
GDPR compliance for SMS Marketing


You’ve gone through the whole process of identifying your target audience, collecting phone numbers, crafting the copy for your SMS marketing campaigns, and setting all your preferences.

But before sending your text messages, take a moment to check your campaign and answer one very important question: are you 100% GDPR compliant?

We got together with our lawyers, Sophie Soubelet-Caroit and Perrine Salagnac of SSC Avocats, to understand the implications of the GDPR and personal data protection for SMS marketing.

To keep this concise, this article focuses only on the GDPR foundations, the processing and collection of personal data, and consent, specifically as they apply to SMS marketing campaigns.

We also encourage you to read our guide Cybersecurity & SMS Marketing: keep your personal data safe, which explores in depth how to keep personal data secure, how to prevent attacks and breaches, and what to do if you experience one.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a “privacy and security law that enforces obligations to any type of institution collecting data from users that belong to the European Union”, and it applies even when the institution itself is not established in the EU.

For example, if you’re based in Brazil but you’re processing data from European customers or visitors, then you have to be GDPR compliant.

The regulation was adopted in 2016 and has applied since 25 May 2018. One of its aims was to put an end to the mumbo-jumbo Terms & Conditions that users could not understand and companies did not want to explain.

The goal is to make companies inform people properly, in language they can understand, so that they can freely decide whether or not to engage. It also means treating data protection as a core element of every business process (the regulation calls this data protection by design and by default, Article 25).

What is the GDPR’s goal?

That users understand what they are being offered and can freely choose to opt in or out at will, keeping full authority over their personal data and its use by third parties.

What is personal data?

As defined by the GDPR (Article 4(1)), personal data is any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly, for example by name, phone number, identification number or location data. A mobile number on your SMS list is therefore personal data in its own right.

It can cover the physical attributes of a person (height, weight, gender, etc.) and their location (current city). Some of it, such as political opinions, religious beliefs, health or genetic data and sexual orientation, is classed as special-category data (Article 9) and is subject to stricter rules.

Who must obey the GDPR?

All organisations processing the personal data of individuals in the EU, whether or not the organisation itself is established in the EU (Article 3). The test is where the data subjects are, not their citizenship.

Can you get fined for violating the GDPR?

Yes, you can get fined and the fines are very high.

The UK GDPR, which together with the Data Protection Act 2018 governs the processing of UK residents’ personal data, sets a maximum fine of £17.5 million or 4% of annual global turnover, whichever is higher.

The EU GDPR, which continues to apply to the processing of EU residents’ personal data, goes up to €20 million (about £18 million) or 4% of global annual turnover, whichever is higher, plus compensation for damages to the individuals affected.

A GDPR breach can also lead to non-financial sanctions.

If the ICO (the UK regulator; the CNIL plays the same role in France) determines that your organisation was responsible for a breach, it will take action to protect the individuals concerned, from issuing warnings and reprimands all the way up to suspending data transfers.

Is it all about consent?

“When you read marketing sites on the internet, they only focus on consent. Is it all about consent? The answer is NO. Consent is not always necessary when you deal with the GDPR. It’s a common misconception.”

Perrine Salagnac, SSC Avocats

According to Perrine, Article 6 of the GDPR lists several lawful bases for processing, and consent is just one of them. Each data controller has to choose the basis that is appropriate and workable for its own processing.

“But if you take into account the other regulations, for example the Code des postes et des communications électroniques (the French Post and Electronic Communications Code), whose application is regulated by the entity called ARCEP, you’ll see that in some cases, but not in all cases, you must request consent,” she says.

“But it’s not the same consent: one is for collecting data, the other one is for sending SMS messages. They’re two different things.”

Sophie Soubelet-Caroit, SSC Avocats

So what can we do to be 100% sure if we comply with the regulations?

“It is dangerous to have a unilateral approach, as you need a case-by-case analysis of the legal requirements”, says Sophie. “Each case is different, and the answer to this question will depend on the local laws that apply to your customers and to your business.”

The GDPR (Article 4(11) and Article 7) requires that consent be:

Freely given:

In SMS marketing, consent must be given voluntarily. An example of voluntary consent is a user replying to your SMS to agree to subscribe to your newsletter.

In this example, the user was never conditioned or forced to receive marketing material from you.

Because consent is voluntary, the user must also be able to withdraw it at any time, and withdrawing must be as easy as giving it (Article 7(3)).

This is also why you should keep records of every consent request and its outcome: under Article 7(1), it is up to you as controller to demonstrate that consent was given.

Specific:

Consent must be clearly distinguishable from other matters.

When you ask for consent, it should be requested specifically for SMS marketing (i.e., not for “any marketing or product” but for a specific activity, such as receiving your SMS marketing notifications).

Informed:

Tell the individual what information you will keep and how you intend to use it.

So it has to be clear what they are consenting to: which personal data they share, the purpose of the processing, and how long the data will be kept, for example.

Be sure to include a link where the user can read your full terms and conditions and privacy notice.

Unambiguous:

Stated in clear and plain language. Consent should be given by an action that solely involves giving consent.

Consent that is bundled with other activities, such as collecting data or taking a survey, runs the risk of being ambiguous, because someone can claim they did not notice it and thought they were simply getting started with what they wanted.

Expressed:

You can’t imply it: individuals must give affirmatively expressed consent, such as ticking an unticked box labelled “I understand and accept…”. Pre-ticked boxes, silence or inactivity do not count (Recital 32).

You can also use a double opt-in process, where users must click a link in your message, or reply to it, in order to confirm their registration for your SMS marketing. The registration is only active once that confirmation arrives.

Granular:

You can only rely on consent for the specific processing purposes it was given for. So if you want to process your client’s data in a different way, you need to ask for consent again.

The consent request form must be easy and quick to fill out and must not be an obstacle or a barrier. Remember that it is an opt-in process.

Examples of GDPR-compliant forms

Regulations in France

At Octopush, 70% of our customer base is French, so it made sense to include a dedicated analysis of the different types of consent here. Here is a quick summary of what we discussed with Sophie and Perrine that can serve as a guide.

The meaning of “opt-in” and “opt-out”

Now that you have collected personal data from a user, what can you do with it? The GDPR says: use it only for the purpose for which consent was given (purpose limitation, Article 5(1)(b)).

For example, if you collected someone’s email address and specified that it was to inform them of new blog posts, then keep it strictly for that purpose. If later on you want to send a campaign for a different product, ask for consent again first. This process is called the “opt-in”.

On the other hand, for those who have given you consent to send them text messages about a campaign from your company, you may use it for as long as you have their consent. But if they want to opt out, act on it immediately. This process is called the “opt-out”.
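The consent properties listed earlier (freely given, specific, informed, expressed, granular, withdrawable at any time, and evidenced by records) and the opt-in/opt-out cycle just described can be enforced in code rather than left to a marketing checklist. The Python consent ledger below is an added example for this article, not Octopush code. It assumes an in-memory store, a 24-hour confirmation window for double opt-in, and that a STOP reply withdraws consent for every SMS purpose on that number; all three are assumptions, and the phone numbers and timestamps used with it are constructed sample values.

```python
"""Consent ledger for SMS marketing, keyed by (phone number, purpose).

Added illustration for this article; it is not Octopush's code. It assumes
an in-memory store and a 24-hour confirmation window for double opt-in
(both assumptions) and records every consent event so that consent can be
evidenced, scoped to one purpose, and withdrawn at any time.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ConsentEvent:
    when: datetime   # UTC timestamp of the event
    action: str      # "requested", "confirmed" or "withdrawn"
    source: str      # channel where it happened, e.g. "web-form", "sms-reply"
    evidence: str    # what the person saw or sent, kept for audit


@dataclass
class ConsentRecord:
    phone: str
    purpose: str
    confirmed: bool = False
    token_digest: str | None = None       # SHA-256 of the pending confirmation token
    token_expires: datetime | None = None
    history: list[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    CONFIRM_TTL = timedelta(hours=24)  # assumption: unconfirmed requests lapse after a day

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def request(self, phone: str, purpose: str, source: str, evidence: str,
                now: datetime) -> str:
        """Step 1 of double opt-in: log the request and return a one-time token."""
        rec = self._records.setdefault((phone, purpose), ConsentRecord(phone, purpose))
        token = secrets.token_urlsafe(16)
        rec.token_digest = hashlib.sha256(token.encode()).hexdigest()
        rec.token_expires = now + self.CONFIRM_TTL
        rec.history.append(ConsentEvent(now, "requested", source, evidence))
        return token  # goes into the confirmation link; only its digest is stored

    def confirm(self, phone: str, purpose: str, token: str, now: datetime) -> bool:
        """Step 2: the person clicks the link. Consent is active only after this."""
        rec = self._records.get((phone, purpose))
        if rec is None or rec.token_digest is None or rec.token_expires is None:
            return False
        if now > rec.token_expires:
            return False  # stale link: ask again rather than assume
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec.token_digest):
            return False
        rec.confirmed = True
        rec.token_digest = rec.token_expires = None  # token is single-use
        rec.history.append(ConsentEvent(now, "confirmed", "confirmation-link", "token matched"))
        return True

    def withdraw(self, phone: str, purpose: str, source: str, evidence: str,
                 now: datetime) -> None:
        """Withdrawal takes effect immediately and is logged like any other event."""
        rec = self._records.get((phone, purpose))
        if rec is not None:
            rec.confirmed = False
            rec.history.append(ConsentEvent(now, "withdrawn", source, evidence))

    def handle_inbound(self, phone: str, text: str, now: datetime) -> bool:
        """A STOP reply withdraws consent for every SMS purpose on that number (assumption)."""
        if text.strip().upper() != "STOP":
            return False
        for (p, purpose) in list(self._records):
            if p == phone:
                self.withdraw(phone, purpose, "sms-reply", text, now)
        return True

    def may_send(self, phone: str, purpose: str) -> bool:
        """Granular: consent for one purpose says nothing about another."""
        rec = self._records.get((phone, purpose))
        return rec is not None and rec.confirmed

    def history(self, phone: str, purpose: str) -> list[ConsentEvent]:
        """The audit trail you would produce if asked to demonstrate consent."""
        rec = self._records.get((phone, purpose))
        return list(rec.history) if rec else []


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper so callers build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
```

Two design points are worth noting. Only the digest of the confirmation token is stored, so a leaked database does not let anyone confirm consent on someone else’s behalf, and the token is discarded after one use. The `history` list is the evidence you would produce to show that consent was requested, confirmed and, if applicable, withdrawn; in a real deployment it belongs in an append-only table, not in memory.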

Requirements to send commercial SMS

According to the CNIL, every commercial text message must include:

  • The sender’s identity: make it clear to the recipients who is sending the SMS
  • An easy and clear opt-out option, such as “STOP to XXXX” or “noPUB=STOP”

Sending times

Most SMS providers quote the same information, attributed to ARCEP:

To avoid abuse and nuisance, sending times are limited. For the majority of operators, marketing SMS is forbidden between 8 pm and 8 am on weekdays.

Sending is also prohibited all day on Sundays and public holidays.

Any breach of the rule is punishable by a fine of €1,000 excluding tax per offence.

However, after consulting our lawyers, this information must be qualified. No French law sets the hours and days on which you can or cannot send SMS, so you cannot be fined on that basis.

Nonetheless, refraining from sending SMS/MMS between 8 pm and 8 am, and all day on Sundays and bank holidays, is a good practice observed by responsible companies in France.

These rules are therefore often stipulated in the terms and conditions of SMS providers, and must be respected by Octopush and, in turn, by its customers.
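The two CNIL content requirements and the quiet-hours practice above can be enforced as a pre-send gate in front of the SMS gateway, so a campaign scheduled by mistake for a Sunday or a late evening is held rather than sent. The Python below is an added example for this article, not Octopush’s or any provider’s code. The public-holiday set is a constructed 2024 sample standing in for an official calendar, the brand name and message texts are made up, and the 20:00 to 08:00 window is taken from the practice described above rather than from any statute.

```python
"""Pre-send gate for a French marketing SMS: sending window and mandatory content.

Added illustration for this article, not Octopush's or any provider's code.
It encodes the practice described above (no marketing SMS 20:00-08:00 Paris
time on weekdays, none on Sundays or public holidays) and the two CNIL
content points (sender identified, STOP opt-out present). The public-holiday
set is a constructed 2024 sample, an assumption standing in for an official
calendar.
"""
from __future__ import annotations

import re
import warnings
from datetime import date, datetime, time, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    PARIS = ZoneInfo("Europe/Paris")
except Exception:  # no tz database on this host; fixed CEST is wrong by an hour in winter
    warnings.warn("tz database missing: falling back to fixed UTC+2, do not use in production")
    PARIS = timezone(timedelta(hours=2), "CEST")

QUIET_START = time(20, 0)  # no sends from 20:00 ...
QUIET_END = time(8, 0)     # ... until 08:00 the following morning

# Constructed sample of French public holidays (assumption: load these from an official source).
PUBLIC_HOLIDAYS = {
    date(2024, 1, 1), date(2024, 5, 1), date(2024, 5, 8), date(2024, 7, 14),
    date(2024, 8, 15), date(2024, 11, 1), date(2024, 11, 11), date(2024, 12, 25),
}

STOP_RE = re.compile(r"\bSTOP\b", re.IGNORECASE)  # matches "STOP to XXXX" and "noPUB=STOP"


def paris(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build an aware Paris-time datetime (keeps the checks below readable)."""
    return datetime(year, month, day, hour, minute, tzinfo=PARIS)


def _to_paris(when: datetime) -> datetime:
    # Scheduler clocks are usually UTC; a naive value would be silently misread.
    if when.tzinfo is None:
        raise ValueError("send time must be timezone-aware")
    return when.astimezone(PARIS)


def _day_blocked(local: datetime) -> bool:
    return local.weekday() == 6 or local.date() in PUBLIC_HOLIDAYS  # weekday 6 is Sunday


def is_quiet(when: datetime) -> bool:
    """True if a marketing SMS must not go out at `when`."""
    local = _to_paris(when)
    if _day_blocked(local):
        return True
    t = local.time()
    return t >= QUIET_START or t < QUIET_END


def next_send_time(when: datetime) -> datetime:
    """Earliest instant at or after `when` outside the quiet window, in Paris time."""
    local = _to_paris(when)
    while is_quiet(local):
        if _day_blocked(local) or local.time() >= QUIET_START:
            # Blocked day or evening: try 08:00 tomorrow (the loop absorbs Sunday + holiday runs).
            local = datetime.combine(local.date() + timedelta(days=1), QUIET_END, tzinfo=PARIS)
        else:
            # Early morning on an allowed day: wait for 08:00 today.
            local = datetime.combine(local.date(), QUIET_END, tzinfo=PARIS)
    return local


def message_problems(text: str, brand: str, sender_id: str = "") -> list[str]:
    """CNIL content checks: the recipient must see who is sending and how to opt out."""
    problems: list[str] = []
    identified = brand.lower() in text.lower() or sender_id.lower() == brand.lower()
    if not identified:
        problems.append("sender identity missing (name the brand in the body or the sender ID)")
    if not STOP_RE.search(text):
        problems.append("no STOP opt-out instruction")
    return problems


def may_send(text: str, brand: str, when: datetime, sender_id: str = "") -> tuple[bool, list[str]]:
    """Combine both checks; hand the message to the gateway only when ok is True."""
    problems = message_problems(text, brand, sender_id)
    if is_quiet(when):
        problems.append(f"inside quiet hours; next slot {next_send_time(when).isoformat()}")
    return (not problems, problems)
```

The gate converts whatever timestamp the scheduler holds (usually UTC) to Europe/Paris before comparing, and refuses naive datetimes outright, because a naive value read as UTC would shift the window by one or two hours. `next_send_time` loops rather than adding a single day so that a Saturday-evening send in mid July 2024 lands on Monday 08:00, skipping both Sunday and the 14 July holiday.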

Useful links

Develop in compliance with the GDPR (CNIL)

ICO’s information about Spam text

Guide to the UK GDPR (ICO)

Art. 8 (GDPR)
