those fields absent is guaranteed to fail review. Always create and edit campaigns in the console interface.
Your Website Has to Be Ready Before You Apply
A2P 10DLC reviewers check your website as part of their audit. If your site isn't ready, your campaign isn't ready.
Privacy Policy Requirements
Your Privacy Policy must specifically address:
- That you collect phone numbers for SMS communications
- How those numbers are stored, secured, and used
- Whether numbers are shared with third parties (usually "no," but state it explicitly)
- The user's right to request deletion
Terms of Service (SMS Addendum) Requirements
Your Terms of Service (or a linked SMS Terms page) must include:
- Program name (what the SMS program is called — for example, "Appointment Reminders")
- Program description (what kinds of messages users will receive)
- Message frequency cap ("Up to 10 messages per month" is a common low-volume setting)
- The phrase "Message and data rates may apply"
- Instructions for HELP and STOP keywords
- Support contact information (phone and email)
If your Terms of Service page currently has none of this, adding it is usually a 30-minute job — but it's the one piece most small businesses skip, and it's the fastest path to rejection.
A Pre-Submission Checklist
Before you click "Submit" on your campaign registration, work through this list:
Website Readiness
- Privacy Policy URL is live and publicly accessible
- Privacy Policy explicitly addresses SMS collection and use
- Terms of Service URL is live and publicly accessible
- Terms of Service includes an SMS addendum with program name, frequency, rates disclosure, and HELP/STOP instructions
Campaign Content
- Use case matches the actual content of your messages (not aspirational)
- 5 sample messages prepared, each containing STOP language
- "Embedded links" flag set to true if any sample message contains a URL
- "Embedded phone" flag set to true if any sample message contains a phone number
- Message-flow description names the specific opt-in mechanism
Platform Configuration
- HELP keyword response configured with support contact
- STOP keyword response configured to confirm opt-out
- Campaign created in the SMS platform's console (not the API)
Paperwork
- EIN or tax ID matches the brand registration exactly
- Business address and phone number match what's on your website
A Note on Compliance Edits
If your first submission is rejected, read the failure reason carefully before resubmitting. The rejection language is often vague — a code like "30909" or "CTA verification failure" — and it's tempting to assume the reviewer missed something and just resubmit as-is.
Don't. Every resubmission is a fresh review — and a fresh $15 charge. If the reviewer flagged your Privacy Policy and you resubmit without changing it, the next reviewer will flag it too, and you'll have paid twice for the same rejection. Treat each resubmission as an expense you want to avoid repeating.
The three most common edits that convert a rejection into an approval:
- Adding or updating SMS-specific language in the Privacy Policy
- Rewriting sample messages to include STOP instructions in the opening message
- Adding an SMS addendum to the Terms of Service page with the exact required elements
Conclusion
A2P 10DLC is a compliance process, not a technical one. The review doesn't check the quality of your code or the design of your opt-in form — it checks whether your documented policies match what you're actually going to send, and whether a reasonable user would understand what they're consenting to.
Most first-time rejections come down to one of three things: a Privacy Policy that doesn't mention SMS, sample messages that don't include opt-out language, or a use case that doesn't match the content. Fix those three, and you'll pass on the first try.
If you're setting up business texting for the first time — or recovering from a rejected campaign — take the extra day to get your website policies in order before you submit. It's the cheapest hour of work in the entire process.