Text Messaging: A2P 10DLC Step 1 - Website & Privacy Policy Compliance Requirements

Before your organization is ready to register an A2P 10DLC Brand and Campaign, Step 1 is to ensure that your company's website and privacy policy must meet the requirements described here. This article will be updated regularly as requirements continue to change.

Table of Contents

1. What is A2P 10DLC?
2. Background on Step 1
3. Privacy Policy Compliance
4. Website Compliance
5. A2P Registration

What is A2P 10DLC?

A2P stands for "Application-to-Person," and refers to messages sent from a software application to an individual's phone. The term 10DLC stands for "10-Digit Long Code," which is a standard 10-digit phone number designated for business use. Together, A2P 10DLC creates a standard in business messaging that enables companies to send higher volumes of messages more reliably and cost-effectively than before.

All text messages sent from Top Echelon are A2P 10DLC.

Because A2P messaging can appear indistinguishable from P2P (or person-to-person) messages, this can lead to challenges in distinguishing between genuine communications and potential spam or abuse. The A2P 10DLC program creates a reliable way to ensure that legitimate messages are easily identifiable and trusted by recipients.

This program provides a means to more easily identify fraudulent and/or malicious text messages while providing better deliverability to legitimate messages.

It also puts forth a set of best practices to ensure that registered companies continue to engage in quality messaging.

Why should I register?

Beginning December 1, 2024 all mobile carriers (Verizon, AT&T, etc) are set to block all unregistered A2P 10DLC text message traffic. In anticipation of this change, all TE customers must have a registered Campaign (with a status of Campaign Accepted) before they can purchase any new texting numbers.

This deadline has been pushed back before, so we are continuously monitoring the deliverability of messages sent from TE Recruit, and will keep all customers informed as we learn more.

A2P Registration is a one-time process once your Brand and Campaign are Accepted, unless/until your organization's identity, or use-case for using A2P text messaging changes significantly.

Background on Step 1

Since we first learned about A2P 10DLC rules, we at Top Echelon have been doing our best to help our customers get registered to continue sending text messages in TE Recruit. During that time, A2P 10DLC has proven to be a shifting landscape of new and more stringent requirements.

What was once a simple process of establishing your organization's legal identity for mobile carriers like Verizon and AT&T, and briefly describing their use-case for text messaging, has become an intense review process of each organization's website and privacy policy, in addition to the simple act of registering.

The 3rd parties who review Brand and Campaign submissions will also do a deep dive on each organization's website and Privacy Policy, and will reject a Campaign when the requirements described below are not met.

Before you can successfully register your organization for A2P 10DLC messaging, you must first make sure your organization's privacy policy and website are compliant with A2P 10DLC requirements. This is Step 1.

Privacy Policy Compliance

Does my organization need a Privacy Policy?

In short, yes. If your organization does not yet have a Privacy Policy in place, you should get one ASAP. Not only is it a requirement for A2P 10DLC compliance and registration, it is also a best practice for any organization with an online presence.

How do I get a Privacy Policy?

Because a Privacy Policy is a legal document, and we at Top Echelon are not lawyers, we cannot make specific recommendations. Several of our customers have used online policy "generators" or other tools. Others have sought out the policies of other organizations like their own, on which to model their new policy. Some have gone the more traditional route of seeking legal counsel to establish their policy.

What makes a Privacy Policy compliant with A2P 10DLC requirements?

According to Bandwidth, who provides the texting services available in TE Recruit, a compliant Privacy Policy must include all of the following:

1. An explanation that mobile information will not be shared with 3rd parties for purposes not described in the policy, and that mobile opt-in/consent data will not be shared with 3rd parties for any purpose

   1. Example language from Bandwidth:

      "Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties."

2. Explanation of how a recipient can opt out of receiving additional text messages from your organization

   1. Example language from Bandwidth:

      “If you wish to be removed from receiving future SMS communications, you can opt out by texting STOP, STOP ALL, QUIT, END, CANCEL, or UNSUBSCRIBE.”

   2. Ideally your policy should also provide alternative contact information where a recipient can request to opt out, usually a toll free phone number or email address.

Where should I put the Privacy Policy?

• Once you have a compliant Privacy Policy, it should be displayed on a page on your website, usually something like https://myagency.com/privacy
• You must also place a hyperlink to that page on every other page of your website, usually by adding it to your site's footer, header, and/or navigation menus.
  • Your Privacy Policy must be prominently displayed to all visitors to your site, especially on any pages where a visitor might provide their phone number on a job application or contact form.
• Finally, if you use TE Recruit's integrated Careers Page, you must visit Settings > Careers Page or Job Board > Manage Careers Page, and place your Privacy Policy URL in the corresponding field on that page, and save your changes. This will add your Policy link to all pages in your Careers Page, and (coming soon) to your Consent/CTA, as described below.

Website Compliance

In addition to the Privacy Policy requirements described above, you will need to make sure the rest of your website is compliant with A2P 10DLC requirements. The most common missing piece is collecting consent to receive SMS messages.

In short, any/all forms on your website where a visitor can provide a phone number must also include a consent disclosure and a call-to-action (CTA) for visitors to give or withdraw consent to receive text messages.

Compliant Consent/CTA

In order to be compliant with A2P 10DLC requirements, an SMS consent CTA must include the ability to choose opt-in vs. opt-out (this might be a checkbox, Y/N radio buttons, or other "selector" type - checkbox example below), and the accompanying text must include all of the following elements:

1. The name of the organization that will be sending messages
2. The nature or content of messages recipients are consenting to
3. "Fees" disclaimer - usually "Msg&data rates may apply."
4. Message "frequency" disclaimer - since most messaging in TE Recruit is conversational and not auto-recurring, we use "Msg frequency varies."
5. Opt-out and Help instructions - usually "Text STOP to opt-out or HELP for assistance."
6. A link to a compliant Privacy Policy - or language referring to the Policy, at a minimum

So, a "typical" consent CTA for a Top Echelon customer might look like this:

Job Application Forms

• If your organization uses TE Recruit's integrated Job Board or Careers Page, we have automatically included a compliant CTA like the one above. Visit any of your jobs' "apply" pages to see it.
  • An added benefit of using our integrated options is that for any candidates who withdraw consent on these forms, the phone number in their record in TE Recruit will be automatically marked "Do Not Text", and a further "SMS opt out" status is applied so that users cannot send texts to that number unless/until the owner of that number texts an opt-in keyword like START to any of your texting numbers.
• If you allow jobseekers to apply for jobs or express interest on your website, but you do not use either of our integrated job board options, all job application or similar forms must also include a compliant CTA as above.
  • To maintain compliance, you must also be careful not to send SMS messages to any recipients who have opted out. Applying our Do Not Text designation to any opted-out phone numbers can help you stay compliant.

Contact Forms

Just as with your job application forms, any other form on your site where a visitor can submit a phone number must also feature a compliant CTA.

The CTA requirements are the same regardless of the form, but where a form is designed to collect information from clients/prospects, other visitors, or mixed audiences, you should make sure the CTA calls out the different "types" of messages a visitor is consenting to receive.

For example, if the form is clearly geared for recruiting clients/prospects, the CTA might state:

I consent to receiving text messages related to recruiting services from Acme Agency.

Msg&data rates may apply. Msg frequency varies. Text STOP to opt-out or HELP for assistance. [Privacy policy link]

If the form is multi-purpose, a general "contact us" form, the CTA might state:

I consent to receiving text messages related to employment opportunities or recruiting services from Acme Agency.

Msg&data rates may apply. Msg frequency varies. Text STOP to opt-out or HELP for assistance. [Privacy Policy link]

In short, make sure the CTA specifies exactly what content a visitor is agreeing to receive from your organization.

Step 2 - A2P Registration

Once you are confident that your website and privacy policy meet all of the requirements above, you are ready to register your organization for A2P 10DLC messaging. Please see our A2P 10DLC Step 2 - Registration Help Article for next steps.

If you submit A2P 10DLC registration, and your Privacy Policy and/or website are not yet compliant, your Campaign will most likely be Rejected.