Blog/Compliance
Compliance11 min readPublished 2026-02-14

SMS Compliance UK 2026: What Changed and What You Must Do Now

The complete 2026 guide to UK SMS compliance. Covering PECR updates, ICO enforcement trends, DPA registration, sender ID registration, and what B2B vs B2C SMS rules look like now.

BulkSMSRates Team

Compliance · BulkSMSRates

UK SMS Compliance in 2026: The Landscape


The UK SMS regulatory landscape has evolved significantly since Brexit. Post-2024, the UK operates under its own data protection framework (UK GDPR and UK Data Protection Act 2018), separate from EU GDPR.


Key differences for SMS marketers:

  • UK ICO (not EU DPA) enforces compliance
  • UK GDPR follows EU GDPR closely but with UK-specific nuances
  • PECR (Privacy and Electronic Communications Regulations 2003) remains in force
  • The ICO has increased enforcement activity since 2023 — fines are real

What Hasn't Changed


The core principles of SMS marketing compliance remain the same:


  1. 1.Consent first — Explicit opt-in for marketing SMS (with soft opt-in exception for existing customers)
  2. 2.Opt-out must be provided — Every marketing message needs an opt-out
  3. 3.Sender ID must be honest — Don't impersonate other brands or use misleading identifiers
  4. 4.Process opt-outs promptly — ICO expects removal within 28 days
  5. 5.Data minimisation — Only collect what you need

    6. ICO Enforcement Trends (2024–2025)


    The ICO has stepped up SMS enforcement. Recent notable actions:

    • Multiple fines of £150,000–£500,000 for PECR SMS violations
    • Focus on "purchased lists" — providers who sold numbers without consent were also fined
    • Increased attention to healthcare and financial services SMS
    • New guidance on AI-generated SMS content and personalisation

    Key lesson: The ICO is actively monitoring and does investigate complaints. Even one valid complaint can trigger an audit.


    B2C vs B2B SMS Rules


    B2C (Business to Consumer)

    • PECR applies in full — explicit consent required for marketing
    • Soft opt-in only for your own existing customers (not leads or third-party contacts)
    • Opt-out must be in every message

    B2B (Business to Business)

    • PECR applies to individual business email addresses (e.g., [email protected])
    • For corporate emails/numbers (e.g., [email protected]), the threshold is lower
    • ICO guidance: still need to provide opt-out and avoid clear nuisance messaging
    • UK GDPR still applies to personal data even in B2B contexts

    Practical advice: Treat B2B contacts with the same respect as B2C. Even if the technical bar is lower, spam complaints trigger ICO attention regardless.


    Sender ID Registration


    Ofcom's voluntary scheme for SMS sender ID registration launched in 2023. While not yet mandatory, registered sender IDs:

    • Cannot be spoofed by fraudsters
    • Receive priority routing on participating networks
    • Increase consumer trust in your messages

    How to register: Work with your SMS provider. BulkSMSRates facilitates sender ID registration with UK networks for eligible customers.


    The Data Processing Agreement (DPA) Requirement


    Under UK GDPR Article 28, you must have a written DPA with any data processor who handles personal data on your behalf — including your SMS provider.


    BulkSMSRates provides a standard DPA on request. This covers:

    • Processing purposes and duration
    • Types of data processed (phone numbers, message content)
    • Security measures in place
    • Sub-processor chain
    • Your right to audit

    Without a DPA, you are technically non-compliant under UK GDPR — even if you have consent for the SMS itself.


    Action Checklist for 2026


    • [ ] Review all SMS lists for valid consent evidence
    • [ ] Ensure consent was obtained with clear SMS-specific opt-in language
    • [ ] Set up automated opt-out processing (STOP keyword handling)
    • [ ] Register with ICO as a data controller (if not already)
    • [ ] Sign a DPA with your SMS provider
    • [ ] Register your sender ID with UK networks
    • [ ] Implement retention policies — delete lapsed consent after 2–3 years
    • [ ] Review T&Cs to ensure they don't bundle SMS consent with purchase acceptance
    • [ ] Train staff who handle customer data

    Getting Help


    BulkSMSRates offers compliance consultation for customers who need help navigating UK SMS regulations. Our team can review your consent flow, message templates, and data handling practices. Contact us at [email protected].

#compliance#PECR#UK GDPR#ICO#SMS regulations

More Articles

SMS Marketing Best Practices for 2026

A comprehensive guide to running compliant, high-converting SMS marketing campaigns. Learn the timing, segmentation, and copywriting techniques that top brands use to achieve 19% click-through rates.

SMPP vs HTTP API: Which Should You Use for Bulk SMS?

A technical comparison of SMPP and HTTP REST API for bulk SMS delivery. Learn which protocol is right for your use case, throughput requirements, and integration complexity.

SMS Delivery Rates Explained: Why Messages Fail and How to Fix It

Understand why SMS messages fail to deliver, what DLR error codes mean, and practical steps to improve your delivery rate from 85% to 99%+ for UK and international campaigns.

Ready to send bulk SMS?

Start from £0.0300/segment. No monthly fees. Free test credits. Setup in minutes.

Create Free Account →