When people ask how long carriers keep text messages, they usually mean the content — the words in the bubble. The answer to that question is: not long. A few days at most, and often not at all.
The question that matters more is how long carriers keep the record that a message was sent — the metadata. That answer is significantly less reassuring, and it varies in ways that are worth understanding concretely.
The Difference Between Content and Metadata Retention
Every SMS generates two distinct categories of data at the carrier level.
The first is the message content — the text itself. Carriers have little operational reason to retain this after delivery. The major US carriers have confirmed they do not store message content beyond a short delivery window, with one exception: Verizon has acknowledged retaining message content for three to five days. AT&T and T-Mobile do not retain content after delivery.
The second is the message record — metadata documenting that the exchange occurred. This includes the sender and recipient numbers, the date and time, the cell tower used, and device identifiers. Unlike content, this data is retained for business, legal, and regulatory purposes for periods measured in months to years.
For a fuller explanation of what these metadata fields contain and why they are more sensitive than they appear, see what your carrier knows about every text you send.
US Carrier Retention Periods: The Documented Figures
The figures below are drawn from law enforcement guidance documents, DOJ reference charts, and carrier transparency disclosures. These represent publicly confirmed or documented retention windows. Individual retention practices may vary, and carriers update their policies without announcement.
AT&T
- SMS content: Not retained after delivery.
- SMS metadata (sender, recipient, date, time): Retained for approximately five to seven years for postpaid accounts. This is one of the longest retention windows among major US carriers.
- Cell site / tower data: Retained for seven years, according to FBI law enforcement guidance documents.
AT&T’s long metadata retention window reflects the company’s scale and the operational systems it has built to service the high volume of legal requests it receives annually. It also means that an AT&T subscriber’s SMS communication patterns are potentially accessible to legal process for most of a decade after the messages were sent.
Verizon
- SMS content: Retained for approximately three to five days after delivery — the only major carrier that retains any content at all.
- SMS metadata: Retained for one rolling year.
- Cell site data: Retained for approximately one year.
Verizon’s retention window is shorter than AT&T’s, but one year of SMS metadata is still a substantial record. It covers every text exchange you had across twelve months — every contact, every timestamp, every approximate location at time of sending.
T-Mobile
- SMS content: Not retained after delivery.
- SMS metadata: Retained for approximately two years for postpaid accounts.
- Cell site data: Retained within the same general window as SMS metadata.
T-Mobile absorbed Sprint following their 2020 merger. Sprint historically retained SMS metadata for approximately 18 months. Post-merger, Sprint subscriber records have been consolidated under T-Mobile’s infrastructure and policies.
What Prepaid and MVNO Accounts Change
Prepaid accounts sometimes carry shorter retention windows than postpaid, but this is not a reliable privacy protection. The carrier’s core logging infrastructure operates the same way regardless of account type. The difference is primarily in billing record retention, not in the logging of SMS metadata at the network level.
Mobile Virtual Network Operators (MVNOs) — carriers that lease network capacity from AT&T, Verizon, or T-Mobile — typically follow the underlying network’s retention architecture. An MVNO running on AT&T’s network does not change the fact that the network layer is AT&T’s infrastructure. The MVNO may not retain its own copy of the records, but the host network does.
EU Context: The Data Retention Directive and Its Collapse
The EU approach to telecom data retention has followed a different and more contested path than the US one.
Directive 2006/24/EC, the EU Data Retention Directive, required member states to ensure that telecommunications providers retained traffic and location metadata for between six months and two years. It was one of the broadest mandatory surveillance frameworks in the democratic world.
In April 2014, the Court of Justice of the European Union declared the Directive invalid. The court ruled that the indiscriminate, blanket retention of all citizens’ communications metadata — without differentiation, limitation, or exception — constituted a disproportionate violation of the fundamental rights to privacy and data protection enshrined in the EU Charter. The case, Digital Rights Ireland and Ors, remains one of the most significant European privacy rulings of the past two decades.
Since then, individual EU member states have enacted national data retention laws with varying scope and duration. Many of those national laws have subsequently been challenged and struck down by domestic courts applying the CJEU’s proportionality standard. The result is a patchwork: some EU countries effectively have no enforceable data retention mandate; others retain laws whose legal status is contested.
GDPR adds an additional layer. Under GDPR, carriers processing personal data — including subscriber communication records — are subject to purpose limitation and data minimization principles. In practice, this creates tension with any broad retention mandate that is not specifically justified by law.
For users in the EU, the practical implication is that retention exposure depends heavily on which country’s carrier you use. US-based carriers operating on US infrastructure carry no GDPR obligation and retain records on US schedules.
Why Retention Periods Matter Beyond Law Enforcement
The obvious concern is law enforcement access. A subpoena or court order served to a carrier can retrieve SMS metadata for the period that carrier retains it. The practical exposure window, therefore, is the retention window: one year at Verizon, two years at T-Mobile, up to seven years at AT&T.
But law enforcement is not the only access vector.
Civil litigation frequently involves subpoenas to carriers for communication records. Divorce proceedings, employment disputes, and commercial litigation have all produced carrier subpoenas. There is no warrant requirement for civil subpoenas in most US jurisdictions — a party to a lawsuit can subpoena your carrier directly.
Data breaches are another exposure path. Retained records are data that can be compromised. A carrier holding seven years of SMS metadata for hundreds of millions of subscribers is holding a database whose breach would be catastrophic from a privacy perspective. Carriers have experienced significant breaches; they are high-value targets precisely because of the data they retain.
There is also the question of corporate access within carrier systems. The metadata you generate is accessible to employees with the right internal privileges. Carriers employ large workforces and operate complex systems. Insider access to subscriber records has occurred at telecom companies, though it rarely generates the same headlines as external breaches.
What Metadata Retained for One to Seven Years Can Reconstruct
It is worth being specific about what a multi-year SMS metadata record actually contains.
AT&T’s seven-year cell tower retention means that for every text you sent as an AT&T subscriber over the past seven years, there is a record documenting which tower served your phone when you sent it. Combined with SMS metadata — sender, recipient, timestamp — this creates a longitudinal communication log that can be used to reconstruct relationships, routines, locations, and behavior patterns across years.
As research published in the Proceedings of the National Academy of Sciences demonstrated, metadata analysis of phone records can accurately infer sensitive personal information — medical conditions, financial circumstances, relationship dynamics — without any access to message content. Six months of records is sufficient for meaningful inference. Seven years is a comprehensive behavioral archive.
This is why the idea that SMS is private without content surveillance misses the point. The metadata record is the record. Protecting only the content while generating years of metadata is, practically speaking, not protecting much.
Removing Yourself from the Retention Window
The retention periods documented here apply to standard SMS sent from a subscriber account on a US carrier’s network. The record is created because the sending device has a subscriber identity — a phone number tied to an account, a SIM tied to a device, a device tied to a carrier’s infrastructure.
If a message is sent without that subscriber identity — through infrastructure that does not log a source phone number or account — the record described in this article is never created. There is nothing for the carrier to retain, because the carrier is not in the path.
That is the practical distinction offered by services like smsusdt.com, which send SMS globally without requiring an account, a phone number, or identity verification. The message reaches a standard SMS recipient. The metadata trail connecting a sender to that message does not exist on any carrier’s retention schedule, because the sender never touched a carrier account.
Whether that matters depends on your use case. For most texts, it does not. For those where the association between sender and recipient is itself the sensitive data, it is the only technically sound approach.
Leave a Reply