Legal Policies for SMS Marketing

If your business uses SMS marketing to target potential customers on mobile devices, then you need certain legal policies in place to comply with global privacy laws. Specifically, you will require a Privacy Policy and a Terms & Conditions Agreement (T&Cs).

If you're unfamiliar with drafting legal policies, you may be unsure what the law requires. Below, we explain why you need these policies, and we demonstrate how you can generate your own legal policies for SMS marketing purposes.

What is SMS Marketing?

Short message service (SMS) marketing allows companies to send promotional and marketing content, via text message, to consumers' mobile phones.

SMS marketing is a form of direct marketing. Direct marketing means that you contact the consumer directly to advertise or promote your business. The opposite is indirect marketing, which is when you're focused on growing your brand's presence and building trust with prospective customers.

As SMS marketing lets you directly advertise your services, it's an "opt-in" type of marketing, meaning you will normally require informed consent before you can send SMS marketing texts. We'll explore the legal implications of this below.

What Laws Apply to SMS Marketing?

The exact laws which apply vary depending on where your business is located and where your audience resides. However, let's break down some of the most significant SMS marketing laws you should be aware of.

General Data Protection Regulation (GDPR) (EU)

The EU's General Data Protection Regulation (GDPR) is one of the world's most comprehensive privacy laws. If you send SMS messages to any individual located in the EU, you must comply with its terms.

The GDPR works to protect personal data. Personal data includes telephone numbers and online account details, so it covers SMS marketing.

If you obtain consent to send SMS messages, you can only rely on that consent for that specific purpose. If you want to do something else with the data, for example, share it with third parties for marketing purposes, you need separate consent to do this.

You must also provide a simple means to opt out of marketing content. And for clarity, you should set out your marketing (and privacy) practices in both a Privacy Policy and Terms and Conditions Agreement.

Various exceptions apply. For example, you might be able to send messages if you have a legitimate business interest in doing so. But these exceptions do not typically apply to marketing content such as SMS messages.

CAN-SPAM (Canada)

Under Canada's Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), you can't send "commercial electronic messages" to any electronic addresses without:

  • Identifying your business
  • Obtaining express consent
  • Offering a means to unsubscribe

Under Section 1 of the Act, electronic messages include texts, and electronic addresses include telephone accounts, meaning CAN-SPAM applies to SMS messages:

CAN-SPAM Definition of electronic message

As with the GDPR, express consent means the recipient takes some positive step or proactively opts in to marketing SMS messages. Implied consent is unlikely to be sufficient.

Telephone Consumer Protection Act (U.S.)

The U.S. Telephone Consumer Protection Act (TCPA) treats SMS text messages like phone calls. This means you can't send unsolicited SMS messages just as you can't make unsolicited calls. You need express written consent before doing so.

In terms of what counts as "written" consent, it's similar to what's required by other laws. Namely, the individual must expressly provide their details, or consent, before you can send marketing SMS.

Here's an example from Old Navy. It's obvious that the individual is providing a phone number in exchange for marketing messages. The company outlines a clear process for opting out and includes links to its core policies:

Old Navy SMS marketing sign-up form

If a person chooses to provide their cellphone number after reading the statement, we can take this as express and "written" consent.

SMS marketing laws in the U.S. are complicated, with various states having their own restrictions. It's best to seek legal advice before sending SMS marketing messages in the U.S. if you're unsure which laws apply.

Privacy and Electronic Communications Regulations (UK)

The UK's Privacy and Electronic Communications Regulations (PECR) sits alongside the GDPR.

According to Section 2 of the PECR, the Regulations apply to "electronic mail." "Electronic mail" includes texts sent over a "public communications network":

PECR definition of electronic mail

The rules only apply to "unsolicited" messages, meaning marketing SMS messages you want to send. If a user directly approaches your business and asks you to send them information, this would be a solicited message and the Regulations would not apply.

For businesses, the key takeaway from these Regulations is that spam texts, or marketing SMS texts sent without consent, are prohibited in the UK. You must obtain express, freely given, and informed consent before sending marketing SMS messages to UK phones. And you must make it easy for individuals to opt out without prejudice.

Here's an example from Gymshark. The SMS message includes a clear option to "stop" marketing messages, and it includes a clickable link to follow:

Gymshark SMS marketing screenshot

In practical terms, this means informing individuals about their privacy rights through a Privacy Policy, and setting out your data handling practices in Terms and Conditions.

What Legal Policies Do You Need for SMS Marketing?

Whichever privacy laws apply, it's clear that you will typically need the following before sending SMS marketing messages:

  • Clear and informed consent,
  • Sufficient explanation of your data handling practices, and
  • A simple process for opting out of SMS marketing

To meet these requirements, you need at least two core legal policies: a Privacy Policy, and a Terms and Conditions Agreement. Let's briefly consider why.

Why Do You Need a Privacy Policy for SMS Marketing?

Drafting a Privacy Policy can seem time-consuming, but there are various benefits to having a carefully drafted policy in place.

  • Most obviously, you're supporting your compliance with privacy laws around the world by clearly setting out your data handling practices and explaining what rights individuals have over their data.
  • Nowadays, consumers typically expect more information regarding a company's privacy practices before they share data.
  • A Privacy Policy shows that you're a professional business which takes its customers' data seriously. This builds trust in your business.

Why Do You Need a Terms and Conditions Agreement for SMS Marketing?

Although Terms and Conditions agreements are not legally required, you're highly encouraged to have such an agreement if you use SMS marketing. Here are three of many reasons why.

Provide legal certainty: Terms and Conditions agreements can be legally binding if they're drafted appropriately and both parties understand that they're entering the equivalent of a contract. In this way, your Terms agreement provides both you and your users with certainty and clarity for how disputes may be resolved.

Avoid legal disputes: Terms and Conditions don't just explain how you will resolve disputes. They can help you avoid disputes by explaining, in detail, what rights and obligations you and your users have, and what they can expect from you.

Build transparency and professionalism: As with Privacy Policies, customers increasingly expect higher levels of professionalism from the businesses they use. A Terms and Conditions Agreement is your opportunity to demonstrate professionalism, transparency, and commitment to good business practices.

How Do You Create a Privacy Policy for SMS Marketing?

Every Privacy Policy for SMS marketing should have specific clauses. You must explain:

  • The types of data you collect
  • How you collect the data
  • How you use the data you collect
  • How you store the data
  • What rights and choices consumers have
  • Whether you share or sell data to third parties

You can have a separate Privacy Policy for SMS marketing, but it's still best to have a more general Privacy Policy for your wider site.

Green Paper Products, for example, has an SMS Privacy Policy, but it should be read alongside its general Privacy Policy:

Green Paper Products SMS Marketing Policy: Intro section

Type of Data Collected and How

Be specific about the types of personal information you collect. If you use SMS marketing, this will typically include a person's phone number and perhaps digital user or screen names.

UNICEF USA, for example, explains what information they collect and when it is collected, which is a helpful extra disclosure to add:

UNICEF USA SMS Privacy Statement: What Personal Information is collected about you clause

Here's another example of how you can let users know that you collect information such as a phone number, and that you do so when they sign up for your SMS service:

SMS Privacy Policy: Collection of Information clause excerpt

How the Data is Used

Explain how you use the personal data you collect. Again, try to be specific without overly limiting what you can use the data for. Green Paper Products, for example, includes the word "primarily" to imply that there may be other uses for the data collected:

Green Paper Products SMS Marketing Policy: Use of Phone Numbers for SMS clause

Here's another short example that gets right to the point of how the data is used:

SMS Privacy Policy: Use of Information clause excerpt

How Data is Stored and Secured

Declare how long you retain a customer's data and how you keep it safe.

Codeless, for example, stores data for a maximum of one year. It uses reasonable safeguards to keep data safe while stored, but can't guarantee complete protection:

Codeless Privacy Policy: How do we keep your information safe clause

Here's another example, with this information divided between two separate clauses:

SMS Privacy Policy: Protection of Information and Retention of Information clauses

Privacy Rights and Choices

Explain to users what rights and choices they have around what data they share and how they can opt out of data sharing.

Cash Inn Ltd., for example, sets out a user's privacy rights in a clear bullet point list. It also invites users to contact the company to change preferences or exercise these rights:

Cash Inn Ltd Privacy and Cookie Policy: Your Rights clause

Here's an example of how you can note a consumer's right to opt out while providing instructions for how to do so:

Privacy Policy: Opt-Out Options clause with SMS messages section highlighted

How Do You Create a Terms and Conditions Agreement for SMS Marketing?

Terms and Conditions agreements for SMS marketing should contain certain clauses:

  • How to opt in and out of SMS marketing
  • SMS charges
  • Warranties
  • Limitation of liability
  • Message frequency

Opt In and Out

Specify how users can opt in and out of SMS marketing. Make sure these sections will be easily understood by readers.

Caterpillar, for example, clearly explains the steps involved in two short paragraphs:

Caterpillar SMS Terms and Conditions: Opt in and Opt out clauses

Data Charges

Declare that charges might apply for receiving SMS marketing messages. This ensures that you're not held responsible for unexpected charges.

Here's an example of this from Stonewood Grill and Tavern:

Stonewood Grill and Tavern: SMS Marketing Terms and Conditions and Privacy Policy: Cost and Frequency of messages excerpt

Warranty Disclaimer and Limitation of Liability

Include a warranty disclaimer and explain that you don't warrant the service will be available all the time, or that it will meet a user's expectations. Otherwise, you could be held liable for issues caused by undelivered messages.

Here's a short but effective clause from Stonewood:

Stonewood Grill and Tavern: SMS Marketing Terms and Conditions and Privacy Policy: Disclaimer of warranty

Having a limitation of liability clause will help reduce the burden you may have for liability.

Cash Inn, for example, accepts liability only so far as it's bound by law. In other words, it isn't liable for anything it isn't legally required to accept responsibility for:

Cash Inn Ltd Privacy and Cookie Policy: Our Liability clause

Frequency of SMS Marketing Messages

Retain your right to send SMS messages frequently by keeping the clause as general as possible.

Caterpillar notes that it sends SMS messages at a frequency depending on the specific program the user signed up for:

Caterpillar SMS Terms and Conditions: Message Frequency clause

Next let's look at how to display your legal agreements so people can find them easily.

How Should You Display an SMS Marketing Privacy Policy and Terms and Conditions Agreement?

Your legal policies are only effective if they're visible and users have a clear opportunity to read them before using your services. The three best places to display your policies are the website's footer or sidebar, and at the point of data collection.

Most users expect to find links to your core policies in the footer, header, or sidebar, so place links there.

Here's an example:

Generic website footer with SMS Privacy Policy links highlighted

At the Point of Data Collection

Give users a clear opportunity to read your legal policies immediately prior to sharing their data with you.

Take Walmart, for example. In the website footer, it invites users to subscribe to email marketing content by providing an email address (but this would work just as effectively for SMS marketing).

It's obvious from the description what the individual is signing up for, and that they can unsubscribe at any time. There's also a link to the Privacy Notice to better inform the individual:

Walmart Subscribe form

Stonewood Grill and Tavern clearly explains what's involved in its e-club signup and also includes an obvious link to its Terms and Privacy Policy:

Stonewood Grill and Tavern: E-club signup excerpt


Every business using short message service (SMS) marketing should have a Privacy Policy and Terms and Conditions agreement. These policies help you comply with global privacy laws, increase transparency, and promote consumer trust in your business.

Your Privacy Policy for SMS marketing should include, at a minimum, clauses explaining:

  • What data you collect and why
  • How your business uses this collected data
  • How you store the data securely
  • What rights individuals have over their personal information
  • If you sell data to third parties

Your Terms and Conditions agreement for SMS marketing should include, at a minimum, the following clauses:

  • How to opt out of SMS marketing
  • Fees and charges
  • Warranties
  • Limitation of Liability
  • Message frequency

Display your Privacy Policy and Terms and Conditions agreements prominently. The best places to position these policies are at the point before data collection and within your website header, footer, or sidebar.