Many countries such as the US, the UK, Australia, and the EU Member States, have distinct regulations regarding texting customers. Let’s take a closer look at the most important text messaging laws your business should know.
In most cases, a customer’s written consent is necessary before you can send any type of message. This also applies to loyal customers who opted in for your company’s SMS marketing campaigns.
Texting customers without permission is an intrusive practice that no company should use, considering the current texting privacy laws. Text spam laws should also be considered when contacting customers, but text marketing rules are a work in progress and will suffer significant changes throughout the years, so it’s important to stay informed and constantly brush up on SMS advertising laws.
All of the following text messaging laws include the same general principles – such as prior consent and the ability to unsubscribe – but there are subtle differences between them and understanding these can help you to target your SMS marketing strategy accordingly for different parts of the world.
1. SMS marketing laws in the US
The Telephone Consumer Protection Act
In the US, the three organizations that deal with text regulations are:
- Cellular Telecommunications Industry Association (CTIA)
- Federal Communications Commission (FCC)
- Mobile Marketing Association (MMA)
While the CTIA and MMA are organizations that encourage best practices for text message marketing, the FCC is a fully-fledged government agency with legislative powers that has enacted several laws, including the Telephone Consumer Protection Act and CAN-SPAM, to regulate SMS marketing, SMS restrictions and text message privacy laws.
According to the Telephone Consumer Protection Act (TCPA), which has been the FCC’s leading regulation in electronic communications since 1991, businesses and organizations must obtain written consent from individuals before sending them any text messages.
Can a business text a customer without explicit consent? Even if a business has an individual’s phone number or already has an “established business relationship,” written consent is still required.
To ensure full TCPA compliance, the consumer must have received “clear and conspicuous disclosure” of the text messages they will receive from the organization and must agree to receive these messages to their specific phone number.
These are the main rules to follow to ensure full transparency when sending out your marketing texts:
- According to texting laws, texts must include both the sender’s identity and opt-out instructions;
- Businesses must provide a means for consumers to opt-out by replying directly to the text message;
- Texts can only be sent between 8 am and 9 pm to minimize inconvenience to the consumer.
Texting laws for business state that the consequences for non-compliance include financial damages ranging from $500 to $1500 per text message sent to each individual who did not provide consent. It is worth noting that tax-exempt nonprofit organizations are exempt from the opt-in and “do-not-call” requirements of the TCPA.
Complementing the provisions laid out in TCPA, the CAN-SPAM Act forbids businesses to send commercial email messages to a mobile phone. CAN-SPAM defines commercial messages as advertisements or promotions for a product or service.
Note that this definition does not extend to messages about an existing transaction or relationship – for example, a delivery notification – or non-commercial messages.
When sending a commercial email to a mobile device, CAN-SPAM requires that the following SMS marketing regulations are applied:
- The email is easily identifiable as an advertisement;
- Recipients can easily unsubscribe or opt-out from receiving further messages;
- The sender includes a return email address and postal code.
2. SMS marketing laws in Australia
Are unsolicited texts illegal? Most recently updated in 2016, Australia’s Spam Act makes it illegal to send “unsolicited commercial electronic messages”, including email marketing and texting. Therefore, it is required that businesses must first receive explicit consent from the recipient.
Unlike TCPA in the US, it will suffice under Australia’s Spam Act if the recipient has an existing relationship with your business. However, like TCPA and CAN-SPAM, any text message marketing under the Spam Act must also identify your business at the outset and provide an option to unsubscribe from future text messages.
Another notable difference is that if you buy a list of contacts from another organization and if these contacts have agreed to receive messages from third parties, you can use the list in your own marketing communications.
3. SMS marketing laws in the UK
Privacy and Electronic Communications Regulations
In the UK, the Privacy and Electronic Communications Regulations (PECR), released by the Information Commissioner’s Office (ICO), governs text marketing laws and text message regulations based on the Data Protection Act.
In the interest of transparency and consumer protection, businesses that use consumers’ personal data must inform them how their data is being used.
Similar to Australia, previous customers may have a “soft opt-in” if they have already engaged in a sale or negotiation with the business and provided their contact information (though not necessarily explicit consent) this way. Text opt-in laws state that the option to unsubscribe from messages is also required for SMS compliance.
4. Text message laws in Europe
General Data Protection Regulation (GDPR)
The whole principle behind stricter privacy regulations for the EU has to do with making sure that customers benefit from improved business experiences and higher transparency regarding how their data is being used.Can a business text you without permission?
Companies need to make sure that they explicitly ask for customer permission to send marketing materials, including texts. This has to be your client’s deliberate choice, not a pre-ticked box that automatically signs them in.
They also have to be able to easily access their data at any given time. Emails and texts need to contain unsubscribe links. Texting rules state that the “OPT-OUT” alternative should be visible and available to all clients who receive marketing texts or emails.
Here is our GDPR checklist for small businesses. Make sure to brush up on current texting and data protection policies and ask yourself these questions:.
- Are your EU consumers opting in to share their personal data rather than being automatically enrolled?
- Is there a procedure for data subjects to obtain confirmation from the business’ data controller as to whether or not their personal data is being used, where, and why?
- Does your organization know what personal data you have, what has been shared with other organizations, and where the data came from?
- Do you have specialized protection in place for children’s personal data?
- Does your company have a data breach plan in place?
- Do employees understand how these data security elements might change after May 2018, and is the appropriate training in place to ensure compliance?
GDPR defines “consent ” as “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
As with most of the other text message marketing laws covered in this article, this means criteria like pre-ticked boxes or inactivity are insufficient, and you must provide alternate mechanisms for consumers to provide written consent, according to texting customers’ laws.
Under GDPR, individuals have the right to access their data, correct inaccuracies, erase information, and opt-out of direct marketing, including text message marketing.
It may be necessary to perform a full audit to determine the integrity and accuracy of existing data and update records accordingly to adhere to the GDPR’s accountability principle.
In order to collect and process personal data about children, a parent or guardian must provide consent.
Articles 33 and 34 of GDPR detail the specific protocol that must be followed in the event of a personal data breach, which is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
GDPR requires businesses to notify victims and the appropriate supervisory authority about the breach. Data breaches must be reported within 72 hours of detection.
Key decision-makers and data handlers must be well versed in GDPR and understand what changes should be made. A Data Protection Officer must also be assigned to lead the charge towards data protection compliance.
Key takeaways about SMS marketing laws
Wherever and whenever your organization decides to use text message marketing, compliance with all local regulations is imperative in order to build trust with consumers and the relevant supervisory authorities.
By adhering to the principles of consent, opt-out, and personal data security, you will establish yourself as an entity that prioritizes customers’ choice and protection in addition to providing excellent products and services.
This article contains general information about main messaging laws and regulations and does not constitute legal advice. Please seek professional counsel for in-depth information regarding current text messaging laws and to avoid possible SMS legal complaints.