Overview of UK SMS Regulations
Sending commercial SMS in the UK is governed by two primary pieces of legislation:
1. PECR (Privacy and Electronic Communications Regulations 2003, as amended) — governs unsolicited electronic marketing communications including SMS.
2. UK GDPR (UK General Data Protection Regulation) and the UK Data Protection Act 2018 — governs how personal data (including phone numbers) is collected, processed, and retained.
The ICO (Information Commissioner's Office) is the UK's data protection regulator and enforces both PECR and UK GDPR. Fines can reach £500,000 under PECR and £17.5 million (or 4% of global annual turnover) under UK GDPR.
PECR: Consent Requirements for SMS Marketing
Under PECR Regulation 22, you must NOT send unsolicited marketing SMS to an individual unless:
a) The person has given their prior explicit consent, OR
b) You are using the "soft opt-in" exemption (existing customer rule)
Explicit consent must be:
• Freely given (not bundled with T&Cs)
• Specific (for SMS marketing from your organisation)
• Informed (person understands what they're signing up for)
• Unambiguous (a positive opt-in action, not pre-ticked boxes)
Consent must be documented with a timestamp, IP address, and the exact consent wording used.
The Soft Opt-In (Existing Customer) Rule
PECR allows you to send marketing SMS without fresh consent if all four conditions are met:
1. You obtained the phone number during a sale (or negotiation of a sale) of a product/service
2. The marketing is for your own similar products/services (not third parties)
3. You gave the customer a clear chance to opt out at the time of collection
4. You give an opt-out opportunity in every subsequent message
This is the "soft opt-in" and only applies to your existing customers. You cannot use soft opt-in for prospecting or third-party lists.
Mandatory Opt-Out Requirements
Every marketing SMS must include a clear and free opt-out mechanism. Accepted methods:
• STOP keyword: "Reply STOP to unsubscribe"
• Website opt-out: "Opt out at: [link]"
• Telephone: "Call 0800 xxx to opt out"
Opt-outs must be:
• Processed within 28 days (ICO guidance)
• Permanent (don't re-add opted-out numbers)
• Honoured across all channels from the same brand
The opt-out must be free to the recipient (i.e. don't charge for the STOP reply).
Sender ID Requirements
Your SMS sender ID (the "from" name) must:
• Identify your organisation clearly
• Not be misleading about who is sending the message
• Be consistent with your brand name known to the recipient
Sender IDs can be:
• Alphanumeric (e.g. "MyBrand") — up to 11 characters
• Numeric (e.g. a virtual mobile number)
• A shortcode
Note: Alphanumeric sender IDs cannot receive replies. Use a virtual mobile number or shortcode if you need two-way SMS.
Data Retention and Subject Rights
Under UK GDPR:
• Consent records must be retained for as long as you are using that consent (plus audit periods).
• Right to erasure ("right to be forgotten"): If a subscriber requests deletion, remove their number from all marketing lists within 30 days.
• Right to access: Individuals can request a copy of their data and consent record.
• Data minimisation: Only collect the data you need; don't hold personal data longer than necessary.
The ICO recommends reviewing and refreshing consent at least every 2–3 years.
Time Restrictions for Marketing SMS
The ICO and ASA recommend (though PECR does not explicitly legislate) sending marketing SMS only:
• Monday–Saturday: 8:00am – 9:00pm
• Sundays: 9:00am – 9:00pm
• Avoid public holidays for sensitive sectors (healthcare, finance)
Sending outside these hours is likely to generate complaints and ICO referrals. Always consider the recipient's timezone — especially important for international campaigns.
Common PECR Violations and ICO Fines
The ICO issues fines for SMS marketing violations. Common violations include:
| Violation | Maximum Fine |
|---|---|
| Sending without valid consent | £500,000 (PECR) |
| Failing to provide opt-out | £500,000 (PECR) |
| Ignoring opt-out requests | £500,000 (PECR) |
| Misleading sender ID | £500,000 (PECR) |
| GDPR data breach (list breach) | £17.5M or 4% turnover |
| Unlawful data sharing with third parties | £17.5M or 4% turnover |
BulkSMSRates Compliance Features
BulkSMSRates is built for compliance:
• STOP keyword processing: We automatically handle STOP replies and add numbers to your suppression list.
• Opt-out import: Upload existing opt-out lists via API or dashboard.
• Consent timestamps: The API response includes a timestamp for your audit trail.
• DPA available: Data Processing Agreement on request for UK GDPR Article 28 compliance.
• PECR-compliant sender IDs: We validate sender IDs against ICO guidelines.
• TLS encryption: All messages encrypted in transit.