Compliance Toolkit for Programmable Messaging
Public Beta
Programmable Messaging customers can activate the Public Beta of the Compliance Toolkit from the Twilio Console.
This feature supports SMS messages terminating in the United States written in English and Spanish languages only.
Compliance Toolkit is available as a Public Beta release and the information contained in this document is subject to change. Some features are not yet implemented and others may be changed before the product is declared as Generally Available. Public Beta products are not covered by the Twilio Support Terms or the Twilio Service Level Agreement.
To learn how Twilio supports products in public beta, see Twilio Beta Product Support.
Legal notice
Compliance Toolkit is not a HIPAA Eligible Service and shouldn't be used in workflows that are subject to HIPAA.
Pricing
To learn about Compliance Toolkit pricing for Programmable Messaging, see the SMS Pricing page or contact Sales.
Compliance Toolkit helps you mitigate your compliance exposure by using artificial intelligence and machine learning to proactively detect possible regulatory violations and prevent or reschedule their transmission.
To activate Compliance Toolkit, go to your account settings in the Twilio Console.
- Log in to the Twilio Console
- Go to Messaging > Settings > General to view Compliance Toolkit settings.
- Select Enabled. The Compliance Toolkit modal displays.
- Review the text of this modal, then acknowledge that you have read the Twilio Compliance Toolkit: AI/ML and Product Terms Addendum.
- Click Done and Save. Once activated, the toolkit runs on your existing messaging flows. This requires no further action on your part.
Twilio passes all US outbound SMS traffic through Compliance Toolkit to help you identify and resolve possible violations specific to the following regulations.
Quiet Hours check
When Twilio tries to send a message, Compliance Toolkit checks if it falls within Quiet Hours. The US Federal Communications Commission defines these hours under the Telephone Consumer Protection Act (TCPA) as 9:00 PM to 8:00 AM in the recipient's local time zone in the US. Twilio infers the time zone using the recipient's phone number area code.
Recommended
To improve accuracy, you can provide the latest known ZIP codes of your recipients with the Contacts API. When provided, Compliance Toolkit uses the ZIP codes as entered in the Contacts API to enforce Quiet Hours.
Message classification
If the message falls within Quiet Hours, Compliance Toolkit classifies the message as essential or non-essential. This classification is based on the message content and context.
If you want to override the defaults, bypass Compliance Toolkit's classification model, and set specific messages as essential, use the MessageIntent parameter. See Consent Management API.
Examples of non-essential messages
- Marketing and promotional campaigns like discounts, loyalty points, and flash sales
- Charity or events-related broadcasts
Examples of essential messages
- Fraud alerts or suspicious activity notifications
- Shipping and delivery updates
- Customer support messages
- Emergency announcements
- School alerts to parents and students
- Receipts or confirmations requested through SMS
- Replies to recent inbound messages
- Opt-in and unsubscribe confirmations
Delivery behavior
If Compliance Toolkit reschedules non-essential messages for delivery after Quiet Hours, it changes the message metadata in the following ways:
- The delivery status changes to scheduled.
- It adds a ScheduledAt timestamp in the Message Logs that states when it plans to deliver the message.
You can track the scheduled status with existing webhooks, logs, and the Messaging Insights experience.
This feature delivers messages while respecting both compliance requirements and recipient experience.
You can set your preference for Quiet Hours message handling as one of two options:
- Reschedule (default): The default behavior that reschedules the message with a new delivery time.
- Block: This blocks the non-essential message sent during Quiet Hours and returns a 30610 error code.
To identify users who have opted out of receiving your messages, Twilio checks against its opt-out database.
These previous subscribers sent a reply to opt out with the standard keywords:
- STOP
- UNSUBSCRIBE
- END
- QUIT
- STOPALL
- REVOKE
- OPTOUT
- CANCEL
If the associated recipient replied to a message with the appropriate opt-out command on a date later than the recorded opt-in date, Twilio blocks the message and returns an error code. To learn more about opt out, see Twilio support for opt-out keywords.
Twilio also checks the recipient's consent status using the Consent Management API. If a recipient has set their consent status to opt-out, Twilio blocks your message to that specific user and returns an error code, regardless of keywords.
Compliance Toolkit verifies that the intended recipient's phone number still belongs to the original subscriber who opted in (consented) to communications. It automatically tracks reassigned phone numbers and updates the customer's blocklist with them, so that outbound messages destined for recipients with reassigned numbers aren't sent. After the first Reassigned Number check on a particular phone number, this feature checks that number for new messages every 30 days.
To bulk update and manage user consent preferences for SMS messaging, use the Twilio Consent Management API. Use it to store or update opt-in, opt-out, and re-opt-in statuses for your users, along with details about how and when consent was collected.
The Consent Management API lets you upsert multiple consent records in a single request. Use it to synchronize large volumes of user consent preferences between two or more data sources.
You can re-opt in a user by updating the recipient's consent status to opt-in, which overrides the STOP keyword and allows messages to be sent again.
Supported consent preferences
With this API, you can manage the following user consent states:
Consent status | Description |
---|---|
opt in | The user has provided valid consent to receive SMS messages. |
opt out | The user has revoked consent or replied with STOP-like keywords. |
re-opt in | Handled as opt-in. The user has opted in again after a prior opt-out. Overrides the STOP keyword. |
To block or allow messages, Twilio checks this consent state, Consent Management API records, and keyword-based signals.
Learn more about the Consent Management API.
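The precedence between keyword opt-outs and consent records described above, written as a local pre-send check. This is an added example, not Twilio's code: the function names are hypothetical, the status strings are the labels from the table above, and exact-match keyword handling and the treatment of recipients with no record are assumptions.

```python
from datetime import datetime, timezone

# Standard opt-out keywords listed on this page.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "END", "QUIT",
                    "STOPALL", "REVOKE", "OPTOUT", "CANCEL"}


def is_opt_out_reply(body):
    """Assumption: a reply counts only when the whole trimmed body is a keyword."""
    return body.strip().upper() in OPT_OUT_KEYWORDS


def may_send(consent_status, consent_at, inbound_replies):
    """Return (allowed, error_code) for one recipient.

    consent_status, consent_at: the latest consent record and its timestamp
      ("opt in", "opt out", "re-opt in", or None when no record exists).
    inbound_replies: list of (received_at, body) tuples from that recipient.
    """
    # A consent record of "opt out" blocks regardless of keywords.
    if consent_status == "opt out":
        return (False, 21610)
    stops = [at for at, body in inbound_replies if is_opt_out_reply(body)]
    if not stops:
        # Assumption: no opt-out signal of either kind means the send proceeds.
        return (True, None)
    last_stop = max(stops)
    # "re-opt in" is handled as "opt in". A keyword opt-out blocks only when it
    # is later than the recorded opt-in date; a newer opt-in overrides STOP.
    opted_in = consent_status in ("opt in", "re-opt in")
    if opted_in and consent_at >= last_stop:
        return (True, None)
    return (False, 21610)


if __name__ == "__main__":
    # Constructed sample timeline for one recipient.
    opt_in = datetime(2025, 3, 1, tzinfo=timezone.utc)
    stop = datetime(2025, 4, 10, tzinfo=timezone.utc)
    re_opt_in = datetime(2025, 5, 1, tzinfo=timezone.utc)
    print(may_send("opt in", opt_in, [(stop, "stop")]))
    print(may_send("re-opt in", re_opt_in, [(stop, "stop")]))
```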
Twilio Compliance Toolkit provides you with customization options to meet your specific messaging needs. Compliance Toolkit offers three API resources to override its default behaviors.
- Consent Management API allows you to set each subscriber's opt-in or opt-out status. Twilio uses these up-to-date, verified preferences to block or permit messages.
- Contact API allows you to set the known ZIP code for each end user. This improves Quiet Hours accuracy by using the recipient's location instead of relying solely on their phone number's area code.
- Twilio Programmable Messaging API
  - The riskCheck parameter sets which messages the Compliance Toolkit evaluates. When set to disable, Compliance Toolkit doesn't evaluate that message. You don't incur associated charges for its use.
  - The messageIntent parameter sets the nature of the message as per your use case.
If you set the messageIntent as an essential use case value like otp or notifications using this parameter, Twilio exempts it from Quiet Hours checks and delivers it.
If you set the messageIntent as a non-essential use case value like marketing using this parameter, Twilio reschedules its delivery after Quiet Hours.
The following table lists the use cases that can be configured for the MessageIntent parameter and the Quiet Hours mapping assigned to each use case.
Use case | MessageIntent parameter value | Quiet Hours Mapping |
---|---|---|
Two-factor auth (2FA) and one-time passcodes (OTP) | otp | Essential |
Account notifications, two-way conversational messaging | notifications | Essential |
Fraud alerts | fraud | Essential |
Security alerts, emergency | security | Essential |
Customer care | customercare | Essential |
Delivery notifications | delivery | Essential |
Education | education | Non-Essential |
Event marketing | events | Non-Essential |
Polling and voting (non-political) | polling | Non-Essential |
Public service announcement (non-emergency) | announcements | Non-Essential |
General and campaign marketing | marketing | Non-Essential |
When Compliance Toolkit blocks an SMS delivery due to Opt-Out or Reassigned Phone Number identification, Twilio returns error 21610, which is displayed in the Twilio error logs and the API response.
When Compliance Toolkit detects a marketing message being sent during Quiet Hours, it doesn't deliver it. It sets the delivery status to scheduled and the ScheduledAt timestamp for after the end of Quiet Hours, up to 4 hours later.
When you opt to block, rather than reschedule these messages, Compliance Toolkit returns error 30610, which is displayed in the Twilio error logs and the API response.
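A local model of the Quiet Hours outcome for a message that sets MessageIntent explicitly, useful for predicting which sends will be delivered, rescheduled, or blocked with 30610. This is an added example, not Twilio's code: the function names and the returned dictionary are hypothetical, and the boundary handling (9:00 PM inclusive, 8:00 AM exclusive) is an assumption.

```python
from datetime import datetime, time, timedelta, timezone

# MessageIntent values and their Quiet Hours mapping, copied from the table above.
ESSENTIAL = {"otp", "notifications", "fraud", "security", "customercare", "delivery"}
NON_ESSENTIAL = {"education", "events", "polling", "announcements", "marketing"}

QUIET_START = time(21, 0)       # 9:00 PM recipient local time
QUIET_END = time(8, 0)          # 8:00 AM recipient local time
MAX_DELAY = timedelta(hours=4)  # rescheduled "up to 4 hours later"


def in_quiet_hours(local):
    """Assumption: 21:00 inclusive to 08:00 exclusive; the window wraps midnight."""
    t = local.time()
    return t >= QUIET_START or t < QUIET_END


def predict_outcome(send_utc, recipient_tz, intent, on_quiet_hours="reschedule"):
    """Predict the documented outcome for one outbound SMS.

    recipient_tz is any tzinfo (assumption: the caller resolved it from the
    recipient's ZIP code or area code, for example as a zoneinfo.ZoneInfo).
    on_quiet_hours is the account preference: "reschedule" or "block".
    """
    if intent not in ESSENTIAL | NON_ESSENTIAL:
        raise ValueError(f"unknown MessageIntent value: {intent!r}")
    local = send_utc.astimezone(recipient_tz)
    if intent in ESSENTIAL or not in_quiet_hours(local):
        return {"status": "deliver"}
    if on_quiet_hours == "block":
        return {"status": "blocked", "error_code": 30610}
    # Quiet Hours end at the next 08:00 local: today if before 08:00, else tomorrow.
    end_day = local.date() if local.time() < QUIET_END else local.date() + timedelta(days=1)
    earliest = datetime.combine(end_day, QUIET_END, tzinfo=recipient_tz)
    return {"status": "scheduled",
            "earliest": earliest.astimezone(timezone.utc),
            "latest": (earliest + MAX_DELAY).astimezone(timezone.utc)}


# Constructed sample: 03:30 UTC on 2 July is 22:30 on 1 July at UTC-5.
CENTRAL = timezone(timedelta(hours=-5))  # fixed offset, so no tz database is needed
SAMPLE = datetime(2025, 7, 2, 3, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for intent in ("otp", "marketing"):
        print(intent, predict_outcome(SAMPLE, CENTRAL, intent))
    print(predict_outcome(SAMPLE, CENTRAL, "marketing", on_quiet_hours="block"))
```

Running the same instant against two candidate time zones for one recipient shows when an area-code guess and a ZIP-code lookup would disagree about Quiet Hours.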
To analyze aggregate trends and drill into Compliance Toolkit outcomes, use the Messaging Logs and Insights on Twilio Console.
Q: Can I use Compliance Toolkit only for specific messages or subaccounts?
Yes. From the Twilio Console, you can activate Compliance Toolkit only on specific subaccounts.
To selectively invoke Compliance Toolkit per message, use the riskCheck parameter in the Twilio Programmable Messaging API. You control when to apply Compliance Toolkit.
Q: How does this differ from Twilio's Message Scheduling feature?
Twilio Message Scheduling (within the Engagement Suite) lets users schedule messages for delivery at a future date and time. Twilio Message Scheduling doesn't analyze the message type or prevent flagged messages from being sent during quiet hours.
Q: How does Compliance Toolkit determine a recipient's timezone for quiet hours?
By default, Compliance Toolkit infers the timezone from:
- User phone number area code, or
- If available, the latest known ZIP code provided from the Twilio Contacts API.
Twilio AI Nutrition Facts provide an overview of the AI feature you're using, so you can better understand how AI is working with your data. The qualities of Compliance Toolkit are outlined in the following Nutrition Facts label. For more information, including the glossary regarding the AI Nutrition Facts label, refer to Twilio's AI Nutrition Facts page.
AI Nutrition Facts
Compliance Toolkit for Programmable Messaging
- Description: Compliance Toolkit is a product available to Twilio Messaging customers that uses Artificial Intelligence to help manage their obligations with respect to certain local regulatory or compliance requirements.
- Privacy Ladder Level: 3
- Feature is Optional: Yes
- Model Type: Machine Learning
- Base Model: Logistic Regression
- Base Model Trained with Customer Data: Yes
- Customer Data is Shared with Model Vendor: No
- Training Data Anonymized: Yes
- Data Deletion: Yes
- Human in the Loop: Yes
- Data Retention: 30 days
- Logging & Auditing: Yes
- Guardrails: Yes
- Input/Output Consistency: Yes
- Other Resources
Trust Ingredients
Customer messaging traffic metadata is used for model training.
Compliance
Standard service logging is applied and logs are stored for future review.
Learn more about this label at nutrition-facts.ai