10DLC vetting tips and tricks


Katherine Childers


Bandwidth's aggregator vets all new 10DLC campaigns to ensure campaigns are compliant with the wireless carriers’ codes of conduct. In this article, we'll provide more clarity and insight into them so you can register your campaigns successfully and as smoothly as possible.

Common rejection reasons

  • Call to Action (CTA)
  • Opt-out message
  • SHAFT-C content
  • Privacy Policy
  • Lack of a website or online presence
  • Non-compliance with Know Your Customer (KYC) guidelines
  • Content attributes
  • Sole Proprietor campaign

Call to Action

We often see campaigns rejected for an insufficient Call to Action (CTA) section. This section should contain a clear and concise description of how an end user signs up to receive messages. Opt-in must be 1 to 1, can't be shared with third parties, and can't be implied. It must be clear, conspicuous, and can't be obscured within the terms & conditions and/or other agreement(s).

Examples of how to get users to opt in:

  • Entering a phone number through a website
    • Example: Customers opt-in by visiting www.examplewebsite.com and adding their phone number. They then check a box agreeing to receive text messages from the example brand.
    • Note: If using a website to collect opt-in, our aggregator should be able to find the place on your website where the customer is opting in. If this is missing, the campaign will be rejected.
  • Clicking a button on a mobile webpage
    • Note: Please provide a website somewhere in the campaign registration (in the brand details, campaign description, or the sample messages) if this is where the opt-in is being collected.
  • Sending a message from the consumer’s mobile device that contains an advertising keyword
    • Example: Consumers opt-in by texting START to (111) 222-3333.
    • Important: If consumers can opt in by texting a keyword, the response should include the brand name, confirmation of opt-in enrollment to a recurring message campaign, how to get help, and a clear description of how to opt out. 
  • Signing up at a point of sale (POS) or another message sender on-site location
  • Opting in over the phone using interactive voice response (IVR) technology
    • Example: "Bandwidth: You’re now opted-in to our platform notifications. For help, reply HELP. To opt out, reply STOP."

Additional notes about CTAs:

  • All traffic on behalf of a business, entity, or organization must have prior opt-in/consent.
  • If the CTA mentions the opt-in collected on a website, the website must be provided. If it's not provided, the campaign will be declined.
  • Even if the CTA mentions opt-in collected elsewhere, lead intake forms on the brand's website will be reviewed. If the phone number field is required, the disclaimer about the SMS opt-in must be included. Otherwise, the campaign will be declined.

Opt-out message

Acceptable opt-out language must include at least one of the following words: END, STOP, UNSUBSCRIBE, CANCEL. If you’re using an opt-out phrase, it must be separated by spaces (i.e., STOP2END is not acceptable; it should be STOP 2 END). Please make sure that at least one of your sample messages shows your opt-out.

Example: "[Insert Business Name:] ​You have an appointment for Tuesday at 3:00 PM, reply YES to confirm, NO to reschedule. Reply STOP to unsubscribe."

SHAFT-C content

The following types of content are prohibited on 10DLC: CBD, Cannabis, Sex, Hate, Alcohol*, Firearms, and Tobacco*. It’s also not allowed to be on the customer's website at all. 

*Alcohol and Tobacco can be supported with robust age-gating and proper opt-in.

Example: If a chiropractor's office has CBD oils on its website, the campaign will be denied even if it's not directly related to CBD marketing.

Lack of a website or online presence

Please make sure to include any website or online presence the customer has. This could be a social media page, as long as our aggregator can access it and verify the business is who they say they are. Even if the customer avoids putting their website, our aggregator will still search to see if there's one associated with them. If there’s prohibited content on their website, the campaign will be rejected.

Non-compliance with Know Your Customer guidelines

Please follow proper Know Your Customer (KYC) guidelines for the campaign. The brand needs to reflect who will be sending the message to the customer, not the software behind the delivery.

Remember that the brand is the message sender. The Employer Identification Number (EIN) and company information should reflect the message sender, not you as the reseller.

Content attributes

Please confirm that your content attributes are correct when setting up your campaign. These fields can’t be changed, so you'll need to submit a brand new campaign if you’re rejected for any of these reasons.

Example: If a customer selects "no" for the embedded link but the sample content provided clearly shows links, they’ll need to resubmit their campaign with "yes" selected for the embedded link.

Sole Proprietor campaign

Not all carriers accept these campaign types, so they’ll be automatically rejected. You’ll then be charged the $15 fee and need to resubmit them later, so please hold off on submitting any new Sole Proprietor campaigns until Bandwidth provides further notice.

To learn more about 10DLC registration best practices and how to overcome campaign vetting rejections, please see 10DLC registration best practices and vetting rejection reasons.

Privacy Policy

All message senders must have an acceptable Privacy Policy when registering 10DLC campaigns. The most important aspect of the Privacy Policy mandates clearly describing how consumer data will be used and shared (if applicable), and how consumers can contact the message sender. A compliant Privacy Policy for 10DLC messaging should include the points below to help ensure that campaign registration and vetting are successful.


When a campaign is being vetted, the language presented in a sender's Privacy Policy is heavily scrutinized to ensure the message sender doesn't improperly claim to have the consumer’s consent to share end-user data with third parties for marketing purposes. While it's permissible for a business to share end-user data essential for business operations, the fundamental practice of sharing data to sell consumer information (leads) to third parties without the consumer's explicit direct consent is a prohibited campaign type and will be rejected.

Privacy Policies are reviewed during vetting to ensure consumer data isn't transferred among various organizations without the consumer’s direct consent. To successfully address these requirements, we recommend adopting and including a process in the Privacy Policy that demonstrates that users' consent is required and that senders will otherwise refrain from sharing information consumer data.

Example: "Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties."

Opt-out instructions

Message senders are required to acknowledge the consumer's right to opt out of a messaging campaign to ensure that message recipients’ consent remains intact. The Privacy Policy must also include instructions on how to opt out of future communications.

Example: “If you wish to be removed from receiving future communications, you can opt out by texting STOP, QUIT, END, REVOKE, OPT OUT, CANCEL, or UNSUBSCRIBE.”

Bandwidth strongly suggests that each brand create a personalized Privacy Policy with accompanying SMS disclosures as discussed above. Bandwidth cannot provide guidance on what is legally required within a Privacy Policy. It's the responsibility of the message sender and their provider to research and ensure the Privacy Policy meets TCPA laws, as well as, individual carrier compliance requirements.  For new, non-established brands entering the messaging space, there are online resources that can help you develop the required operational processes and Privacy Policy templates that will fit the unique needs of your business.

Note: If you're using online resources, your Policy, Practices, and Procedures must still include the above SMS disclosures and functions. Failure to adopt these practices may result in receiving a registration and vetting rejection (i.e., “805 - Compliant privacy policy is required on website”).

Article is closed for comments.