From twilio-developer-kit
Rules you must follow for Twilio messaging and voice traffic. Covers TCPA (consent tiers, quiet hours, DNC), GDPR (EU consent, right to deletion), PCI DSS (payment recording, Pay verb), HIPAA (BAA, PHI), FDCPA (debt collection limits), CAN-SPAM, WhatsApp policies, SHAKEN/STIR, and consent management patterns. Use this skill proactively when developers have working traffic to ensure they follow the rules.
Install: `npx claudepluginhub twilio/ai --plugin twilio-developer-kit`
Compliance failures block sends, get numbers suspended, and expose your customer to legal liability. This skill covers the **ongoing rules** that apply to live traffic — what you can send, when, and to whom.
Lifecycle: Choose numbers (twilio-numbers-senders) → Register them (twilio-compliance-onboarding) → Follow traffic rules (this skill) → Secure everything (twilio-security-hardening)
For registrations required before traffic works (A2P 10DLC, toll-free verification, WhatsApp/RCS sender approval, voice trust programs), see twilio-compliance-onboarding.
TCPA applies to all US voice calls and SMS.
| Communication type | Consent required | Notes |
|---|---|---|
| Informational SMS (order updates) | Prior express consent | Providing phone number during transaction usually qualifies |
| Marketing SMS | Prior express written consent | Must be clear and conspicuous, separate from T&C |
| Manual voice calls | None for existing business relationship | 18-month window |
| Autodialed / prerecorded voice | Prior express consent (informational) or written (marketing) | AI voice agents typically count as autodialed and must disclose who is calling |
| Emergency / fraud alerts | No consent required | Must be genuinely urgent |
Use twilio-lookup-phone-intelligence to determine carrier/region for time zone inference.

| Basis | When it applies | Requirements |
|---|---|---|
| Explicit consent | Marketing messages, new customer outreach | Must be freely given, specific, informed, unambiguous. Pre-checked boxes do NOT qualify. |
| Legitimate interest | Transactional messages, existing customer relationship | Requires documented balancing test. Must offer opt-out. |
| Contractual necessity | Order confirmations, shipping updates | Directly related to contract performance |
The right to deletion applies to ALL data stored by your application via Twilio:
Implementation: Build a deletion endpoint that removes data from all systems. Twilio retains message logs for 400 days — you can delete recordings via API but cannot delete message logs from Twilio's system before the retention window.
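A deletion routine for the endpoint described above, added here as an example and not the kit's own code. It uses the twilio-python calls `client.calls.list`, `client.recordings.list` and `client.recordings(sid).delete()`, purges local data through an assumed `local_store.purge` hook, and runs against a constructed stub client (also not Twilio's) so it can be dry-run offline.

```python
from types import SimpleNamespace


def erase_contact(phone, client, local_store):
    """Assumed erasure helper (not Twilio's API): delete every recording on calls
    to/from the number, purge local data, and return the Message SIDs Twilio
    keeps until its retention window ends, so the erasure log can track them."""
    deleted = []
    for call in client.calls.list(to=phone) + client.calls.list(from_=phone):
        for rec in client.recordings.list(call_sid=call.sid):
            client.recordings(rec.sid).delete()  # Recording resource supports DELETE
            deleted.append(rec.sid)
    retained = [m.sid for m in client.messages.list(to=phone) + client.messages.list(from_=phone)]
    local_store.purge(phone)  # assumed hook into your own datastore
    return {"deleted_recordings": deleted, "retained_message_sids": retained}


class StubTwilio:
    """Constructed stand-in for twilio.rest.Client, just enough for a dry run."""
    def __init__(self, calls, recordings, messages):
        self.deleted = []
        def by_party(rows):
            return lambda to=None, from_=None: [
                r for r in rows if (to and r.to == to) or (from_ and r.from_ == from_)]
        self.calls = SimpleNamespace(list=by_party(calls))
        self.messages = SimpleNamespace(list=by_party(messages))
        ctx = lambda sid: SimpleNamespace(delete=lambda: self.deleted.append(sid))
        ctx.list = lambda call_sid: [r for r in recordings if r.call_sid == call_sid]
        self.recordings = ctx  # callable like client.recordings("RE..."), with .list()


class MemoryStore:
    """Constructed local datastore holding one row for the sample contact."""
    def __init__(self): self.rows = {"+15558675310": {"name": "sample"}}
    def purge(self, phone): self.rows.pop(phone, None)


def demo():
    """Constructed sample: one recorded call and one SMS to +15558675310."""
    client = StubTwilio(
        calls=[SimpleNamespace(sid="CA_sample1", to="+15558675310", from_="+15550001111")],
        recordings=[SimpleNamespace(sid="RE_sample1", call_sid="CA_sample1")],
        messages=[SimpleNamespace(sid="SM_sample1", to="+15558675310", from_="+15550001111")],
    )
    store = MemoryStore()
    return erase_contact("+15558675310", client, store), client.deleted, store.rows


if __name__ == "__main__":
    print(demo())
```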
```xml
<Say>This call may be recorded for quality assurance.</Say>
```

```python
import os
from twilio.rest import Client
from twilio.twiml.voice_response import VoiceResponse

client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
call_sid, recording_sid = "CA...", "RE..."  # placeholders: take them from your recording status callback

# Pause recording when customer gives card number
client.calls(call_sid).recordings(recording_sid).update(status="paused")

# Use <Pay> verb instead of collecting card numbers verbally
response = VoiceResponse()
response.pay(
    payment_connector="stripe_connector",
    charge_amount="49.99",
    currency="usd",
    status_callback="https://yourapp.com/pay-status",
)
```
PCI Mode is IRREVERSIBLE and account-wide. Once enabled:
Recommendation: If you need PCI compliance for one use case, create a separate sub-account. See twilio-account-setup.
Use minimum necessary information.

| Channel | Safe | Unsafe |
|---|---|---|
| SMS | "Your appointment is tomorrow at 2pm" | "Your appointment with Dr. Smith for diabetes follow-up" |
| Voice IVR | "Press 1 to confirm your upcoming appointment" | "Press 1 to confirm your cardiology appointment" |
| Email | Can include more detail if encrypted/authenticated | Never send PHI in subject line |
```python
from datetime import datetime, timedelta
from twilio.twiml.voice_response import VoiceResponse

# Track call attempts per debt (FDCPA / Regulation F: more than 7 calls in
# 7 consecutive days is presumed harassment)
def can_attempt_call(debt_id, db):
    seven_days_ago = datetime.now() - timedelta(days=7)
    attempts = db.count_attempts(debt_id, since=seven_days_ago)  # your datastore
    return attempts < 7

# Include Mini-Miranda in IVR
response = VoiceResponse()
response.say("This is an attempt to collect a debt and any information obtained will be used for that purpose.")
response.pause(length=1)
response.say("Please press 1 to speak with a representative.")
response.gather(num_digits=1, action="/handle-keypress")
```
See twilio-sendgrid-email-send for SendGrid-specific compliance features.
| Level | Meaning | Caller ID display |
|---|---|---|
| A (Full) | Carrier vouches for caller identity and right to use number | Green checkmark ✅ |
| B (Partial) | Carrier vouches for caller but not number ownership | Neutral display |
| C (Gateway) | Carrier knows where call entered network, nothing else | May show "Spam Likely" |
```python
# Minimum consent record
consent_record = {
    "phone": "+15558675310",
    "channel": "sms",  # sms, voice, whatsapp, email
    "consent_type": "marketing",  # marketing, transactional, debt_collection
    "consent_method": "web_form",  # web_form, verbal, paper, api
    "consent_timestamp": "2026-04-13T14:30:00Z",
    "consent_source": "checkout_page",  # where consent was collected
    "ip_address": "203.0.113.42",  # for web consent
    "opted_out": False,
    "opt_out_timestamp": None,
}
```
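A send-time gate that applies the TCPA consent tiers and quiet hours to a consent record of the shape above, added here as an example and not the kit's own code. The message classes, the set of consent methods counted as "written", and the 8am-9pm federal calling window are assumptions; the recipient time zone is whatever your carrier/region lookup infers.

```python
from datetime import datetime, time, timedelta, timezone

# Consent types that satisfy each message class, per the TCPA table above:
# informational needs prior express consent, marketing needs prior express
# WRITTEN consent, fraud/emergency alerts need none.
ACCEPTABLE_CONSENT = {
    "fraud_alert": None,
    "informational": {"transactional", "marketing"},
    "marketing": {"marketing"},
    "debt_collection": {"debt_collection"},
}
# consent_method values counted as written (assumption: e-signed web forms and
# API-captured agreements qualify; "verbal" never does)
WRITTEN_METHODS = {"web_form", "paper", "api"}
QUIET_START, QUIET_END = time(8, 0), time(21, 0)  # federal TCPA window; states vary


def can_send(record, message_class, now_utc, recipient_tz):
    """Return (allowed, reason); recipient_tz is a tzinfo for the recipient's
    region, inferred from the carrier/region lookup."""
    if record.get("opted_out"):
        return False, "recipient opted out"
    acceptable = ACCEPTABLE_CONSENT[message_class]
    if acceptable is None:
        return True, "emergency/fraud alert: no consent or quiet-hours check"
    if record["consent_type"] not in acceptable:
        return False, f"{message_class} not covered by {record['consent_type']} consent"
    if message_class == "marketing" and record["consent_method"] not in WRITTEN_METHODS:
        return False, f"marketing needs written consent, have {record['consent_method']}"
    local = now_utc.astimezone(recipient_tz).time()
    if not QUIET_START <= local < QUIET_END:
        return False, f"quiet hours: {local:%H:%M} recipient local time"
    return True, "ok"


# Constructed sample: web-form marketing consent, recipient on US Eastern time in
# April (EDT, UTC-4 as a fixed offset; use zoneinfo.ZoneInfo in production).
SAMPLE_RECORD = {
    "phone": "+15558675310", "channel": "sms", "consent_type": "marketing",
    "consent_method": "web_form", "consent_timestamp": "2026-04-13T14:30:00Z",
    "consent_source": "checkout_page", "opted_out": False, "opt_out_timestamp": None,
}
EDT = timezone(timedelta(hours=-4))
SAMPLE_NOW = datetime(2026, 4, 13, 14, 30, tzinfo=timezone.utc)  # 10:30 EDT
SAMPLE_LATE = datetime(2026, 4, 14, 2, 0, tzinfo=timezone.utc)   # 22:00 EDT

if __name__ == "__main__":
    print(can_send(SAMPLE_RECORD, "marketing", SAMPLE_NOW, EDT))   # (True, 'ok')
    print(can_send(SAMPLE_RECORD, "marketing", SAMPLE_LATE, EDT))  # quiet hours
```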
go.yourcompany.com) configured in your Messaging Service. Twilio's shared twil.io domain is not sufficient — you must register your own branded domain in Console under Messaging > Link Shortening.

Related skills: twilio-compliance-onboarding, twilio-whatsapp-manage-senders, twilio-iam-auth-setup, twilio-account-setup