SMS marketing has become an essential part of many businesses' marketing strategies. With a click-through rate six times that of email, if you aren't using it yet, you probably should be. The problem is that SMS marketing can quickly become a legal minefield. Every business must comply with 10DLC, TCPA, and global privacy laws before customers' phones start pinging.

In this guide, we'll break down how to legally run SMS marketing campaigns in the US, Europe, Canada, Brazil, and beyond. You'll learn the meaning of terms such as 10DLC, TCPA, GDPR, and LGPD, which all impact SMS marketing compliance. We'll also explore how to handle consent, build compliant opt-in flows, and avoid common SMS marketing pitfalls.


Step 1: Understand the Laws That Apply to You

Before you send a single text, you need to figure out what rules you're subject to. That depends on:

  • Where your business is located
  • Where your contacts are located

Most SMS marketing laws protect the recipient, not the sender. So if you're in the US texting someone in the UK or Canada, you still need to comply with UK or Canadian privacy laws.

Here's a quick overview.

United States

In the US, SMS marketing campaigns must comply with the following:

  • The Campaign Registry (TCR): This is not a law, but a system that regulates the use of 10DLC for SMS campaigns. 10DLC stands for 10-digit long code, a local long-code phone number businesses can use for large-scale SMS marketing campaigns. The system used to send the text messages is called Application-to-Person (A2P) messaging. Businesses must register their brands and campaigns with TCR, which is designed to reduce fraud and prevent spam.
  • Telephone Consumer Protection Act (TCPA): A 1991 federal law that protects US consumers from receiving unwanted SMS messages. Additionally, the Cellular Telecommunications Industry Association (CTIA), a telecommunications trade body, issues guidelines for SMS marketing.
  • State-specific SMS marketing laws: More than a dozen states have enacted their own laws that go further than the federal TCPA, including:

    • Arizona
    • California
    • Colorado
    • Connecticut
    • Florida
    • New Jersey
    • New York
    • Utah
    • Virginia
    • Washington

Key requirements include:

  • Brands and SMS marketing campaigns must be registered with TCR
  • Prior express written consent must be obtained from customers
  • Clear disclosures in opt-in messages – who you are, what they are signing up for, and how they can unsubscribe

As seen below on the TCR website, the main benefit of the 10DLC system is traceability, which can strengthen your business's reputation and reassure customers.

A screenshot showcasing the traceability benefits offered by the 10DLC system on The Campaign Registry Website

Canada

Canada's Anti-Spam Legislation (CASL) regulates commercial electronic messages sent to electronic addresses, including SMS messages.

As the Canadian Radio-television and Telecommunications Commission explains below, you must obtain consent, clearly identify the sender, and make it easy to unsubscribe.

A snippet from the Canadian Radio-television and Telecommunications Commission explaining CASL regulations

As seen below, if you are an overseas company targeting Canadian consumers, you still need to follow CASL.

An excerpt indicating that overseas companies targeting Canadian consumers must comply with CASL

European Union / United Kingdom

If your business targets customers in Europe, prepare to comply with the General Data Protection Regulation (GDPR). This law covers most of Europe, and the United Kingdom has adopted it since leaving the EU.

If you are specifically targeting UK customers, you must also comply with the ePrivacy Directive (PECR). PECR contains specific rules affecting SMS marketing, although they mainly relate to unsolicited marketing messages.

Similar to US regulations, some of the key requirements of EU and UK data privacy laws include:

  • Opt-in consent before sending marketing texts
  • Right to withdraw consent at any time
  • Transparency about why your business is collecting phone numbers and how it will use them

Brazil

Brazil has no specific law regulating SMS marketing, but this does not mean businesses have a free hand. All businesses must comply with LGPD (Lei Geral de Proteção de Dados) - Brazil's equivalent of the EU's GDPR.

Best practices in Brazil include:

  • Clear, freely given, and informed consent
  • Fulfill data rights such as access, deletion, and correction
  • Only send messages during daytime hours
  • Include HELP/STOP messages in the user's language

Step 2: Register Your Campaign Under 10DLC (US Only)

If you're sending Application-to-Person (A2P) messages using a 10-digit long code in the US, 10DLC rules apply. These rules are enforced by US mobile carriers, not a government agency. However, if you want your messages delivered by the biggest mobile operators in the US, including AT&T, Verizon, and T-Mobile, it is mandatory to use this service.

Your business must:

  • Register your brand with The Campaign Registry
  • Submit your campaign use case
  • Use an approved SMS provider or messaging platform

10DLC registration is required even for simple alerts or reminders. If you skip this step, your messages will be blocked or heavily throttled.

However, on the plus side, registering with TCR means your messages are pre-verified and benefit from higher delivery and throughput rates (more messages will be delivered per second). Using TCR also legitimizes your business and ensures you have an opt-in feature, which, as we will see, is the most critical component of SMS marketing compliance.

Wherever your business is based and wherever your customers reside, obtaining valid consent is the single most important step in SMS marketing compliance. Almost every jurisdiction requires some form of consent before sending marketing texts, but not all consent is equal.

US (TCPA and CTIA)

Under the TCPA, you need prior express written consent before a single marketing text is sent. As seen below, the TCPA requires "express consent" before communications are initiated. As the law came into effect before the first SMS was sent, the FCC later clarified that written consent must be obtained.

A passage from the TCPA emphasizing that express consent is necessary before initiating communications

For consent to be valid under the TCPA, your business must ensure:

  • The user knowingly agrees to receive marketing texts
  • Consent is provided in a written form (includes ticking a checkbox, SMS confirmation, or signed form)
  • Consent is not bundled with other terms

This means that pre-checked boxes and hidden opt-ins are out. It's crucial to keep accurate consent logs that record how consent was obtained and when. Update them immediately when a customer unsubscribes or withdraws consent in another way.

Unlike the TCPA, CTIA guidelines are not law, and consumers cannot sue your business for failing to follow them. However, these guidelines are still best practices, and violations could result in the CTIA either shutting down a campaign or suspending a business's SMS short code.

The CTIA's Messaging Principles and Best Practices include:

  • Including multiple opt-out mechanisms that are promptly honored
  • Maintaining a clear and accessible Privacy Policy
  • Data privacy measures, including physical, administrative, and technical controls to secure customer data
  • Content must be free from prohibited content, and embedded links must be safe and not misleading

Canada (CASL)

You must get express consent before sending commercial messages. Legal SMS marketing messages must include:

  • Your business name and contact info
  • Clear statement that the recipient agrees to receive texts
  • Method to unsubscribe at any time

Under CASL, users must give consent through an opt-in mechanism that requires a positive action, such as checking a box, to indicate consent. As shown below, the onus is on businesses to maintain accurate records to demonstrate they obtained written consent.

A part of the CASL guidance advising businesses to maintain accurate records to prove written consent

EU/UK (GDPR + PECR)

PECR requires opt-in consent for marketing texts. Additionally, the GDPR requires businesses to comply with the following standards:

  • A lawful basis for processing (usually "consent")
  • Proof of when and how consent was given
  • The right to withdraw consent easily

The gold standard is to use a double opt-in system. For example:

  • User fills form → gets confirmation SMS
  • User replies "YES" → consent is logged

As seen in the example below from Weird Fish, a UK clothing retailer, customers must take positive action "in writing" - checking the SMS checkbox - to provide consent. The sign-up form also clearly states the purpose for which the data is being collected - "to receive exclusive offers... to use online and in stores."

A sign-up form from the UK retail company, Weird Fish, mandating customers to provide written consent

Brazil (LGPD)

Before using the personal data of Brazilian consumers, such as their telephone numbers, you must obtain consent. This must be:

  • Freely given
  • Informed
  • Unambiguous

You also need to document it and give recipients clear rights (like deletion and access). If you're outside Brazil but targeting Brazilian users, you may need a local data protection representative.

Step 4: Include the Right Disclosures Up Front

In SMS marketing, transparency is often a legal requirement. Even when it is not, it is still best practice and builds customer confidence.

Your opt-in message should always include:

  • Who you are (company name)
  • What you're sending (promos, updates, alerts)
  • How often you'll send messages
  • How to stop (e.g., "Reply STOP to unsubscribe")

Let's look at a US TCPA-compliant example from Stubble & Co.

A US TCPA-compliant sign-up form by Stubble & Co providing customers with thorough information about their services

Their sign-up form may be brief, but it ticks all the boxes:

  • Company name is clearly highlighted – Stubble & Co
  • Types of text messages explained – marketing, promos, and cart reminders
  • How often they will send messages – "Msg frequency varies"
  • How to unsubscribe – reply STOP or click the unsubscribe link

It's also best practice to include a link to your Privacy Policy and Terms & Conditions, so the customer can see exactly how their data will be handled.

Keep following these best practices in every message to strengthen the customer relationship. As seen in the PECR/GDPR-compliant example from Naked Wines, a UK-based wine retailer, the customer understands who is contacting them, why they are being contacted, and how they can unsubscribe.

An example of a promotional message with important details sent by UK-based retailer, Naked Wines

Step 5: Use a Platform That Supports Compliance

It's crucial to use a marketing platform that makes compliance easy. Look for platforms that offer:

  • Consent tracking (timestamps, opt-in logs)
  • Built-in opt-out logic (STOP to unsubscribe)
  • Rate limits and throttling
  • Privacy controls (data deletion, suppression lists)
  • Audit logs (for legal disputes)

Remember, if you're targeting customers in other parts of the world, you will need to choose one that supports more than just US TCPA. This includes ensuring you comply with state laws that have more stringent regulations, such as Florida, California, and Oklahoma.

Step 6: Automate Your Data Privacy Duties

If you're subject to GDPR (most of Europe and the UK), LGPD (Brazil), or CPRA (California), you must be ready to fulfill data subject requests. Under these laws, a data subject is anyone about whom you hold personal data - in this case, a person whose cell phone number you hold.

That includes:

  • Access requests ("What data do you have about me?")
  • Deletion requests ("Delete my data from your SMS list")
  • Portability requests ("Send my data to someone else")

Your SMS platform or CRM should let you:

  • Export user data quickly
  • Delete or suppress contacts
  • Track opt-outs and re-consents

Using a privacy dashboard or customer portal lets users manage their SMS consent and data directly. This means less work for you and reduces the chances of human error creeping into data subject request processing.

Step 7: Maintain an Easy and Ongoing Opt-Out System

Without exception, every message must include a way to unsubscribe.

At minimum, include:

  • "Reply STOP to unsubscribe"
  • Option to rejoin (if user unsubscribes by mistake)
  • Auto-confirmation message when unsubscribed

This can be seen in the PECR/GDPR-compliant example below from the UK Government's system for issuing annual vehicle safety check reminders by SMS. The user sends STOP and the vehicle license plate number, and receives an acknowledgment, including the option to subscribe again.

An example of the UK Government's system demonstrating an easy method to unsubscribe from SMS notifications

Make sure your opt-out system works across all carriers and countries you text. Failing to honor opt-outs is one of the top reasons companies get fined under TCPA and CASL, so don't take the chance of a hefty fine for every SMS you send out.

Step 8: Review Your Privacy Policy

If you're collecting phone numbers for marketing, your Privacy Policy must reflect that.

Your policy should include:

  • What data you collect (e.g., phone number)
  • What you use it for (SMS marketing)
  • Whether third parties process your messages
  • How users can opt out or delete their data

Make your Privacy Policy easily accessible during the sign-up process, and clearly display a link to it on your website. Make sure that it complies with every jurisdiction you operate in.

Step 9: Localize Your Approach

Privacy laws are not one-size-fits-all. If you market across borders, customize your opt-in process per region.

For example, when marketing to EU customers, the following applies:

  • No pre-checked boxes
  • Separate checkbox for SMS consent
  • Link to privacy policy at point of collection
  • Double opt-in confirmation

Keep a record of all consent interactions for each region. You may need them if you are ever investigated by a regulator.

Step 10: Train Your Team

Your compliance risk increases when:

  • Sales staff add numbers manually
  • Customer service staff text customers directly
  • Marketing team creates new flows without legal review

Compliance is a whole-organization effort, and every team member needs to understand the part they play. Provide training so everyone is aware of the following:

  • What consent is needed
  • How opt-outs work
  • What laws apply to which customers

Penalties for Non-Compliance

Penalties can be steep if your business fails to follow data privacy laws and other SMS marketing-specific regulations. Let's take one example - TCPA violations in the United States.

Under TCPA, individuals have the right to sue companies that violate it. Each violation could result in a $500 claim for damages. If the unlawful action was intentional, this could be tripled to $1,500.

An excerpt from TCPA outlining the penalty for violations.

Suppose an SMS campaign illegally messages 500 customers just one time. If the violation was deemed unintentional, it could cost $250,000 at $500 per message. If it were an intentional breach, this could rise to $750,000. And remember, this is per SMS, not per campaign.

The takeaway: Compliance is not optional. If you want to stay in business and remain profitable, it pays to implement the steps above to run a compliant campaign from day one.

Summary

SMS marketing is still one of the most effective tools in your digital arsenal, but only if you follow the rules. Getting consent right, documenting everything, and staying transparent can protect you from lawsuits. Additionally, registering 10DLC campaigns with The Campaign Registry ensures messages are pre-verified, reducing your legal exposure.

SMS compliance also builds trust with your customers and allows you to extend your company's reach beyond the state or country in which you currently do business.

The global privacy landscape is getting stricter, not looser, so choose your marketing platform carefully. Look for one that embeds compliance into its processes and allows you to localize your approach. Setting up your SMS marketing program to be compliant from the start will save you time, money, and risk in the long run.
