Must-Know SMS Marketing Regulations in the U.S.

Act-On
SMS Marketing

SMS marketing can be a powerful component of your growth strategy, no matter what vertical you’re conquering. However, before you keep going on SMS, make sure you’re set up for ongoing compliance. Like email, SMS is a regulated channel with its own specific rules and requirements. To be successful, it is important to take a look at these must-know regulations for SMS marketing in the US, including TCPA, CTIA, ADA, and global regulations.

Why Following SMS Marketing Regulations is So Important

Regulations are in place to protect people from unwanted messages. They make the SMS landscape safer, more predictable, and less intrusive for individual consumers. SMS marketing regulations ultimately ensure the consumer is in control of whether, how and how much to receive text messages from anyone they choose. 

As with other automated marketing channels, like email, the use of SMS for marketing is regulated. Legal requirements vary depending on global regions and national laws, and the consequences for failing to comply can result in severe reputation damage at best and criminal lawsuits at worst. 

Without an understanding of legal requirements and proper protocol, including consent, businesses may unknowingly send unsolicited SMS messages. The last thing any marketing team wants to do is spam their audience with irrelevant information, offers, products, or services.

Following regulations will ensure your business is marketing to consumers ethically, purposefully, and effectively. Plus, compliance is mandatory if you don’t want to get blacklisted, so make sure to consult with your legal team. Use this short summary of the most important SMS marketing regulations to get started on your thought process for compliance. 

The specifics behind consent are designed to eliminate subscriber confusion. If the subscriber is confused, it is very likely he/she will opt out, and in most cases that opt-out translates to lost revenue. Smart SMS marketers need to take significant steps to educate the subscriber on precisely what they are getting themselves into when they consent to messaging. 

SMS consent must be explicit and detailed. Subscribers must grant consent to be opted-in to receive SMS messages from a business. You must keep records of how the consent was gained, with message history and time stamps. It’s important to note that a prior business relationship does not constitute consent, and that a secure place to house this data is crucial. 

Those who opt-in must have access to legal documentation including privacy policies, and terms of service should be updated to include:

  • How the subscriber’s mobile number will be stored and used
  • Details on the types of messaging that the subscriber will receive
  • Frequency of messaging and originating senders
  • How to opt-out of messaging and how to get help

Remember, the consumer can revoke consent at any time, and it is a best practice to include an opt-out opportunity with every message.

SMS Marketing Regulations In the United States

In the United States, two Acts control what you can and can’t do with SMS marketing.

  1. The Telephone Consumer Protection Act (TCPA)
  2. The Can-Spam Act

Each of these laws were created to protect the consumer from unwanted solicitation. The TCPA hones in on the consent needed to advertise to consumers via SMS. The Can-Spam Act helps protect consumers from receiving unwanted advertisements. Coupled together, they provide a solid foundation for businesses to build their advertising efforts in a respectful and compliant manner while always keeping the consumer in mind. 

Telephone Consumer Protection Act

The Telephone Consumer Protection Act (TCPA) is a United States federal law that requires businesses to get expressed written consent from consumers using mobile devices before sending them marketing text messages. 

It’s important to know in order to be compliant with TCPA, you must clarify to potential SMS subscribers that they’re signing up to receive recurring automated text messages by joining your text program. You can’t hide this consent language at the bottom of your sign-up, on a landing page, or a page that users have to click through to see. It needs to be clearly visible and close to the call to action.

As consumers opt into SMS marketing campaigns, there must be clear, conspicuous disclosure of the messages they will receive. They must also agree to receive these messages on their mobile device in order to begin. 

Here are some TCPA compliant ways to collect SMS marketing opt-ins: 

  • Keyword text: Consumers must text a keyword from their mobile device to join the database.
  • Paper form: Customers give consent on a paper form that clearly states they agree to receive text messages through their phone number from your business.
  • Online form: An online form must explicitly state that the consumer subscribes to receive text messages through their phone number from your business.
  • Website popups: A popup form on your website can invite consumers to subscribe by sharing the details of your SMS program and providing an opt-in option.

A best practice for any SMS sign-up method you choose to use is to enable double opt-in, and send a welcoming message to confirm. For example, once a potential subscriber has provided their phone number, they can be automatically sent an SMS message stating, “Welcome to XYZ product reminders. Reply with a Y, so we can make sure to keep you updated in real time as we make updates.”

It’s important to be transparent with your subscribers. Consider sending messages that cover: 

  • A brief description of the type of content to which they’ve subscribed.
  • The average number of messages they should expect to receive in a specific period.
  • A link to your privacy policy in full detail.
  • Instructions on how to opt-out from receiving messages (STOP instructions) and how they can get help information (HELP instructions) with a simple link. 

TCPA Exceptions

You should always be careful about the subject matter and how you send your text messages, because marketing messages sent via SMS are regulated differently than other types of messages. 

Examples of TCPA text message exemptions include:

  1. Prior relationships: If you are sending SMS messages to an existing customer, you’ve already established a relationship. This is defined by a consumer requesting information about your business within the past three months or if they’ve used your services within the past 18 months.
  2. Specific types of businesses: You are exempt from requirements if business information is sent on behalf of someone covered under a specific healthcare plan, or your business is a non-profit that doesn’t sell goods or services.
  3. Emergency purposes: If you’re using an automated text message for emergency purposes, it’s exempt from TCPA. 

CAN-SPAM Act

The CAN-SPAM Act reflects the rules in the TCPA and is the primary text spam law in the US. Under the CAN-SPAM Act, the FCC regulates commercial text messages sent to mobile devices, making sending unwanted text messages to cell phone numbers illegal. These unwanted messages are also known as robotexts. Messages must also be easily identifiable by the reader as an advertisement.

Similar to email, companies must provide clear information that easily allows consumers to unsubscribe to the messages. It’s important to note this Act only applies to commercial messages (advertisements) and not to any messages relating to an existing transaction or relationship.

Emails sent by businesses have different purposes, which generally fall into the categories of commercial and transactional (relationship). Commercial content advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose. Transactional facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction such as an order confirmation, warranty or safety production information, account balances, employee benefits, or shipping information. If the message you’re sending is purely commercial, it must comply with the requirements of CAN-SPAM

While this act originally pertained to emails, as it was designed before SMS existed, the FCC has since recognized the importance of SMS marketing compliance and extended the CAN-SPAM Act regulations to text messages. 

Protecting Children With COPPA

The Children’s Online Privacy Protection Act (COPPA) is a federal law made to limit the collection and use of personal information about children from operators of websites. 

COPPA requires the operators of websites to include a clearly written privacy notice on their homepage and anywhere else on their site where user data is collected. The privacy policy must outline who is collecting and maintaining the information supplied to the website and provide their contact information, explain how the information will be used, and state if it will be made available to third parties. In addition, COPPA requires website operators to get “verifiable parental consent” before collecting or using personal information from children. Even if parental consent has been granted once, the site operators must seek consent again when they change any part of their privacy policies.

Exceptions to COPPA’s parental consent requirements are allowed when collecting personal contact information to seek consent, protect a child’s safety, or respond to a child’s one-time request (provided that the personal information is deleted immediately afterward).

According to the FTC, “Most companies that run websites directed to children under 13 are aware of their responsibilities under the COPPA Rule. But if you run a site directed to a general audience or operate an ad network, plug-in, or other third-party service used by kid-directed sites, you may have COPPA compliance obligations, too.” 

It’s also important to be aware of best practices when using SMS marketing to communicate with parents about things such as kids’ products, as COPPA also applies.

SMS Marketing Regulations in Canada

Canada passed the anti-spam law, Canada Anti-Spam Legislation, otherwise known as CASL, in 2014. It is similar to the U.S. Telephone Consumer Protection Act (TCPA). 

Under the CASL, businesses that use electronic messages to communicate with consumers must obtain consent, provide identification information, and provide a way to unsubscribe. 

Consent falls under two categories; implied and expressed. Implied refers to a consumer providing or disclosing their information to a business, implying consent. Expressed refers to a consumer explicitly agreeing to receive electronic communications from a business, including SMS marketing. 

SMS Best Practices To Remain Compliant

One of the best sources of information on best practices for SMS marketing is the Cellular Telecommunications Industry Association (CTIA). The CTIA guidelines align with TCPA rules, and have been devised via consultation with key industry stakeholders. The guidelines are not legally binding, but provide a great foundation for doing SMS marketing the right way. Detailed CTIA recommendations are provided in their Short Code Monitoring Handbook and Messaging Principles and Best Practices.

Like the TCPA, the CTIA also requires explicit opt-in consent, and privacy details can’t be hidden or buried on the site. Other recommendations include:

  • All messages should convey a clear call to action. 
  • Users must understand precisely what they’re signing up to receive.
  • Clearly labeled Terms & Conditions and Privacy Policy links must be displayed in the opt-in message.
  • Once a subscriber joins your SMS program, you must send them a message that includes the description of the recurring program, the message frequency, a disclaimer that message and data rates may apply for each message, and information about getting help or opting out.
  • Subscribers must be able to opt-out at any time by responding with language like: “stop,” “end,” “cancel,” “unsubscribe,” or “quit.”
  • Subscribers should be able to get help by responding with the message “help,” which should automatically respond with the program name and information on getting help.
  • All outgoing text messages must clearly include your business’s name.
  • Content such as (but not limited to) hate speech, certain firearms, and violence cannot be promoted via SMS messaging.
  • Programs must display opt-out instructions at regular intervals in SMS messages.
  • Opt-out information must be clearly displayed in the message or within the Terms & Conditions.

SMS Marketing Regulations in EMEA, APAC, and CSA Regions

As SMS marketing continues to be a global strategy, businesses must be aware of laws across regions when using the channel. For most intents and purposes, the USA rules on SMS messaging are applicable throughout most developed nations. In addition, some regions have specific compliance requirements businesses must follow.

EMEA

While many of the US regulations apply globally, the regions of Europe, the Middle East, and Africa do adhere to additional e-communication rules.

General Data Protection Regulation (GDPR)

GDPR requirements govern each member state of the European Union to create more consistent consumer and personal data protection across EU nations. Some of the critical requirements of the GDPR include:

  • Requiring consent of subjects for data collection
  • Making any data collected anonymous to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring companies to appoint a data protection officer to oversee GDPR compliance when applicable

The GDPR mandates a benchmark set of standards for companies that handle EU citizens’ data to safeguard citizens’ personal data processing and collection.

Privacy and Electronic Communications Regulations (PECR) and Data Protection Act 

The U.K. has regulations that support and work with the GDPR. They are the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act.

The PECR applies to electronic marketing methods, website tracking (such as cookies), security measures, and privacy rights. 

The Data Protection Act regulates how businesses can store and use consumers’ personal data. Under this act, personal information must be used “fairly, lawfully and transparently.” Businesses can only use data when appropriate and can’t store the data any longer than deemed necessary. 

Layering on the GDPR principles, customers have the right to know how their data is being used or have data updated or erased. 

Australian Communications and Media Authority (ACMA)

The ACMA is tasked with ensuring media and communications work for all Australians. It is responsible for the regulation of broadcasting, internet, radio communications, and telecommunications, including regulations for SMS marketing.

In ACMA, there are two types of consent. Compared to many other countries, the interesting nuance here is that a prior business relationship can constitute consent. However, it is not a recommended practice.

Express Consent, on the other hand, is consent gained from various opt-in methods such as web forms, contracts, IVR, or keyword campaigns.

Implied Consent is consent that constitutes a prior existing relationship with the subscriber where it can be implied that it is reasonable to assume that subscriber would be interested in communicating with the business via SMS.

  • Observe quiet hours of 8PM-9AM locally
  • Clear opt-out methods that are honored
  • Identity of the sender is required either in the form of alpha-numeric sender ID or in the body of the SMS
  • Compliant opt-in forms

Regulations for SMS Marketing in APAC

In China and the Asian Pacific, laws governing SMS marketing include the Consumer Rights Protection Law, the Decision on Strengthening Online Information Protection, and the Administrative Provisions on Short Message Services.

Consent may be requested via SMS, but it is not a best practice for this region. The compliance rules that do apply include:

  • Observe quiet hours of 8 PM-9 AM locally
  • Clear opt-out methods that are honored
  • Identity of the sender is required either in the body of the SMS

CSA

The regions of Central and South America (CSA) are generally still considered the wild west of SMS with little to no laws or enforcement of standard North American rules and best practices. In most CSA countries, the sending of religious or political content is prohibited. 

When marketing in a region with few compliance regulations, like Latin America, it’s essential to follow the general rules of thumb to ensure you are protected. 

Complying with Regulations for SMS Marketing is Easy with Act-On

SMS marketing regulations are created to protect consumers across the globe. Customers have the right to know what they are subscribing to, and know that businesses are using their personal information with respect and responsibility. As long as your business is attentive in keeping up with these guidelines, you’ll be successful in your SMS compliance. 

As a recap, these general rules include gaining written consent, keeping thorough records of consent, observing quiet hours, clearly communicating op-out and help options, and posting privacy policies in clear view for the consumer. 

Act-On’s SMS marketing tool provides easy-to-implement elements for adding proper SMS opt-in to your forms and maintaining recommended best practices.  

Remember, this article is not intended to provide legal advice. Much of the laws surrounding SMS marketing are muddled because of contradictory decisions made on the Federal Courts level. As the laws continue to be defined be sure to consult with your legal team or consult with a lawyer before launching your SMS marketing strategy. 
For more information on designing and implementing SMS in your overall marketing efforts, check out Act-On’s SMS automation platform. We believe in being compliant with all regulations, understanding your business purpose, and aim to be a strategic partner in creating an effective and safe way to use SMS marketing automation.