Learn more about the rules and regulations for sending SMS marketing messages, so you can stay compliant while driving growth.
In the UK, there are three regulations marketers need to comply with when sending texts to customers: The Data Protection Act, UK GDPR and the Privacy and Electronic Communications Regulations (PECR). These regulations apply to all types of texts a business might send, such as marketing and transactional messages like alerts and reminders.
It’s important that businesses know the rules because non-compliance can lead to reputational and business damage, and financial penalties. For example, fines under UK GDPR can be up to £17.5m or 4% of your annual turnover. It also has serious implications for your customers if their data is lost or stolen.
In 2025, retailer M&S was targeted by hackers, which saw its customers’ data, potentially including mobile numbers, stolen. In the same period, Co-Op and Harrods were also targeted. Hackers can sell or share numbers, risking fraudulent activity like identity theft.
Quick summary
- Businesses that send SMS need to comply with three key regulations: The Data Protection Act (2018), UK GDPR and Privacy and Electronic Communications Regulations (2003)
- To comply, businesses need customers to opt-in to receive SMS marketing, and they need to provide an easy opt-out
- Use an SMS provider like Esendex, which is fully compliant with UK laws like GDPR and is ISO27001 accredited for further peace of mind
What regulations are there for SMS marketing?
Online communication, including SMS, is subject to three main regulations to protect customers’ privacy and personal data. And while there is some overlap between them, complying with one doesn’t mean you’ll have the other two covered.
It’s also worth noting that the Data (Use and Access) Act (DUAA) was introduced in 2025. While it doesn’t replace the three SMS regulations, it will result in some changes to help make the rules simpler for organisations.
The Data Protection Act (DPA)
The Data Protection Act (DPA) came into effect in 2018 to regulate how businesses collect and store consumers’ personal information, such as their names, mobile numbers and addresses. It updated the 1998 act, helping to modernise it as many businesses moved online.
Businesses sending SMS messages collect sensitive data such as mobile numbers, so they are bound by the DPA. This includes only collecting data such as mobile numbers if they have permission – and not holding onto it for longer than needed.
Part 2, chapter 2 of the DPA supplements the UK GDPR.
UK GDPR
When the UK left the EU in 2020, GDPR was transposed into UK law. Now called UK GDPR, the regulation gives consumers more control over their personal data.
Businesses can process personal data for marketing purposes if they meet the following two requirements:
- The data subject (the customer) has given specific, unambiguous consent to process their information (in other words, they’ve opted in to your marketing SMS list).
- You have a legitimate interest in processing someone’s data. This is more flexible, with several factors to consider – see the guidance from the UK Information Commissioner’s Office. It’s important to note that the customer’s own rights will always override those of your business.
Learn more: GDPR and Text Messaging: What You Need to Know
Privacy and Electronic Communications Regulations (PECR)
The Privacy and Electronic Communications Regulations (PECR) recognises that digital technology opens up new privacy risks, and puts extra rules in place to protect consumer data. It applies to businesses that market by phone call, email or text.
There are rules on:
- Marketing calls, emails and texts
- Cookies and similar technologies
- Keeping communications services secure
- Customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings
“Cybersecurity risks are increasing every year, especially with AI used to create fraudulent emails, websites and texts to steal consumers’ personal information. Mobile communications like SMS and WhatsApp are really personal, so hackers could be inclined to target customers using these channels. As we’ve seen over the last year, cybercriminals are sending fraudulent texts to parents claiming to be their child to encourage them to transfer money to a bank account.
“Sectors like financial services and insurance are also often targeted because they collect sensitive and financial data like debit card numbers. Businesses sending SMS need to ensure they’re up to date with data protection laws like GDPR, while keeping clear records of compliance.”
7 best practices for SMS compliance
Our report, The Connected Consumer Report 2024, revealed that over half (51%) of consumers would trust a message from a business if they used sender ID, sent clear and concise messages (39%) and linked to a secure and reputable website (37%).
1. Get clear consent
It’s important that you have explicit permission before sending marketing text messages. There are two ways to do this – either get consent in writing through a physical or a digital signature, or include an opt-in tick box on the form customers fill in when they make a purchase or sign up with you. Make it clear that consent is optional.
Be aware, however, that you can’t make opt-in the default – your customer has to tick the box themselves. You also need to include a note explicitly asking for consent to send text messages.
Fortunately, more than half (53%) of consumers are willing to share contact details with an organisation, with 94% stating they’re likely to reply to an SMS.
If you aren’t sure how to get consent, check out our creative and compliant ways to grow your SMS opt-in list.
2. Provide easy opt-outs
It’s not just signing up that needs to be crystal clear. GDPR and PECR regulations mean it’s a legal requirement to offer customers a simple way to opt out.
For marketing SMS, you should include an opt-out message in every text, reminding customers they can unsubscribe at any time by responding with the word ‘STOP’ or ‘UNSUBSCRIBE’. Don’t forget to send a follow-up text message to confirm the update.
Thanks for signing up to receive updates from us! Text HELP if you have any questions and STOP to opt out.
3. Be transparent about data protection
UK regulations state that customers need to understand exactly what they’re signing up for, with a clear description and a full privacy policy. This should include a specific SMS policy that explains what information is gathered, how data will be used, and what sorts of communications customers can expect from you.
4. Make it clear who you are
The law – and common sense – requires you to make it clear who each message is from. It tells customers your message isn’t spam and means they’re more likely to engage with you.
The UK government states that emails or text messages must clearly indicate:
- Who you are
- That you’re selling something
- What the promotions are, and any conditions.
Businesses can include sender ID for texts, which helps to demonstrate that it’s a legitimate business.
5. Don’t send customers messages without their consent
Just because you have your customers’ contact information, it doesn’t mean you should use it. You should only send marketing SMS to people who have agreed to receive them. The only exception to this is where there is a clearly defined customer relationship.
The Privacy and Electronic Communications Regulations 2003 cover the sending of text message marketing. This legislation says that organisations must only send marketing text messages to individuals if they have agreed to receive them, except where there is a clearly defined customer relationship.
6. What are the quiet hours for SMS?
Sending your messages out at the wrong time can cause you to lose even the most loyal of customers. SMS marketing is all about timing, so stick to business hours – between 9am and 6pm.
Learn more about When To Send Marketing SMS.
7. Don’t spam your customers
Similarly, as we’re constantly bombarded with marketing messages, it’s important that you’re not simply adding to the noise. We recommend you monitor engagement and unsubscribes, and be sensitive to how your customers are responding.
Customer case study: Rotherham Council
Local councils are bound by stricter data protection laws because they collect sensitive information about residents such as financial data, which is why Rotherham Council approached Esendex. The council needed to send secure SMS for payment reminders, so Esendex helped it adopt the channel and collect payments on time.
“By combining SMS and the Esendex mobile payment solution, we have a faster, more secure and convenient way for customers to make Council tax payments. We’ve increased payments through the Esendex mobile journey and have also reduced the staff time needed to administer them.”
Read the full case study.
Getting started with SMS marketing
Laws around SMS can be complex, which is why it’s important to work with an SMS provider that is fully compliant. Esendex is compliant with laws including GDPR and DPA, and is ISO27001 accredited, which means it meets the highest standards of data security.
Get started with secure SMS marketing.
SMS regulations FAQs
Who do SMS regulations apply to?
UK SMS regulations apply to all businesses that communicate with UK customers by text, whether those customers are individual consumers or other businesses. Marketing, promotional, transactional, and customer service messages are all covered by regulation.
How many messages can you send a day?
SMS marketing tools let you automate your messages, helping you work efficiently, minimise mistakes and see exactly what’s going out. You’ll also be able to set up workflows depending on specific customer actions. The frequency of the messages you send should depend on your audience and content.
How can I make sure all messages are received?
Your bulk SMS provider should be able to give you insights into this within the platform that you are using. As well as using a reliable bulk SMS platform, be sure to use the appropriate sender ID and avoid bombarding customers with repetitive messages. Also, keep mobile numbers up to date.
Does GDPR apply to text messages?
GDPR does apply to text messages because businesses will need to have collected personal data, like mobile numbers and names, to send them.
Can you send an SMS without consent?
You shouldn’t send an SMS without consent from your customer, otherwise you could be in breach of multiple laws. Customers also won’t appreciate being contacted without permission, so you could lose trust.
Is 10pm too late to send a text?
It’s generally not best practice to send text messages out of hours unless for emergencies such as alerts. Although SMS is a more personal channel, keep texts within business hours, which are generally between 9am and 6pm. Contacting customers at anti-social times could reduce trust and you risk coming across as spam.