The US Telephone Consumer Protection Act (TCPA) regulates SMS and voice calls — not WhatsApp Business API. This guide explains why, what US SMBs switching from SMS platforms to WhatsApp need to know, and how BossBot's channel choice affects your opt-in workflow.
The Telephone Consumer Protection Act (47 U.S.C. § 227), passed in 1991 and repeatedly amended, regulates telemarketing calls, text messages sent using automatic telephone dialing systems, prerecorded voice messages, and unsolicited faxes. Its remit is US telephone infrastructure — Public Switched Telephone Network voice, SMS, and MMS. It does not cover messaging that runs over a third-party over-the-top platform like WhatsApp Business API, Telegram Bot API, or Viber. The distinction matters because TCPA is one of the more expensive US compliance regimes to violate: statutory damages run from $500 to $1,500 per violating message, and class actions have produced multi-million-dollar settlements against SMS marketing platforms.
When a customer messages a business over WhatsApp Business API, the opt-in for that conversation is governed by Meta's terms of service — specifically Meta's Commerce Policy and WhatsApp Business Terms — not by the FCC or the TCPA. The customer initiates conversation by adding your number, messaging first, or clicking a WhatsApp-link CTA (a 'wa.me' link). Meta enforces its own consent requirements at the platform layer: users must opt in through WhatsApp's UI, and Meta blocks bulk-marketing patterns that violate its rules. The technical result: a US business communicating with US customers over WhatsApp Business API is not sending SMS in the TCPA sense, and does not have to run the express-written-consent workflow SMS marketing platforms require.
If your business currently uses Podium, Heymarket, Textline, SimpleTexting, or another SMS-based US SMB messaging platform, you have almost certainly built a TCPA consent workflow: written or verbal opt-in captured at intake, opt-out language on every message, DNC (do-not-call) list scrubbing, and a paper trail. Switching to WhatsApp Business API through a platform like BossBot changes this. You no longer collect TCPA opt-in for those conversations. You do need to comply with Meta's own opt-in rules (the customer must initiate contact, or you must obtain platform-compliant consent for outbound business-initiated messages). You should keep the paper trail habits — they're good security practice — but the specific TCPA compliance workflow does not apply.
TCPA still applies to any voice calls your business places and any SMS you send outside the WhatsApp channel. If your practice sends SMS appointment reminders through your practice management system, or if a staff member manually texts a customer from a personal phone, TCPA is in play for those messages. The rule of thumb: TCPA follows the channel. Change the channel to WhatsApp / Telegram / Viber, and TCPA drops out of that specific communication. Keep any SMS or voice-call touchpoints, and TCPA compliance for those touchpoints remains.
BossBot does not send SMS. All customer communication runs through WhatsApp Business API, Telegram Bot API, or Viber. That channel choice means BossBot users do not have TCPA opt-in workflow obligations for the conversations that flow through BossBot. If you replace an existing SMS platform with BossBot, you effectively remove TCPA from that surface. If BossBot is added alongside an SMS platform you keep, TCPA still governs the SMS half. Detail on our compliance surface, including sub-processor list and DPA availability, is at bossbot.uk/us-compliance.
This is a plain-language overview. It is not legal advice, and it does not substitute for consultation with a qualified attorney about your specific US regulatory posture. TCPA case law evolves — the FCC has issued interpretive orders as recently as 2023 and 2024, and courts have interpreted the definition of 'automatic telephone dialing system' in different ways. If your business handles a large volume of outbound customer communication, or if you operate in a regulated vertical (healthcare, finance, insurance), consult counsel.
Read our plain-language overview of TCPA, CCPA, GDPR, HIPAA, and data storage on our US compliance page.
See US compliance overviewNot ready to sign up yet? Try the free demo →