Compliance · 13 min read · Published 2026-02-05

A Guide to SMS Compliance: GDPR, TCPA, and Beyond

Sending SMS across multiple jurisdictions means dealing with multiple regulatory frameworks. Here is a practical, plain-English guide to GDPR, TCPA, PECR, CASL, and the Telephone Preference Service — what each requires and how to stay compliant.

BulkSMSRates Team


Why SMS Compliance Is More Complicated Than Email


Email compliance is relatively straightforward: CAN-SPAM in the US, GDPR/PECR in Europe, clear unsubscribe requirements, established precedent.


SMS compliance is messier. The regulatory frameworks overlap, the standards differ between jurisdictions, and the penalties are serious. A UK business with US customers needs to comply with PECR and TCPA — two frameworks with different consent standards that can conflict in their requirements.


This guide covers the main frameworks, what each requires, and how to run compliant SMS programmes when you're operating across multiple markets.


The UK: PECR + UK GDPR


The UK's SMS compliance framework has two layers.


PECR (Privacy and Electronic Communications Regulations 2003) governs electronic communications marketing, which includes SMS. The key requirements:


You must have explicit consent to send marketing SMS to individual consumers. This means the person must have actively opted in to receiving SMS messages from you, specifically. Bundled consent (clicking "I accept T&Cs" that buried SMS marketing permission in small print) doesn't count.


The soft opt-in exception allows you to message existing customers without explicit opt-in consent, provided:

  • They're your actual customer (bought from you, not just browsed)
  • You're marketing similar products or services to what they purchased
  • You gave them a chance to opt out at the point of data collection
  • Every subsequent message includes an opt-out option

Every marketing SMS must include an opt-out — something like "Reply STOP to opt out." This is non-negotiable.


UK GDPR (the UK's version of GDPR post-Brexit) applies to the processing of personal data — which a phone number is. You need:

  • A lawful basis for processing (consent, or legitimate interests for soft opt-in)
  • A Data Processing Agreement (DPA) with your SMS provider
  • Records of consent (date, source, specific consent given)
  • A process for handling data subject access requests
  • Retention policies (you can't keep phone numbers forever)

The ICO enforces both PECR and UK GDPR. Recent enforcement trends show the ICO actively pursuing companies that buy lists, use bundled consent, and fail to honour opt-outs. Fines for serious PECR violations range from £20,000 to £500,000+.


The US: TCPA


The Telephone Consumer Protection Act is the primary US federal law governing SMS. It was written in 1991 (yes, 1991) and has been extended through regulatory rulings to cover bulk SMS.


The core requirement: You need express written consent before sending marketing SMS to US consumers using an automatic telephone dialling system (ATDS) or artificial or prerecorded voice. Most bulk SMS platforms qualify as ATDS.


"Express written consent" in the TCPA context means:

  • A signed writing (digital is fine — a website form counts)
  • That clearly and conspicuously discloses that the consumer agrees to receive autodialled or prerecorded SMS
  • From a specific identified sender
  • For the specific purpose described

Verbal consent at point of sale does NOT meet TCPA requirements for marketing SMS. A pre-ticked checkbox does not meet TCPA requirements. The consent must be affirmative and specific.


One-to-one consent: A significant 2023 FCC ruling clarified that consent must be obtained on a "one-to-one" basis — meaning consent given on a third-party lead generation form cannot be used by multiple companies. If someone fills in a form on a comparison site, that's one company's consent, not a list you can share.


TCPA violations are expensive. Statutory damages are $500–$1,500 per violation. Per message. Class action lawsuits under TCPA are common and have resulted in settlements in the tens of millions.


Practical requirements for US SMS:

  • Web form opt-in with clear SMS consent language
  • List of required disclosures (message frequency, that message/data rates may apply, help and stop instructions)
  • Immediate opt-out processing when someone texts STOP
  • Do Not Call registry compliance (the wireless DNC registry)
  • No sends before 8am or after 9pm local time

The EU: GDPR + ePrivacy Directive


EU businesses (or businesses targeting EU consumers) need to comply with GDPR and the ePrivacy Directive (ePD). The ePD is the EU equivalent of the UK's PECR.


Under GDPR + ePD:

  • Consent must be freely given, specific, informed, and unambiguous
  • Pre-ticked boxes are explicitly prohibited
  • Consent can be withdrawn at any time
  • You need records of consent
  • Data minimisation: only collect what you need

One important nuance: GDPR's "legitimate interests" basis cannot be used for direct marketing in most EU member states. The ePD requires consent. So unlike some B2B email marketing where legitimate interests might apply, EU SMS marketing needs consent.


EU GDPR enforcement varies by member state, but Ireland (home to many tech companies) and Germany have been particularly active. Fines under GDPR can reach 4% of global annual revenue.


Canada: CASL


Canada's Anti-Spam Legislation (CASL) applies to all commercial electronic messages sent to or from Canada. SMS is a commercial electronic message.


CASL is stricter than most US or UK requirements in some ways:


Express consent is required for marketing SMS. CASL does have an implied consent provision, but it's narrower than UK soft opt-in — it applies only where there's an existing business relationship AND the message is related to that relationship.


CASL requires inclusion of:

  • The sender's identity and contact information
  • An unsubscribe mechanism (must be processed within 10 business days)

CASL also prohibits installing software without express consent (relevant if you're doing anything beyond SMS), and prohibits false or misleading sender information.


CASL violations: maximum $1 million per violation for individuals, $10 million for organisations. CASL also has a private right of action (since 2017), meaning individuals can sue directly.


The Telephone Preference Service (TPS)


The TPS is a UK register of individuals and businesses who have opted out of unsolicited sales and marketing calls. The Fax Preference Service (FPS) is the equivalent for fax, and there's a Corporate TPS (CTPS) for business numbers.


Important clarification that causes a lot of confusion: the TPS does NOT apply to SMS marketing in the same way it applies to telephone calls. The TPS is a register for live calls and automated calls under PECR Regulation 21.


However, the ICO treats sending marketing SMS to someone who has registered with TPS as a strong signal of non-compliance, even if it's not technically a legal requirement to screen SMS against TPS. In practice, if a TPS-registered individual complains about your marketing SMS, the ICO will look closely at your consent practices.


Our recommendation: screen your list against TPS before sending. It's not legally required for SMS, but it reduces complaint risk and is generally seen as good data hygiene.


Practical Compliance Checklist


If you're running SMS campaigns to UK and US recipients, here's what you need in place:


For UK (PECR + UK GDPR):

  • [ ] Explicit opt-in consent with records (date, source, consent text)
  • [ ] Soft opt-in policy documented if using that exception
  • [ ] Opt-out in every marketing message ("Reply STOP to opt out")
  • [ ] STOP reply processing automated (within 24 hours)
  • [ ] Data Processing Agreement with your SMS provider
  • [ ] Retention policy for phone numbers
  • [ ] Sender ID registration (strongly recommended)

For US (TCPA):

  • [ ] Written opt-in consent form with TCPA-compliant disclosure
  • [ ] Records of consent for every number in your US list
  • [ ] Opt-out processing automated and immediate
  • [ ] Sending time restrictions (8am–9pm local time)
  • [ ] Message includes: sender identification, message frequency notice, HELP instruction, STOP instruction, data rates disclosure

For both:

  • [ ] Privacy policy updated to cover SMS data collection and processing
  • [ ] Staff training on SMS compliance requirements
  • [ ] Process for handling subject access requests (who has what data)

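The checklist items that engineering has to enforce (a complete consent record, automated STOP handling, the US 8am–9pm local-time window, an opt-out instruction in every message) can be combined into a single pre-send gate. The following is an added illustration, not BulkSMSRates code; the Contact fields, the consent_type labels and the UTC-offset field are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class Contact:
    """Consent record for one recipient (field names are this example's assumptions)."""
    number: str
    country: str                   # "UK" or "US"
    consent_type: Optional[str]    # UK: "explicit" or "soft_opt_in"; US: "written"
    consent_date: Optional[str]    # when consent was given
    consent_source: Optional[str]  # e.g. "checkout", "web form"
    consent_text: Optional[str]    # the exact wording the person agreed to
    utc_offset_hours: int = 0      # recipient's local zone, assumed known from the number
    opted_out: bool = False

def process_stop(contact: Contact, inbound_body: str) -> bool:
    """Automated STOP handling: flag the contact immediately; True if the reply was a STOP."""
    if inbound_body.strip().upper() == "STOP":
        contact.opted_out = True
        return True
    return False

def can_send_marketing(contact: Contact, message: str, now_utc_iso: str) -> Tuple[bool, str]:
    """Pre-send gate. now_utc_iso must carry a UTC offset, e.g. 2026-02-05T15:00:00+00:00."""
    if contact.opted_out:
        return False, "recipient has opted out"
    if "STOP" not in message.upper():
        return False, "message has no opt-out instruction"
    if not all([contact.consent_type, contact.consent_date,
                contact.consent_source, contact.consent_text]):
        return False, "incomplete consent record (type, date, source, text required)"
    if contact.country == "UK":
        if contact.consent_type not in ("explicit", "soft_opt_in"):
            return False, "UK: explicit consent or documented soft opt-in required"
    elif contact.country == "US":
        if contact.consent_type != "written":
            return False, "US: TCPA express written consent missing"
        local = datetime.fromisoformat(now_utc_iso).astimezone(
            timezone(timedelta(hours=contact.utc_offset_hours)))
        if local.hour < 8 or local.hour >= 21:      # no sends before 8am or after 9pm local
            return False, "US: outside the 8am-9pm local sending window"
    else:
        return False, f"no rules configured for country {contact.country!r}"
    return True, "ok"
```

The gate refuses rather than guesses: a missing consent field or an unknown country blocks the send, which is the safe default when the penalty is per message.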
When to Talk to a Lawyer


This guide is informational. For specific compliance advice, particularly if you're sending at scale or operating in multiple jurisdictions, speak to a lawyer specialising in data protection or telecommunications law.


A few scenarios where you definitely want legal advice:

  • You're building a platform that sends SMS on behalf of other businesses
  • You're handling healthcare data (HIPAA implications in the US)
  • You're sending to EU consumers and haven't formally assessed your GDPR obligations
  • You've received a complaint or regulatory enquiry

BulkSMSRates can provide template DPAs and basic compliance guidance. For complex multi-jurisdictional programmes, specialist legal advice is worth the investment.
