A2P 10DLC Website Requirements Checklist (2026)

Q: What exact language does the privacy policy need for SMS?

Something very close to: 'Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes.' The wording can vary, but it must explicitly state that SMS opt-in data is not shared with third parties for marketing. Generic 'we value your privacy' boilerplate is not enough.

Q: Do I need a separate website for every A2P 10DLC client?

Yes. Every brand needs its own dedicated website on its own domain or subdomain. You cannot register multiple A2P brands pointing at a single shared marketing site. This is the problem A2P Genius was built to solve — generating a unique compliant subdomain per client in seconds.

By Tom Pacheco — HighLevel Certified Admin and founder of Clicks to Closes. I’ve personally walked dozens of HighLevel agencies through A2P 10DLC approval and built A2P Genius to automate the worst parts of it.

If you’ve ever submitted an A2P 10DLC registration and been rejected for a “non-compliant website,” you know how vague the requirements feel. The Campaign Registry (TCR) describes what they want in broad strokes. Carriers add their own unwritten rules on top. And the rejection emails almost never tell you exactly what’s missing.

This post is the checklist I wish I’d had when I started. Every item here is derived from published TCR guidance, CTIA Messaging Principles and Best Practices, and real rejection feedback from HighLevel agencies submitting through Twilio, Bandwidth, and the HighLevel LC Phone system.

Why a website is required for A2P 10DLC

Yes, you absolutely need a website. It’s not optional, and a one-page landing site or a Linktree-style “link in bio” tool will not pass review. TCR and the carriers want to see a multi-page, publicly accessible, SSL-secured business website that demonstrates four things at once:

The brand is a real, operating business — not a shell or a lead-gen funnel
Phone numbers are being collected with proper, documented consent
Privacy and terms policies are published on the same domain
The business can be contacted through normal channels (phone, email, physical address)

Without all four, your brand and campaign will be rejected, and there’s no workaround — not even paying for an expedited review. The website gates everything downstream.

The complete TCR website checklist

✅ Required pages

Every compliant A2P 10DLC website must include these pages at minimum:

Home page — brand name, tagline, and a clear plain-English description of what the business does
About page — the story of the business, its mission, founders or team, and why it exists
Services page — what the business actually sells or delivers (be specific — “marketing” is too vague)
Contact page — phone, email, physical address, and a working contact form
Privacy Policy — with explicit SMS-specific language (see below)
Terms of Service — alongside the privacy policy, on the same domain

Why six pages? TCR reviewers look for signals that a site is a “real” business website, not something thrown together to pass review. Six distinct pages linked from a top navigation menu is the de facto standard. Five sometimes works. Three or four almost never does.

A useful test: if a stranger landed on the homepage cold, could they figure out (a) what the business sells, (b) who runs it, and (c) how to reach them — without scrolling past the fold? If the answer is no, the reviewer will think the same thing.

✅ Technical requirements

HTTPS only — no “Not Secure” warnings in Chrome’s address bar. A free Let’s Encrypt cert is fine; the issuer doesn’t matter, only that it’s valid.
HTTP 200 on every page — no 404s, no redirect loops, no “this site can’t be reached” errors. Test every nav link before you submit.
Publicly accessible — no login walls, password protection, IP allowlists, or noindex headers. If the reviewer can’t load it from a fresh browser session, it doesn’t exist.
Matching domain — the website domain should match or clearly reference the brand name. acmeplumbing.com for “Acme Plumbing LLC” is fine. A random domain like xyz123.netlify.app will raise flags.
Mobile-responsive — carriers test from mobile user agents. A desktop-only site that breaks on a phone is an instant rejection on some carrier reviews.

✅ Privacy policy requirements

This is where the majority of rejections happen. Your privacy policy must explicitly state, in language very close to this:

“Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All other categories — IP, browser type, etc. — exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.”

That clause (or a near-identical paraphrase) needs to appear on the privacy policy page itself — not linked, not summarized, not implied. This single sentence is the difference between approval and rejection more often than anything else on this list.

The policy should also cover:

What data you collect — phone numbers, names, emails, IP, cookies
How that data is used — appointment reminders, service updates, marketing
How users can opt out — STOP keyword, contact form, email
Retention policy — how long phone numbers are kept after opt-out
Contact info for privacy questions — a real email address, not admin@example.com

The privacy policy must live on the same domain as the rest of the site. A link out to TermsFeed, iubenda, Termly, or any third-party host is an instant rejection — even if the generated content is otherwise compliant. Reviewers want the document hosted under the brand’s own domain.

✅ SMS opt-in form requirements

This is where the website actually collects phone numbers, and it’s the most-scrutinized element on the page. The form must have:

A checkbox that is not pre-checked. Pre-checked boxes are illegal under TCPA and will be rejected on sight.
A checkbox that is not required to submit the form. Opt-in must be truly optional — a user must be able to fill out a contact form, request a quote, or book an appointment without opting in to SMS. If checking the box is mandatory, it’s not real consent.
A visible disclosure placed directly next to the checkbox containing all of these elements:
- Business name (matching the EIN registration exactly)
- Message types — “appointment reminders,” “promotional offers,” “service updates,” etc.
- Message frequency — “Message frequency varies” is the standard phrasing
- Data rates disclaimer — “Message and data rates may apply”
- Opt-out instructions — “Reply STOP to unsubscribe”
- Help instructions — “Reply HELP for help”
Links to the privacy policy and terms of service placed directly below or beside the opt-in checkbox — not buried in the footer.

Here’s a fully compliant disclosure you can copy:

☐ By checking this box, I consent to receive text messages from Acme Plumbing LLC including appointment reminders and promotional offers. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe, HELP for help. See our Privacy Policy and Terms of Service.

Tiny details matter: the box must visually look like a checkbox (not a toggle, not a radio button), the disclosure text must be readable (no 8px gray-on-white), and the links must actually work.

✅ Contact information requirements

The website must display, in an obvious place — usually the footer plus a dedicated contact page:

Business phone number, formatted as a clickable tel: link
Business email address, formatted as a clickable mailto: link
Physical business address — not a PO Box, UPS Store, or virtual mailbox. A real street address.
The business name as registered with the EIN, exactly

Reviewers will cross-reference this against the brand registration. Any mismatch — different LLC name, different city, different phone — can trigger a rejection or a manual vetting hold.

✅ Branding consistency

The business name shown on the website must match exactly the name submitted for brand registration. If the EIN is registered to “Acme Marketing Solutions LLC,” don’t put “Acme Digital” in the logo, “Acme Marketing” in the footer, and “Acme Solutions” on the about page. Pick one — the legal name — and use it consistently in the header, footer, contact page, copyright notice, and privacy policy.

This is the single easiest rejection to avoid and one of the most common ones I see in HighLevel agency submissions.

The “gotchas” TCR doesn’t tell you about

After reviewing dozens of HighLevel A2P rejections, here are the non-obvious things that trip people up:

1. The website must be live before you submit

TCR reviewers click the URL in real time during their review. If your site is still being built, DNS hasn’t fully propagated, or a deploy is in progress, you’ll get an instant rejection. Always confirm the site is fully live from a clean browser (try incognito + a mobile network) before hitting submit.

2. “Coming Soon” pages count as broken

A splash page saying “Coming Soon” or “Under Construction” will get you rejected, even if the page returns a 200 and the SSL is valid. Reviewers want to see real content. A skeleton site with placeholder lorem ipsum will fail for the same reason.

3. The opt-in form must be on the homepage or one click away

If your opt-in form is buried three pages deep, reviewers may not find it within their review window and will reject the brand for “no opt-in mechanism.” Put the form on the homepage, the contact page, or both — and link to it from the main navigation.

4. Your privacy policy needs SMS-specific language

A generic privacy policy that covers cookies and analytics but never mentions SMS will get rejected. The policy must specifically address how phone numbers collected through SMS opt-in will be stored, used, and protected. Generic templates from WordPress plugins almost never include this clause by default.

5. Terms of Service and Privacy Policy are not interchangeable

You need both, on separate URLs, both linked from the footer. They serve different purposes — one is the contract between the user and the business, the other is the data-handling disclosure — and TCR checks for both separately.

6. The site must still be live a week later

Some carriers re-check the site during the campaign approval phase, days after brand approval. If you take the site down or move it after the brand passes, the campaign can still be rejected. Plan to keep the site live indefinitely.

How many agencies get this right

Honestly? Very few. Building six compliant pages, writing a privacy policy with the right SMS language, adding a compliant opt-in form, and making sure every detail matches the brand registration is several hours of work per client. Most HighLevel agencies either skip A2P registration entirely (and quietly suffer the deliverability hit), outsource it to expensive compliance services that charge $300+ per brand, or burn out doing it manually one client at a time.

A2P Genius automates every single requirement on this checklist. You fill out a simple onboarding form once, and we generate a complete six-page compliant website on a unique subdomain with valid SSL, the exact privacy policy language TCR wants, a compliant opt-in form, and matching terms of service — in about 30 seconds.

Then our Chrome extension auto-fills the HighLevel brand and campaign registration forms with the same data, so every field lines up on the first submission and you don’t have to copy-paste anything.

TL;DR — the checklist

Here’s everything to verify before submitting an A2P 10DLC registration:

Hit all of these and your first-try A2P approval rate will jump dramatically. Miss any of them and you’re in for another frustrating rejection cycle.

Frequently asked questions

Does TCR really require a privacy policy on the same domain?

Yes. Linking to a third-party hosted policy (TermsFeed, iubenda, Termly) is one of the most common rejection reasons. The policy must be served from the same domain as the rest of the site — even if the content was generated by one of those services, you need to copy it into a page you host yourself.

Can I use a Linktree, Carrd, or single-page site?

No. TCR explicitly looks for a multi-page business website. One-page sites and link-in-bio tools fail review almost universally. You need at least the six pages listed above, linked from a real navigation menu.

What exact language does the privacy policy need for SMS?

Something very close to: “Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes.” The wording can vary, but it must explicitly mention that SMS opt-in data is not shared with third parties for marketing. Generic “we value your privacy” boilerplate is not enough.

Does my client’s phone number on the site need to be a real, answerable line?

Yes. Reviewers occasionally call. The number should at minimum reach a voicemail with the business name. A disconnected number or a number that doesn’t match the brand registration is a rejection trigger.

Can I use a PO Box for the business address?

No. A PO Box, UPS Store mailbox, or virtual office address will typically be rejected. You need a real street address — ideally the address that matches the EIN registration with the IRS.

How long does TCR review take after I submit?

Brand vetting is usually under an hour for standard brands. Campaign approval typically takes 1–3 business days. If you’re rejected, you’ll need to fix the issue and resubmit, which restarts the queue — so it’s far cheaper to get the website right the first time.

What happens if my website goes down after I’m approved?

For brand approval, nothing immediately. But if you’re still in campaign review or you submit additional campaigns later, the site needs to be live. Some carriers also spot-check sites post-approval. Keep the site live indefinitely.

Every brand needs its own dedicated website on its own domain (or its own subdomain at minimum). You cannot register multiple A2P brands pointing at a single shared marketing site. This is exactly the problem A2P Genius was built to solve — generating a unique compliant subdomain per client in seconds instead of hours.

Or — skip the checklist entirely and let A2P Genius handle it.