Legal Policies for SMS Marketing

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 11 December 2024.

Legal Policies for SMS Marketing

If you engage in SMS marketing, you need to do so in a legally compliant way. This article will explain what laws require when it comes to sending SMS marketing messages, and what steps you'll need to take to comply.

Use FreePrivacyPolicy.com to generate the necessary legal agreements for your website/app:

You check our Free Cookie Consent to start making your business legally compliant with the Cookies Directive in the EU.



What is SMS Marketing?

SMS (short message service) marketing means sending promotional messages to customers and potential customers to their phones through text messages. The key advantages include more direct communication and being able to reach a large number of people quickly and sometimes cheaply.

Sending SMS marketing messages could breach a range of laws and regulations, often depending on the consent or permission you have. The legal situation can feel confusing because you are actually doing two separate things that could have legal implications:

  • Sending the message itself
  • Using the recipient's personal data (most notably their phone number) for the purpose of sending marketing material

Depending on where you are and what you send, it's possible you are doing one of these things perfectly legally but are breaking the law with the other.

Note that most rules distinguish between transactional messages (such as confirming an order) and marketing messages (such as promoting an offer or product). In most cases, a message containing both transactional and marketing information (such as an order confirmation with a money off code for future orders) counts as a marketing message for legal purposes.

What Laws Apply to SMS Marketing?

What Laws Apply to SMS Marketing?

Laws can apply to both sending the message and how that is done, as well as how personal data (such as the phone number) is used.

Sending the Message

The main law in the U.S. covering sending commercial messages is the federal CAN-SPAM Act, which stands for Controlling the Assault of Non-Solicited Pornography And Marketing.

While this is commonly referred to as a law covering spam emails (and some measures apply specifically to emails) it actually covers all commercial electronic messages. This includes SMS messaging.

The most important requirements are:

  • You must clearly mark any message that is an advertisement unless you got “affirmative consent” before you started sending marketing messages.
  • You must clearly identify the sender and not use a blocked or hidden number.
  • You must provide an easy way to opt-out of receiving further messages and must honor this opt-out as quickly as possible.

Using Personal Data

A range of personal data privacy laws may apply when you use SMS marketing. These include:

  • The General Data Protection Regulation or GDPR, which applies if you or the recipient is in an EU country, Iceland, Liechtenstein or Norway.
  • United Kingdom domestic law, which currently replicates the GDPR's key measures.
  • LGPD, which applies if you or the recipient is in Brazil.
  • PIPEDA, which generally applies in Canada unless you're already covered by a similar state or provincial law.

These laws all follow a similar concept and framework that applies to SMS marketing in a specific way. It's not the fact you are sending the commercial message that matters, but rather that you are using personal data to do so. This includes the recipient's phone number. It could include information such as their location or buying habits if you are using targeting messaging.

These laws all broadly say that you must tell people about the specific purposes for which you use their personal data. A Privacy Policy is the best way to do this, as we'll explore later on.

With most laws you must also have a lawful basis for using the data. Sometimes businesses can use a basis called "legitimate purposes," but this won't usually cover SMS marketing because your business interests don't outweigh the recipient's privacy rights. Instead, you'll usually need to use the consent basis. This means the recipient must:

  • Give specific consent for you to use their personal data for marketing purposes. You can't just get general consent or rely on them having consented to other uses of their data.
  • Have the ability to withdraw the consent as easily as they gave it. For example, if somebody can consent by replying to a text message, they must also be able to withdraw consent by replying, for example sending the word ‘STOP.'

Several U.S. states have data privacy laws that could apply to SMS marketing. The laws usually only apply if you use personal data about a large number of customers in a state, or if buying or selling personal data is a core part of your business.

You will need to check the specific laws that apply in any state where you operate. As a general rule, these laws don't require you to get active consent before using personal data for SMS marketing. Instead, you must publish details of the different ways you use personal data. You must also allow customers to opt-out of you using their personal data.

What Legal Policies Do I Need For SMS Marketing?

If you engage in SMS marketing you should have a Privacy Policy and Terms agreement on display and accessible to the public. Here's more information about why each of these policies is important.

Privacy Policies

A Privacy Policy is a legal policy that outlines how you collect and use people's personal data, along with their rights and how they can exercise them. Most data privacy laws require you to make this information available in a clear and readily available manner and a Privacy Policy is the best way to do this.

You'll need to check that your Privacy Policy contains all the information necessary to comply with all applicable laws, but the following are some of the key points you should include if you use SMS marketing.

What Personal Data You Collect and Use

You can give an overview or a list of categories, but you need to be detailed enough that people would not be surprised by the data you collect about them. Remember to mention that you collect and use people's names and phone numbers, along with any other personal information you use for SMS marketing.

For example, you may use the person's hometown or previous purchase details to send targeted SMS marketing messages.

Schleich USA lists the information it collects relating to text messaging:

Schleich Privacy Policy: Personal information collect clause

The Purposes for Processing Personal Data

You must explain the particular ways you use particular data. Think carefully about a customer's expectations so they aren't surprised by anything.

For example, a customer may know you use their order details to send them text messages when you dispatch a product. However, unless you spell it out in the Privacy Policy, they may not realize you use the order details to create and send them an SMS marketing message with a money off voucher for a similar product.

These are two separate purposes for using the same data (order fulfillment and marketing) and you must detail them both.

UNICEF USA clearly details both the personal data it collects through text messages and the way it uses it:

UNICEF Privacy Statement excerpt

If you are relying on consent to make SMS marketing lawful (which will usually be the case), your Privacy Policy must:

  • Make clear you are relying on consent
  • Tell people they can withdraw their consent and how to do so

Green Paper Products clearly explains how to opt out of marketing messages:

Green Paper Products SMS Privacy Policy: Opting Out clause

User Rights

Explain how the user can exercise rights by requesting that you:

  • Tell them what personal data you hold about them
  • Correct any errors in your personal data
  • Delete any personal data that is no longer relevant or necessary

Note that the rules on deletion requests usually depend on how long you need the data for its original stated purpose. For example, if somebody asks you to delete their contact details such as a phone number, you can usually wait to do so until any ongoing order is complete.

Community details ways people can exercise these rights:

Community Privacy Policy: Rights clause

Terms and Conditions Agreements

A Terms and Conditions agreement isn't legally required but it usually makes sense to have one. It lets you set the rules for your contractual arrangement with a customer and will make it easier to enforce any terms in this arrangement. These terms could cover the way you send SMS messages to the customer, including for marketing.

You should normally already have a Terms and Conditions agreement that covers anything you sell or supply to a customer, in which case you can add relevant points about your use of SMS messages. Alternatively, you could create a dedicated Terms agreement covering the SMS messages. Which option is best will depend on how long the SMS-specific terms are, and how big a part of your business the SMS messages are.

Include any of the following information that is relevant to your use of SMS messages.

Make clear that the customer consents to receiving text messages. Inform users about if and how they can withdraw consent.

Fifty/50 uses a dedicated Terms and Conditions agreement for its SMS messaging, including consent to receiving messages:

Fifty 50 SMS Terms and Conditions: Consent and opt in clause

Opting Out of Receiving SMS Messages

Explain clearly how the user can opt out of receiving further messages, which may constitute formally withdrawing consent. List all available methods and give specific instructions.

Desmond and Dempsey's Terms and Conditions agreement covers withdrawing consent:

Desmond and Dempsey SMS Marketing Terms and Conditions: Opt out clause

Charges Associated with SMS Messages

Make clear the customer is responsible for any charges their carrier imposes for delivering the messages, including those involving marketing.

Here's how Desmond and Dempsey's Terms and Conditions agreement covers charges:

Desmond and Dempsey SMS Marketing Terms and Conditions: Charges clause

Content and Frequency of SMS Messages

Describe the types of messages you send and the likely frequency of the messages.

Here's how Chambers Creek includes information about message frequency:

Chambers Creek SMS Terms and Conditions: Message frequency clause

Privacy Policies and SMS Messages

Note that your use of SMS messages involves handling personal data and that you do this in line with your Privacy Policy. Link to this policy.

Reid State Technical College makes mention of and links to its full Privacy Policy within a clause in its Terms:

Red State Technical College SMS Terms and Conditions: Privacy Policy clause

Governing Law

Set out which laws cover the agreements (jurisdiction), which court system will hear any dispute (venue) and whether and how you'll use alternative resolution methods such as arbitration.

Here's how Government Executive does this:

Government Executive Text Message Terms: Governing law clause

Limitation of Liability and Warranty Disclaimer

Make clear that you are not responsible for any errors in the messages, failure to send the messages, or harm caused to the recipient. Make sure you do not limit liability or disclaim responsibility beyond the legally allowed limits in your jurisdiction.

Here's how Town and Country Insurance includes a limitation of liability and a warranty disclaimer:

Town and Country Insurance SMS Terms: Warranty and Limitation of liability clause

If you are relying on a legal agreement or policy to make your SMS marketing lawful, make sure the people have a reasonable opportunity to see it before and after becoming a customer. The best way is to:

  • Publish it on your website.
  • Clearly link to it throughout your site, for example from a footer menu.
  • Clearly link to it (or use a drop-down or pop-up window) when a user is about to take a relevant action such as placing an order or consenting to SMS marketing.
  • Include a link to the Policy in the SMS marketing.

Woodfords Family Services has a link on every page pointing to a "Legal Notices" page, which contains multiple documents including both a general Privacy Policy and one specifically covering text messages:

Woodfords website footer with legal notices link highlighted

With both Privacy Policies and Terms and Conditions agreements, you may need to prove the user accepted the relevant terms. The safest way to do this is with a clearly marked checkbox or similar mechanism that requires the user to take a specific action. Don't rely on a pre-ticked checkbox.

Here's an example of how you can require users to tick a box consenting to the Privacy Policy before signing up to SMS text alerts:

Sample consent to receive sms messages checkbox

Summary

SMS marketing - sending promotional messages by text message or similar technologies - raises two legal issues. Laws such as CAN-SPAM cover the action of sending the message itself. Laws such as GDPR cover using people's personal data, including their phone number, for marketing purposes.

CAN-SPAM says you must get affirmative consent to send marketing messages, you must clearly identify them as promotional material, and you must give people an easy way to opt out of further messages. A Terms and Conditions agreement could cover some of these points.

Privacy laws vary but usually you'll need specific consent to use personal information for marketing, even if you don't need it for other SMS messages such as order confirmations. A Privacy Policy is the best way to comply with the legal requirement to tell people how you use their personal data and how to exercise their privacy rights, including withdrawing consent for marketing.