Understanding compliance requirements

To create and maintain compliant text-messaging campaigns, follow these standard practices:

Tip: Messaging services are subject to a number of legal and regulatory requirements. Be sure to consult an attorney before implementing a text-messaging campaign.

Staying up to date (United States and Canada)

For more information on text-messaging requirements:

  • Go to the CTIA website (https://www.ctia.org) and search for the Messaging Principles and Best Practices guide, which provides voluntary guidelines for text-messaging programs.

  • Go to the CTIA's Short Code Registry website (https://www.usshortcodes.com), where you can find the Short Code Monitoring Handbook in the Learn more - Resources section.

  • Go to the Canadian Radio-television and Telecommunications website (https://crtc.gc.ca), select a language, and then search for "anti-spam" or "anti-pourriel" to locate the Canada's Anti-Spam Legislation (CASL) or La Loi canadienne anti-pourriel (LCAP) page, which provides links to comprehensive information about compliant text-messaging in Canada.

Note: The use of short codes is monitored by WMC Global, the auditing arm of the CTIA. Penalties for violations include correcting or changing a company's message content and suspending a company’s use of assigned short codes. If you are audited by CTIA, you can contact your customer success manager for assistance.

Staying up to date (United Kingdom)

In the United Kingdom, mobile text messaging is regulated by several agencies.

To stay up to date on messaging requirements:

Obtaining written consent

Your text messaging campaign must have a process for obtaining written consent to receive your messages (opt-in 1) and a written confirmation of consent (opt-in 2). This process is referred to as a double opt-in path.

Note: The double opt-in path is required for all messages in the United States but only for marketing messages in the United Kingdom.

Sample opt-in path campaign

After users have opted in to your campaign, your messages must also offer a process for refusing or canceling messages from your promotional campaign (opt-out).

Your customer success manager can help you design a messaging campaign that complies with the opt-in/opt-out requirements and maintains accurate records of opt-in and opt-out requests. This ensures that your campaign always distributes messages to mobile users who are currently opted in to the campaign and prevents you from sending unwanted messages to users who have opted out or who have not fully opted in.

Your carrier may have additional requirements designed to protect users from unwanted messages.

Reviewing content carefully

Even after you have secured the user's consent and established a relationship for your promotion, the content of your messages continues to be regulated by the messaging guidelines for your region.

Note: Some carriers have special requirements for programs marketing to children under 13 and prohibit contests and sweepstakes.

You'll want your messages to be impactful and entertaining but, to remain compliant, avoid explicit references to violence, profanity, hate speech, gambling, illegal drugs, etc.

Tip: Establish review processes to ensure that you avoid messages with non-compliant content. If you're unsure of what to look for, think SHAFT: sex, hate, alcohol, firearms, and tobacco. Penalties for violations include correcting or changing a company's message content and suspending a company’s use of assigned short codes.

For more information:

  • In the United States, go to the CTIA's Short Code Registry website (https://www.usshortcodes.com) and consult the Short Code Monitoring Handbook in the Learn more - Resources section.

    Note: In the United States, your content must comply with state and federal laws. Where there is a conflict, the federal law applies. Be sure to consult an attorney before implementing a text-messaging program.

  • In Canada, go to the Canadian Wireless Telecommunications Association website (https://www.cwta.ca/) to learn about the Canadian Anti-Spam Legislation (CASL) or La Loi canadienne anti-pourriel (LCAP).

  • In the United Kingdom, go to Short-Codes.com (https://www.short-codes.com/) and consult the Code of Practice for Service Delivery of Common Shortcodes in the UK for all Communications Media for guidance on services that operate on short codes.

Be mindful that non-compliant messages may spark an audit from the CTIA or other regulatory bodies. If you like to keep it edgy, you may want to review your messaging with your customer success manager.

Avoid common mistakes

Review your content to ensure that you avoid common mistakes:

  • Double-check links added to your messages to ensure that they are correct. Don't conceal your company’s identity as the source of the message.
  • If you use a URL shortener, make sure that the web address and IP address are dedicated to the exclusive use of your company, identify the name of the site owner, and include accurate contact information for the site owner. If you include a phone number, be sure to clearly identify the owner or company owner of the number within the message.

    Note: Public link-shorteners like bit.ly are prohibited by US carriers.

  • If you have an age requirement for your campaign, make sure your opt-in options include age verification. For more information, see Age Verification.

Protecting privacy and security

To protect your customers from unwanted intrusion by spammers and spoofers, have a security policy in place that protects users’ data from unauthorized access or disclosure.

  • Develop a privacy policy that clearly describes how you will collect, use, and share information from users and make your policy available to users in your campaign’s initial messages.
  • Consult with an attorney to ensure that your privacy policy is consistent with the applicable law.
  • Check with your carrier, which may have additional privacy requirements.

    Note: For example, Verizon will not approve a program submission where the privacy policy discloses the sharing of information with third parties or affiliates, which they view as a TCPA violation, without the following pre-approved disclosure (usually added to the bottom of a How we share your information section): "All above categories exclude originator opt-in data and consent; this information will not be shared with any third-party."

Tip: Schedule a regular risk assessment of your privacy and security policies.