BulkSMSRates

SMS Compliance Guide

Sending bulk SMS requires compliance with data protection and electronic communications regulations. This guide covers GDPR, UK DPA 2018, PECR, opt-in requirements, STOP handling, and data retention.

GDPR (General Data Protection Regulation)

The GDPR is the EU's comprehensive data protection regulation, retained in UK law post-Brexit as the UK GDPR. It applies to any organisation processing personal data of UK/EU residents.

Key requirements for SMS:

  • Lawful basis: You need a lawful basis for processing phone numbers — typically consent (marketing) or contract performance (transactional).
  • Transparency: Recipients must be informed about how their data is used, who processes it, and their rights — typically via a privacy notice.
  • Data minimisation: Only collect and retain data necessary for your stated purpose. Don't keep numbers “just in case”.
  • Right to erasure: Recipients can request deletion of their data at any time. You must comply within 30 days.
  • Data processing records: Maintain records of processing activities (Article 30). Document what data you hold, why, and how long.
  • Data breach notification: Report breaches to the ICO within 72 hours if they pose a risk to individuals.

UK Data Protection Act 2018

The UK DPA 2018 supplements the UK GDPR with additional provisions specific to UK law. It sets out the framework enforced by the Information Commissioner's Office (ICO).

  • Applies to all organisations processing personal data in the UK, regardless of where they're based.
  • Establishes the ICO as the supervisory authority with enforcement powers.
  • Sets rules for direct marketing, including electronic communications.
  • Penalties align with GDPR: up to £17.5M or 4% of global annual turnover.
  • Organisations processing personal data must pay an annual data protection fee to the ICO.

PECR (Privacy and Electronic Communications Regulations)

PECR is the UK regulation that specifically governs electronic marketing, including SMS. It sits alongside GDPR and adds extra rules for direct marketing messages.

Requirements:

  • Prior consent: You must have opt-in consent before sending marketing SMS to individuals (not just legitimate interest).
  • Soft opt-in exception: You may message existing customers about similar products/services if: (a) you obtained the number during a sale or negotiation, (b) you only market similar products, and (c) you gave them a simple opt-out opportunity at collection and in every message.
  • Sender identification: Every marketing SMS must identify who you are. Anonymous marketing messages are prohibited.
  • Opt-out mechanism: Every message must include a way to opt out (e.g. “Reply STOP”).
  • Enforcement: The ICO can fine up to £500,000 for PECR violations. They regularly take enforcement action against SMS spammers.

Opt-in Requirements

What constitutes valid opt-in:

  • ✅ Unticked checkbox with clear description of what they're consenting to
  • ✅ SMS keyword opt-in (e.g. “Text JOIN to 88000”)
  • ✅ Web form with explicit SMS marketing consent separate from T&Cs
  • ✅ Double opt-in (recommended): send a confirmation SMS asking them to reply YES

What does NOT count as valid opt-in:

  • ❌ Pre-ticked checkboxes
  • ❌ Consent bundled into Terms & Conditions
  • ❌ Purchasing a phone number list
  • ❌ Business card collection at events (without explicit SMS consent)
  • ❌ “By providing your number you agree to receive SMS” buried in fine print

STOP Handling & Opt-out

Every marketing SMS must include an opt-out mechanism. BulkSMSRates automatically processes opt-out keywords for you.

Recognised keywords:

  • STOP
  • STOP ALL
  • UNSUBSCRIBE
  • CANCEL
  • END
  • QUIT
  • OPTOUT
  • OPT OUT

How BulkSMSRates handles opt-outs:

  1. Recipient replies with a STOP keyword
  2. We immediately add the number to your account suppression list
  3. We send an automatic confirmation: “You have been unsubscribed. You will not receive further messages.”
  4. Future sends to that number are automatically blocked
  5. You can view and export your suppression list from the dashboard

Data Retention

GDPR requires you to retain personal data only as long as necessary. Here are recommended retention periods for SMS-related data:

Data type               Recommended retention               Notes
Consent records         Duration of relationship + 6 years  Keep as evidence of lawful basis
Message logs            90 days                             For troubleshooting and DLR reconciliation
Phone numbers (active)  Review annually                     Remove unengaged contacts after 12-24 months
Suppression list        Indefinitely                        Must keep to prevent re-messaging opted-out numbers
Delivery reports        90 days                             Available via API for 90 days, then archived
Webhook logs            30 days                             For debugging failed webhook deliveries
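A retention policy is only enforced if something actually applies it. The following added example (not BulkSMSRates' code) turns the table above into a purge routine that handles the three cases that differ: fixed-age records (logs and reports), event-triggered retention (consent records expire six years after the relationship ends, never while it is active), and records that must never be purged (the suppression list). Active contacts are not deleted; they are flagged for review once unengaged for 12 months, matching the table's "review annually" guidance. The record format and the `purge` function are assumptions for illustration, and "6 years" is approximated as 6 * 365 days.

```python
from datetime import datetime, timedelta, timezone

# Fixed retention in days, from the table. None means "never purge automatically".
RETENTION_DAYS = {
    "message_log": 90,
    "delivery_report": 90,
    "webhook_log": 30,
    "suppression": None,
}
CONSENT_RETENTION_AFTER_END = timedelta(days=6 * 365)   # assumption: 6 years ~ 6*365 days
CONTACT_REVIEW_AFTER = timedelta(days=365)              # unengaged for 12 months -> review


def is_expired(record: dict, now: datetime) -> bool:
    """Decide whether a record has passed its retention period at time `now`."""
    kind = record["type"]
    if kind == "suppression":
        return False  # opted-out numbers must be kept to prevent re-messaging
    if kind == "consent":
        ended = record.get("relationship_ended_at")
        if ended is None:
            return False  # relationship still active: consent evidence stays
        return now - ended >= CONSENT_RETENTION_AFTER_END
    if kind == "contact":
        return False  # contacts are reviewed, not auto-deleted (see needs_review)
    if kind not in RETENTION_DAYS:
        raise ValueError(f"no retention rule for record type {kind!r}")
    days = RETENTION_DAYS[kind]
    return days is not None and now - record["created_at"] >= timedelta(days=days)


def needs_review(record: dict, now: datetime) -> bool:
    """Flag active contacts with no engagement in the last 12 months."""
    return record["type"] == "contact" and now - record["last_engaged_at"] >= CONTACT_REVIEW_AFTER


def purge(records: list[dict], now: datetime) -> tuple[list[dict], list[dict], list[dict]]:
    """Split records into (kept, deleted, flagged_for_review)."""
    kept, deleted, review = [], [], []
    for r in records:
        if is_expired(r, now):
            deleted.append(r)
        else:
            kept.append(r)
            if needs_review(r, now):
                review.append(r)
    return kept, deleted, review


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records; dates chosen to exercise each rule.
SAMPLE_RECORDS = [
    {"id": "log-1", "type": "message_log", "created_at": utc(2024, 9, 1)},        # 122 days old
    {"id": "hook-1", "type": "webhook_log", "created_at": utc(2024, 12, 15)},     # 17 days old
    {"id": "sup-1", "type": "suppression", "created_at": utc(2015, 1, 1)},        # never purged
    {"id": "con-1", "type": "consent", "relationship_ended_at": utc(2018, 1, 1)}, # 7 years since end
    {"id": "con-2", "type": "consent", "relationship_ended_at": None},            # still active
    {"id": "ct-1", "type": "contact", "last_engaged_at": utc(2023, 6, 1)},        # 19 months idle
    {"id": "ct-2", "type": "contact", "last_engaged_at": utc(2024, 11, 1)},       # recently engaged
]

if __name__ == "__main__":
    kept, deleted, review = purge(SAMPLE_RECORDS, utc(2025, 1, 1))
    print("delete:", [r["id"] for r in deleted])
    print("review:", [r["id"] for r in review])
```

Run this from a scheduled job with the purge decisions written to an audit log before deletion, so the Article 30 records can show both the policy and the evidence that it was applied.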

Quick Compliance Checklist

  • Valid opt-in consent obtained and recorded for every recipient
  • Privacy notice updated to cover SMS marketing
  • Every marketing SMS identifies your organisation
  • Every marketing SMS includes opt-out mechanism (Reply STOP)
  • Opt-outs processed immediately (automated via BulkSMSRates)
  • Suppression list maintained and checked before every send
  • Data retention policy documented and enforced
  • ICO data protection fee paid (if applicable)
  • Data processing records maintained (Article 30)
  • Staff trained on SMS compliance requirements

Send compliant SMS with confidence

BulkSMSRates includes built-in compliance tools: automatic STOP handling, consent tracking, suppression lists, and audit logs.
