Text Messaging: A2P 10DLC Step 1 - Website & Privacy Policy Compliance Requirements

Before your organization is ready to register an A2P 10DLC Brand and Campaign, Step 1 is to ensure that your company's website and privacy policy must meet the requirements described here. This article will be updated regularly as requirements continue to change.

Table of Contents

1. What is A2P 10DLC?
2. Background on Step 1
3. Privacy Policy Compliance
4. Messaging Terms & Conditions
5. Website Compliance - Collecting Consent
6. A2P Registration

What is A2P 10DLC?

A2P stands for "Application-to-Person," and refers to messages sent from a software application to an individual's phone. The term 10DLC stands for "10-Digit Long Code," which is a standard 10-digit phone number designated for business use. Together, A2P 10DLC creates a standard in business messaging that enables companies to send higher volumes of messages more reliably and cost-effectively than before.

All text messages sent from Top Echelon are A2P 10DLC.

Because A2P messaging can appear indistinguishable from P2P (or person-to-person) messages, this can lead to challenges in distinguishing between genuine communications and potential spam or abuse. The A2P 10DLC program creates a reliable way to ensure that legitimate messages are easily identifiable and trusted by recipients.

This program provides a means to more easily identify fraudulent and/or malicious text messages while providing better deliverability to legitimate messages.

It also puts forth a set of best practices to ensure that registered companies continue to engage in quality messaging.

Why should I register?

Beginning December 1, 2024 all mobile carriers (Verizon, AT&T, etc) are set to block all unregistered A2P 10DLC text message traffic. In anticipation of this change, all TE customers must have a registered Campaign (with a status of Campaign Accepted) before they can purchase any new texting numbers.

This deadline has been pushed back before, so we are continuously monitoring the deliverability of messages sent from TE Recruit, and will keep all customers informed as we learn more.

A2P Registration is a one-time process once your Brand and Campaign are Accepted, unless/until your organization's identity, or use-case for using A2P text messaging changes significantly.

Background on Step 1

Since we first learned about A2P 10DLC rules, we at Top Echelon have been doing our best to help our customers get registered to continue sending text messages in TE Recruit. During that time, A2P 10DLC has proven to be a shifting landscape of new and more stringent requirements.

What was once a simple process of establishing your organization's legal identity for mobile carriers like Verizon and AT&T, and briefly describing their use-case for text messaging, has become an intense review process of each organization's website and privacy policy, in addition to the simple act of registering.

The 3rd parties who review Brand and Campaign submissions will also do a deep dive on each organization's website and Privacy Policy, and will reject a Campaign when the requirements described below are not met.

Before you can successfully register your organization for A2P 10DLC messaging, you must first make sure your organization's privacy policy and website are compliant with A2P 10DLC requirements. This is Step 1.

Privacy Policy Compliance

Does my organization need a Privacy Policy?

In short, yes. If your organization does not yet have a Privacy Policy in place, you should get one ASAP. Not only is it a requirement for A2P 10DLC compliance and registration, it is also a best practice for any organization with an online presence.

How do I get a Privacy Policy?

Because a Privacy Policy is a legal document, and we at Top Echelon are not lawyers, we cannot make specific recommendations. Several of our customers have used online policy "generators" or other tools. Others have sought out the policies of other organizations like their own, on which to model their new policy. Some have gone the more traditional route of seeking legal counsel to establish their policy.

What makes a Privacy Policy compliant with A2P 10DLC requirements?

According to Bandwidth, who provides the texting services available in TE Recruit, a compliant Privacy Policy must include all of the following:

1. An explanation that mobile information will not be shared with 3rd parties for purposes not described in the policy, and that mobile opt-in/consent data will not be shared with 3rd parties for any purpose

   1. Example language from Bandwidth:

      "Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties."

2. Explanation of how a recipient can opt out of receiving additional text messages from your organization

   1. Example language from Bandwidth:

      “If you wish to be removed from receiving future SMS communications, you can opt out by texting STOP, STOP ALL, QUIT, END, CANCEL, or UNSUBSCRIBE.”

   2. Ideally your policy should also provide alternative contact information where a recipient can request to opt out, usually a toll free phone number or email address.

Where should I put the Privacy Policy?

• Once you have a compliant Privacy Policy, it should be displayed on a page on your website, usually something like https://myagency.com/privacy
• You must also place a hyperlink to that page on every other page of your website, usually by adding it to your site's footer, header, and/or navigation menus.
  • Your Privacy Policy must be prominently displayed to all visitors to your site, especially on any pages where a visitor might provide their phone number on a job application or contact form.
• Finally, to allow us to add your Privacy Policy link to your Job Board or Careers Page consent Calls to Action, as described below, you will need to provide your Privacy Policy link in one of the following three places in TE Recruit:
  1. Manage Careers Page
     1. Only available if you have the Careers Page feature enabled
     2. Adding your Privacy Policy URL here will also add a link to all pages of your Careers Page
     3. Learn more in the Careers Page Help Article
  2. During A2P Registration
     1. You'll be asked to provide your Privacy Policy URL during A2P registration - TE Recruit will automatically add that link to your Job Board or Careers Page's "I consent..." language if it does not find that link elsewhere
  3. Manage Data Privacy Compliance
     1. Learn more about this feature in its Help Article
     2. Intended for agencies who are subject to GDPR and/or CCPA compliance requirements

Messaging Terms & Conditions

According to Bandwidth, who provides texting services in TE Recruit and processes A2P registrations:

All message senders must have compliant Terms & Conditions made available to their consumers/recipients. This document must be provided as a part of the campaign registration. Often, the Terms & Conditions are found on a brand's website.

The Terms & Conditions page must contain the following details:

• Brand name
• Types of messages the consumer can expect to receive
• Message frequency disclosure
• "Message and data rates may apply" disclosure
• Customer care contact information (Text HELP for help, contact [email address] for support, etc.)
• Opt-out information (Text STOP to cancel)

We are working to add a compliant sample T&C to the A2P registration form in TE Recruit. The example text we are providing is:

By opting in on our website or texting an opt-in keyword (START), you agree to receive conversational text messages regarding employment opportunities and/or recruiting services from [agency name]. Message frequency varies. Message & data rates may apply. Reply HELP for assistance or contact us at [HELP Email Address]. Reply STOP to opt out at any time. See our Privacy Policy for more information.

You are welcome to use the language above to publish on your site if desired - but make sure to add your company name and HELP email address in the appropriate [placeholders] first.

This "document" must be easily accessible to any visitor to your website who may be providing consent to receive text messages. It can be published on a page on your site, like myagency.com/messaging-terms, or it can appear in a pop-in window as part of your Consent CTA, as described below.

Website Compliance - Collecting Consent

In addition to the Privacy Policy and Terms & Conditions requirements described above, you will need to make sure the rest of your website is compliant with A2P 10DLC requirements. The most common missing piece is collecting consent to receive SMS messages.

Compliant Consent/CTA

In short, any/all forms on your website where a visitor can provide a phone number must also include a consent disclosure and a call-to-action (CTA) for visitors to give or withdraw consent to receive text messages.

Additionally, all phone number fields must always be optional. Any required phone number fields on your website may result in your Campaign being rejected by reviewers.

In order to be compliant with A2P 10DLC requirements, an SMS consent CTA must include the ability to choose opt-in vs. opt-out (this might be a checkbox, Y/N radio buttons, or other "selector" type - checkbox example below).

Importantly, as of 12/11/24, the consent collection mechanism must default to an opted-out or "neither selected" state. For example, a checkbox with "I consent..." text must default to unchecked, or a "Do you provide consent...?" Yes/No question must default to No, or neither Yes/No is preselected.

The text accompanying this "question" must include all of the following elements:

1. The name of the organization that will be sending messages
2. The nature or content of messages recipients are consenting to
3. "Fees" disclaimer - usually "Msg&data rates may apply."
4. "Frequency" disclaimer - since most messaging in TE Recruit is conversational and not auto-recurring, we use "Msg frequency varies."
5. Opt-out and Help instructions - usually "Text STOP to opt-out or HELP for assistance."
6. A link to a compliant Privacy Policy - or language referring to the Policy, at a minimum
7. A link to a compliant Terms & Conditions [new requirement as of 1/6/25]
   1. This link may open a page containing your T&C, or a pop-in window displaying your T&C text

So, a "typical" consent CTA for a Top Echelon customer might look like this:

Job Application Forms

• If your organization uses TE Recruit's integrated Job Board or Careers Page, we have automatically included a compliant CTA like the one above. Visit any of your jobs' "apply" pages to see it.
  • An added benefit of using our integrated options is that for any candidates who withdraw consent on these forms, the phone number in their record in TE Recruit will be automatically marked "Do Not Text", and a further "SMS opt out" status is applied so that users cannot send texts to that number unless/until the owner of that number texts an opt-in keyword like START to any of your texting numbers.
• If you allow jobseekers to apply for jobs or express interest on your website, but you do not use either of our integrated job board options, all job application or similar forms must also include a compliant CTA as above.
  • To maintain compliance, you must also be careful not to send SMS messages to any recipients who have opted out. Applying our Do Not Text designation to any opted-out phone numbers can help you stay compliant.

Contact Forms

Just as with your job application forms, any other form on your site where a visitor can submit a phone number must meet all requirements described above. Phone number fields must always be optional, and the form must feature a compliant consent CTA.

The CTA requirements are the same regardless of the form, but where a form is designed to collect information from clients/prospects, other visitors, or mixed audiences, you should make sure the CTA calls out the different "types" of messages a visitor is consenting to receive.

For example, if the form is clearly geared for recruiting clients/prospects, the CTA might state:

I consent to receiving text messages related to recruiting services from Acme Agency.

Msg&data rates may apply. Msg frequency varies. Text STOP to opt-out or HELP for assistance. [Privacy policy link] [Terms& Conditions link]

If the form is multi-purpose, a general "contact us" form, the CTA might state:

I consent to receiving text messages related to employment opportunities or recruiting services from Acme Agency.

Msg&data rates may apply. Msg frequency varies. Text STOP to opt-out or HELP for assistance. [Privacy Policy link] [Terms& Conditions link]

In short, make sure the CTA specifies exactly what content a visitor is agreeing to receive from your organization.

Step 2 - A2P Registration

Once you are confident that your website and privacy policy meet all of the requirements above, you are ready to register your organization for A2P 10DLC messaging. Please see our A2P 10DLC Step 2 - Registration Help Article for next steps.

If you submit A2P 10DLC registration, and your Privacy Policy and/or website are not yet compliant, your Campaign will most likely be Rejected.