Are you confused about the regulations governing text messaging? It would be easy if one set of rules governed the states and countries you text regularly. Unfortunately, the more places you text, the more regulations you’ll have to consider.

Here’s a beginner’s guide to compliance for companies using business-to-person texts in the United States, the European Union and the United Kingdom. And even if you’re an old hand at text messaging, we may have some good advice for you, too.

TCPA – the Federal Regulation in the U.S.

The U.S. Congress originally created the Telephone Consumer Protection Act (TCPA) to combat unsolicited phone calls, and it has expanded to include new technologies like text messaging. It contains specific restrictions and penalties that companies ignore at their peril. The fines can be as much as $1,500 per message sent. In one of the first class-action lawsuits concerning texting, Papa John’s settled the case against it for $16.5 million in 2013.

Perhaps the most important portion of the TCPA concerns acquiring permission to text. You must have express written consent before your company can legally send text messages to anyone. Before that first text goes out, your customer must say it’s okay or “opt in” to receiving your text messages.

That generally means the first contact must made by a different type of communication. Email, online applications, online communication preferences, direct mail, comment cards, and point-of-purchase materials are some of the most common. Some companies ask customers to text them first, and that action starts an automated chain of messages that allows the customer to opt in.

When a company responds to a request to text, the first text they send must contain a few elements. Here they are:

• Company name.
• Customers agree to receive texts from your company.
• Customers don’t have to receive texts to purchase anything from you.
• Frequency of messages. Be up front about how often you plan to text.
• Message and data rates may apply.
• How to reach customer service.
• How to opt out. For example, “Reply STOP to unsubscribe.”
• Provide a link to your privacy policy.

That’s quite a bit to include in 160 characters, so you can design a series of automated texts that contain the information. Your second text can explain any coupons, discounts or other promotions you’re offering.

GDPR Sets Regulations for EU & UK

In the years since the General Data Protection Regulations (GDPR) hit the streets in the European Union, it’s become clear that all businesses, regardless of size, need to understand what the GDPR requires. The EU is serious about enforcing its provisions.

Fines have ranged from €2.5 million to €225 million for non-compliance. Although these fines may be negligible to multinationals, smaller companies could be devasted by them. Smaller companies and individuals are not exempt from harsh penalties and the costs associated with defending the charges.

The same rules apply in the United Kingdom as they do in the European Union. The UK agreed to GDPR and Brexit has not changed anything.

Who is Affected by GDPR?

Of course, companies that conduct business in the EU and the UK are directly affected by the GDPR rules. But so are companies with customers there. That could be you. Also, your company might be affected if someone living in the EU or UK visits your website and allows you to install cookies on their computer. The more contact you have with people in the EU, the more risk you assume.

GDPR’s Seven Principles for Privacy Rights

The GDPR is based on seven basic tenets:

1. Lawfulness, Fairness, and Transparency: personal data shall be processed lawfully, with fairness to the data subject, and fully transparent. 
2. Purpose Limitation: The organization shall process personal data concerning the contract or business operation, which are explicit or specified before processing. 
3. Data Minimization: data shall not be held or processed further than is required for the purpose.
4. Accuracy: data must be updated, rectified, or erased if inaccurate. 
5. Storage Limitation: you cannot keep personal data longer than necessary; your data retention must have a deletion time. 
6. Integrity and Confidentiality: all personal data must be kept secure and protected against theft, accidental loss, unlawful processing, or damage.
7. Accountability: Organizations must be able to demonstrate that they put appropriate technical and organizational safeguards in place.

What’s New with the GDPR in 2021?

As the EU has updated the GDPR, you need to know what’s changed:

1. All parties who have access to customer data are responsible for data security. When data leaves your company, the company that receives it becomes a “joint controller.”
2. Special data-collection rules between the EU and US have expired. If you handle EU data, you must include standard GDPR contractual clauses in your terms and conditions.
3. When collecting data, you must have clear and explicit consent for which data you collect and process.

Privacy Regulations Are Here to Stay

If you thought you could simply wait out the implementation of TCPA and GDPR and fly under the radar, you might need to rethink your strategy. They are not going away, and privacy regulations are growing.

Tracking Explicit Consent

You must track who opts in and who opts out of your text marketing campaigns, and you must have explicit consent to collect and process a customer’s personal information. You’ll also need to track who is already in the system to keep one person from opting in multiple times, and you’ll need to be able to erase a person’s data from all parts of your system, if requested.

SMS-Magic can make compliance easy, particularly if you’ve tied your text messaging campaigns into your CRM. We can help you keep up with customer permissions as they opt-in (and perhaps opt-out) of your messaging campaigns.

Our back-end systems are structured so that we can display individual requests, and we can prove you’ve complied with customer requests. You won’t have to worry about regulators asking to see your records. We use on-going processes to collect and store information about distribution and can share it with regulators, if necessary.

Protecting privacy is a complicated question, but with the right partner, the answer can be simple. Let SMS-Magic help you reach your customers while you’re protecting their privacy.

Contact us to answer your questions, set up a demo or start your free trial. Let us show you why your compliance worries will disappear with SMS-Magic!