Must-Know Regulations for SMS Marketing in EMEA

Act-On
SMS Marketing

There are currently 5.29 billion unique mobile phone users globally, giving businesses an opportunity to reach 68% of the world through SMS marketing. Like email, SMS is regulated, with requirements that change depending on the region. Although many countries follow U.S. SMS marketing regulations as a standard, regions like Europe, the Middle East and Africa (EMEA for short) have become more assertive in regulating how businesses can market to consumers. Take a look at these must-know regulations for SMS marketing in EMEA.

Why SMS Marketing Regulations Are So Important

Following SMS marketing regulations is necessary because they create a safe advertising environment for businesses and consumers. Telecommunications and privacy regulations are designed to ensure that consumers control how they are advertised to and whether they are contacted at all. Any marketer should care about compliance, not only because of the legal implications but, even more importantly, because of high expectations for an amazing customer experience at every touchpoint.


In EMEA, SMS marketing regulations are designed to give consumers comfort in knowing companies respect their time and right to consent. Your company can get blacklisted from future sending, or even face fines and legal consequences for noncompliance. 

Like email marketing, SMS marketing involves heavy regulation around consent. In EMEA, such guidelines are often stricter than in the United States. No matter where a company is sending SMS globally, there is no faster way to lose subscribers than to send SMS without explicit consent. 

Are you ready to send compliant, valuable SMS marketing messages to your favourite audiences? Check your knowledge with this summary of the most important SMS marketing regulations in EMEA.

SMS Marketing Regulations in the EU

The General Data Protection Regulation (GDPR) regulates SMS marketing in the European Union (EU), a region with some of the world’s strictest privacy and security regulations. 

Under GDPR, companies must build privacy settings into their digital products and websites – and have them turned on by default. Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the methods by which they use personal data, and improve how they communicate data breaches.

The right to privacy has been a pillar of European business discourse since 1950, slowly progressing with the growth of technology and the Internet. In 1995, the European Data Protection Directive established minimum data privacy and security standards, but lacked any considerations for social media, smartphones, or even advanced web technology… because those things didn’t exist yet. The EU recognised the need for modern protections that were not covered, updating the 1995 Directive into the GDPR in 2016. 

The EU’s updated approach to online privacy puts individuals first, believing they should be protected and empowered rather than exploited or ignored. The law focuses on data permission, data access, and data focus, and applies to businesses of all sizes.

Under GDPR, consent requires a positive opt-in, and therefore cannot be obtained by default or through pre-ticked boxes. It also gives individuals a method to gain more control over how their data is collected and used, including access or removal. Focused on data privacy, the GDPR requires businesses to have a legal justification for processing the personal data they collect from consumers.

How Does GDPR Impact Businesses in the EU?

If you are a business operating from or sending SMS messages to the European Union, your business is impacted by GDPR. Prior to GDPR, many EU companies lacked transparency on how consumer data was used, but increased focus on regulatory compliance and SMS marketing best practices has improved consumer experiences. 

Data Permission

Businesses need to ensure they’ve actively sought (and not assumed) permission from prospects and customers. A pre-ticked box that automatically opts people in when they make a purchase won’t cut it anymore. Opt-ins need to be a deliberate choice.

Data Access

As a business, it’s your responsibility to ensure that your users can easily access their data and remove consent for its use. In email, an unsubscribe link allows customers to opt out. In SMS marketing, a ‘STOP’ prompt can be used in the same way.

Data Focus

GDPR requires businesses to show why they are obtaining and processing specific data. This means focusing on the data collected without asking for things outside the scope. Paring down forms is also a best practice in terms of customer experience. Compliance depends on the specific ways you use personal data, as there is often more than one way to comply, so taking responsibility by ascertaining the risks keeps you accountable.

SMS Marketing Regulations in the Middle East

As in EU and U.S. markets, mobile device usage in the Middle East has continued to grow, reaching nearly 280 million users at the end of 2020. This has prompted businesses to increase their SMS marketing efforts on a global scale.

As with any form of marketing, businesses need to be aware of the differences across cultures and governments. For SMS marketing, expectations in the Middle East vary from those in the EU and U.S.

In the Middle East, regulations are based heavily on moral and personal values, including political, religious, and cultural views. Marketing efforts that may prove successful in other markets can easily fail in the Middle East and Africa (MEA) because the regulations are so dynamic.

There is a large focus on the intent of messaging, identifying factors within the message, and time constraints on when messages can be delivered.

SMS Marketing in United Arab Emirates (UAE)

As with the majority of Middle Eastern countries, the UAE has established a considerably rigorous SMS marketing regulation system. It’s important for companies to be aware of these rules, as they add compliance requirements on top of EU and U.S. regulations.

The major SMS regulations in UAE include:

  • Registration and activation of the from address (sender ID)
  • An opt-out message that must comply with the regulations set by the TRA
  • SMS messages can only be delivered between 7 AM and 9 PM according to UAE standard time
  • SMS character lengths must adhere to: first message 160, second message 306, third message 459, fourth message 612 characters

When implementing a global SMS marketing campaign, it’s crucial to always be aware of the time differences across regions to ensure compliance with the regulations listed above.

Role of the TRA in Regulating SMS Marketing in the Middle East

The Telecommunications Regulatory Authority (TRA) was established to oversee the telecommunication sector in the UAE, including SMS marketing. The TRA carries out the following activities in the UAE:

  • Monitoring activities in the telecom sector
  • Approving telecom equipment
  • Overseeing the telecommunications sector and licensees
  • Issuing the required authorisations to use spectrum frequency and wireless equipment
  • Issuing regulations and policies governing the importation, use, and dealing of telecommunications equipment

The TRA focuses on protecting consumers by creating a safe and secure environment for any SMS-related practice in the UAE. It regulates the length, type, content, and delivery of all SMS messages.

Messaging Types

When designing an SMS message, there are two categories it can fall into: transactional and promotional.

Transactional messages do not require any prior consent, as they are only sent after a relationship has been established. These types of messages include shipping notifications and appointment reminders.

Promotional messages are just that, promotional. To be compliant, they must include the sender, type of campaign, and content type.

Forbidden Messaging Content

In the UAE, forbidden SMS marketing content includes information about mobile gambling, illicit language, adult themes, political speech, and religious topics. 

SMS Marketing Regulations in South Africa

Like much of the world, South Africa has a strict regulatory environment for SMS marketing efforts.

The Electronic Communications and Transactions Act (ECTA), along with the Consumer Protection Act (CPA) and the Protection of Personal Information Act (POPIA), work together to regulate electronic marketing, including SMS messaging, in South Africa. Together, these laws help define how consumers give consent and how they can opt out of receiving marketing messages when they’d like.

In South Africa, the general SMS guidelines include:

  • Get opt-in consent from users before sending any communication to them.
  • Only communicate during an end user’s daytime hours unless it is urgent.
  • SMS campaigns should support HELP/STOP messages, and similar messages, in the end-user’s local language.
  • Do not contact end-users on do-not-call or do-not-disturb registries.

POPIA and the Regulation of Direct Marketing

The Protection of Personal Information Act (POPIA) was designed to protect consumers’ personal information, guarding against harms such as identity theft and stolen funds and protecting their privacy.

POPIA has outlined conditions for personal information to be lawfully collected and processed in South Africa. These include:

  • Accountability – the responsible party takes full responsibility for how personal information is processed.
  • Processing Limitation – the processing of personal information is limited to what the consumer has consented to or what is allowed by law.
  • Purpose Specification – the purpose for which personal information is required must be identified.
  • Further Processing Limitation – restrictions on the further distribution of personal information to anyone else or for any other purpose.
  • Information Quality – businesses must ensure that personal information remains correct and up to date.
  • Openness – the responsible party must inform the consumer if there is a breach of their information, including what information was obtained and where it’s stored.
  • Security Safeguards – businesses must put physical and digital security measures in place to protect personal information.
  • Data Subject Participation – Consumers must have access to and control over their personal information.

Put Customer Experience First for Compliant, Successful SMS

Awareness of the customer experience is the starting point for effective and compliant SMS marketing, no matter the geography or culture. Getting a clear opt-in and sending appropriate content at the right time are best practices that add to a great experience with your brand while helping your business remain compliant with regulations.


*Please note that this article is not intended to provide legal advice. Be sure to consult with your legal team for compliance within your SMS marketing efforts.