SMS marketing regulations in the UK and EU: How to stay GDPR compliant

There are strict laws governing the use of SMS for commercial purposes in the UK and EU. Failure to abide by them can undermine your brand’s reputation, and potentially leave you facing prosecution. Ensure compliance by following our guide to GDPR.

Robi O'Cleirigh
Content Manager @ Blueprint

SMS marketing is a powerful channel for brands to reach their consumers directly. It can fulfil any number of purposes, from brand awareness and community building to sales outreach and long term retention. 

What it isn’t, however, is a free-for-all. The use of SMS by brands is heavily regulated. Legal requirements vary depending on region, and the consequences for failing to comply can result in serious reputation damage at best, and criminal lawsuits at worst. 

In the United Kingdom (UK) and the European Union (EU), the use of SMS for commercial purposes is regulated by the General Data Protection Regulation (GDPR). GDPR is the toughest privacy and security law in the world, designed to protect the personal data of those living within the UK and EU. 

It is a large, wide-ranging legal document which is light on specifics, making compliance a tough prospect, particularly for SMEs. From a brand’s perspective, central to GDPR compliance is establishing a ‘lawful basis’ to ‘process personal data’, and adhering to strict data protection principles and privacy rights once data has been collected.

For SMS marketers this means gaining the ‘consent’ of consumers through an ‘opt-in’ process before sending messages, offering an easy way of ‘opting-out’, and professionally managing customer data in a robust and secure manner.

Here we break down the key stipulations required by GDPR, unpack what ‘consent’, ‘opt-in’ and ‘opt-out’ really mean in a marketing context, and recommend some best practices for delivering a compliant SMS campaign.

What is GDPR?

Drafted and passed by the EU in 2016, GDPR is in many ways a beefed up, more heavily enforced version of the Data Protection Directive, which it superseded. The new law aims at giving individuals control over their personal data, and simplifying the regulatory environment for businesses operating in the EU. 

Crucially, the regulation is extraterritorial, meaning it imposes obligations on any organisation, regardless of location, which collects, targets or processes data related to EU citizens. The same applies to the UK, which has adopted GDPR in full, with Brexit having no bearing on its implementation.

Once the regulation was passed, businesses were given a 2-year grace period to ensure compliance, after which the legislation became enforceable in May 2018. At the heart of GDPR are the stipulations it places on any organisation which ‘processes personal data’. Article 4 of the regulation defines ‘personal data’ as follows:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”

Under GDPR the term ‘process’ in relation to personal data has an equally broad definition:

“‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”
By holding a consumer’s mobile phone number, and using it to contact them for commercial purposes, a brand is ‘processing personal data’ in the eyes of the law. In order to execute an SMS campaign legally, all businesses must establish a ‘lawful basis’ for handling that data. 

What constitutes a ‘lawful basis’ for ‘processing personal data’ under GDPR:

There are six instances in which it is legal to process personal data under GDPR, two of which are appropriate for marketing activities. They are as follows: 

  1. The data subject has given you unambiguous consent to process their information
  2. You have a legitimate interest to process someone’s data, though the ‘fundamental rights and freedoms of the data subject’ always override your interests

The second instance is the most flexible lawful basis, and although it can mean you are within your rights to contact a consumer under certain circumstances without their consent, we would not advise doing so for an SMS marketing campaign due to the ambiguous nature of the law. Should you want to go down that route, however, the UK Information Commissioner’s Office provides useful guidance here.

By far the most effective way to execute an SMS strategy, from both a reputational and legal perspective, is to establish consent from individual consumers before contacting them.

Under Article 7 of GDPR, consent must be ‘freely given, specific, informed and unambiguous’. Requests for consent must also be ‘clearly distinguishable from other matters’ and presented in ‘clear and plain language’.

For eCom marketers, the best way to do this is to offer potential subscribers both a transparent opt-in process and an easily accessible means of opting-out of your communications.

How can customers opt-in to your SMS marketing campaign? ✍️

In order to provide their consent, all subscribers must knowingly agree to receive commercial messages from a brand in writing. In this context, ‘writing’ refers to a declaration that can be documented and saved rather than the physical act of making a mark on paper. They must receive a clear, transparent description of the service they are subscribing to, as well as having access to a full privacy policy. 

In practical terms, there are two main ways consumers can opt-in to receive your SMS communications. The first is inbound texting. This is where subscribers text a designated keyword from their mobile phone, indicating their willingness to join a marketing list.

Beverage brand Moment does this with a simple piece of copy on their website encouraging customers to contact them via SMS to join a ‘secret’ meditation club, an example of how you can comply with regulations whilst remaining creative:

[Image] Moment encourage their audience to contact them | Source: SMS Marketing Examples

The second most common means of opting-in is via a physical or online form. By filling in a transparent form, which clearly details what they are subscribing to, an individual can agree to receive SMS messages from a business. This can either be presented as a landing page, as in the example below from Kopari, or as a well-labelled tick-box at checkout:

[Image] Kopari’s form fill details exactly what the customer is agreeing to | Source: SMS Marketing Examples

Data protection principles 

Once you’ve established a legitimate list of consumers who have opted-in to your SMS marketing, you can begin to contact them for your own purposes. That does not mean, however, that you can forget about compliance regulation.

Under GDPR, organisations must manage the data they collect appropriately. For SMS marketers this means limiting its use to the purposes explicitly specified at opt-in, processing only as much data as is absolutely necessary for those purposes, storing it only for as long as required, and maintaining the security and confidentiality of the information. The full wording of these stipulations is laid out in Article 5 of GDPR.

As a brand you are accountable for the customer data you hold, and must demonstrate appropriate business processes to ensure you comply. These include investing in a tech stack capable of handling data securely, training for employees to handle it safely, as well as the appointment of a named data controller liable for these business practices. 

There are several high profile examples of major organisations falling foul of data breaches and being held accountable under GDPR. Airline British Airways were fined £22 million after a cyber attack compromised the personal data of 400,000 customers in 2019. Similarly, hospitality chain Marriott International shelled out £99 million in compensation last year when the data of 31 million EU residents was hacked from its records.

Organisations are only permitted to hold such data for as long as they have consent to do so. Consumers are entitled to withdraw their agreement at any time, which brings us to another key pillar of GDPR: the opt-out.

How can consumers opt-out of your SMS marketing campaign? 👎

Under the existing Data Protection Directive, providing a means for consumers to opt-out of commercial communications from businesses was already a requirement. However, GDPR has further strengthened the regulations in this area. 

Legally it must now be as easy for consumers to remove consent as it was for them to grant it. An opt-out mechanism must be available at all times, and explicitly provided as an option in every message a brand sends. 

There are two common ways of doing this. The first is providing a means of opting-out in-channel using a keyword. Typically subscribers will be asked to text a clear, one-word instruction like STOP to the number they are receiving messages from. This example from sports supplement brand UNICO Nutrition is fairly typical:

[Image] UNICO include a keyword to opt-out in every message | Source: SMS Marketing Examples

The other option is to include in your messages a clearly designated hyperlink to a readily accessible web page which offers customers an opt-out mechanism. This might come in the form of tick boxes, where users can easily adjust their subscription preferences, or unsubscribe altogether. It’s important to note that this page must be a one-click process for the user: an interface requiring multiple click-throughs to opt-out violates TCPA.

[Image] A one click opt-out via hyperlink is another means of compliance | Source: SMSAPI

What are the best practices for running an SMS marketing campaign?

Let’s turn our attention to the best practices for running an SMS marketing campaign in the UK and EU. GDPR makes it a legal requirement to establish a lawful basis for processing data, provide opt-in and opt-out mechanisms, and adhere to robust data protection principles. However, there are a number of non-legally binding guidelines which you should strongly consider following to help keep your brand’s use of SMS both compliant and commercially beneficial.

Opt-ins

As well as being where you collect express written consent from consumers, your point of opt-in is also the top of your SMS marketing funnel. Your goal here is to maximise the number of sign-ups whilst remaining compliant. Whichever means of opt-in you’re using (inbound text, landing page, form fill etc.), being clear and transparent about what your SMS service will deliver is the best way to achieve this. 

The best opt-in processes communicate to would-be subscribers the purpose of your campaign, the value it can offer them, and the frequency of messages they should expect to receive. Consumers don’t sign up for the unknown: ambiguous or evasive messaging will not only undermine your compliance, but hurt your subscriber numbers. Once an individual has opted-in, they should also receive a confirmation message.

A poor, or even non-existent, opt-in process will damage your reputation with buyers and potentially leave you in hot water with the law. Bedsheets vendor Brooklinen recently attracted the ire of customers on Twitter who complained after apparently receiving unsolicited spam from the brand:

[Image] A bad opt-in can cause you reputational damage, as well as legal problems | Source: SMS Marketing Examples

Privacy policy 📄

Just as you would with an email marketing campaign, you should be displaying a specific SMS privacy policy as part of your messaging, or at an accessible location on your website. Energy bar brand Verb are extremely transparent around their SMS service; you can take a look at their privacy policy here.

Set silent hours 🤫

Under GDPR there is nothing to stop you sending SMS messages to your subscribers at any time of the day. But in reality, it doesn’t make much commercial sense to bug consumers day and night with your marketing efforts: it’s counterproductive and damages your reputation.

Avoid this by restricting your outreach to certain hours of the day. This tactic is particularly useful if you’re contacting customers based in a different time zone, and want to avoid sending messages at odd times.

Opt-out

As we’ve established, an opt-out option must be open to your subscribers at any time. Although not a legal requirement, it should ideally be available to them via call, email and text. Best practice dictates that each opt-out should prompt a final confirmation message, after which there can be no further communication. 

To safeguard against the accidental recontacting of unsubscribed numbers, it’s advisable to maintain an internal do not contact list within your team. 
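The opt-in record, STOP handling with a final confirmation, do-not-contact suppression, per-message opt-out instruction and silent hours described above, pulled together in one small consent ledger. This is an added example, not Blueprint's code; the keyword set, footer wording and 21:00 to 08:00 quiet window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "END"}      # assumed in-channel opt-out keywords
OPT_OUT_FOOTER = "Reply STOP to opt out"           # assumed wording required in every message
FINAL_CONFIRMATION = "You have been unsubscribed and will receive no further messages."


@dataclass
class ConsentLedger:
    consents: dict = field(default_factory=dict)       # number -> documented opt-in record
    do_not_contact: set = field(default_factory=set)   # internal DNC list
    quiet_start: int = 21                               # assumed silent hours, local time
    quiet_end: int = 8

    def record_opt_in(self, number: str, source: str, purpose: str, when: datetime) -> None:
        # Keep the evidence of consent: where it was given, for what, and when.
        self.consents[number] = {"source": source, "purpose": purpose, "when": when.isoformat()}
        self.do_not_contact.discard(number)

    def handle_inbound(self, number: str, text: str):
        # A STOP keyword withdraws consent immediately; only the final confirmation may follow.
        if text.strip().upper() in STOP_KEYWORDS:
            self.consents.pop(number, None)
            self.do_not_contact.add(number)
            return FINAL_CONFIRMATION
        return None

    def in_quiet_hours(self, now: datetime) -> bool:
        h = now.hour
        if self.quiet_start > self.quiet_end:          # window crosses midnight
            return h >= self.quiet_start or h < self.quiet_end
        return self.quiet_start <= h < self.quiet_end

    def can_send(self, number: str, body: str, now: datetime):
        # Every outbound message is checked against consent, DNC, opt-out footer and silent hours.
        if number in self.do_not_contact or number not in self.consents:
            return (False, "no consent")
        if OPT_OUT_FOOTER.lower() not in body.lower():
            return (False, "missing opt-out instruction")
        if self.in_quiet_hours(now):
            return (False, "quiet hours")
        return (True, "ok")


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_opt_in("+447700900001", "web form", "weekly offers",  # constructed sample number
                         datetime(2024, 1, 1, 10, tzinfo=timezone.utc))
    print(ledger.can_send("+447700900001", "20% off today. Reply STOP to opt out",
                          datetime(2024, 1, 2, 12, tzinfo=timezone.utc)))
    print(ledger.handle_inbound("+447700900001", " stop "))
```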

Key takeaways 💪

In whichever region you are operating as a brand, compliance is fundamental to the success of any SMS marketing campaign, both from a reputational and legal perspective. 

As highlighted, GDPR stipulates the importance of establishing your legal basis for contacting consumers, having a clear means of opt-in and opt-out, and strong data protection processes when using SMS as a business in the UK and EU. Nailing all of these will not only keep you on the right side of the law, but will also help you realise the commercial benefits of a well executed SMS strategy.

For a breakdown on SMS marketing regulation in the US, check out ‘How to stay TCPA compliant’.

Disclaimer - Whilst we have checked our sources and are confident in our interpretation of the legislation discussed, Blueprint is not a certified legal advisor. You should consult your legal counsel to ensure your SMS processes are GDPR compliant. If sending SMS communications to numbers outside the UK and EU, you must comply with the anti-spam laws relevant to the recipient's country. 
Thumbnail image courtesy of Mapsland.
