SMS Regulations: What You Need To Know
Articles - 4 min read

SMS Regulations: What You Need To Know

In recent years, the go-to mode for personal communication has shifted dramatically from email and phone call to short message service (SMS), better known as text. So, it’s no surprise that businesses have also followed this transition to engage with their customers via SMS -- in fact, business to consumer (B2C) text marketing grew by 92% from 2015 to 2017.
SMS is an attractive choice for B2C communication for three key reasons:
1. SMS has higher engagement rates than email
  • Email open rates are about 20%, while SMS rates are 98%.
  • 95% of all text messages are read within 90 seconds.
2. SMS offers versatile use cases across industries. Here are some examples:
  • Enhanced Customer Support
  • Sales Acceleration
  • Customer Engagement
  • Ticketing
  • Notifications and Alerts
  • Two Factor Authentication
3. SMS is easy to scale
The popularity of application-to-person (A2P) SMS, which automates the process of sending messages locally and globally to mobile subscribers, has made it possible to scale quickly and send thousands of messages per minute.

The purpose of SMS Regulations

With the widespread use of SMS and the massive number of messages being sent out daily, it’s no surprise that legislation has been put into place to protect consumers from unwanted SMS. Additionally, since phone numbers are considered personally identifiable information (PII) consumer data protection laws limit what businesses can do with this information.
Violating these regulations is bad news for your business -- in addition to reputational damage, the fines can put your business in a tough spot financially -- the average cost of a Telephone Consumer Protection Act (TCPA) lawsuit $6.6 was million dollars in 2019.

Here’s an overview of the specific regulations your business needs to comply with to avoid trouble:


The General Data Protection Regulation, or GDPR, is the European Union’s set of consumer data protection laws. Fines are based on business revenue, and can be up to 20 million Euros or 4% of a business’s global revenue.
The GDPR is one of the strictest sets of data protection laws, and has three core principles: consumer consent, opt-out information, and customer data management.
Consumer Consent - Customer permission, preferably provided in writing, is necessary before you can contact them through any channel. Opt-Out Information - You must include opt-out links or key words in every piece of communication.
Customer Data Management - Sharing data with third parties and other companies is prohibited, unless consent has been given by the customer beforehand. While data encryption is not explicitly required, it’s a best practice because businesses can be held liable in the event of a data breach if measures weren’t taken to protect consumer data.


The Telephone Consumer Protection Act (TCPA) is enforced by the Federal Communications Commision, and it’s the U.S. equivalent of the GDPR. The Cellular Telecommunications Industry Association (CTIA) isn’t an enforcement agency, but gives guidance for businesses using SMS. Each non-compliant call or text message counts as a violation, and fines can cost anywhere from $500 to $1500 per violation. Furthermore, class action lawsuits can be filed under the TCPA so businesses can be fined for multiple violations for every customer that may have been affected. The main points of the TCPA are customer permission and identifying automated communication.
Customer Permission - Similar to the GDPR, the TCPA states that you must receive permission from customers before contacting them, and primarily emphasizes SMS, calls, and email.
Identify Automated Communication - It is required that you tell customers if you are contacting them through an automated system, so this must be specified when collecting consent.


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the set of consumer data protection laws enforced by the Office of the Privacy Commissioner of Canada. Although similar to the GDPR and TCPA, PIPEDA has some unique requirements including identifying purposes and limiting collection and use.
Identifying Purposes - You must receive consent before contacting customers, and you must also explicitly explain why you are asking for a phone number or email address.
Limiting Collection and Use - You can only collect and store customer information necessary for a specific purpose.

Best Practices For Staying Compliant

It may be difficult to know how to translate the guidelines above, into concrete actions that your business should take. Luckily, we’re here to help with some best practices for remaining compliant. Have customer consent before engaging in SMS communication Make sure that the messages sent to consumers include opt-out options Establish standardized SMS compliance policies Use automated consent forms and data validation Work with a telecom carrier that encrypts data from end to end
For further information on how to implement these best practices, be sure to check out Telnyx’s eBook, Your Complete Guide to SMS Regulations.
Share on Social

Worth checking out

By using the site, you agree to our use of cookies. Accept and close Find out more here.