Text Messaging Laws Your Business Should Know

by Alexa Lemzy | Last updated 20th April 2018

Although many consumers appreciate the opportunity to receive information via SMS, an unregulated texting landscape can lead to a barrage of unwanted messages, overwhelming potential customers and preventing them from being able to distinguish between communications they want to receive and those that are spam.

To avoid this problem and improve the consumer experience, as well as the integrity of contact information and personal data, many countries, such as the US, the UK, Australia and EU Member States, have distinct regulations regarding texting customers – in particular covering text message marketing.

All of the following text messaging laws include the same general principles – such as prior consent and the ability to unsubscribe – but there are subtle differences between them and understanding these can help you to target your SMS marketing strategy accordingly for different parts of the world.

United States: The Telephone Consumer Protection Act

In the US, the three organizations that deal with text regulations are the Cellular Telecommunications Industry Association (CTIA), the Federal Communications Commission (FCC) and the Mobile Marketing Association (MMA).

While the CTIA and MMA are organizations that encourage best practices for text message marketing, the FCC is a fully fledged government agency with legislative powers that has enacted several laws, including the Telephone Consumer Protection Act and CAN-SPAM, to regulate SMS marketing.

According to the Telephone Consumer Protection Act (TCPA), which has been the FCC’s leading regulation in electronic communications since 1991, businesses and organizations must obtain written consent from individuals before sending them any text messages. Even if a business has an individual’s phone number or already has an “established business relationship”, written consent is still required.

To ensure full TCPA compliance, the consumer must have received “clear and conspicuous disclosure” of the text messages they will receive from the organization, and must agree to receive these messages to their specific phone number.

To ensure full transparency, texts must include both the sender’s identity and opt-out instructions. Businesses must provide a means for consumers to opt out by replying directly to the text message. Additionally, texts can only be sent between 8 am and 9 pm to minimize inconvenience to the consumer.

The consequences for noncompliance include financial damages ranging from $500 to $1500 per text message sent to each individual who did not provide consent. It is worth noting that tax-exempt nonprofit organizations are exempt from the opt-in and “do-not-call” requirements of the TCPA.

United States: CAN-SPAM Act

Complementing the provisions laid out in TCPA, the CAN-SPAM Act forbids businesses to send commercial email messages to a mobile phone. CAN-SPAM defines commercial messages as advertisements or promotions for a product or service.

Note, this definition does not extend to messages that communicate about an existing transaction or relationship – for example, a delivery notification – or to non-commercial messages.

When sending a commercial email to a mobile device, CAN-SPAM requires that the email is easily identifiable as an advertisement, that recipients can easily unsubscribe or opt out from receiving further messages and that the sender includes a return email address and postal code.

Australia: Spam Act

Most recently updated in 2016, Australia’s Spam Act makes it illegal to send “unsolicited commercial electronic messages”, including email marketing and texting. Businesses must therefore first receive explicit consent from the recipient.

Unlike TCPA in the US, under Australia’s Spam Act, it will suffice if the recipient has an existing relationship with your business. However, like TCPA and CAN-SPAM, any text message marketing under the Spam Act must also identify your business at the outset and provide an option to unsubscribe from future text messages.

Another notable difference is that if you buy a list of contacts from another organization, you can use the list in your own marketing communications, provided these contacts have agreed to receive messages from third parties.

United Kingdom: Privacy and Electronic Communications Regulations

In the UK, the Privacy and Electronic Communications Regulations (PECR), released by the Information Commissioner’s Office (ICO), govern text marketing laws based on the Data Protection Act.

In the interest of transparency and consumer protection, businesses that use consumers’ personal data must inform them how their data is being used. As with the previous acts, SMS marketing is illegal without prior consent.

Similar to Australia, previous customers may have a “soft opt-in” if they have already engaged in a sale or negotiation with the business and provided their contact information (though not necessarily explicit consent) this way. The option to unsubscribe from messages is also required for SMS compliance.

EU: General Data Protection Regulation (GDPR)

The new kid on the block, the European Union’s General Data Protection Regulation (GDPR), will come into effect on 25 May 2018.

The purpose of this law, which applies to all countries looking to do business with the EU and/or to use EU citizens’ personal data, is to improve data security, specifically related to the storing and transport of data, enabling citizens to opt-in to sharing their data, and improving the responses to data breaches.

The new GDPR regulations apply not only to commercial text messaging, but also to data security in general, and will likely affect all aspects of your organization.

With fewer than sixty days remaining before the GDPR deadline, now is the time to ensure that your organization complies with the new requirements.

Here is our GDPR checklist for small businesses. Take stock of your current texting and data protection policies and ask yourself these questions:
  1. Are your EU consumers opting in to share their personal data, rather than being automatically enrolled?

    GDPR defines “consent” as “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

    As with most of the other text message marketing laws covered in this article, this means criteria like pre-ticked boxes or inactivity are insufficient, and you must provide alternate mechanisms for consumers to provide written consent.

  2. Is there a procedure in place for data subjects to obtain from the business’s data controller confirmation as to whether or not their personal data is being used, where and why?

    Under GDPR, individuals have the right to access their data, correct inaccuracies, erase information and opt-out of direct marketing, including text message marketing.

  3. Does your organization know what personal data you have, what has been shared with other organizations and where the data came from?

    It may be necessary to perform a full audit to determine the integrity and accuracy of existing data and to update records accordingly in order to adhere to the GDPR’s accountability principle.

  4. Is your privacy policy up to date?

    In addition to disclosing use and the sharing and protection of personal data, your privacy policy must detail your legal basis for processing the data, how long you expect to hold the data and the process by which individuals can contact a Data Protection Authority (DPA) in the event they want to lodge a data privacy complaint.

  5. Do you have specialized protection in place for children’s personal data?

    In order to collect and process personal data about children, a parent or guardian must provide consent.

  6. Does your company have a data breach plan in place?

    Articles 33 and 34 of GDPR detail the specific protocol that must be followed in the event of a personal data breach, which is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

    GDPR requires businesses to notify victims and the appropriate supervisory authority about the breach. Data breaches must be reported within 72 hours of detection.

  7. Do employees understand how these data security elements might change after May 2018, and is the appropriate training in place to ensure compliance?

    Key decision-makers and data handlers must be well versed in GDPR and understand what changes should be made. A Data Protection Officer must also be assigned to lead the charge towards data protection compliance.

Conclusion

Wherever and whenever your organization decides to use text message marketing, compliance with all local regulations is imperative in order to build trust with consumers and the relevant supervisory authorities. By adhering to the principles of consent, opt-out and personal data security, you will establish yourself as an entity that prioritizes customers’ choice and protection in addition to providing excellent products and services.
