SMS regulations in the UK
We break down UK-GDPR, PECR, and DPA regulations that affect businesses sending SMS to customers.
By Risa Takenaka
SMS regulations can be a hassle to follow, and the transition to Brexit has brought some confusion as to whether EU policies apply to the UK or not. We’re here to help you navigate this space and explain the key regulations that affect SMS in the UK, namely:
- Data Protection Act (DPA)
- UK-GDPR
- Privacy and Electronic Communications Regulations (PECR)
While there is some overlap between the three, it is important to realize that there are differences. Let us walk you through these differences and explain what you need to do to ensure you’re in compliance.
The Data Protection Act
The Data Protection Act (DPA) is a domestic law that governs the use of personal data and information in the UK. Following Brexit, it was amended to reflect the UK's departure from the EU, and its latest version took effect on January 31, 2020. The DPA is split into several different sets of data protection laws; Part 2 pertains to “General processing,” which supplements the UK-GDPR.
UK-GDPR
The General Data Protection Regulation, or GDPR, replaced the previous legislation for data protection in every EU country when it came into effect in 2018. After Brexit, a new set of domestic privacy laws in the UK, called the UK-GDPR, took effect on January 31, 2020. While it is almost identical to the GDPR, there are some differences which make it relevant to the UK-only context. The UK-GDPR applies to all processing of personal data from individuals located in the UK. If your business plans to collect personal data and send SMS to EU residents, you must also follow the guidelines of the EU GDPR.
1. UK-GDPR on explicit opt-ins for consent
The UK-GDPR states that businesses must give consumers the opportunity to express explicit consent to receive promotional content via SMS. The best way to collect this consent is through opt-ins, and there are specifications on how this should be done. While some organizations provide opt-in boxes that are ticked by default, the UK-GDPR does not consider this valid consent.
As a best practice, we recommend that you use unticked opt-in boxes to ensure that you are receiving explicit and affirmative consent.
Furthermore, when asking for consent, it is critical that it is done individually for each channel. For example, if the registration form on your website offers opt-ins for email and SMS marketing, each channel must be a separate unchecked box.
2. UK-GDPR on opt-outs and withdrawal of consent
The UK-GDPR states that individuals must be able to easily withdraw their consent. This means that you must provide a way for end users to opt out of future SMS, and the opt-out instructions must be stated in the end users’ local language. Furthermore, it is important to act on withdrawals as soon as possible.
3. UK-GDPR on customer data management
Phone numbers are considered personal data, and the UK-GDPR requires that businesses implement measures to ensure that this data is processed securely. While the GDPR doesn’t specifically require that you encrypt data, it is a best practice to make sure that customer phone numbers are securely managed. In the event of a data breach, businesses can be held liable if they did not have proper measures implemented to protect customer data. For more information on how to protect your data by design and by default, please read the guidance published by the Information Commissioner’s Office, the UK’s independent authority on information rights.
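The three UK-GDPR points above (affirmative per-channel opt-in, easy withdrawal that is acted on immediately, and secure handling of phone numbers) can be enforced in code rather than left to policy. The following is an added example written for this page; it is not Telnyx code or an official implementation. It assumes a small in-memory consent ledger, a constructed list of STOP keywords, constructed phone numbers, and keyed hashing (HMAC) as one way to pseudonymise numbers at rest; none of these are prescribed by the regulations themselves.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Reply keywords treated as a withdrawal of SMS consent (constructed list for this example).
STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "END", "CANCEL", "QUIT"}


@dataclass
class ConsentRecord:
    channel: str                        # consent is held per channel ("sms", "email", ...)
    source: str                         # where it was captured, e.g. "web_signup_form" (constructed)
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-channel consent keyed by an HMAC of the phone number.

    The HMAC pseudonymises the number at rest so the ledger never stores the
    raw number (an assumption about one way to 'securely manage' numbers;
    the regulations do not mandate this particular measure).
    """

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}
        self.audit: List[str] = []      # evidence trail of consent decisions

    def _token(self, phone: str) -> str:
        # Normalise to digits and a leading '+' so "+44 7700 900123" and "+447700900123" match.
        normalised = "".join(ch for ch in phone if ch.isdigit() or ch == "+")
        return hmac.new(self._key, normalised.encode(), hashlib.sha256).hexdigest()

    def record_opt_in(self, phone: str, channel: str, *, box_prechecked: bool,
                      ticked_on_submit: bool, source: str) -> bool:
        """Accept consent only when the user actively ticked a box that started unticked."""
        if box_prechecked or not ticked_on_submit:
            self.audit.append(f"rejected {channel} opt-in from {source}: no affirmative action")
            return False
        now = datetime.now(timezone.utc)
        self._records.setdefault(self._token(phone), {})[channel] = ConsentRecord(channel, source, now)
        self.audit.append(f"recorded {channel} opt-in from {source}")
        return True

    def withdraw(self, phone: str, channel: str) -> bool:
        """Mark consent for one channel as withdrawn; other channels are untouched."""
        rec = self._records.get(self._token(phone), {}).get(channel)
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        self.audit.append(f"withdrew {channel} consent")
        return True

    def handle_inbound_sms(self, phone: str, body: str) -> bool:
        """Treat a STOP-style reply as an immediate withdrawal of SMS consent."""
        if body.strip().upper() in STOP_KEYWORDS:
            self.withdraw(phone, "sms")
            return True
        return False

    def can_send_marketing(self, phone: str, channel: str) -> bool:
        """Gate every marketing send on an active consent record for that channel."""
        rec = self._records.get(self._token(phone), {}).get(channel)
        return rec is not None and rec.active
```

Every outbound marketing message should pass through `can_send_marketing` at send time rather than relying on a list exported earlier, so that a withdrawal received a moment ago is honoured on the very next send; the `audit` list gives you the who/when/how evidence you would need to demonstrate that consent was freely given.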
PECR in the UK
The Privacy and Electronic Communications Regulations, or PECR, sit alongside the GDPR and help to protect consumers’ privacy rights in relation to electronic communications. PECR covers several areas, but two of its regulations in particular apply to businesses using SMS.
1. PECR on unsolicited electronic marketing
This regulation overlaps with UK-GDPR: PECR places restrictions on unsolicited marketing through electronic channels such as SMS and other electronic messages. There are different rules for different types of communication, and they are generally stricter when marketing to individuals rather than to companies.
An unsolicited message is any message that has not been specifically requested. In order to send unsolicited direct marketing, PECR states that you will often need to obtain specific consent; the best way to do this is to ask customers to opt in to confirm that they are aware of, and willing to receive, marketing communications.
There are no PECR restrictions against solicited marketing, which is when a message is actively requested. For example, if an individual specifically requests a piece of information, you can send them this without worrying about PECR.
In both solicited and unsolicited cases, the sender of the message must state who they are, display a number if making calls, and provide a contact address.
2. PECR on opt-outs in unsolicited electronic marketing
As stated in the UK-GDPR, you must also offer a simple way to opt out when you first collect a customer’s details, and with every subsequent message.
3. PECR on regulations for compiling a telephone directory (or a similar public directory)
There are specific rules that you must follow if you want to compile a directory which includes any personal information such as name, telephone numbers, fax, approximate address or email addresses. In order to remain compliant with PECR you must:
- Tell individual subscribers that their information is being collected
- Give them the chance to choose to opt-out
- Get their express consent for reverse searches
- Correct or withdraw entries on request, without charge
SMS Regulations in the UK vs U.S.
In comparison, U.S. data privacy and consumer protection laws differ slightly in stringency. The main set of laws governing SMS regulations in the U.S. is the Telephone Consumer Protection Act (TCPA), which is enforced by the Federal Communications Commission.
The three main regulations in the TCPA which relate to SMS are:
- Consent and Opt-In - Similar to the UK-GDPR and PECR, businesses must collect consent before contacting consumers via SMS. However, unlike the UK laws, the TCPA does not specify that pre-checked boxes do not count as valid consent.
- Opt-outs - Similar to the UK-GDPR and PECR, the U.S. laws require that every SMS sent to customers includes a clear, easily understood option for opting out of future messages.
- Identify Automated Communication - It is required that you tell customers if you are contacting them through an automated system, so this must be specified when collecting consent.
Each non-compliant call or text message counts as a violation, and fines can cost anywhere from $500 to $1500 per violation. Furthermore, class action lawsuits can be filed under the TCPA so businesses can be fined for multiple violations for every customer that may have been affected.
Telnyx Is the SMS Provider for UK-GDPR and PECR Compliance
Although the legislation around sending SMS in the UK may feel daunting, following these best practices will help you remain compliant with these regulations. Telnyx is a certified carrier across the globe, and we are committed to helping businesses navigate the regulatory environment in different geographies. Whether you’re a UK-based business or a US-centric business looking to expand SMS into this region, we’re here to make the process easier.