GDPR compliance for SMS Marketing


You’ve gone through all the process of identifying your target audience, collecting their phone numbers, crafting the copy for your campaigns, and setting all your preferences.

But before sending your SMS, take a moment to check your campaign and answer one very important question: are you 100% GDPR compliant?

We’ve got together with our lawyers, Sophie Soubelet-Caroit and Perrine Salagnac from the SSC Avocats to understand the implications of GDPR and Data Protection.

To be concise, in this section we’ll only focus on the GDPR foundations, data collection, and consent specifically for SMS Marketing campaigns. However, we encourage you to also read our guide on Cybersecurity & SMS Marketing: keep your data safe, in which we explore in depth how to keep your data secure, prevent attacks and breaches, and what to do in case you experience one.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a “privacy and security law that enforces obligations to any type of institution collecting data from users that belong to the European Union”, even when the institution itself does not belong to the EU. For example, if you’re based in Brazil but you’re processing data from European customers or visitors, then you have to be GDPR compliant.

This regulation was adopted in 2016 and enforced from 2018 to put an end to the mumbo-jumbo Terms & Conditions that users could not understand and companies did not want to explain.

The goal is to make companies inform people properly, in a way they can comprehend, so that they can freely decide whether or not to engage with them. It also implies treating data protection as a core element of all the business’s processes.

  • What is the GDPR’s goal? That users can understand what they’re being offered to freely choose when to opt-in or out at will, having full authority over their data and its usage by third parties.
  • Who must obey the GDPR? All institutions processing data from EU citizens, even if the institution itself doesn’t belong to the EU.
  • Can you get fined for violating the GDPR? Yes, and the fines are very high: up to €20 million or 4% of global revenue (whichever is higher), plus compensation for damages to the data subjects involved.

Is it all about consent?

“When you read on the internet in marketing sites they only focus on consent. Is it all about consent? The answer is NO”, explains Perrine.

“Consent is not always necessary when you deal with GDPR. It’s a common misconception. In fact, in article 6 of the GDPR you will see that there are other legal bases. Consent is just one of them”, she says. Each data controller has to choose the legal basis that is right and feasible for them.

“But if you take into account the other regulations, for example, the “Code des postes et des communications électroniques” (French Post and Electronic Communications Code) and its application regulated by the entity called ARCEP, you’ll see that in some cases, but not in all cases, you must request consent. But it’s not the same consent: one is for collecting data, the other one is for sending SMS. They’re two different things”, indicates Sophie.

So what can we do to be 100% sure that we comply with the regulations? “It is dangerous to have a unilateral approach, as you need a case by case analysis of the legal requirements”, says Sophie. Each case is different, and the answer will depend on the local laws that apply to your customers and to your business.

How to ask for consent?

The GDPR states that consent must be:

  • Freely given: it must be voluntary
  • Informed: tell the individual what information you will keep and how you intend to use it
  • Unambiguous: stated in clear and plain language
  • Specific: clearly distinguishable from other matters
  • Expressed: it can’t be implied; individuals must give affirmatively expressed consent, like “I understand and accept…”

Examples of GDPR-compliant forms

Regulations in France

At Octopush, 70% of our customer base is French, so it made sense to include a dedicated analysis about the different types of consent here. Here’s a quick summary of what we discussed with Sophie and Perrine that can serve as a guide.

Requirements to send commercial SMS

According to the CNIL, every text message must include:

  • The sender’s identity: make it clear to the recipients who is sending the SMS
  • An easy and clear opt-out option: like STOP au XXXX, or noPUB=STOP

Sending times

Most of the SMS and MMS providers quote the same information coming from the ARCEP:

In order to avoid any abuse and nuisance, sending times are limited. For most operators, marketing SMS is forbidden between 8pm and 8am on weekdays. Sending is also prohibited all day on Sundays and public holidays. Any breach of this rule is punishable by a fine of €1,000 excl. tax per offence.

However, after consulting with our lawyers, this information must be tempered. There is no law in France that sets the hours and days on which you can or cannot send SMS. Accordingly, you cannot be fined on this basis.

Nonetheless, refraining from sending an SMS/MMS between 8 pm and 8 am or on Sundays and bank holidays is a good practice observed by the companies concerned in France. These rules are therefore often stipulated in the terms and conditions of SMS and MMS providers, and must be respected by Octopush and, consequently, by its customers.
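As an added example (not Octopush’s code, nor anything taken from a provider’s terms and conditions), here is a pre-send gate that turns the rules above into checks a campaign must pass before it is queued: a visible sender identity, an opt-out instruction in one of the two forms quoted, and a scheduled time that falls within 08:00-20:00 Paris time on a day that is neither a Sunday nor a public holiday. It assumes the check runs in Europe/Paris time (with a fixed CET fallback if no timezone database is installed), that the caller supplies the public-holiday dates since the page lists none, and that the opt-out short code is a placeholder; the sample campaigns at the bottom are constructed.

```python
"""Pre-send compliance gate for an SMS marketing campaign (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    PARIS = ZoneInfo("Europe/Paris")
except ZoneInfoNotFoundError:
    # Assumption for hosts without a tz database: fixed CET (UTC+1, no DST).
    PARIS = timezone(timedelta(hours=1), "CET")

# Assumption: the opt-out must appear as "STOP au <short code>" or
# "noPUB=STOP", the two forms quoted on the page; the digits are not fixed.
OPT_OUT_RE = re.compile(r"\bSTOP au \d+\b|\bnoPUB=STOP\b", re.IGNORECASE)

WINDOW_START = time(8, 0)    # sends allowed from 08:00 ...
WINDOW_END = time(20, 0)     # ... up to, but not including, 20:00


@dataclass
class Campaign:
    sender_id: str                 # what the recipient sees as the sender
    body: str                      # message text
    send_at: datetime              # scheduled send time, timezone-aware
    holidays: frozenset = field(default_factory=frozenset)  # ISO dates, caller-supplied


def scheduled(year, month, day, hour, minute, utc=False) -> datetime:
    """Build an aware schedule time in Paris time (or UTC when utc=True)."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone.utc if utc else PARIS)


def check_sender_identity(c: Campaign) -> list[str]:
    """Recipients must be able to tell who is sending the message."""
    return [] if c.sender_id.strip() else ["missing sender identity"]


def check_opt_out(c: Campaign) -> list[str]:
    """Every commercial SMS must carry a clear, easy opt-out instruction."""
    if OPT_OUT_RE.search(c.body):
        return []
    return ["missing opt-out instruction (e.g. 'STOP au XXXX' or 'noPUB=STOP')"]


def check_send_window(c: Campaign) -> list[str]:
    """Apply the 08:00-20:00 / no-Sunday / no-holiday practice in Paris time.

    The time is converted to Paris time first, so a UTC timestamp that looks
    acceptable in UTC is still caught when it lands after 20:00 locally.
    """
    if c.send_at.tzinfo is None:
        return ["send_at must be timezone-aware"]
    local = c.send_at.astimezone(PARIS)
    problems = []
    if local.weekday() == 6:                      # Monday=0 ... Sunday=6
        problems.append("scheduled on a Sunday")
    if local.date().isoformat() in c.holidays:
        problems.append("scheduled on a public holiday")
    if not (WINDOW_START <= local.time() < WINDOW_END):
        problems.append(f"outside 08:00-20:00 Paris time ({local:%H:%M})")
    return problems


def check_campaign(c: Campaign) -> list[str]:
    """Return every problem found; an empty list means the campaign may be sent."""
    return check_sender_identity(c) + check_opt_out(c) + check_send_window(c)


if __name__ == "__main__":
    # Constructed samples; "12345" is a placeholder short code, not a real one.
    body = "Spring sale this week. STOP au 12345"
    ok = Campaign("ACME Store", body, scheduled(2024, 3, 12, 10, 0))
    late = Campaign("ACME Store", body, scheduled(2024, 3, 12, 19, 30, utc=True))
    print(check_campaign(ok))      # []
    print(check_campaign(late))    # ['outside 08:00-20:00 Paris time (20:30)']
```

The UTC sample is the case that trips up schedulers most often: 19:30 UTC is 20:30 in Paris in March, so the campaign is rejected even though the raw timestamp is before 20:00. Because the page states that no French law fixes these hours, the window check is best treated as enforcing your provider’s terms, not a statutory limit.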

Useful links

Commercial prospecting for SMS-MMS. (CNIL)

Advertising messages by SMS or MMS: is it legal? (CNIL)

Art. 8 (GDPR)