← All articles
TCPA WhatsApp Business By Kseniia · 2026-07-04 · 8 min read

Does TCPA Apply to WhatsApp Business? A 2026 Guide for US Small Businesses

The US Telephone Consumer Protection Act (TCPA) regulates SMS and voice calls — not WhatsApp Business API. This guide explains why, what US SMBs switching from SMS platforms to WhatsApp need to know, and how BossBot's channel choice affects your opt-in workflow.

What TCPA regulates — and what it doesn't

The Telephone Consumer Protection Act (47 U.S.C. § 227), passed in 1991 and repeatedly amended, regulates telemarketing calls, text messages sent using automatic telephone dialing systems, prerecorded voice messages, and unsolicited faxes. Its remit is US telephone infrastructure — Public Switched Telephone Network voice, SMS, and MMS. It does not cover messaging that runs over a third-party over-the-top platform like WhatsApp Business API, Telegram Bot API, or Viber. The distinction matters because TCPA is one of the more expensive US compliance regimes to violate: statutory damages run from $500 to $1,500 per violating message, and class actions have produced multi-million-dollar settlements against SMS marketing platforms.

Why WhatsApp Business API sits outside TCPA scope

When a customer messages a business over WhatsApp Business API, the opt-in for that conversation is governed by Meta's terms of service — specifically Meta's Commerce Policy and WhatsApp Business Terms — not by the FCC or the TCPA. The customer initiates conversation by adding your number, messaging first, or clicking a WhatsApp-link CTA (a 'wa.me' link). Meta enforces its own consent requirements at the platform layer: users must opt in through WhatsApp's UI, and Meta blocks bulk-marketing patterns that violate its rules. The technical result: a US business communicating with US customers over WhatsApp Business API is not sending SMS in the TCPA sense, and does not have to run the express-written-consent workflow SMS marketing platforms require.

What US SMBs switching from SMS platforms need to know

If your business currently uses Podium, Heymarket, Textline, SimpleTexting, or another SMS-based US SMB messaging platform, you have almost certainly built a TCPA consent workflow: written or verbal opt-in captured at intake, opt-out language on every message, DNC (do-not-call) list scrubbing, and a paper trail. Switching to WhatsApp Business API through a platform like BossBot changes this. You no longer collect TCPA opt-in for those conversations. You do need to comply with Meta's own opt-in rules (the customer must initiate contact, or you must obtain platform-compliant consent for outbound business-initiated messages). You should keep the paper trail habits — they're good security practice — but the specific TCPA compliance workflow does not apply.

Where TCPA still matters — even for WhatsApp-first businesses

TCPA still applies to any voice calls your business places and any SMS you send outside the WhatsApp channel. If your practice sends SMS appointment reminders through your practice management system, or if a staff member manually texts a customer from a personal phone, TCPA is in play for those messages. The rule of thumb: TCPA follows the channel. Change the channel to WhatsApp / Telegram / Viber, and TCPA drops out of that specific communication. Keep any SMS or voice-call touchpoints, and TCPA compliance for those touchpoints remains.

How BossBot's channel choice affects your compliance surface

BossBot does not send SMS. All customer communication runs through WhatsApp Business API, Telegram Bot API, or Viber. That channel choice means BossBot users do not have TCPA opt-in workflow obligations for the conversations that flow through BossBot. If you replace an existing SMS platform with BossBot, you effectively remove TCPA from that surface. If BossBot is added alongside an SMS platform you keep, TCPA still governs the SMS half. Detail on our compliance surface, including sub-processor list and DPA availability, is at bossbot.uk/us-compliance.

What this article is not — legal advice

This is a plain-language overview. It is not legal advice, and it does not substitute for consultation with a qualified attorney about your specific US regulatory posture. TCPA case law evolves — the FCC has issued interpretive orders as recently as 2023 and 2024, and courts have interpreted the definition of 'automatic telephone dialing system' in different ways. If your business handles a large volume of outbound customer communication, or if you operate in a regulated vertical (healthcare, finance, insurance), consult counsel.

Frequently Asked Questions

No. TCPA regulates SMS text messages and voice calls made through US telephone infrastructure. WhatsApp Business API is an over-the-top messaging platform governed by Meta's own terms of service, not by the FCC. Business-initiated messages must still comply with Meta's opt-in rules, but that is a Meta compliance question, not a TCPA one.
Not under TCPA. Meta's platform rules do require the customer to opt in through WhatsApp's UI (adding the business number, messaging first, or clicking a wa.me link). Some regulated verticals may have their own opt-in requirements outside of TCPA, but the specific TCPA express-written-consent workflow does not apply.
Same answer as WhatsApp. Telegram runs over the internet outside US telephone infrastructure. TCPA does not regulate Telegram messages. Telegram has its own platform terms for business bots, primarily focused on preventing spam.
TCPA does not prohibit this because you are switching channels off SMS. But you should still comply with Meta's own opt-in rules for WhatsApp — customers who did not specifically consent to WhatsApp contact may be uncomfortable receiving a first message there. The safer practice is to send one SMS notifying the customer that you are moving to WhatsApp and asking them to initiate the WhatsApp conversation, then let their reply serve as the opt-in.
Any SMS-based platform: Podium, Heymarket, Textline, SimpleTexting, EZ Texting, TextMagic, Salesmsg. Anything that sends a message to a US phone number through the SMS channel triggers TCPA. Voice-based platforms (auto-dialers, ringless voicemail) also fall under TCPA.
See bossbot.uk/us-compliance for a plain-language overview covering TCPA (not applicable), CCPA, GDPR, HIPAA (BossBot is not HIPAA-covered for PHI), data storage location, and the sub-processor list.
What a conversation looks like
🤖
BossBot AI
● Online
')">
Hi! I came across your business and wanted to find out more
Hi there! Happy to help 😊 What would you like to know? I can help with bookings, pricing, availability, or any questions you have.
Great — do you have any appointments available this week?
Yes! I have availability Tuesday and Thursday this week. What time of day works best for you?
Thursday afternoon if possible
Thursday afternoon is available ✅ I'll get that booked for you. Can I take your name to confirm?

Curious how your US compliance surface changes with WhatsApp?

Read our plain-language overview of TCPA, CCPA, GDPR, HIPAA, and data storage on our US compliance page.

See US compliance overview

Not ready to sign up yet? Try the free demo →

💬 Get the free WhatsApp automation checklist