Compliance Toolkit for Programmable Messaging
Public Beta
Programmable Messaging customers can activate the Public Beta of the Compliance Toolkit from the Twilio Console.
This feature supports only English-language SMS messages terminating in the United States.
Compliance Toolkit is available as a Public Beta release and the information contained in this document is subject to change. Some features are not yet implemented and others may be changed before the product is declared as Generally Available. Public Beta products are not covered by the Twilio Support Terms or the Twilio Service Level Agreement.
To learn how Twilio supports products in public beta, see Twilio Beta Product Support.
HIPAA incompatible
Compliance Toolkit is not a HIPAA Eligible Service and should not be used in workflows that are subject to HIPAA.
Pricing
To learn about Compliance Toolkit pricing for Programmable Messaging, see the SMS Pricing page or contact Sales.
Compliance Toolkit helps you mitigate your compliance exposure by using artificial intelligence and machine learning to proactively detect possible regulatory violations and prevent or reschedule their transmission.
To activate Compliance Toolkit, go to your account settings in the Twilio Console.
- Log in to the Twilio Console.
- Go to Messaging > Settings > General.
- Select Enabled. The Compliance Toolkit modal displays.
- Review the text of this modal, then acknowledge that you have read the Twilio Compliance Toolkit: AI/ML and Product Terms Addendum.
- Click Done then Save. Once activated, the toolkit runs on your existing messaging flows. This requires no further action on your part.
Once you enable Compliance Toolkit, all US outbound SMS traffic in the enabled account will pass through Compliance Toolkit so it can help identify and resolve possible compliance violations by performing the following checks:
Quiet Hours check
When Twilio tries to send a message, Compliance Toolkit checks if it falls within Quiet Hours. The US Federal Communications Commission defines these hours under the Telephone Consumer Protection Act (TCPA) as 9:00 PM to 8:00 AM in the recipient's local time zone in the US. Twilio infers the time zone using the recipient's phone number area code.
Recommended
To improve accuracy, you can provide the latest known ZIP codes of your recipients with the Contact API. When available, Compliance Toolkit uses the ZIP codes as entered in the Contacts API to enforce Quiet Hours.
Message classification
If the message falls within Quiet Hours, Compliance Toolkit classifies the message as essential or non-essential using an AI/ML model. This classification is based on the message content and context.
Recommended
The messageIntent parameter lets you explicitly define the use case for each message. The value provided in the messageIntent parameter in the Twilio Messaging API always overrides Twilio's Compliance Toolkit AI/ML message classification model. If you specify the messageIntent, Compliance Toolkit honors your supplied messageIntent as the source of truth, overriding the prediction from its models. Learn more.
- Marketing and promotional campaigns like discounts, loyalty rewards, and flash sales
- Charity or events-related broadcasts
- Surveys or product reviews
- One Time Verification Codes
- Fraud alerts or suspicious activity notifications
- Shipping and delivery updates
- Customer support messages
- Emergency announcements
- School alerts to parents and students
- Receipts or confirmations requested through SMS
- Replies to recent inbound messages
- Opt-in and unsubscribe confirmations
If Compliance Toolkit classifies a message as non-essential and it falls within Quiet Hours, it will not be sent immediately. Instead, by default the message is automatically re-scheduled to be delivered after Quiet Hours, and the message metadata is updated in the following ways:
- The delivery status changes to scheduled.
- It adds a ScheduledAt timestamp in the Message Logs that states when the scheduled message would be attempted to be delivered.
You can track messages with the scheduled status using your existing webhooks, logs, and the Messaging Insights experience.
This feature delivers messages while respecting both compliance requirements and recipient experience.
You can set your preference for Quiet Hours message handling as one of two options:
- Reschedule (default): The default behavior that reschedules the message with a new delivery time post Quiet Hours.
- Block: Blocks the non-essential message sent during Quiet Hours and returns a 30610 error code. Message delivery is not re-attempted.
In addition to TCPA requirements, Compliance Toolkit enforces state-specific quiet hours mandates in the following US states. This ensures that non-essential messages are not delivered to recipients during the following time windows.
Compliance Toolkit applies these Quiet Hours based on the recipient's location. It determines this either from the area code of the phone number (default) or, if available, from the location provided by the customer in the Contact API. Non-essential messages that fall into these restricted windows get re-scheduled and delivered once Quiet Hours end.
Legal Note
Compliance Toolkit doesn't enforce any restrictions or requirements outside what's in this table. When using any Twilio Services, customers should check with their counsel for any additional requirements to ensure their compliance.
| State(s) | Quiet Hours Enforced (Local Time) |
|---|---|
| Alabama, Florida, Louisiana, Maryland, Mississippi, Oklahoma, Tennessee, Washington | 8:00 PM – 8:00 AM |
| Connecticut, Nevada | 8:00 PM – 9:00 AM |
| Texas | 9:00 PM – 9:00 AM (Monday–Saturday); 9:00 PM – 12:00 PM (Sundays) |
Compliance Toolkit's Reassigned Number check verifies that the intended recipient's phone number still belongs to the original subscriber who provided explicit consent. By cross-referencing your users' phone numbers against the FCC's Reassigned Numbers Database, Compliance Toolkit identifies if a number has been reassigned since consent was established.
Determining the Date of Consent
To provide accurate verification, the Compliance Toolkit establishes a date_of_consent for every number using the following hierarchy:
- If you provide the date_of_consent for a given phone number record through the Consent Management API, Compliance Toolkit uses this specific date as the "source of truth" for re-assigned number checks.
- If no date_of_consent is provided, it uses the date the customer onboarded to the Compliance Toolkit as the default date_of_consent and uses that as the baseline to check against the FCC's Reassigned Numbers Database. This baseline is used to verify the number hasn't been reassigned since you activated Compliance Toolkit.
Enforcement
If the phone number is identified to be reassigned to a different consumer after the established date_of_consent, Compliance Toolkit updates the phone number's consent status to opt-out and blocks any future message attempts returning Error 21610.
After the initial check, Compliance Toolkit re-verifies the re-assigned status of a given phone number every 30 days to align with FCC safe harbor standards.
Compliance Toolkit's TCPA Known Litigator Check helps safeguard your messaging from potential TCPA litigation issues. Once enabled, this feature proactively identifies and blocks messages to phone numbers believed to be associated with prior TCPA-related legal activity.
Intelligent Filtering and Enforcement
To ensure your critical communications remain uninterrupted, Compliance Toolkit uses its AI/ML message classification model to distinguish between different types of traffic.
Recommended
The messageIntent parameter lets you explicitly define the use case for each message. The value provided in the messageIntent parameter in the Twilio Messaging API always overrides Twilio's Compliance Toolkit AI/ML message classification model. If you specify the messageIntent, Compliance Toolkit honors your classification as the source of truth, overriding the prediction from its models. Learn more.
- Essential Traffic: One-time passwords (OTPs), transactional alerts, customer support messages, etc. are always permitted and delivered to the recipient.
- Non-Essential Traffic: Marketing, promotional, flash sales messages, etc. are blocked if the recipient's phone number is identified as a known litigator, and the attempt returns Error 30640.
After the initial check, Compliance Toolkit re-verifies the litigator status of a given phone number every 7 days.
Note
This feature is not activated by default when Compliance Toolkit is activated on your account. To activate this feature on your account, contact your account representative or reach out to Twilio Support.
Legal Note
The Litigator Protection Check is a safeguard designed to help block messages to phone numbers believed to be associated with individuals or entities with a history of filing TCPA-related legal actions, and stop non-essential messages to those specific numbers. It cannot identify all potential litigants and is not a guarantee against legal action. Twilio does not represent that this feature will identify every litigious entity or entirely eliminate risk. Users remain responsible for ensuring their messaging practices comply with all applicable laws and must be aware that any unwanted or noncompliant messages, no matter who receives them, create the risk of TCPA or other litigation.
To identify users who have opted out of receiving your messages, Twilio checks against its opt-out database.
By sending a reply to your messages with one of the following keywords, these previous subscribers opted out.
- STOP
- UNSUBSCRIBE
- END
- QUIT
- STOPALL
- REVOKE
- OPTOUT
- CANCEL
If the associated recipient replied to a message with the appropriate opt-out keyword, Twilio blocks the message and returns error 21610. To learn more about opt out, see Twilio support for opt-out keywords.
Twilio also checks the recipient's latest consent status using the Consent Management API. If a recipient opted out, Twilio blocks your message to that specific user and returns error 21610.
Twilio's Consent Management API lets you bulk manage user consent preferences globally across your messaging channels. Use it to store, sync, or update opt-in, opt-out, and re-opt-in statuses for your users across RCS, SMS, and MMS channels, along with details about how and when consent was collected.
The Consent Management API lets you upsert multiple consent records in a single request. To synchronize large volumes of user consent preferences between two or more data sources, use this API.
To re-opt-in a user, update the recipient's consent status to opt-in. This overrides the STOP keyword and lets you resume sending messages to this user.
With this API, you can manage the following user consent statuses:
| Consent status | Description |
|---|---|
| opt in | The user has provided valid consent to receive SMS messages. |
| opt out | The user has revoked consent or replied with STOP-like keywords. |
| opt in | Handled as re-opt-in. The user has opted in again after a prior opt-out. Overrides STOP keyword. |
To block or allow messages, Twilio checks this consent status in the Consent Management API records and keyword-based signals.
To meet your specific messaging needs, Twilio Compliance Toolkit provides customization options through three API resources.
- Contact API can set the known ZIP code for each end user. By using the recipient's location instead of their phone number's area code, this improves Quiet Hours accuracy.
- Consent Management API lets you set each subscriber's opt-in or opt-out status. Twilio uses these up-to-date, verified preferences to block or permit messages.
- Twilio Programmable Messaging API.
  - The riskCheck parameter lets you set which messages the Compliance Toolkit evaluates. When set to disable, Compliance Toolkit doesn't evaluate that message. You also don't incur associated charges.
  - The messageIntent parameter lets you explicitly define the use case for each message. The value provided in messageIntent always overrides Twilio's Compliance Toolkit AI/ML message classification model. If you specify the messageIntent, Compliance Toolkit honors your classification as the source of truth, overriding the prediction from its models.
    - If you set the messageIntent to an essential use case value like otp, customercare, or notifications, Twilio exempts it from Quiet Hours checks and the known litigators check, and delivers it immediately.
    - If you set the messageIntent to a non-essential use case value like marketing or events, Twilio enforces Quiet Hours. If the message is sent during the Quiet Hours window, Compliance Toolkit automatically reschedules it for delivery after Quiet Hours.
The following table lists which use cases you can configure for the messageIntent parameter and the Quiet Hours mapping assigned for that use case.
| Use case | MessageIntent parameter value | Quiet Hours mapping |
|---|---|---|
| Two-factor auth (2FA) and one-time passcodes (OTP) | otp | Essential |
| Account notifications, two-way conversational messaging | notifications | Essential |
| Fraud alerts | fraud | Essential |
| Security alerts, emergency | security | Essential |
| Customer care | customercare | Essential |
| Delivery notifications | delivery | Essential |
| Education | education | Non-Essential |
| Event marketing | events | Non-Essential |
| Polling and voting (non-political) | polling | Non-Essential |
| Public service announcement (non-emergency) | announcements | Non-Essential |
| General and campaign marketing | marketing | Non-Essential |
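The Quiet Hours rules on this page can be modeled as a local pre-send check for messages that carry an explicit messageIntent. This Python sketch is an added example, not Twilio code or part of the original page; the function names, the two-letter state codes, the reading of the Texas Sunday row, and rescheduling to the exact moment the window opens are assumptions.

```python
from datetime import datetime, time, timedelta

# messageIntent values and their Quiet Hours mapping, from the table above.
ESSENTIAL = {"otp", "notifications", "fraud", "security", "customercare", "delivery"}
NON_ESSENTIAL = {"education", "events", "polling", "announcements", "marketing"}

# State windows from the page's state table (two-letter codes are an assumption).
QUIET_8PM_8AM = {"AL", "FL", "LA", "MD", "MS", "OK", "TN", "WA"}
QUIET_8PM_9AM = {"CT", "NV"}


def sending_window(state, weekday):
    """Return (opens, closes) in recipient local time; weekday: Monday=0."""
    if state in QUIET_8PM_8AM:
        return time(8), time(20)
    if state in QUIET_8PM_9AM:
        return time(9), time(20)
    if state == "TX":
        # Assumption: the Sunday row means Sunday sending opens at 12:00 PM.
        return (time(12) if weekday == 6 else time(9)), time(21)
    return time(8), time(21)  # TCPA window as stated on the page


def decide(intent, state, local_dt, on_quiet="reschedule"):
    """Model the documented outcome for one message.

    local_dt is a naive datetime already in the recipient's local time.
    Returns (action, when): 'send', 'scheduled' or 'blocked:30610'.
    """
    if intent in ESSENTIAL:
        return "send", local_dt  # essential intents are exempt from Quiet Hours
    if intent not in NON_ESSENTIAL:
        raise ValueError(f"unknown messageIntent: {intent!r}")
    opens, closes = sending_window(state, local_dt.weekday())
    if opens <= local_dt.time() < closes:
        return "send", local_dt
    if on_quiet == "block":
        return "blocked:30610", None  # Block preference: no re-attempt
    day = local_dt.date()
    if local_dt.time() >= closes:
        # Evening: the window that reopens is tomorrow's, which may differ (TX).
        day += timedelta(days=1)
        opens, _ = sending_window(state, day.weekday())
    # Assumption: reschedule to the moment the window opens.
    return "scheduled", datetime.combine(day, opens)


if __name__ == "__main__":
    # Constructed sample: Saturday 9:30 PM in Texas, marketing intent.
    print(decide("marketing", "TX", datetime(2025, 1, 4, 21, 30)))
```

Running the same check in your own send path shows which messages would be held or blocked before they reach the API, which helps when reconciling scheduled statuses and 30610 errors in your logs.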
When Compliance Toolkit blocks a message delivery due to Opt-Out or Reassigned Phone Number identification, Twilio returns an error 21610. This message displays in the Twilio error logs and the API response.
When Compliance Toolkit blocks a message delivery due to TCPA Known Litigator identification, Twilio returns an error 30640. This message displays in the Twilio error logs and the API response.
When Compliance Toolkit detects a marketing message being sent during Quiet Hours, it doesn't deliver it. It sets the delivery status to scheduled and the ScheduledAt timestamp to attempt delivery post Quiet Hours. When you opt to block messages attempted to be sent during Quiet Hours, rather than reschedule these messages, Compliance Toolkit returns error 30610.
To analyze aggregate trends and drill into Compliance Toolkit outcomes on your account, use Messaging Insights in the Twilio Console.
- To view message attempts automatically re-scheduled by Compliance Toolkit during Quiet Hours, filter by: "Used Scheduling" = Yes in Messaging Insights on the Twilio Console.
- To view message attempts blocked due to phone numbers being opted out or re-assigned by Compliance Toolkit, filter by: "Error Code" = 21610.
- To view message attempts blocked due to phone numbers being associated with known litigators by Compliance Toolkit, filter by: "Error Code" = 30640.
Yes. From the Twilio Console, you can choose to activate Compliance Toolkit only for specific subaccounts.
Yes. Once Compliance Toolkit is activated on your account through the Twilio Console, you can choose how it is invoked per message programmatically by using the riskCheck parameter in the Twilio Programmable Messaging API. The riskCheck parameter lets you set which messages the Compliance Toolkit evaluates.
When riskCheck is set to disable, Compliance Toolkit doesn't evaluate that message. You also don't incur associated charges.
Yes. Compliance Toolkit is designed to be Secure-by-Default but Developer-Controlled. While our AI/ML models are highly accurate at predicting message use cases, we recognize that you know your traffic best. When you include the messageIntent parameter in your API request, it acts as an override that takes precedence over any automated Twilio classification.
Twilio Message Scheduling within the Engagement Suite lets users schedule messages for delivery at a future date and time. Twilio Message Scheduling doesn't analyze the message type nor prevent flagged messages from being sent during Quiet Hours.
This frequency is specifically designed to align with FCC Safe Harbor requirements. The FCC updates its Reassigned Number database monthly on the 16th of each month; Compliance Toolkit checks once every 30 days that you are sending to a valid recipient, protecting your business from unintentional TCPA violations.
By default, Compliance Toolkit infers the time zone from one of two data points:
- User phone number area code
- Latest known ZIP code provided by the customer from the Twilio Contacts API.
Twilio AI Nutrition Facts provide an overview of this AI feature. This overview helps you better understand how AI works with your data. The following Nutrition Facts label outlines the qualities of Compliance Toolkit.
AI Nutrition Facts
Compliance Toolkit for Programmable Messaging
- Description: Compliance Toolkit is a product available to Twilio Messaging customers that uses Artificial Intelligence to help manage their obligations with respect to certain local regulatory or compliance requirements.
- Privacy Ladder Level: 3
- Feature is Optional: Yes
- Model Type: Machine Learning
- Base Model: Logistic Regression
- Base Model Trained with Customer Data: Yes
- Customer Data is Shared with Model Vendor: No
- Training Data Anonymized: Yes
- Data Deletion: Yes
- Human in the Loop: Yes
- Data Retention: 30 days
- Logging & Auditing: Yes
- Guardrails: Yes
- Input/Output Consistency: Yes
- Other Resources
Trust Ingredients
Customer messaging traffic metadata is used for model training.
Compliance
Standard service logging is applied and logs are stored for future review.
Learn more about this label at nutrition-facts.ai