← Back to Homepage

1. Collecting Opt-Ins Without Clear, Affirmative Consent

|14 min read
digital retailonline deale-signaturesoft pullpayment calculator

In 1992, the first cell phone text message was sent—a simple "Merry Christmas" transmitted from a computer to a mobile device. Thirty years later, SMS has become one of the most powerful tools in a dealership's communication arsenal, with open rates that dwarf email and web traffic combined. Yet the majority of dealers handling SMS compliance are still operating like it's 1992: haphazardly, without documentation, and with zero understanding of the regulatory minefield they're walking through.

The irony is sharp. Dealerships invest heavily in digital retail platforms, online deal workflows, e-signature systems, and payment calculators to capture customer data early and often. But then they blow it on the compliance side, triggering TCPA violations, state attorney general complaints, and settlements that dwarf the revenue those messages ever generated. This isn't a gray area. It's not a technicality. And it's not going away.

1. Collecting Opt-Ins Without Clear, Affirmative Consent

Here's the most common mistake: dealers assume that because a customer submitted their phone number on a website form, they've consented to receive SMS messages. They haven't. Not even close.

The Telephone Consumer Protection Act (TCPA) and state regulations like California's CCPA require express written consent before you can send marketing texts. That means the customer must actively agree to SMS communication—not just provide a phone number. A checkbox on your digital retail form that says "We may contact you" doesn't cut it. A pre-checked box? That's worse. And if there's no checkbox at all and the customer just fills in a form field? You've got nothing.

Dealers who get this right have explicit, documented opt-in flows. The language is clear: "I agree to receive SMS messages from [Dealership Name] about my vehicle, service offers, and promotions." The customer must affirmatively select it. No pre-checking. No buried terms. No ambiguity.

The problem gets worse when you factor in multi-step digital workflows. Say a customer starts an online deal on your website, uploads documents via e-signature platform, and then gets transferred to a chat system to discuss financing. At each handoff, if you're not capturing explicit opt-in, you're creating compliance gaps. One dealer we see commonly has customers opt-in during the online deal workflow, but then the F&I team texts them from a different number without re-confirming consent, arguing they already agreed. That's not how it works. Each communication channel may require separate consent, depending on state law and the specific context.

And here's the kicker: many dealers are still collecting opt-ins through verbal conversations on the lot. "Can we text you updates?" "Sure." No record. No timestamp. No documentation. That's not consent,that's a liability.

2. Failing to Document and Timestamp Consent

Compliance lives on paper. Well, digital paper.

If you can't prove the customer consented, you have no defense. When the FTC or a state AG comes knocking (and they do), they're going to ask for your documentation. They want the exact date and time the customer opted in. They want the specific language they saw. They want IP addresses, form submissions, screenshots. If you're relying on memory, a salesman's notes, or a vague entry in your CRM, you're going to lose.

This is where a lot of dealers make a critical error: they assume their CRM is doing the work for them. Many popular dealership platforms have a phone number field and maybe a checkbox labeled "Can Contact." That's not enough. You need timestamped, immutable records of the actual opt-in moment. What did the customer see? When did they agree? From what device? What was the exact language?

The dealers running tighter operations are capturing this systematically. When a customer opts in through an online form, they're logging the timestamp, the form URL, the exact text presented, and the customer's explicit confirmation. Some are even taking screenshots of the opt-in screen for their records. Is that overkill? Maybe. But it's also the difference between winning and losing a compliance audit.

And here's a subtle one: if you're using a third-party service to send SMS (which you should be, for deliverability and compliance reasons), make sure there's an audit trail connecting your customer's consent to that service. If you can't trace the opt-in all the way to the vendor sending the message, you've created a gap in your chain of custody. That gap is where regulators will punch through.

3. Texting Customers Who Never Opted In (Or Opted Out)

This one seems obvious. It almost never is.

A customer buys a vehicle from you. During the sale, someone captures their phone number. Months later, the service department,operating in a completely different system, using a different number, staffed by people who have no idea what happened in sales,sends them a text about an oil change special. The customer never opted in to service texts. They only opted in to deal updates during the sales process. Now you've violated the TCPA.

This is the consequence of poor data hygiene and siloed systems. Sales collects opt-ins. Service doesn't know about them. Parts doesn't know about them. The GM doesn't know about them. So everyone just texts whenever they want, and the customer's phone blows up with messages they never agreed to receive.

The fix requires visibility. Every team,sales, service, parts, fixed ops,needs to see the same customer record with the same consent status. If a customer opted in to promotional texts but not service reminders, that distinction needs to be clear and enforced. If a customer opted out entirely, that status needs to be synchronized across every system that might send them a message. Tools like Dealer1 Solutions that integrate customer data with SMS compliance workflows make this possible, but it requires intentional setup and discipline from the dealership side.

And don't get sloppy about opt-outs. When a customer texts STOP, they're legally opting out of all future SMS from your dealership. You have a legal obligation to honor that request immediately. Many dealers blow this one: they see "STOP" and assume the customer just wants to stop that particular campaign, so they keep texting. Wrong. STOP means stop. Period. You need systems and processes that catch opt-outs and remove customers from all lists automatically.

4. Unclear or Misleading Consent Language

The language matters.

A common pattern: dealers bury SMS consent in a terms-and-conditions document that's 40 pages long, written in legal jargon, and mentions SMS in passing. Regulators don't like that. They want consent to be prominent, easy to understand, and specific to SMS. Not buried. Not vague. Not mixed in with ten other consent requests.

Here's a specific pitfall we see often: dealers use language like "We may contact you about your vehicle and special offers." That's too broad. It doesn't specify SMS. A customer might reasonably think you mean phone calls or emails. Better language: "I agree to receive SMS text messages from [Dealership] about my vehicle, service reminders, and promotional offers. Message frequency varies. Standard message and data rates may apply."

And that last part,"message and data rates may apply",isn't just boilerplate. It's legally required in many states. Customers have a right to know that texts might cost them money, depending on their plan. If you don't disclose that, you're creating liability.

Another mistake: dealers change consent language mid-stream. They start with one set of terms during the digital retail phase, then different language appears in the SMS workflow, and yet another version shows up in the finance office. Inconsistency is a red flag. Regulators will use that to argue you weren't being transparent about what you were asking permission for.

Here's the opinionated take: most dealership consent language is written by someone who's never read a regulatory guidance document, and it shows. If you haven't had a lawyer review your SMS opt-in language in the last two years, you need to do that immediately. Don't wait for a complaint. Don't assume your CRM vendor has it right. Get an opinion. It's cheap insurance.

5. Mixing Marketing and Service Messages Without Separate Consent

This is where compliance gets genuinely tricky, and where a lot of well-meaning dealers go wrong.

There's a legal distinction between transactional messages and marketing messages. A transactional message is one your customer requested or one that's necessary for a transaction. "Your service appointment is confirmed for Tuesday at 2 PM" is transactional. A marketing message is promotional. "Get 20% off your next oil change!" is marketing.

The TCPA treats these differently. Transactional messages have more flexibility around timing and consent. Marketing messages are stricter. Some states, like California, treat them even more strictly under CCPA rules.

Here's where dealers slip up: they collect consent for "service reminders and promotional offers" in a single checkbox, then send everything,appointment confirmations, recall notices, promotional discounts,using that single consent bucket. If the customer later complains that they're getting too many marketing texts, you might have a problem proving you had separate consent for the marketing piece.

The better approach is to separate transactional and marketing consent. Let customers opt in to appointment reminders separately from promotional offers. If someone says yes to reminders but no to promotions, your system needs to respect that distinction. This requires more granular consent tracking, but it also gives you better legal cover and,as a bonus,reduces unsubscribe complaints because you're not spamming customers with offers they never agreed to.

Consider a typical scenario: a customer buys a vehicle, opts in to service reminders during the digital retail process, and later gets enrolled in a loyalty program through your service department. That loyalty program now wants to send them promotional texts about tire rotations and oil change discounts. Do they automatically get those messages because they agreed to "service" communications? No. Loyalty program promotions are marketing. You need separate, explicit consent for that channel. A lot of dealers miss this distinction, and it costs them.

6. Using Personal Phone Numbers and Spoofed Shortcodes

Some dealers still send SMS from personal cell phones or dealer lines, using texting apps that don't provide compliance infrastructure. That's a liability waiting to happen.

When you send SMS from a personal number or an unsecured shortcode, you lose visibility into consent, delivery logs, opt-out status, and timing. You can't prove who sent the message, when it was sent, or whether the customer had consented. You also violate several TCPA rules around message origination and identification.

The FTC expects dealerships to use legitimate, registered SMS infrastructure with proper compliance controls. That means using a vendor like Twilio, Plivo, or a dealership-specific SMS platform that provides opt-in documentation, automatic opt-out handling, and audit trails. Yes, it costs money. No, you don't have a choice.

And don't get clever trying to use shortcodes that don't belong to you or using VOIP numbers that mask your dealership's identity. Regulators are actively cracking down on that. It's deceptive. It violates the TCPA. And it's the kind of thing that gets you named in a class action lawsuit.

The right setup is straightforward: use a reputable SMS provider, register your dealership's identity properly, maintain clean opt-in records, and ensure every message goes through that system so it's logged and tracked. No exceptions. No workarounds.

7. Ignoring State-Specific Regulations

Federal TCPA rules are just the baseline. Many states have additional requirements that can be more restrictive.

California's CCPA, for example, gives customers explicit rights to know what personal information you're collecting and how you're using it. If you're capturing phone numbers through digital retail or payment calculators, you need to disclose that. If you're planning to share that data with third parties, you need to say so. And if a customer requests to know what data you have on them or asks you to delete it, you have legal obligations to comply.

New York has its own regulations around telemarketing and SMS. So do Texas, Illinois, and several other states. And the rules are constantly evolving. What was compliant two years ago might not be today.

A common pitfall: dealers use a single consent form and SMS workflow across all their locations, regardless of state. That doesn't work. A vehicle dealership with stores in Nevada and California needs different consent language, different opt-out processes, and potentially different consent timing for each state. If you're not accounting for state-level differences, you're running an audit waiting to happen.

This is another area where legal review helps. A lawyer familiar with automotive dealership regulations across your operating states can audit your SMS practices and flag state-specific risks. It's worth the investment.

8. Poor Integration Between Sales, Service, and Marketing Systems

Here's a practical operational challenge that creates compliance risk: your sales system, service system, and marketing platform don't talk to each other.

A customer opts in to SMS during the digital retail process in your sales CRM. But that opt-in status never syncs to your service management system. So when service tries to send a message, they don't know the customer consented, and they either skip the text or send it without confidence in their legal standing. Or worse, they send it anyway, and now you've got duplicate messages from different systems and no clear record of who authorized what.

The dealers running cleaner operations have unified customer records and integrated SMS workflows. When a customer opts in anywhere in the dealership ecosystem,sales, service, finance, marketing,that status is immediately visible and actionable across all systems. When they opt out, the same thing happens in reverse. No gaps. No siloed data.

This is exactly the kind of workflow Dealer1 Solutions was built to handle. A unified customer database, integrated SMS compliance tracking, and a single view of opt-in status across sales, service, and marketing. But even if you're using different systems, you need to ensure they're integrated enough to pass consent data back and forth and prevent duplicate or unauthorized messaging.

Set up regular audits to check for consent drift,situations where your systems disagree about whether a customer has opted in. These audits should be automated if possible, flagging records where consent status differs between systems so you can reconcile them.

9. Sending Messages at Inappropriate Times

The TCPA restricts when you can send SMS. You can't send texts before 8 AM or after 9 PM in the customer's local time zone (though there are some exceptions for transactional messages). Many dealers ignore this rule.

A service manager sends a promotional text at 10 PM because that's when they're clearing their desk. A salesman sends a follow-up about a soft pull credit check at 7 AM on a Sunday. An automated system sends appointment reminders at midnight because the scheduling software defaults to the dealership's time zone, not the customer's. All of these violate the TCPA.

This requires time-zone awareness in your SMS system. When you send a message, your platform needs to know the customer's local time and queue the message appropriately. If it's 10 PM in their zone, the message waits until 8 AM. If it's midnight on Sunday, it waits until 8 AM Monday.

For transactional messages like appointment confirmations, you have more flexibility. But for marketing? You need to be strict about the window. And your SMS platform should enforce this automatically, not rely on your team to remember the rule.

10. No Clear Audit Trail or Compliance Documentation

When a regulator comes asking questions, you need to be able to prove your compliance. That means documentation: consent records, opt-out logs, message delivery confirmations, timing records, and remediation actions.

A lot of dealers have vague SMS practices but no paper trail. They can't show when a customer opted in. They can't prove they honored an opt-out request. They can't demonstrate that they sent messages at appropriate times. That's not just bad practice. That's indefensible in a compliance action.

The dealers with their act together maintain systematic records. Timestamped consent logs. Automated opt-out processing with confirmation records. Message delivery logs with timestamps and time zones. Complaint logs showing how they responded to customer issues. If they can't answer a question from the FTC or a state AG immediately, they have the data to reconstruct the answer within a day.

This requires discipline and the right tools. You can't do it on spreadsheets. You need a system that captures, stores, and can retrieve this data reliably. That's what compliance-focused SMS platforms are built to do.

The Bottom Line: Compliance Is Non-Negotiable

SMS is powerful. When used right, it drives engagement, increases service revenue, and improves customer satisfaction.

Stop losing vehicles in the recon process

Dealer1 is the all-in-one platform dealerships use to manage inventory, reconditioning, estimates, parts tracking, deliveries, team chat, customer messaging, and more — with AI tools built in.

Start Your Free 30-Day Trial →

All features included. No commitment for 30 days.

← Back to Blog