Compliance

UK GDPR and SMS marketing: what your business needs to know

SMS marketing is one of the most effective channels available to UK businesses — but it is also one of the most regulated. The combination of UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and ICO enforcement activity means that getting this wrong carries real consequences. This guide covers what you need to know to run compliant SMS campaigns in the UK.

Most businesses focus on GDPR when they think about data compliance — but for SMS marketing specifically, PECR is equally important and often overlooked. Both apply simultaneously and have different requirements.

UK GDPR governs how you collect, store, and process personal data — including phone numbers. You need a lawful basis to hold a phone number in your database.

PECR specifically governs the act of sending electronic marketing communications. It sets stricter requirements than GDPR alone for direct marketing messages sent to individuals.

PECR requires that you have prior consent before sending marketing SMS messages to individual subscribers (B2C). This means:

  • Consent must be freely given, specific, informed, and unambiguous
  • Pre-ticked boxes do not constitute valid consent
  • Bundled consent (agreeing to T&Cs that include a marketing opt-in buried in small print) is not valid
  • The consent must specifically mention SMS marketing — general “communications” consent is not sufficient

For B2B marketing (messages to corporate subscribers), PECR allows use of soft opt-in or legitimate interests as alternatives to explicit consent — but only where the contact is being reached in their business capacity at a business number.

The ICO has fined businesses hundreds of thousands of pounds for sending marketing messages without valid consent. In 2023-2024, SMS marketing enforcement was one of the ICO’s stated priorities.

Soft opt-in — a limited exception

PECR includes a soft opt-in provision that allows marketing to existing customers without explicit consent, provided:

  • The contact details were collected during a sale or negotiation of a sale
  • The marketing is for similar products or services
  • The customer was given a clear opportunity to opt out at the point of collection
  • Every subsequent message includes an easy opt-out

This is useful for transactional businesses — a retailer can message existing customers about similar products without collecting fresh consent each time. It does not apply to prospecting new contacts.

What every compliant SMS campaign requires

  1. Valid consent or soft opt-in documented and auditable
  2. Clear sender identification — the recipient must know who sent the message
  3. A working opt-out mechanism — typically STOP keyword routing
  4. Immediate and permanent processing of opt-out requests
  5. No marketing during unsociable hours (ICO guidance: avoid before 8am and after 9pm)
  6. Accurate suppression lists maintained and applied before every send

The STOP keyword requirement

Every marketing SMS should include opt-out instructions. The industry standard is “Reply STOP to unsubscribe.” When a recipient sends STOP, their number must be added to your suppression list and must never receive a marketing message again — even if they later re-subscribe under a different list segment.

Failure to honour STOP requests is one of the most common grounds for ICO complaints and enforcement.

Record keeping

You must be able to demonstrate consent if challenged. This means:

  • Storing when and how consent was collected for each contact
  • Recording the exact consent wording presented to the user
  • Maintaining suppression lists with timestamps
  • Being able to produce this evidence within 30 days of a subject access request

Consent records are your evidence if the ICO investigates. ‘We think they opted in’ is not an acceptable answer — you need to be able to produce the exact consent record.
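The pre-send gate, STOP handling and consent record described in the sections above, as an added Python example that is not code from the original post or from any SMS provider; the UK number normalisation, the 8am-9pm quiet-hour constants and the sample numbers are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from zoneinfo import ZoneInfo

UK = ZoneInfo("Europe/London")
# ICO guidance quoted in the post: avoid sending before 8am and after 9pm (assumed as hard limits here)
QUIET_START, QUIET_END = time(21, 0), time(8, 0)


def normalise(msisdn: str) -> str:
    """One canonical key per number, so a STOP applies across every list segment (assumed UK format)."""
    digits = "".join(ch for ch in msisdn if ch.isdigit())
    if digits.startswith("0"):            # national format, e.g. 07700 900123
        digits = "44" + digits[1:]
    return "+" + digits


@dataclass
class ConsentRecord:
    collected_at: datetime   # when consent was collected
    method: str              # how it was collected, e.g. "web signup form"
    wording: str             # the exact consent text shown to the user
    channel: str             # must name SMS specifically


@dataclass
class MarketingGate:
    consent: dict = field(default_factory=dict)     # number -> ConsentRecord
    suppressed: dict = field(default_factory=dict)  # number -> datetime STOP was received

    def record_consent(self, msisdn, method, wording, channel, at):
        # Recording new consent never lifts an earlier STOP: suppression is checked first in may_send.
        self.consent[normalise(msisdn)] = ConsentRecord(at, method, wording, channel)

    def handle_inbound(self, msisdn, body, at) -> bool:
        """STOP (any case, surrounding whitespace ignored) suppresses the number immediately and permanently."""
        if body.strip().upper() == "STOP":
            self.suppressed[normalise(msisdn)] = at
            return True
        return False

    def may_send(self, msisdn, now) -> tuple:
        """Apply before every marketing send; returns (allowed, reason) for the audit log."""
        key = normalise(msisdn)
        if key in self.suppressed:
            return False, "suppressed by STOP at " + self.suppressed[key].isoformat()
        rec = self.consent.get(key)
        if rec is None:
            return False, "no consent record"
        if "sms" not in rec.channel.lower():
            return False, "consent does not specifically cover SMS"
        local = now.astimezone(UK).time()
        if local >= QUIET_START or local < QUIET_END:
            return False, "outside 8am-9pm window"
        return True, "ok"
```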

ICO registration

Any business that processes personal data for marketing purposes must be registered with the ICO as a data controller. Registration costs £40-60 per year depending on organisation size. Non-registration is itself a criminal offence under the Data Protection Act 2018.
