Compliance is the silent killer of agency operators. It's silent because it doesn't make itself known until something goes wrong. The first warning sign is usually a demand letter for a TCPA violation, where a single text message sent at the wrong time to the wrong number costs $1,500 per send. Multiply by a list of 800 numbers and your agency just received an invoice for the entire year's revenue.
The four compliance frameworks below — TCPA, A2P 10DLC, CAN-SPAM, and GDPR — govern almost every outbound action an agency operator takes. They are not optional. Understanding them at the structural level (not the rules-list level) is what separates operators who can scale safely from operators who scale into a class-action.
Here's what each framework actually requires, in 2026, with the architectural decisions that keep you compliant.
Framework 1: TCPA (the Telephone Consumer Protection Act)
Jurisdiction: US federal law, enforced by the FCC and through private right of action.
Covers: Outbound phone calls, SMS, and ringless voicemail to US phone numbers.
Penalty: $500-1,500 per violation, often summable per recipient (so a 1,000-number list with one violation = up to $1.5M exposure).
TCPA is the single most expensive compliance framework to violate. The private right of action means consumers can sue directly without involving regulators, and class-action firms specialize in finding TCPA violations to assemble class plaintiffs.
What TCPA requires:
- Prior express written consent for marketing calls or texts to mobile numbers that use an automated dialing system. "Written" includes electronic checkbox, but the consent has to be specific (not buried in a generic terms-of-service) and unambiguous.
- Time-window enforcement. No marketing calls or texts before 8am or after 9pm in the recipient's local time zone. The recipient's local time, not yours. A call from California to Maine at 5pm Pacific is 8pm Eastern — still legal. A call at 6pm Pacific is 9pm Eastern — borderline. A call at 7pm Pacific is 10pm Eastern — illegal.
- STOP keyword honoring. When a recipient texts STOP (or any reasonable variant — "Stop," "stop," "Unsubscribe," "Remove me," "Don't text me again"), the opt-out is immediate and permanent. Continuing to send after STOP is a per-violation fine.
- Internal Do-Not-Call list. Maintain a list of every recipient who has opted out. Check every outbound dispatch against the list.
- National DNC registry compliance. For sales calls (not strictly marketing texts), check every phone number against the National Do-Not-Call Registry before dialing.
Architectural implications:
- The opt-out list cannot be per-campaign. It must be at the workspace level so every campaign honors every prior opt-out.
- Time-window enforcement requires mapping every phone number to a timezone (typically by area code, with corrections for portability).
- STOP classification must handle natural-language variants — not just exact-match "STOP." Most operators use an AI classifier for this.
We covered the workspace-level suppression architecture in the 7 hidden gaps post and the SMS-specific implementation in the dormant nurture sequence post.
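The three architectural implications above (a workspace-level opt-out list, a timezone lookup per number, and STOP handling that accepts natural-language variants) fit together as a single pre-send gate. The block below is an added example, not code from the post or from any platform it mentions: the area-code map, phone numbers and timestamps are constructed, fixed standard-time offsets stand in for a real IANA-zone lookup, and a rule-based phrase matcher stands in for the AI STOP classifier the post describes. An unknown timezone and the 9pm boundary the post calls borderline are both treated as a refusal.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed toy map from US area code to standard-time UTC offset. A production
# gate maps each number to an IANA zone (for example via zoneinfo) so that DST and
# ported numbers are handled; fixed offsets keep this example free of tzdata.
AREA_CODE_UTC_OFFSET: Dict[str, int] = {
    "415": -8,  # San Francisco (Pacific)
    "207": -5,  # Maine (Eastern)
    "312": -6,  # Chicago (Central)
}

SEND_WINDOW_OPEN = 8    # first permitted local hour (8am)
SEND_WINDOW_CLOSE = 21  # sends at or after this local hour are refused (9pm)

# Rule-based stand-in for the AI STOP classifier the post mentions: normalise case
# and curly apostrophes, then look for whole-word opt-out phrases.
STOP_PHRASES = re.compile(
    r"\b(stop|unsubscribe|cancel|end|quit|remove me|don't text me)\b", re.IGNORECASE
)


def normalize_number(raw: str) -> str:
    """Reduce any US number format to its 10 digits so suppression lookups are exact."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit US number: {raw!r}")
    return digits


def is_stop_request(text: str) -> bool:
    """True for STOP and its natural-language variants; errs toward opting out."""
    cleaned = text.replace("\u2019", "'").lower()
    return STOP_PHRASES.search(cleaned) is not None


def local_hour(number: str, sent_at_utc: datetime) -> Optional[int]:
    """Recipient's local hour, or None when the area code is not in the map."""
    offset = AREA_CODE_UTC_OFFSET.get(number[:3])
    if offset is None:
        return None
    return sent_at_utc.astimezone(timezone(timedelta(hours=offset))).hour


def within_send_window(number: str, sent_at_utc: datetime) -> bool:
    """8am-9pm in the recipient's local time; an unknown timezone fails closed."""
    hour = local_hour(number, sent_at_utc)
    if hour is None:
        return False
    return SEND_WINDOW_OPEN <= hour < SEND_WINDOW_CLOSE


class Workspace:
    """One opt-out list shared by every campaign in the workspace, never per campaign."""

    def __init__(self) -> None:
        self.opted_out: Dict[str, datetime] = {}  # number -> when the STOP arrived

    def record_inbound(self, raw_number: str, text: str, received_at: datetime) -> bool:
        """Apply an inbound reply; returns True when it was treated as an opt-out."""
        number = normalize_number(raw_number)
        if not is_stop_request(text):
            return False
        self.opted_out.setdefault(number, received_at)  # keep the first opt-out time
        return True

    def gate(self, raw_number: str, sent_at_utc: datetime) -> Tuple[bool, str]:
        """Decide whether one marketing SMS may go out, with the reason when it may not."""
        number = normalize_number(raw_number)
        if number in self.opted_out:
            return False, "suppressed: recipient opted out"
        if not within_send_window(number, sent_at_utc):
            return False, "outside 8am-9pm recipient local time, or timezone unknown"
        return True, "ok"


def run_example() -> Dict[str, bool]:
    """The post's California-to-Maine scenario, returned as booleans so it can be checked."""
    ws = Workspace()
    maine, california = "+1 (207) 555-0100", "(415) 555-0100"  # constructed numbers
    # 5pm, 6pm and 7pm Pacific on 15 Jan 2026, expressed in UTC (01:00, 02:00, 03:00 on the 16th).
    five_pm, six_pm, seven_pm = (
        datetime(2026, 1, 16, h, 0, tzinfo=timezone.utc) for h in (1, 2, 3)
    )
    results = {
        "maine_5pm_pacific": ws.gate(maine, five_pm)[0],             # 8pm Eastern: allowed
        "maine_6pm_pacific": ws.gate(maine, six_pm)[0],              # 9pm Eastern: refused
        "maine_7pm_pacific": ws.gate(maine, seven_pm)[0],            # 10pm Eastern: refused
        "california_7pm_pacific": ws.gate(california, seven_pm)[0],  # 7pm Pacific: allowed
    }
    ws.record_inbound("415-555-0100", "Don\u2019t text me again", seven_pm)
    results["california_after_stop"] = ws.gate(california, seven_pm)[0]  # suppressed
    return results


if __name__ == "__main__":
    for label, allowed in run_example().items():
        print(f"{label}: {'send' if allowed else 'blocked'}")
```

The phrase matcher deliberately over-matches ("I can't stop thinking about this" would opt the sender out), which is the cheaper error in this framework; a classifier that under-matches is the one that produces the per-violation exposure the post describes.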
Framework 2: A2P 10DLC (Application-to-Person 10-Digit Long Code)
Jurisdiction: Mobile carrier requirement, enforced by carriers (T-Mobile, AT&T, Verizon) via the Campaign Registry.
Covers: Any outbound SMS sent from a 10-digit US phone number using application-to-person messaging (i.e., a business sending to consumers via API).
Penalty: Carrier-level filtering or blocking; in extreme cases, carrier termination of your messaging privileges.
A2P 10DLC is technically a carrier requirement, not a legal one — but functionally, it's required for any agency sending SMS to US consumers. Without it, your SMS gets aggressively filtered and reaches maybe 30% of recipients.
What A2P 10DLC requires:
- Brand registration. The business sending the SMS registers with The Campaign Registry, providing legal entity name, EIN, address, and contact info. Approval takes 1-3 weeks.
- Campaign registration. Each messaging use case (cold outreach, transactional confirmations, customer service, etc.) is registered as a separate "campaign" with sample message templates and an opt-in description.
- Throughput limits by trust score. A registered brand gets a trust score (1-100). Higher scores allow higher messaging throughput. Cold outbound campaigns typically score lower than transactional/customer-service campaigns.
- Sample message review. Carriers can review and reject sample messages. Marketing copy that triggers content filters (e.g., excessive emojis, all-caps, suspicious links) gets the campaign rejected.
Architectural implications:
- Registration is per-business-entity, not per-agency. If your agency is sending on behalf of clients, each client needs their own A2P registration. Multi-tenant SMS infrastructure has to handle per-client trust scores and per-client throughput limits.
- Sample messages submitted at registration constrain what you can actually send. Don't submit "Hi {first_name}, want to buy?" as a sample — submit your real message templates.
- Trust score impacts throughput. A new client's first 30 days have lower throughput than the same client at month 6 with established positive engagement.
Framework 3: CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
Jurisdiction: US federal law, enforced by the FTC.
Covers: Commercial email (marketing email) sent from US senders to any recipient, or to US recipients from any sender.
Penalty: $51,744 per violating email as of 2026 (adjusted annually for inflation).
CAN-SPAM is the most-violated framework simply because the rules feel obvious — and operators assume they're already compliant when they're not.
What CAN-SPAM requires:
- Honest header information. The "From," "To," and "Reply-To" fields must accurately identify the sender. No spoofing, no misleading display names.
- Honest subject lines. The subject line cannot deceive about the content of the email. "Re: your account" when it's not actually a reply violates this.
- Clear identification as advertisement. The email must be identifiable as an advertisement. This doesn't require labeling it "AD" — it can be inferred from context. But ambiguous transactional-looking marketing emails violate this.
- Physical postal address. Every commercial email must include the sender's valid physical postal address. A P.O. box that is properly registered with USPS is officially acceptable, but the safe answer is a real street address.
- Working unsubscribe mechanism. The email must include a clear, conspicuous opt-out mechanism. The unsubscribe link must remain functional for at least 30 days after sending.
- Honor opt-outs within 10 business days. Once a recipient opts out, you have 10 business days to stop sending to them. Practically, you should honor immediately.
- Monitor third-party senders. If you hire someone else to send email on your behalf, you're legally responsible for their compliance with CAN-SPAM. Agencies sending on behalf of clients are in this position.
Architectural implications:
- The footer with physical address must be injected automatically into every outbound email — never relied on operator memory.
- Unsubscribe links must route through the agency's infrastructure (not the email tool's default), so the unsubscribe lands in the workspace-level suppression list.
- Honoring opt-outs has to be near-real-time, not eventual. We covered the architectural pieces in the agency operator pre-flight checklist.
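The three CAN-SPAM implications above describe one piece of infrastructure: a single builder that every outbound email passes through, which injects the footer, points the unsubscribe link at the agency's own endpoint, and lands the click in the workspace suppression list that is checked before each send. The block below is an added example, not code from the post or from any email tool it mentions. The postal address, secret, endpoint URL and addresses are constructed placeholders; the HMAC token on the link is an addition beyond the post's text, so that a link cannot be edited to opt out a different recipient.

```python
import hashlib
import hmac
from email.message import EmailMessage
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example. A real deployment loads the HMAC secret from a
# secrets manager and the postal address from the sending client's profile.
UNSUBSCRIBE_SECRET = b"example-only-secret-rotate-me"
SENDER_POSTAL_ADDRESS = "Example Agency LLC, 123 Main Street, Suite 400, Springfield, IL 62701"
UNSUBSCRIBE_BASE_URL = "https://unsubscribe.example.invalid/u"  # hypothetical agency-owned endpoint


def unsubscribe_token(recipient: str, campaign_id: str) -> str:
    """HMAC over recipient and campaign, so a link cannot be edited to opt out someone else."""
    message = f"{recipient.lower()}|{campaign_id}".encode()
    return hmac.new(UNSUBSCRIBE_SECRET, message, hashlib.sha256).hexdigest()


def unsubscribe_url(recipient: str, campaign_id: str) -> str:
    """Agency-owned link: the click lands in the workspace suppression list, not a vendor's."""
    query = urlencode(
        {"e": recipient, "c": campaign_id, "t": unsubscribe_token(recipient, campaign_id)}
    )
    return f"{UNSUBSCRIBE_BASE_URL}?{query}"


def compliance_footer(recipient: str, campaign_id: str) -> str:
    """Physical address plus working unsubscribe link, appended to every message body."""
    return (
        "\n\n--\n"
        f"{SENDER_POSTAL_ADDRESS}\n"
        f"Unsubscribe: {unsubscribe_url(recipient, campaign_id)}\n"
    )


def build_email(sender: str, recipient: str, subject: str, body: str, campaign_id: str) -> EmailMessage:
    """Every outbound email is built here, so the footer is injected rather than remembered."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 2369 List-Unsubscribe header so mail clients can surface the same opt-out.
    msg["List-Unsubscribe"] = f"<{unsubscribe_url(recipient, campaign_id)}>"
    msg.set_content(body + compliance_footer(recipient, campaign_id))
    return msg


def footer_problems(msg: EmailMessage) -> List[str]:
    """The post's 'verify your footer' audit as a pre-send check; an empty list means it passed."""
    body = msg.get_content()
    problems = []
    if SENDER_POSTAL_ADDRESS not in body:
        problems.append("missing physical postal address")
    if UNSUBSCRIBE_BASE_URL not in body:
        problems.append("missing unsubscribe link")
    if not msg["From"] or not msg["To"]:
        problems.append("missing From or To header")
    return problems


def handle_unsubscribe_click(url: str, suppression: Set[str]) -> bool:
    """Validate the token before honouring the click; True when the recipient was suppressed."""
    params = parse_qs(urlparse(url).query)
    try:
        recipient, campaign_id, token = params["e"][0], params["c"][0], params["t"][0]
    except (KeyError, IndexError):
        return False
    if not hmac.compare_digest(unsubscribe_token(recipient, campaign_id), token):
        return False  # forged or tampered link: ignore rather than suppress the wrong person
    suppression.add(recipient.lower())
    return True


def may_send(recipient: str, suppression: Set[str]) -> bool:
    """Checked immediately before every send, so the opt-out is honoured at once."""
    return recipient.lower() not in suppression


def run_example() -> Dict[str, object]:
    """Build one email, audit its footer, then exercise a tampered and a genuine click."""
    suppression: Set[str] = set()
    lead = "lead@example.invalid"  # constructed recipient
    msg = build_email("ops@example-agency.invalid", lead, "Quick question about Q2", "Hi Sam, ...", "camp-17")
    link = unsubscribe_url(lead, "camp-17")
    tampered = link.replace("lead%40example.invalid", "other%40example.invalid")
    return {
        "footer_problems": footer_problems(msg),
        "tampered_click_honoured": handle_unsubscribe_click(tampered, suppression),
        "genuine_click_honoured": handle_unsubscribe_click(link, suppression),
        "may_send_after_opt_out": may_send(lead, suppression),
    }


if __name__ == "__main__":
    print(run_example())
```

Routing the click through an endpoint the agency controls is what makes the suppression list workspace-level: whichever sending tool delivered the message, the opt-out is recorded in one place and `may_send` consults that one place.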
Framework 4: GDPR (General Data Protection Regulation)
Jurisdiction: EU law, but applies globally to any business that processes personal data of EU residents.
Covers: Collection, processing, storage, and transfer of personal data (broadly defined — includes email, IP address, device fingerprints, browsing behavior).
Penalty: Up to 4% of global annual revenue or €20M, whichever is higher.
Most US agency operators assume GDPR doesn't apply to them. That's wrong if any of their clients have EU customers, or if they ever run campaigns that touch EU IPs. The reach of GDPR is global — any data on an EU resident triggers it, regardless of where the agency is.
What GDPR requires:
- Lawful basis for processing. Every collection of personal data must have a lawful basis: consent, contract, legitimate interest, legal obligation, vital interest, or public task. The default for marketing is consent or legitimate interest, with consent being safer.
- Specific, informed, freely given consent. Consent has to be granular (separate checkboxes for separate purposes), informed (clear about what you're doing with the data), and freely given (not bundled with required services).
- Right to access. Any EU resident can request a copy of all personal data you have on them. You have 30 days to respond.
- Right to erasure. Any EU resident can request that you delete all their personal data. Subject to specific exceptions, you must comply within 30 days.
- Data Processing Agreement (DPA). When using third-party processors (analytics, CRMs, email tools), you need a DPA in place documenting how they handle the data on your behalf.
- Cookie consent / tracking consent. Tracking cookies, pixels, and any non-essential tracking requires opt-in consent before the tracking activates. The opt-in cannot be bundled with site access.
- Privacy by design. Systems should default to the most privacy-protective configuration; data minimization (collect only what's needed) is required architecturally.
Architectural implications:
- Tracking pixels (like the attribution pixel covered in the attribution post) must respect Global Privacy Control signals and cookie consent gates.
- Personal data must be stored with an audit trail: what was collected, when, under what consent, and what's been done with it.
- Deletion requests have to cascade across every system that holds the data — CRM, email tool, analytics, attribution platform, billing platform. If any one system retains data after a deletion request, you're non-compliant.
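The last two implications above, an audit trail per subject and a deletion that cascades across every system holding the data, are shown together in the block below. It is an added example and not code from the post or from any platform it mentions: the three in-memory stores, the records in them and the failing "billing" vendor are constructed, and the 30-day clock comes from the response window the post gives. The point it demonstrates is that the erasure is not complete when the delete calls return; it is complete only when every system, re-queried afterwards, no longer holds the subject.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence

ERASURE_DEADLINE_DAYS = 30  # the response window the post gives for erasure requests


class DictStore:
    """In-memory stand-in for one system holding personal data (CRM, email tool, analytics...)."""

    def __init__(self, name: str, records: Dict[str, dict]) -> None:
        self.name = name
        self.records = {k.lower(): v for k, v in records.items()}

    def delete_subject(self, email: str) -> None:
        self.records.pop(email.lower(), None)

    def holds(self, email: str) -> bool:
        return email.lower() in self.records


class UnavailableStore(DictStore):
    """Simulates a vendor whose deletion API errors out, so the cascade must surface it."""

    def delete_subject(self, email: str) -> None:
        raise ConnectionError(f"{self.name}: deletion API unavailable")


@dataclass
class AuditEvent:
    at: datetime
    subject: str
    system: str
    action: str
    outcome: str


@dataclass
class ErasureResult:
    subject: str
    requested_at: datetime
    due_by: datetime
    outstanding: List[str]   # systems that still hold data after the cascade
    events: List[AuditEvent]

    @property
    def complete(self) -> bool:
        return not self.outstanding


def cascade_erasure(email: str, systems: Sequence[DictStore], requested_at: datetime) -> ErasureResult:
    """Fan the request out, isolate failures, then verify by re-querying every system."""
    events: List[AuditEvent] = []
    for system in systems:
        try:
            system.delete_subject(email)
            outcome = "deleted"
        except Exception as exc:  # one vendor's outage must not abort the rest
            outcome = f"error: {exc}"
        events.append(AuditEvent(requested_at, email, system.name, "erasure", outcome))
    # Erasure is complete only when no system still answers "yes" to holding the data.
    outstanding = [s.name for s in systems if s.holds(email)]
    for name in outstanding:
        events.append(AuditEvent(requested_at, email, name, "verify", "still holds data"))
    return ErasureResult(
        subject=email,
        requested_at=requested_at,
        due_by=requested_at + timedelta(days=ERASURE_DEADLINE_DAYS),
        outstanding=outstanding,
        events=events,
    )


def build_systems(billing_available: bool) -> List[DictStore]:
    """Constructed sample data across three systems; the billing one can be made to fail."""
    subject = "jean@example.invalid"
    billing_cls = DictStore if billing_available else UnavailableStore
    return [
        DictStore("crm", {subject: {"name": "Jean", "consent": "newsletter-2025-11"}}),
        DictStore("email_tool", {subject: {"list": "dormant-nurture"}}),
        billing_cls("billing", {subject: {"invoices": 3}}),
    ]


def run_example() -> Dict[str, object]:
    """One healthy cascade and one where a vendor is down, summarised for checking."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    healthy = cascade_erasure("jean@example.invalid", build_systems(True), now)
    degraded = cascade_erasure("Jean@Example.invalid", build_systems(False), now)
    return {
        "healthy_complete": healthy.complete,
        "degraded_complete": degraded.complete,
        "degraded_outstanding": degraded.outstanding,
        "degraded_due_by": degraded.due_by.isoformat(),
        "degraded_event_count": len(degraded.events),
    }


if __name__ == "__main__":
    print(run_example())
```

An `ErasureResult` with a non-empty `outstanding` list is the case the post describes as non-compliant, and `due_by` is the date by which a retry or escalation has to have cleared it; the audit events are what you would hand over if asked to show what was collected, when, and what was done with it.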
The platform's role in compliance
Compliance is one of the strongest arguments for an operating system over a tool stack (covered in the operating systems vs tool stacks post). When compliance is layered across 12 vendors, each vendor's compliance posture becomes your problem to verify and maintain. When compliance is owned by the platform, one set of audits covers the operation.
The AcquireOS platform handles compliance by default:
- TCPA: workspace-level suppression list, time-window enforcement, AI-classified STOP handler
- A2P 10DLC: per-client registration support, trust score tracking, sample message templates pre-approved per vertical
- CAN-SPAM: footer auto-injection, unsubscribe routing through workspace suppression, opt-out honored in real-time
- GDPR: DPA available with the platform, deletion requests cascade across all subsystems, cookie consent gates on the attribution pixel
This isn't optional — operators on the platform can't bypass these gates. Compliance is enforced at the architectural level, not at the operator-discipline level. We covered the specific gates that can't be skipped in the agency operator pre-flight checklist.
What an operator should do this week
Three actions every operator should take in the next 7 days, regardless of platform choice:
- Audit your current opt-out flow. Send a test STOP message to your own number on every active campaign. If you receive any further messages within 24 hours, your opt-out flow is broken.
- Verify your CAN-SPAM footer. Open the last 5 outbound emails you sent. Each must have a valid physical address and a working unsubscribe link. If any don't, fix the template before your next send.
- Audit your A2P registration. Log into The Campaign Registry. Confirm your brand and campaigns are registered and active. Trust score should be 50+ for any business sending more than light volume.
If any of those audits fail, you're operating with active compliance risk. Fix it before the next send.
The summary
- TCPA: the most expensive to violate; per-violation fines summed across recipients can exceed annual revenue
- A2P 10DLC: required for SMS deliverability; per-client registration; trust score governs throughput
- CAN-SPAM: the most-violated framework; physical address and working unsubscribe are non-negotiable
- GDPR: applies globally to any business touching EU residents; lawful basis, consent, deletion rights
- Compliance is best handled at the platform/architectural level, not at operator-discipline level
The agencies that grow safely through 2026 and beyond are the ones treating compliance as infrastructure, not a checklist. The ones treating it as a checklist eventually meet a class-action firm.
If you want to walk through how the platform handles compliance for the niche you're running, book a call. The compliance review is genuinely one of the most boring parts of the platform demo, which is exactly the goal.