Who Regulates SMS Messages?
The Federal Communications Commission (FCC) passed the Telephone Consumer Protection Act (TCPA) in 1991 in response to growing complaints about telemarketing calls, especially those that used robo-dialers. Over time, the legislation has expanded to include SMS and email marketing. In addition, the industry has developed guidelines and best practices to help marketing companies navigate the world of digital and cyber marketing.
The Mobile Marketing Association (MMA) issued the U.S. Consumer Best Practices, which summarizes the TCPA provisions, and expects members of the MMA to adhere to the best practices and the regulations. While there are no legal enforcement provisions, members who do not adhere to the code of conduct can be removed from the association and face reputational damage. And because people can shop from anywhere now, if you do business with consumers in the European Union, you also need to be aware of the EU’s General Data Protection Regulation (GDPR), the strictest privacy and data security regulations in the world.
SMS Compliance Checklist: 7 Tips
To sum up, here is a quick list of things to keep in mind:
- Consent: Before you send so much as a smiley face, you need to have written consent from your customer that you can send messages via SMS or MMS. It’s not enough for them to provide their phone number--they need to agree in writing how you may use it.
- Transparency: Be very clear about what customers are signing up for, how you will use their information, how often they will receive messages, and that there could be additional charges.
- Accuracy: Make sure you keep track of who opted in and just as important, who opted out. If the GDPR comes calling, you need to be able to prove compliance on the spot. Remember, providing a phone number is not consent. You must have written consent that they agreed to receive marketing messages.
- Opt-out: You must tell customers they have the option to opt out at any time, even after they have opted in. In addition, every SMS message needs to include an opt-out keyword that customers can reply with to stop receiving messages.
- Timing: The TCPA allows you to send SMS texts from 8 a.m. to 6 p.m. Pacific Time only.
- Integrity: This is a GDPR requirement, but it’s a good rule of thumb: Treat the customers’ information with respect and safeguard it. If there is a breach (and it happens), take ownership and tell people right away.
- Limitation: Another best practice that will make you GDPR compliant: Your customers are entrusting you with their information. Do not sell it to others, don’t use it for anything other than what they are agreeing to, and if they opt-out, do not keep the information forever.
- Double Opt-In: You can partake in the double opt-in process requiring the subscriber to verify that they wish to receive SMS marketing content from the specific company.
SMS Compliance Laws You Need to Know
In simple terms, the TCPA states that before a business can send marketing messages to a consumer, that business must get express written consent from the consumer. Consumers can specify what kind of communications they want to receive. They can also opt out, and that wish must be respected.
1. Opt-In: Consumers must give written consent before anything can be sent by SMS/MMS. Consent can come in different ways, for example:
- Consumers respond to a call to action (CTA). Something like “TEXT 123 to join our VIP program and receive 10% off your purchase today.”
- Customers scan a widget or QR code that allows them to opt-in by providing their phone number.
- Consumers provide a phone number in response to an email, a pop-up on the website or a prompt during a physical or digital purchase.
2. Confirmation: Once the initial opt-in has occurred, it is important to send a response that requires the consumer to confirm they are aware they are opting in to receive marketing messages, that they can unsubscribe at any time and there may be additional charges to receive SMS/MMS messages.
(In practice, every provider across the globe allows SMS messages, but not all of them accept MMS. Both SMS and MMS are considered text messages, so they won’t eat into data plans.)
3. Timing: The TCPA states SMS campaigns can be sent from 8 a.m. to 9 p.m. in the recipient’s timezone. It can be difficult to know a user’s location, and area codes are not a reliable indicator. So, practically this means 8 a.m. to 6 p.m. Pacific Time. That includes weekends and holidays.
4. Opt-Out: Consumers have the right to opt-in for all, some or none of the marketing messages. For example, they can opt in for delivery notifications and order updates or appointment reminders and opt-out of the marketing messages. They can opt-in for SMS and opt-out of email or vice versa. They can also change their minds and opt-out at any time. Businesses must honor consumers’ wishes.
Every SMS message should include instructions that give consumers a way to opt-out just by replying to the message with “STOP,” “CANCEL”, “END” or a similar keyword. Opt-out should be immediate. Consumers also have the right to be placed on a “do not contact” registry, and businesses must comply with that request as well.
5. GDPR: People shop from all over the world, and area codes may not tell the full story, so it’s good to be aware of the EU guidelines, especially if you allow international orders.
The GDPR applies to all personally identifiable information that could allow a person to be directly or indirectly identified. That includes name, address, phone number, customer number, etc.
If you process data, you must follow seven principles, including being transparent, using the data only for what you need it for and for what the person agreed to, and keeping the data safe and secure. You must also be able to show compliance at any time on demand. There are also strict rules about what constitutes consent and opt-in, and under what circumstances you can use the data in the first place. If you adhere to GDPR guidelines, you will be compliant with any regulations anywhere else in the world.
The regulations themselves are more than 88 pages, so take some time to study them. Not only are they the most comprehensive, they are also expensive if you mess up: “There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.”
What is the Double Opt-In Process?
Radiance Commerce recommends that companies partake in the double opt-in process as a great practice for SMS marketing campaigns. There are a variety of methods to have users subscribe to the marketing mailing lists. In essence, a user fills in their contact information, such as email and/or SMS, on the site and immediately receives a confirmation text asking them to confirm their new subscription. If the user confirms the subscription, the user can now receive marketing messages until they opt out.
Overall, the double opt-in process has the user subscribe through the specific format on the website/platform and then confirm that they do indeed want to opt in to receiving marketing messages. It is important to note that the user will not receive any marketing messages until they confirm that they have indeed subscribed. However, their information may be cached and used for analytical marketing purposes.