Back to Blog

The Complete A2P 10DLC Compliance Guide for 2026

Every step from brand registration through campaign approval, with the specific privacy policy clauses TCR actually checks.

Why A2P 10DLC keeps tripping up GoHighLevel users

If you're sending SMS through GoHighLevel using a Twilio sub-account, you've hit A2P 10DLC. And if you're like most people who've tried to get registered without a clear playbook, you've also probably hit a rejection.

A2P 10DLC isn't designed to be hostile — it exists because carriers got tired of US consumers being buried in spam SMS. The Campaign Registry (TCR) is the gatekeeper. Their job is to verify that the brand sending messages is real and that the campaign is legitimate. Their tooling is rough, their feedback is often vague, and rejections leave you guessing.

This guide walks through what they're actually checking, why submissions fail, and how to pass on the first try.

What you're actually registering

There are two things to register, in this order:

1. Brand: legal entity information — company name, EIN, address, support contact, website. This verifies who is sending.
2. Campaign: use-case description, sample messages, traffic projections, and consent flow. This verifies what is being sent.

Brand approval is generally faster and easier (assuming your EIN matches your legal name and your website is real). Campaign approval is where most rejections happen, because that's where TCR is checking your consent and disclosure language.

The 5 things that get most campaign submissions rejected

1. Pre-checked consent boxes

If your signup form has an "I agree to receive SMS" checkbox that's checked by default, that's an immediate fail. TCR considers pre-checked boxes a violation of meaningful consent.

Fix: Every SMS consent checkbox must be unchecked by default. The user has to actively opt in.

2. Generic privacy policy

Stock privacy policies pulled from a generator don't include the SMS-specific language carriers now require. Specifically missing:

• Explicit statement that SMS consent is not shared with third parties for marketing purposes
• Data retention disclosure for phone numbers and consent records
• Opt-out mechanism documentation (STOP, HELP, contact methods)
• Message frequency disclosure

Fix: Add an SMS-specific section to your privacy policy. Sample language is later in this article.

3. Vague use-case description

"Marketing messages" is not a use case. TCR reviewers want specifics. What kind of marketing? Promotional? Transactional? Notifications? Account alerts? Mixed? Each has different compliance rules.

Fix: Pick the most specific use-case category that fits, and write a 2-3 sentence description of exactly what you'll send. Include the recipient relationship (customers, prospects, past patients, etc.).

4. No sample messages

The campaign submission has a field for sample messages. Most people throw in one generic example. Reviewers want to see the full range of messages you'll send.

Fix: Submit 3-5 sample messages covering the different types of communication. Include the opt-out instruction in each ("Reply STOP to opt out").

5. Brand and campaign submitted simultaneously

If you submit both at once, TCR can flag the campaign before the brand finishes verification. Even if both eventually pass, the race condition can trigger a rejection that's painful to recover from.

Fix: Submit brand first. Wait for "Verified" status. Then submit the campaign.

Privacy policy: the SMS-specific clauses you need

Here's the structure that's gotten 50+ brands approved on the first submission. Adapt the language to your business but keep the substance.

Section: SMS / Text Message Communications

By providing your mobile phone number and opting in to receive SMS communications from [Company Name], you consent to receive text messages from us at the phone number provided. Message frequency varies based on your interaction with us — typically up to [N] messages per month. Message and data rates may apply.

Section: SMS Consent Sharing

We will not share your phone number or SMS opt-in consent with any third parties or affiliates for marketing or promotional purposes. Phone numbers may be shared with our SMS service providers (e.g., Twilio) solely for the purpose of delivering messages on our behalf.

This exact phrase about not sharing SMS consent is what carriers want to see. It's effectively required for higher throughput tiers.

Section: How to Opt Out

You may opt out of SMS communications at any time by replying STOP to any message. For help, reply HELP. You may also contact us directly at [support email] to be removed from SMS communications. Opt-out requests are processed within 24 hours.

Opt-in form requirements

Every place where you collect a phone number for SMS purposes needs:

• An unchecked consent checkbox with explicit SMS opt-in language
• Inline frequency disclosure — "up to 4 messages/month" or similar
• Data rates disclosure — "Message and data rates may apply"
• Opt-out instructions — "Reply STOP to unsubscribe"
• Link to your privacy policy and terms — the consent should reference the documents

Sample consent text for a form checkbox:

By checking this box, I consent to receive text messages from [Company] at the phone number provided. Message frequency varies. Message and data rates may apply. Reply STOP to opt out. See Privacy Policy and Terms.

Use-case framing: what TCR wants to see

The use-case description is where most submissions get fuzzy. Reviewers want a clear narrative: who's getting messaged, why, and how did they consent.

Template:

[Company Name] sends text messages to [recipient type — e.g., customers who have purchased our service / prospects who have opted in via our website / patients who have scheduled appointments]. Messages include [specific types — e.g., appointment reminders, service updates, follow-up requests]. Consent is collected via [exact mechanism — e.g., unchecked opt-in checkbox on our contact form at example.com/contact]. Recipients can opt out at any time by replying STOP.

Sample messages: how to write them for approval

Include 3-5 examples covering different message types. Each should:

• Identify the sender clearly ("From [Company]:")
• Include the recipient's relationship to you (if relevant)
• State the actual message content
• End with opt-out language

Example for an appointment reminder use case:

From SunsetDental: Hi Sarah, this is a reminder that your appointment is tomorrow at 2:00 PM with Dr. Lee. Reply Y to confirm or call (555) 123-4567 to reschedule. Reply STOP to opt out.

What happens after rejection

If your campaign is rejected, TCR provides a rejection reason — but the reasons are often generic ("Consent flow does not meet requirements"). You'll need to interpret what's actually wrong.

Common rejection patterns and what they usually mean:

• "Consent flow does not meet requirements" → Opt-in form is missing required disclosures, or consent checkbox is pre-checked
• "Privacy policy non-compliant" → Missing SMS-specific clauses, especially the "we won't share" language
• "Use case description insufficient" → Vague description, no recipient relationship, no consent mechanism
• "Sample messages do not align with use case" → Sample messages are different category than the declared use case

Throughput tiers and what they mean

Once approved, your campaign gets assigned a throughput tier. This determines how many messages per second you can send. Tiers depend on:

• Your brand trust score (verified business, EIN match, age of business)
• Campaign type (transactional gets higher than promotional)
• History of complaints and opt-outs

For most small businesses, expect to land at the lowest or middle tier initially. Trust score improves over time with clean sending behavior. High bounce rates and high opt-out rates pull it down.

The TL;DR checklist

When to get help

If you've been rejected once, you can usually figure out the fix yourself with this guide. If you've been rejected twice, the system itself is probably the issue — your forms, your privacy policy, your use-case framing. At that point, getting an expert involved usually saves more time than it costs.

I do A2P 10DLC registration work on a fixed-fee basis. My LLB law degree is what anchors the compliance reasoning, and the privacy policy templates I use have a first-pass approval rate above 95%.