Why this guide exists
SaaS lifecycle messaging — trial activation emails, dunning SMS, NPS surveys, win-back campaigns — involves high-frequency, automated outreach to customers and prospects. That puts it squarely in the scope of multiple overlapping regulations: TCPA, CAN-SPAM, CASL, and increasingly state-level rules like California’s stricter spam enforcement provisions.
Most SaaS founders don’t violate these rules deliberately. They do it by omission — a signup form without a consent string, a dunning SMS that doesn’t honor STOP, a win-back campaign sent to contacts who unsubscribed 18 months ago.
This guide covers what the SaaS Snapshot enforces by default and what you need to configure for your specific customer geography.
TCPA: what applies to SaaS lifecycle messaging
The Telephone Consumer Protection Act was written for calls and SMS. For SaaS lifecycle messaging, the rules that apply most directly are:
Prior express consent for SMS. Before sending any SMS to a customer or trial user, you need prior express written consent that specifically covers:
- The party who will contact them (your company name).
- The method (SMS / text messages).
- The purpose (product/account communications or marketing).
STOP handling. When a recipient replies STOP (or UNSUBSCRIBE, QUIT, CANCEL, END), you must:
- Stop sending SMS immediately.
- Confirm the opt-out with a single confirmation message (“You have been unsubscribed. Reply START to resubscribe.”).
- Suppress across all SMS workflows.
- Maintain the suppression indefinitely unless they explicitly re-opt-in.
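The four STOP-handling steps above, sketched as one send-time gate. This is an added example, not the snapshot's own code; the class `SmsGate`, its methods, the workflow names and the phone number are hypothetical.

```python
import re

# Opt-out keywords from the list above; START is the re-opt-in keyword.
STOP_WORDS = {"STOP", "UNSUBSCRIBE", "QUIT", "CANCEL", "END"}
CONFIRMATION = "You have been unsubscribed. Reply START to resubscribe."


class SmsGate:
    """Hypothetical in-memory suppression list shared by every SMS workflow."""

    def __init__(self):
        self.suppressed = set()  # opted-out numbers; entries never expire
        self.outbox = []         # (number, workflow, body) actually sent

    @staticmethod
    def _key(number):
        # Compare digits only so "+1 202 555 0142" and "+12025550142" match.
        return re.sub(r"\D", "", number)

    def inbound(self, number, body):
        # Exact keyword match (" Stop. ", "stop!"); free-text requests are
        # out of scope for this sketch and return "ignored".
        word = body.strip(" \t\r\n.!?\"'").upper()
        key = self._key(number)
        if word in STOP_WORDS:
            if key not in self.suppressed:  # confirm once, not on every repeat
                self.suppressed.add(key)
                self.outbox.append((key, "opt-out-confirmation", CONFIRMATION))
            return "suppressed"
        if word == "START":
            self.suppressed.discard(key)
            return "resubscribed"
        return "ignored"

    def send(self, number, workflow, body):
        # Single choke point: every workflow sends through here.
        key = self._key(number)
        if key in self.suppressed:
            return False
        self.outbox.append((key, workflow, body))
        return True


def demo():
    gate, n = SmsGate(), "+1 202 555 0142"  # constructed number
    steps = [gate.send(n, "dunning", "Your payment failed."),
             gate.inbound(n, " Stop. "),
             gate.inbound(n, "STOP"),
             gate.send("+12025550142", "win-back", "Come back!"),
             gate.inbound(n, "start"),
             gate.send(n, "dunning", "Please update your card.")]
    return steps, gate.outbox
```

Keying the list on normalized digits matters: a suppression stored under one formatting of a number and checked under another is a common way opted-out contacts keep receiving messages.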
The transactional exemption. Purely transactional messages (dunning notifications about a failed payment on an existing account, account access warnings) have more latitude than marketing messages. However, any message that includes an upsell, a feature promotion, or a call to convert from trial to paid is commercial — and needs full consent treatment.
What the snapshot ships: Every trial signup form and checkout form includes a TCPA-compliant consent string. The STOP keyword handler fires on every outbound SMS workflow. Suppressed contacts are added to a global SMS suppression list that blocks all future outbound SMS.
Example consent language (customize for your product):
By submitting this form, I agree to receive text messages and emails from [Product Name] about my account, trial status, and product updates. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe from SMS at any time. View our [Privacy Policy] and [Terms of Service].
CAN-SPAM: what applies to SaaS lifecycle messaging
The CAN-SPAM Act covers commercial email. Key requirements:
No deceptive headers or subject lines. Your From name must clearly identify your business. Subject lines must accurately describe the email content — don’t use “Re: our conversation” for a dunning email.
Working unsubscribe mechanism. Every commercial email must include a clear and obvious way to opt out of future messages. The unsubscribe mechanism must be functional for at least 30 days after the email is sent, and you must honor opt-out requests within 10 business days (the snapshot honors them within minutes via automated suppression).
Physical mailing address. Every commercial email must include your physical postal address or a valid PO Box. Include this in your email footer.
Transactional exemption. CAN-SPAM distinguishes between “commercial” and “transactional or relationship” messages. Transactional messages (order confirmations, account access notices, password resets) are exempt from the opt-out requirement. Lifecycle marketing messages (trial nurture, win-back campaigns, upsell sequences) are commercial and require full CAN-SPAM compliance.
What the snapshot ships: All email templates include a properly formatted footer with unsubscribe link and postal address placeholder. The unsubscribe flow adds the contact to GHL’s global suppression list. Opt-out contacts are excluded from all future commercial email workflows automatically.
CASL: if you have Canadian customers
Canada’s Anti-Spam Legislation is stricter than CAN-SPAM in two important ways:
Express consent required before first commercial message. Unlike CAN-SPAM (which allows opt-out-based compliance), CASL requires affirmative express consent before sending a commercial electronic message to a Canadian recipient. This means:
- A checked consent box at signup (must not be pre-checked).
- Separate consent from Terms of Service agreement.
- Clear description of what they’re consenting to receive.
Implied consent has a time limit. Even where implied consent applies (e.g., an existing business relationship), it expires 2 years after the most recent transaction or interaction. After 2 years, you need fresh express consent to resume commercial messaging.
What the snapshot ships: Country-based routing on the consent workflow. Canadian contacts are identified by country field (populated from IP geolocation at signup or from the contact’s billing address) and routed to an express-consent form before entering commercial messaging sequences.
A2P 10DLC for SMS compliance
If you send SMS to US customers, you’re required to register under the Application-to-Person (A2P) 10DLC framework. Without registration:
- Your messages will be filtered and blocked by major carriers.
- There is no workaround — unregistered numbers are systematically filtered.
A2P registration requires:
- Business verification (EIN, legal entity name, business type).
- Campaign registration (describing the SMS use case — transactional, marketing, or mixed).
- Brand registration.
The snapshot’s onboarding includes a 10DLC registration walkthrough. Budget 2-4 weeks for full carrier approval, as it involves multiple manual review steps.
Win-back campaigns and re-consent
Win-back campaigns (emails to churned customers at 30/60/90 days post-cancellation) are one of the highest-ROI recovery tactics — and one of the most compliance-sensitive.
Key considerations:
Voluntary cancellation. If a customer explicitly cancelled their subscription, they’ve expressed a desire to stop the relationship. Win-back campaigns to customers who cancelled voluntarily should be limited to 2-3 touches over 90 days. More than that starts to look like harassment.
Prior opt-outs. If a churned customer unsubscribed from commercial email before or at cancellation, you cannot send them win-back emails. The suppression list must block them.
Long-dormant contacts. Contacts who haven’t engaged with your product or emails in 12+ months should go through a re-consent workflow before being enrolled in any active campaign. The snapshot’s annual re-consent workflow handles this.
What this guide does not cover
This is a working compliance playbook for the SaaS Snapshot configuration. It is not legal advice. If your product serves customers in the EU or UK, GDPR and UK GDPR requirements are more extensive than anything covered here and require a separate legal review. GDPR covers all personal data processing — not just marketing communications — and imposes requirements on data storage, access, deletion, and portability that go well beyond what a GHL configuration can address.
Your legal counsel should review your complete marketing and communications program for your specific geographies, product type, and regulatory exposure.