Your simplified guide to SMS regulations and compliance in the UK

A good SMS marketing strategy in the UK starts with compliance.

SMS is a powerful marketing channel for UK brands. And, as they say, with great power comes great responsibility. If you want to send marketing texts to your UK customers, there are a few critical compliance requirements you should be aware of.

Just as we see for email, there are specific rules and requirements for sending marketing texts that keep brands accountable and customers safe.

Sending an unsolicited text message to your audience can result in fines and punitive action for breaching data protection laws for example. Plus, customers expect extra consideration from brands trying to reach them via such a personal channel.

Want to provide a compliant and memorable customer experience over text? You came to the right place.

Before I go on, a quick disclaimer: This guide should not be relied on as legal advice. Klaviyo encourages you to work with your legal counsel to make sure your SMS program is compliant with the laws that apply to it.

Consumer insights

See the results from our latest consumer survey on how over 5,000 Europeans across 13 countries want to engage over text.

Read now

UK SMS compliance laws: an overview

In the UK, there are several organisations and regulations that influence SMS compliance laws:

• General Data Protection Regulation
• The Data Protection Act 2018
• Information Commissioner’s Office
• Privacy and Electronic Communications Regulations
• Advertising Standards Authority
• Mobile networks

Each of these 6 regulatory powers have their own compliance requirements, some unique and some overlapping.

Sound like a lot to keep track of? There’s no way around it: SMS regulations in the UK are nuanced and can seem overwhelming.

Fortunately, we’ve collected a list of the main requirements you need to be aware of to keep everything straight.

Working with SMS providers with deep SMS compliance knowledge also helps—which is why over 8,000 brands rely on Klaviyo SMS.

Klaviyo builds local regulations into the platform to help you create smarter, already-compliant segments so you can focus on your customers, not ever-changing laws.

Regardless of what technology you use, having a solid understanding of what SMS compliance looks like in the UK helps you establish better, safer relationships with your customers.

5 key SMS compliance requirements in the UK

At a high level, to send marketing messages compliantly to UK recipients, brands must:

1. Get consent

Your recipients must give express written consent to receive SMS and/or display legitimate interests. All opt-in language must clearly convey what the subscriber is signing up for.

When collecting consent, brands must also include relevant links to the Privacy Policy and Terms of Service that disclose what parties will have access to the data they’re sharing.

I’ll go into more detail on what qualifies as consent—but for now, it looks something like the disclaimer text in this welcome pop up from SkinnyTan:

One note here: If your business already collected a contact’s mobile number without explicit consent, you can still use that data for non-marketing messages—and only non-marketing messages. These messages can be for informational purposes and must be considered helpful to the recipient.

For example, if someone gives you their mobile phone number at checkout but doesn’t opt into marketing texts, you can send them transactional texts, like:

• Order confirmation message
• Shipping confirmation message
• Shipping delivery updates

But since that customer didn’t explicitly opt into marketing text messages, you can’t send promotional texts, like:

• Recommended product information
• New product releases
• Upcoming sale information

Does this distinction between a marketing message and a transactional message sound familiar? It’s also a component of email marketing compliance, where you can usually send someone an order confirmation email even if they’re not opted into your regular newsletter messages.

2. Provide timely opt out

If a user revokes their consent to receive SMS communications, you’re obligated to process it in a timely manner. The most common ways brands offer opting out are when customers:

• Reply STOP (for SMS with a numeric sender ID)
• Click an unsubscribe link (for SMS with an alphanumeric sender ID)
• Contact customer service for a manual unsubscribe

A numeric sender ID uses only numbers, so recipients see the sender as something like 0123456789.
An alphanumeric sender ID uses letters instead of numbers, so recipients see your brand name as the sender.

3. Offer clear sender identity

As a business, you must clearly share your identity when sending SMS messages to your customers.

This is slightly different for brands with an alphanumeric versus numeric header.

• With an alphanumeric sender ID, customers can easily see that your brand is messaging them, like in SkinnyTan’s message above.
• If you use a numeric sender ID, your brand identifier automatically shows at the beginning of the text.

4. Only send during approved hours

Finally, for both compliance and your customers’ full night of rest, there are “quiet hours” that all UK brands must adhere to for SMS marketing. In the UK, brands cannot send SMS marketing messages after 8:00 p.m. or before 9:00 a.m.

5. Take extra compliance measures if you’re using a short code

As the name suggests, SMS short code campaigns come from a shorter numeric sender (usually 5-6 digits). In the UK, using short codes means you have to comply with an additional set of compliance regulations—some of which overlap with the above, like:

• Have clear consent during opt in
• Allow recipients to opt out
• Clearly identify your brand
• Openly share Terms of Service and Privacy Policy

However, some are slightly different from the standard regulations:

• Some industries have additional regulations. Certain content such as alcohol, gambling, adult, and CBD products require additional measures before launching.
• Regularly ask recipients if they’d like to opt out. Campaigns must display opt-out instructions in the message or Terms & Conditions at regular intervals.

While you only need to comply with these regulations when using short codes, some of them also might improve your SMS performance, like culling your SMS list with regular opt out opportunities.

Now that you have a high level understanding of the 5 factors that make up SMS compliance in the UK, take a deep breath. Next, we’re digging deeper into the details of consent and what that means for UK brands.

What qualifies as SMS consent?

Consent language must be legible, prominent and in close proximity to the opt-in CTA.

Consent only needs to be given once, but some brands choose to use a double opt-in. Using Klaviyo’s Smart Opt-in feature, you can ensure that all of your SMS subscribers truly meant to sign up for texts—which keeps SMS engagement high and your sending compliant.

For consent to be valid for UK compliance, it must also meet all 3 of these criteria:

• Freely given
• Specific
• Informed

Still not sure what that means? You’re not alone. Let’s break it down.

What’s freely given consent?

Freely given consent means your customers have a genuine choice over whether to opt into your marketing. If you use a check box to collect consent, it can’t be pre-checked—or your customers might not be truly choosing to opt in.

Businesses also can’t coerce or unduly incentivise people to consent—or penalise anyone who refuses. If consent to marketing is necessary to a business’s service, that business still has to show that users freely gave their consent to marketing.

A numeric sender ID uses only numbers, so recipients see the sender as something like 0123456789. What about that 10% off new subscriber discount? As long as you meet all other consent criteria, a small welcome offer to thank a subscriber for opting into text marketing is fine—and likely to get you more subscribers, so go for it.

What’s specific consent?

In ‌direct marketing, consent must be specific to the type of marketing—for example, email and SMS each require unique consent.

That means if someone opts into email marketing, a business can’t consider that consent to be able to text that person marketing messages. Similarly, a user who’s consented to SMS marketing is not by default opted into email marketing.

What’s informed consent?

Informed consent means the person must understand what they are consenting to. Ensuring you get informed consent is as easy as clearly and prominently explaining what the person is agreeing to.

Sneaking information in a dense privacy policy or hidden in hard-to-find—or hard-to-understand—small print does not qualify as informed consent.

Consumers ultimately need to be clear on what they are consenting to and knowingly accept it. Avoid convoluted and ambiguous wording and keep clear records of:

• What an individual has consented to
• When they opted in
• How you obtained their consent

A ready-to-use template for SMS consent language

To ensure your SMS opt-in language meets all the important criteria, we just covered, here’s an easy, already-compliant template:

I consent to receiving customised SMS marketing offers and transactional SMS updates from <YOUR BRAND NAME> until I withdraw my consent by contacting customer service at <URL or CONTACT DETAILS>, clicking on the unsubscribe link within the text or replying to an SMS with STOP, sending a message costs standard local network rate. For further information on the processing of your personal data please see <Privacy URL>

In addition to this opt-in language, you’ll also need to craft a Terms of Service, which can also be built off a template. Klaviyo makes creating one simple—all you need to do is fill in the relevant information so the template can do the rest of the work.

Where do SMS compliance regulations come from?

Can’t get enough of SMS compliance? Keep reading for a closer look at the groups that defined the compliance laws we’ve covered—with enough acronyms to fill up several notebooks.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though the European Union (EU) drafted and passed it, it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU.

The regulation was put into effect across the EU on May 25, 2018. Following Brexit, the UK implemented its own version of GDPR, called UK-GDPR.

The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Here are some of the largest GDPR fines from the last several years:

• Amazon: €746m ($877m) for problematic cookie consent
• Meta: €225m ($255m) for overly complicated privacy policy language
• Google: €150m ($120 for problematic cookie consent
• Facebook: €60m ($68m) for problematic cookie consent
• H&M: €35m ($41m) for violating employee privacy

The Data Protection Act 2018

The Data Protection Act 2018 is the UK’s implementation of the GDPR and controls how organisations, businesses, and the government can use people’s personal data.

The Privacy and Electronic Communications Regulations

The Privacy and Electronic Communications Regulations (PECR) sit alongside the DPA and the UK GDPR. They give people specific privacy rights in relation to electronic communications.

Even if your company has no presence in the UK or the EU, these regulations apply if you’re engaged in commercial activity in the UK.

What’s the difference between GDPR, DPA, and PECR?

The GDPR and DPA cover the rules around how personal data can be processed, whereas the PECR focuses specifically on electronic marketing and outlines rules around SMS texts, emails, marketing calls, faxes and cookies.

The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Advertising Standards Authority

The Advertising Standards Authority (ASA) is the UK’s independent regulator of advertising across all media. They apply the Advertising Codes, which are written by the Committees of Advertising Practice (CAP).

The ASA CAP Code regards “electronic mail” as text, voice, sounds or image message, including e-mail, SMS, and MMS. Section 3 of the CAP Code sets clear expectations around the transparency of campaigns and the importance of giving consumers key information to make an informed decision about purchasing products and services.

Under ASA, alcohol and gambling are acceptable but must be socially responsible and require age-gating to responsibly deter underage users from purchasing the product.

Please note: Tobacco and e-cigarettes containing nicotine are prohibited from SMS marketing campaigns on Klaviyo.

What UK mobile networks feed into compliance laws?

The short code management group is made up of 4 major UK mobile carriers:

• Hutchison 3G Ltd
• EE
• Vodafone UK Ltd
• Telefonica UK Ltd

This group ultimately approves all short code activation requests with GDPR and Advertising Standards in mind. To avoid delayed approvals, it pays to work with a platform provider with a deep knowledge of local regulations and a team with years of direct experience working with them.

Start sending compliant SMS messages that convert

Ready to send text messages that inspire your customers to make more purchases? Combine your newfound compliance knowledge with an SMS provider that offers:

• Optimised boilerplate opt-in language
• Easy quiet hours sending
• Segmentation that double checks for consent
• Alphanumeric sender IDs that automatically include mandatory opt-out

Start sending texts to your UK audience today. Try Klaviyo SMS