Texting and privacy laws: What schools need to know when texting students

Sam DeFlitch

January 7, 2022

How to comply with TCPA regulations when texting students

The Telephone Consumer Protection Act of 1991 (TCPA) is a federal law that limits how and when telemarketers can contact consumers via phone, text, and fax. The Federal Communications Commission (FCC) is the government agency that enforces the TCPA, and it has developed a lengthy set of rules for implementing federally compliant texting programs.

While tax-exempt, nonprofit organizations (which includes most not-for-profit colleges and universities) are not required to comply with some of the TCPA rules, it is best practice to follow them.

If you engage with a third-party organization to make calls or send texts on your behalf, your nonprofit exemption extends to that third party — even if they are for-profit — so long as the content of the messages is informational or educational and not commercial. This means you can use third-party services and software for texting without losing your TCPA exemptions.

When it comes to higher education, here a few essential guidelines to keep in mind when texting prospective and current students:

  • Do get consent to message students or their families. For nonprofit institutions, consent doesn’t have to be a written, signed statement; it can be as simple as a student orally agreeing to text messages, checking an opt-in box on a website form or printed inquiry card, or actively subscribing by texting a word or numeric code to a specified number. This is often called “express consent.” You may wish to display a disclosure next to wherever students enter their mobile phone numbers into your system. An example disclosure on a web form might look like:
  • Don’t use texting to promote the sale of commercial (non-educational) products or services. For example, if your university store is having a sale on t-shirts or a nearby restaurant wants to promote their student discount, share that exciting news via other communication channels such as your newsletter or flyers posted around campus. In addition, don’t send texts about non-school-related topics.
  • Do identify your institution’s name in the very first text message to students. This is one area where FCC rules apply even to nonprofit institutions. Fines can range from $500 to $1,500 per violation, so this is one area where you definitely want to stay in compliance.
  • Don’t initiate text conversations with students or their families between 9 pm and 8 am (using the recipient’s time zone, not yours). This rule doesn’t apply to responding to texts sent by students, so if a student texts your school at 3 am — and you have the capacity to respond at this time via a 24/7, two-way chatbot, you can go ahead and text them right back.
  • Do give all text recipients the opportunity to opt-out of future text messages. The FCC requires that there must be an automated method available for opting out of future text messages; in other words, something like “Reply STOP to opt out of future text messages.” Make sure you’re keeping a list or database of opted-out numbers, and that you’re careful to exclude these numbers from future text messaging campaigns. Mainstay tracks opt-outs within our Student Engagement Platform to automatically ensure students won’t receive future communications if they’ve asked to be removed.

One more recommendation for this list: Don’t let fear of TCPA violations prevent you from using text messages to communicate with current and potential students. Students that have already applied and who provided their cell phone numbers have thereby provided express consent to receiving informational updates pertinent to the service you are providing (their education). While we recommend reading up on the TCPA and following it closely, you should feel confident messaging prospective, enrolled, and former students with updates that impact their journeys.

How to adhere to FERPA regulations for texting students

On top of the safeguards provided to all consumers by the TCPA, students get an extra layer of protection via the Family Educational Rights and Privacy Act (FERPA) — a federal law that protects the privacy of student education records. FERPA is enforced by the US Department of Education, which is responsible for developing and updating related federal regulations as technology changes and advances. These privacy regulations for texting students apply to public K–12 schools as well as all higher education institutions that receive federal funding.

FERPA is particularly concerned with “personally identifiable information” — information that is specific to an individual student. Sharing the school’s deadline for tuition payments is not personally identifiable information, but how much a student owes, how much they have paid in the past, dates of previous payments, and similar information is all protected by FERPA.

FERPA regulations are especially important when it comes to SMS text messages because student education records must be sent via a secure, FERPA-compliant system — and not all texting software is compliant. Since communicating with students always comes with the potential for sensitive information to be transferred, it is best to only use FERPA-compliant systems for texting with students and families. Mainstay’s proprietary software is 100% FERPA-compliant.

How to comply with CTIA guidelines for opt-in and opt-out disclosures when texting students

In addition to federal laws such as the TCPA and FERPA, colleges and universities should be aware of several key industry policies when it comes to sending text messages to students and their families. There are two telecommunication industry organizations that are particularly notable: The Cellular Telecommunications Industry Association (CTIA) and the Mobile Marketing Association (MMA).

The CTIA is a not-for-profit trade association for the wireless communication industry in the United States. Members include wireless carriers and suppliers, as well as manufacturers of wireless products and services, such as Amazon, Apple, AT&T, Comcast, Google, Samsung, T-Mobile, and Verizon.

The CTIA has guidelines for text message marketing. While the CTIA cannot fine you, it sometimes runs audits to catch violations, so it’s best to make sure your text message campaigns comply with CTIA regulations. Mainstay monitors any blocked or flagged messages to provide data insights and help avoid issues moving forward.

When it comes to opt-in requirements, the CTIA is much more stringent than the TCPA. Especially when it comes to SMS short codes — the 5 to 6-digit phone numbers used to opt customers into an SMS marketing program and send text messages — the CTIA requires that your disclosure must:

  • Specify that the program includes recurring, and not one-time, text messages (“subscribe to receive recurring SMS offers”)
  • Include instructions for opting out of receiving future text messages through the SMS program (“text STOP to opt out”)
  • Indicate that sending and receiving texts may incur costs from the recipient’s mobile carrier (“message and data rates may apply”)

When TCPA regulations and CTIA guidelines are both taken into consideration, an introductory text message for an SMS marketing program may look like this:

Hey! This is Thunder from WTAMU University. I can help answer your questions about all thing WT and I'll update you about what's happening on campus!

Shoot me a text any time you have a question! (Msg + data rates apply.) If I don't know the answer, I'll get a human to help. 😊 (Text #PAUSE to unsubscribe.)

In addition to including opt-out instructions in the disclosure, the CTIA also requires that a recipient’s phone number be automatically and immediately removed from your texting program if they unsubscribe. Once a student has unsubscribed, the only message you can send them is a single text to confirm that their request has been successfully processed. Mainstay’s Student Engagement Platform registers this data automatically to prevent students from receiving future messages if they text STOP or #PAUSE, which is Mainstay’s custom opt-out command. 

The good news is that students can always re-subscribe to text messaging, even if they opted out previously. If a student re-subscribes, you can resume sending them SMS messages.

How to follow MMA guidelines for texting students

The Mobile Marketing Association (MMA) is another telecommunications industry association that publishes best-practice guidelines for text message marketing. Members include American Express, Facebook, Google, MasterCard, McDonalds, Microsoft, Coca-Cola, Visa, Walmart, and many more. MMA guidelines are not enforced by any particular group; instead, they are designed to help provide an optimal experience for customers.

For higher education institutions, some key MMA guidelines to consider include:

  • Web opt-ins: If a student opts in to your text messaging program via your website, your system should send a text to the number provided asking them to confirm the opt-in. This ensures that the person who completes the webform is the owner of the phone.
  • Support: Students or parents who reply to your text messages asking for help, phone numbers, website links, or email address should always get a response to their inquiry. One-way messaging — sending out text messages, but not responding to incoming text messages from students — is not acceptable under MMA guidelines.
  • Contests and sweepstakes: Contests, sweepstakes, lotteries, and any other promotional programs that include an element of chance should never be conducted via SMS texting unless the organizer has sought legal guidance and review of the promotional program. 

Although colleges and universities are not required to comply with MMA guidelines, you may wish to refer to their guidelines to ensure you’re providing a positive texting experience for your students.

How to protect your students’ privacy when texting them

Like many other forms of communication, texting is not 100% secure. In particular, texting can be susceptible to “spoofing,” when a sender makes it look like their message is coming from someone else. Many SMS providers don’t have anti-spoofing protection, but good ones do. 

Some good news: Texting isn’t the only option for engaging with students via mobile phones. Other platforms such as Facebook Messenger — which is accessible by cell phones with an Internet connection via Wi-Fi or LTE — support full end-to-end encryption, making them even more secure than SMS or email. Mainstay supports messaging via Facebook Messenger, giving schools additional secure channels to communicate with students. 

While nothing is foolproof, using some best practices for privacy when texting students can increase security. It’s important to note that The Communications Assistance for Law Enforcement Act (CALEA) requires that telecommunications services have the necessary capabilities for law enforcement agencies to conduct electronic surveillance, so messages cannot actually be completely encrypted or erased, anyway. It’s most important to use common sense when texting with students. A solid rule of thumb is to never send or ask for sensitive personal information.

A checklist of recommendations for texting students

With all of these privacy regulations for texting students, it can feel challenging to get started in a compliant way. At Mainstay, it’s one of our superpowers — and we’re excited to help your school make the most of text messaging your students. Here’s a quick checklist of best practices to get your started:

Learn how to use text messaging to supercharge your student engagement

SMS, TCPA, FERPA, CTIA, MMA — there are a lot of acronyms, regulations, and recommendations to understand when it comes to texting prospective and current college students. 

While it may seem like a lot to navigate, the significant benefits of text messaging far outweigh the investment it takes to build and launch an SMS texting program for student engagement. It helps to remember that, while there are many rules to follow and recommendations to consider when texting students, they were all designed to protect the safety and security of both the senders and the recipients.

You don’t need to go it alone. When you partner with Mainstay, you’ll receive support from experts who focus exclusively on real-time, automated communications. Most importantly, you’ll get the helpful guidance, tips, and support you need for a successful text messaging strategy that delights your students and ensures you’re fully comply with all TCPA, FERPA, CTIA, and MMA guidelines.

Download our free white paper, “Defining student engagement,” to learn how you can use text messaging to boost student engagement at your school.

Share on social


Subscribe for free

Sign up to receive Mainstay's latest insights on engagement trends and Behavioral Intelligence — right in your inbox.

Book a call with us:

Get a guided tour of Mainstay’s Engagement Platform

Mainstay’s Engagement Platform uses Behavioral Intelligence to help businesses build meaningful relationships, optimize insights, and drive action.

Sign up for your personalized demo to find out how Mainstay makes it easy to spark conversations with your employees and guide them toward positive results.


Instant support — anytime, anywhere

Mainstay’s behaviorally intelligent chatbots make it easy to engage with employees on the channels they prefer to use:

SMS text messaging
Live chat
Web chat
Social media

Let's talk

Get a guided tour of Mainstay’s Engagement Platform

Mainstay’s Engagement Platform uses Behavioral Intelligence to help schools and businesses build meaningful relationships, optimize insights, and drive action.

Sign up for your personalized demo to find out how Mainstay makes it easy to spark conversations with your students or employees and guide them toward positive results.


Instant support — anytime, anywhere

Mainstay’s behaviorally intelligent chatbots make it easy to engage with students and employees on the channels they prefer to use:

SMS text messaging
Live chat
Web chat
Social media

Let's talk