SMS marketing regulation protects consumers from spam while allowing legitimate businesses to communicate with customers via text. Regulations vary significantly by country — governing bodies, consent standards, enforcement mechanisms, and penalties differ across markets. This guide covers the major frameworks your business is most likely to encounter, with US requirements covered in depth given their complexity and enforcement activity.
This content is for general informational purposes only and does not constitute legal advice. See full disclaimer below and Sakari’s Terms of Service here.
Why SMS Marketing Compliance Matters
The financial risk is real. Regulatory penalties for non-compliant business messaging exist in virtually every major market. In the US, TCPA violations carry $500–1,500 per message. In the UK, the Information Commissioner's Office (ICO) can issue fines up to £500,000 for serious breaches of PECR. Under the EU's GDPR, fines can reach €20 million or 4% of global annual turnover — whichever is higher. The scale varies, but the exposure is real regardless of where you operate.
Carriers enforce their own rules too. Mobile network operators in every market monitor messaging patterns. High complaint rates or guideline violations can get your number blocked — sometimes permanently — independent of any regulatory action.
Customer trust is the bigger picture. Texting without permission or ignoring opt-outs damages relationships. Compliance frameworks exist because consumers across every market dislike unsolicited texts.
The Key Regulatory Frameworks by Region
United States
TCPA (Telephone Consumer Protection Act) Administered and enforced by the FCC (Federal Communications Commission), but most enforcement comes through private class action lawsuits. Requires prior express written consent for marketing messages, clear business identification in every text, an opt-out mechanism in every marketing message, and immediate processing of opt-out requests. Penalties: $500–1,500 per message, per violation.
10DLC Registration A carrier-mandated requirement governed by US mobile network operators (AT&T, Verizon, T-Mobile) and administered through The Campaign Registry (TCR). If you're sending business SMS from a standard 10-digit US number, brand and campaign registration is required before sending at scale. Unregistered traffic is subject to filtering and blocking. Registration is the account holder's responsibility.
CTIA Guidelines Industry standards set by the CTIA (Cellular Telecommunications Industry Association) and enforced by US wireless carriers — not a government body. Non-compliance results in message filtering or number blocking. Key requirements: a clear opt-in process, functional STOP and HELP commands, and no deceptive or illegal content.
State Laws Several US states have requirements beyond federal law. California (via the CCPA and related statutes), Florida, and others impose stricter consent language, additional timing restrictions, or data disclosure obligations. Following the strictest applicable standard across your US recipient base is the safest approach. See the SMS marketing laws by state guide for a full breakdown.
European Union and EEA
GDPR (General Data Protection Regulation) Enforced by national Data Protection Authorities (DPAs) in each EU/EEA member state — for example, the CNIL in France, the BfDI in Germany, and the Data Protection Commission (DPC) in Ireland. GDPR governs the collection, storage, and use of personal data including phone numbers. Sending marketing SMS requires a lawful basis — typically explicit consent — and recipients have the right to withdraw consent and have their data erased. Fines up to €20 million or 4% of global annual turnover.
ePrivacy Directive (and national implementations) Often called the "Cookie Law" but also governs electronic direct marketing including SMS. Requires prior opt-in consent for marketing messages to individuals. Each EU member state has implemented this differently — requirements vary in specifics. Check the rules in each country where your recipients are located.
United Kingdom
PECR (Privacy and Electronic Communications Regulations) The UK equivalent of the ePrivacy Directive, enforced by the ICO (Information Commissioner's Office). Requires prior consent for marketing SMS to individuals. The UK GDPR (retained post-Brexit) applies alongside PECR for data handling obligations. ICO fines for serious PECR breaches can reach £500,000; UK GDPR fines up to £17.5 million or 4% of global turnover.
Canada
CASL (Canada's Anti-Spam Legislation) Enforced by the CRTC (Canadian Radio-television and Telecommunications Commission), the Competition Bureau, and the Office of the Privacy Commissioner. One of the stricter regimes globally — requires express or implied consent before sending commercial electronic messages (CEMs) including SMS, clear sender identification, and an unsubscribe mechanism that must be honored within 10 business days. Penalties up to CAD $1 million per violation for individuals, CAD $10 million for organizations.
Australia
Spam Act 2003 Enforced by the ACMA (Australian Communications and Media Authority). Requires consent (express or inferred), sender identification, and a functional unsubscribe mechanism in every commercial message. Penalties up to AUD $1.98 million per day for serious or repeated violations.
Other Markets
Sakari supports messaging to more than 100 countries. Most markets have some form of electronic communications or data protection regulation governing business SMS — ranging from PDPA frameworks in Southeast Asia (Thailand, Singapore, Malaysia) to POPIA in South Africa and similar national statutes across Latin America and the Middle East. If you operate in markets not covered above, you are responsible for understanding and complying with the applicable local regulations. Consult qualified legal counsel familiar with each relevant jurisdiction.
Consent: The Most Important Requirement Across All Markets
Regardless of jurisdiction, valid consent is the foundation of compliant business SMS. While the specific standard varies — express written consent under TCPA, explicit consent under GDPR, express or implied consent under CASL — the practical requirements are consistent: the recipient must have meaningfully agreed to receive messages from your business, you must be able to prove it, and you must make it easy for them to stop.
Pre-checked boxes, consent buried in terms of service, and verbal-only agreements generally do not meet the standard in any major market. Document every opt-in — the date, method, and source — because you may need to prove it.
Message Content Requirements
Every marketing message should clearly identify your business by name and include opt-out instructions. Content must be truthful. Phishing, illegal products, and harassing or repeated unwanted contact violate both regulatory requirements and carrier guidelines across all markets.
On timing: Many jurisdictions restrict when marketing messages may be sent — commonly prohibiting contact before 8am or after 9pm in the recipient's local time zone, with some markets more restrictive. Managing this is your responsibility. You need to know where your recipients are located and schedule sends accordingly. Sakari's scheduling tools operate on your account timezone — recipient timezone management is entirely your responsibility as the sender.
Opt-Out Handling
Across virtually every market, opt-out requests must be honored promptly and permanently. In the US under TCPA, "immediately" is interpreted as minutes. Under CASL, the deadline is 10 business days. Under GDPR, withdrawal of consent must be as easy as giving it and acted upon without undue delay.
Your system must recognize common opt-out keywords (STOP, UNSUBSCRIBE, CANCEL, QUIT, END, and variations) automatically. After processing an opt-out, a single confirmation message is generally permitted. Opt-out records must be maintained permanently — a contact who opted out cannot be re-subscribed without explicit renewed consent. Opt-out requests made via phone, email, or any other channel must also be honored.
Common Violations to Avoid
- No valid consent — texting purchased lists or assuming a customer relationship equals SMS permission.
- Continuing after opt-out — automated campaigns sending messages because opt-out processing wasn't properly configured or verified.
- Misleading opt-in — pre-checked boxes, vague consent language, or consent not specific to SMS.
- Reassigned numbers — texting a recycled number now belonging to someone who never consented. Scrub lists regularly.
- Missing opt-out path — marketing messages with no unsubscribe instruction.
- Missing 10DLC registration (US) — sending A2P traffic from an unregistered US number, resulting in carrier filtering.
- Cross-border compliance gaps — applying US-only compliance thinking to recipients in Canada, the EU, UK, or Australia, where different and often stricter rules apply.
Compliance Checklist
Before sending:
- [ ] Explicit consent documented for all recipients, meeting the standard required in each recipient's jurisdiction
- [ ] 10DLC brand and campaign registration complete (US senders)
- [ ] Opt-out processing active and tested
- [ ] HELP and STOP auto-responses configured
- [ ] Recipient locations identified and send timing scheduled to comply with local restrictions
In every marketing message:
- [ ] Business name included
- [ ] Opt-out instructions included
- [ ] Content truthful and non-deceptive
Ongoing:
- [ ] Opt-out list maintained permanently
- [ ] Phone list scrubbed regularly for reassigned or inactive numbers
- [ ] Delivery and opt-out rates reviewed monthly
- [ ] Staff trained on consent collection and documentation
Sakari supports business messaging across more than 160 countries. Start your free trial and explore how Sakari's platform can support your SMS program — wherever your customers are.
Disclaimer
This content is provided for general informational purposes only and does not constitute legal, regulatory, or compliance advice. Nothing in this material should be relied upon as a substitute for consultation with qualified legal counsel familiar with the laws applicable to your specific business and jurisdiction. SMS marketing laws — including the TCPA, CASL, GDPR, PECR, the Australian Spam Act, and applicable state, provincial, and national regulations — are subject to change and vary significantly by use case, industry, and recipient location. Sakari makes no representations or warranties regarding the accuracy, completeness, or current applicability of any information presented here. Use of Sakari's platform is governed solely by Sakari's Terms of Service. Compliance with all applicable laws and regulations is the sole responsibility of the account holder.
