Why Twilio Bans CBD and Other High-Risk Businesses (and Your Options)

Why Twilio and 10DLC reject CBD, vape, and other high-risk businesses, what the vetting really checks, and your real SMS options if you keep getting turned away.

If you run a CBD shop, a vape brand, a firearms accessories store, or another legal-but-restricted business, you have probably hit a wall trying to send SMS through Twilio. Your account gets flagged, your campaign registration gets rejected, or your messages quietly stop delivering. It feels arbitrary, but it is not. There is a specific system behind it, and once you understand how it works you can make a clear decision about what to do next.

This post explains why mainstream providers reject these industries, what the vetting actually checks, and the honest tradeoffs of each path forward.

How US SMS Got Gatekept: A2P 10DLC

Most US business texting now runs over a framework called A2P 10DLC (Application-to-Person messaging on 10-digit long codes). The mobile carriers (AT&T, Verizon, T-Mobile) built it to cut down on spam and unwanted traffic. Before you can send application-driven SMS at any real scale, you have to register two things:

A brand: your legal business identity, EIN, address, and contact details.
A campaign: a description of what you are sending, your sample messages, opt-in flow, and use case.

Twilio, and every other 10DLC provider, submits this registration to a central registry, which is then vetted by the carriers and their downstream partners. Approval is not guaranteed. The carriers hold the final say over what traffic rides their network, and they maintain lists of prohibited and restricted content.

The “SHAFT” categories and restricted verticals

Carriers group sensitive content under an industry shorthand sometimes called SHAFT: Sex, Hate, Alcohol, Firearms, and Tobacco. Cannabis and CBD usually get folded into the same restricted bucket. Other commonly restricted or scrutinized verticals include vaping, gambling, lending and debt relief, certain supplements, and anything that touches controlled substances.

Here is the important nuance: many of these businesses are completely legal. A hemp-derived CBD product can be federally compliant. A licensed firearms dealer is operating lawfully. The carriers are not making a legal judgment. They are making a risk and policy judgment about traffic on their own network, and they apply it bluntly.

Why CBD Specifically Gets Rejected

CBD is one of the clearest examples of the gap between “legal” and “carrier-approved.”

CBD sits in a regulatory gray zone. Hemp-derived CBD became federally legal under the 2018 Farm Bill, but the FDA still has not fully settled its rules, state laws vary, and the product is adjacent to cannabis. From a carrier’s point of view, that ambiguity is exactly the kind of thing they would rather avoid. Cannabis itself is federally illegal, and carriers tend to treat CBD with the same caution to stay on the safe side of their own policies.

So even a spotless, consent-based CBD program can be denied during 10DLC vetting, not because you did anything wrong, but because the entire category is flagged at the carrier policy level. Your opt-in quality and message content often do not even get a fair look.

What the Vetting Actually Checks

When your registration is reviewed, the process is looking at signals like:

Industry and use case: does your stated vertical fall into a restricted or prohibited category?
Brand legitimacy: does your EIN and business info match public records?
Opt-in evidence: can you show how recipients consented?
Sample content: do your messages match your stated use case and avoid prohibited material?

A restricted vertical can sink an otherwise clean application on the first signal alone. That is the part that frustrates legitimate operators the most: you can do everything right on consent and content and still be turned away because of the box your business sits in.

Your Options When You Keep Getting Rejected

There is no single right answer here. Each path has real tradeoffs.

Option 1: Keep fighting the 10DLC process

You can resubmit, provide more documentation, hire a messaging consultant, or work with a provider that specializes in restricted-industry registration. Sometimes this works, especially for borderline cases. But it can be slow, the outcome is uncertain, and a hard “no” on your vertical is a hard no. If carriers have categorically restricted your category, more paperwork will not change that.

Option 2: Rethink the channel

Email, push notifications, and in-app messaging do not run through carrier SMS gatekeeping. For some use cases this is genuinely the better move. The downside is reach and immediacy: little else matches the open rate and speed of a text, which is usually why you wanted SMS in the first place.

Option 3: Use a real-carrier number that does not require 10DLC

This is where a service like smskick fits. smskick sends real SMS through physical consumer LTE dongles it owns and operates. Because the traffic originates from dedicated real-carrier numbers rather than the A2P 10DLC application pipeline, there is no brand or campaign registration step to pass, and no industry-vetting gate to be rejected by. You sign up, get a real number, and send.

That removes the specific failure point that blocks CBD and other restricted verticals during 10DLC vetting. It does not remove your responsibilities, and it is not the right tool for every job. Here is the honest picture:

Throughput is limited. Each dongle sends a few messages per minute. smskick is built for low-to-medium-volume transactional and targeted messaging, not mass blasting. If your plan is to text hundreds of thousands of cold contacts, this is the wrong tool, and consumer-SIM bulk traffic carries real carrier-ban risk. The pricing is deliberately set to discourage high-volume blasting.
Consent still matters. “No 10DLC” does not mean “no rules.” Recipients must have opted in, STOP and UNSUBSCRIBE are honored automatically, and TCPA compliance is your responsibility as the sender. smskick provides the opt-out tooling and a per-tenant suppression list; using it lawfully is on you.
Only legal verticals. This path is for legitimate, legal-but-restricted businesses. It is not a way to route spam, fraud, or genuinely prohibited content around the carriers, and it does not exempt anyone from the consent and content rules that protect recipients.

On price, smskick is pay-as-you-go with a per-SMS floor of $0.035 and credit packs that bring the rate down with volume (for example, 1,000 messages for $45). It is premium compared with raw developer APIs priced under a cent per message. The value is not the cheapest possible send. It is getting a real number, instantly, for an industry that other providers turn away.

The Honest Bottom Line

Twilio and the broader 10DLC system reject CBD and similar businesses because carriers apply blunt, category-level policies to legal-but-restricted verticals. It is rarely about your specific consent practices or message quality.

Your options are to keep fighting the registration, switch channels, or use a real-carrier path like smskick that sidesteps 10DLC registration entirely while keeping you on the hook for consent and opt-out. If you are a legitimate operator in a restricted vertical sending modest, consent-based volumes, that last option is worth a look. Just go in clear-eyed about the throughput limits and your own compliance duties, because those do not disappear no matter which provider you choose.