What “compliant SMS marketing” means in the UK (PECR + UK GDPR in plain English)
In the UK, “compliant SMS marketing” means you only text people promotional messages when you have the right permission (or a very limited exception), you’re clear about who you are, and you respect people’s choices. Two main rulesets apply: PECR (which covers electronic marketing like SMS) and the UK GDPR (which governs how you collect, use, and store personal data such as phone numbers).
PECR in plain English: for most marketing texts to individuals, you need prior consent—a clear opt-in. You must also include a simple way to opt out in every message (e.g., “Reply STOP”). There’s a commonly used exception called the “soft opt-in”: if someone bought from you (or negotiated to buy), you can market similar products by SMS only if you gave them a chance to opt out at collection and in every message.
UK GDPR in plain English: you need a valid reason (a “lawful basis”) to process the phone number and send the texts—typically consent for SMS marketing. Consent must be freely given, specific, informed, and easy to withdraw. You should keep evidence of consent (what they agreed to, when, and how), use data minimisation (only collect what you need), and set sensible retention rules.
- Get explicit opt-in (or confirm soft opt-in conditions).
- Say who you are in the SMS (brand identity).
- Include opt-out instructions every time (“STOP”).
- Record consent and preference changes.
- Screen against suppression/opt-out lists before sending.
- Use compliant suppliers and secure data handling.
Consent checklist: when you need opt-in, when soft opt-in applies, and what counts as valid consent
Use this checklist to decide whether you can text someone marketing messages in the UK and what evidence you should keep.
- Do you need opt-in consent? You generally need a clear “yes” before sending marketing SMS to individuals (including sole traders and many partnerships). If you’re unsure whether a number is personal or business-only, treat it as personal and get opt-in.
- Can you rely on soft opt-in? Soft opt-in may apply only if all of these are true: (1) you got the person’s number during a sale or negotiations to sell your product/service; (2) you’re marketing your own similar products/services (not third parties); (3) you gave a simple opt-out at the time you collected the number; and (4) you include an opt-out in every text. If any condition fails, use opt-in instead.
- What counts as valid consent? Consent should be freely given, specific, informed, and unambiguous. Good examples: an unticked checkbox labelled “Yes, send me marketing texts from [Brand]” or a clear keyword opt-in (e.g., “Text JOIN to…”). Not valid: pre-ticked boxes, bundled consent hidden in terms, “by providing your number you agree…”, or consent that doesn’t name who will text.
- What proof should you keep? Store the date/time, method (web form, keyword, paper), wording shown, the phone number, and the source page/location. Keep suppression lists for opt-outs and apply them promptly.
How to build a compliant SMS opt-in journey (web, checkout, lead gen, offline capture)
Design your SMS opt-in so consent is clear, specific, and easy to prove later. Start by deciding what people are signing up for (e.g., “marketing texts about offers and product updates”) and keep that wording consistent across every capture point.
- Web forms: Use an unticked checkbox (or equivalent) that sits next to the phone field, not hidden in terms. State who will message, what type of messages, and that message frequency may vary. Add “Msg & data rates may apply” only if relevant to your audience, and always include a simple opt-out line (e.g., “Reply STOP to opt out”).
- Checkout: Separate SMS marketing consent from order updates. Customers should be able to complete purchase without opting into marketing. Avoid pre-ticked boxes and avoid bundling email + SMS under one consent statement.
- Lead gen (ads/landing pages): Match the ad promise to the SMS content. If the lead magnet is a discount code, say you’ll text the code and also send future marketing (if you will). If it’s one-off fulfilment only, don’t treat it as ongoing marketing consent.
- Offline capture (in-store, events, paper): Use short, readable consent text near the number field and capture a timestamp/location. If using tablets, display the same wording as your web form and store the exact version shown.
Proof and controls: Log the phone number, consent wording, source (URL/store), date/time, and any double opt-in confirmation. Provide an unsubscribe mechanism in every message and suppress numbers immediately after STOP. Keep a preference centre so people can change topics without fully opting out.
Opt-out and preference management: STOP keywords, unsubscribe flows, and suppression lists
Make opting out as easy as opting in. Every UK marketing SMS should include a clear opt-out instruction (for example: “Reply STOP to opt out”). Use common keywords and variants (STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) and treat them consistently. If you use short codes or virtual mobile numbers, test opt-outs across UK networks and ensure replies are free or clearly priced.
Build an automated unsubscribe flow that acts immediately. When a recipient texts a STOP keyword, your system should: (1) recognise the keyword reliably (case-insensitive, ignores extra spaces), (2) suppress the number from future marketing sends, and (3) send a single confirmation message such as “You’re unsubscribed and won’t receive marketing texts from us. For help, reply HELP.” Avoid sending further promotional content after an opt-out, including “win-back” messages.
Maintain a suppression list (also called a do-not-contact list) that is separate from your marketing list and cannot be overwritten by imports. Store the mobile number, opt-out date/time, source (STOP reply, link click, customer service request), and campaign identifier where available. Apply suppression across all brands or sender IDs you control, unless the customer has clearly opted in separately to a different brand.
Add preference management where practical: let people opt down (e.g., fewer messages) or choose categories (offers, delivery updates, events). If you use links to a preference centre, keep it mobile-friendly, minimal steps, and don’t require login.
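The opt-out flow and suppression screening described above, as an added example that is not part of the original article. It assumes an in-memory store (class names `SmsStore`, `SuppressionEntry` and the helper functions are invented for illustration); a real deployment would back the suppression list with a database that bulk imports have no write access to. The sample numbers use the 07700 900xxx range and are constructed.

```python
"""Opt-out handling, suppression list and pre-send screening for UK marketing SMS.

Added example, not from the original article. Assumes an in-memory store.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Common STOP keywords and variants, matched case-insensitively (assumed set).
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}

CONFIRMATION = ("You're unsubscribed and won't receive marketing texts from us. "
                "For help, reply HELP.")


def normalise_msisdn(number: str) -> str:
    """Canonicalise a UK mobile number to E.164 so that '07700 900123' and
    '+44 7700 900123' hit the same suppression entry."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("44"):
        return "+" + digits
    if digits.startswith("0"):
        return "+44" + digits[1:]
    raise ValueError(f"unrecognised UK number: {number!r}")


def is_stop_keyword(body: str) -> bool:
    """True if an inbound text is an opt-out: case-insensitive, ignores any
    whitespace and trailing punctuation, so '  Stop. ' and 'stop all' match."""
    token = re.sub(r"\s+", "", body).upper().rstrip(".!")
    return token in STOP_KEYWORDS


@dataclass
class SuppressionEntry:
    number: str
    opted_out_at: datetime
    source: str                      # "STOP reply", "link click", "customer service"
    campaign_id: Optional[str] = None


@dataclass
class SmsStore:
    marketing_list: set = field(default_factory=set)
    suppression: dict = field(default_factory=dict)   # number -> SuppressionEntry
    outbox: list = field(default_factory=list)        # (number, text) pairs "sent"

    def import_contacts(self, numbers) -> None:
        """Bulk imports may add to the marketing list but never touch suppression."""
        for n in numbers:
            self.marketing_list.add(normalise_msisdn(n))

    def handle_inbound(self, number: str, body: str, campaign_id: Optional[str] = None) -> bool:
        """Process a reply; returns True if it was treated as an opt-out."""
        num = normalise_msisdn(number)
        if not is_stop_keyword(body):
            return False
        first_time = num not in self.suppression
        # setdefault keeps the original opt-out timestamp if STOP is sent twice.
        self.suppression.setdefault(
            num, SuppressionEntry(num, datetime.now(timezone.utc), "STOP reply", campaign_id))
        self.marketing_list.discard(num)
        if first_time:
            self.outbox.append((num, CONFIRMATION))   # exactly one confirmation
        return True

    def send_campaign(self, message: str, campaign_id: str) -> list:
        """Screen every recipient against the suppression list before sending."""
        recipients = sorted(self.marketing_list - set(self.suppression))
        for num in recipients:
            self.outbox.append((num, message))
        return recipients


def demo() -> dict:
    """Constructed walk-through: opt-out, re-import, then a screened send."""
    store = SmsStore()
    store.import_contacts(["07700 900123", "+44 7700 900456"])
    store.handle_inbound("07700900123", "  stop ", campaign_id="spring-sale")
    store.import_contacts(["07700 900123"])     # re-import must not resurrect the number
    sent = store.send_campaign("Brand: 20% off this week. Reply STOP to opt out", "spring-sale")
    return {"sent_to": sent, "suppressed": sorted(store.suppression), "outbox_len": len(store.outbox)}


if __name__ == "__main__":
    print(demo())
```

The point of `setdefault` and of screening with a set difference at send time is that suppression wins regardless of what later imports or list edits do; the number only leaves the suppression list through a deliberate, separately recorded re-consent.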
Message content rules: identification, transparency, timing, frequency, and avoiding misleading copy
Identify yourself clearly. Put your brand name at the start of the SMS so recipients instantly know who’s contacting them (e.g., “Yerman:” or your trading name). If you use a short code or unfamiliar number, add a brief identifier in every message, not just the first one.
Be transparent about why they’re receiving it. Reference the consent context in plain English (“You opted in on our website”) and keep the purpose consistent with what was agreed. If the message is promotional, make that obvious—don’t disguise ads as “service updates” or “account alerts” unless it genuinely is one.
Include an easy opt-out every time. Add a simple instruction such as “Reply STOP to opt out”. Avoid complicated steps, links only, or requiring a login. If you use keywords (STOP/UNSUBSCRIBE), make sure they’re monitored and actioned promptly.
Respect timing expectations. Send at reasonable hours and avoid early mornings, late nights, and sensitive dates unless the customer expects the message (e.g., delivery updates). Schedule sends in UK local time and avoid weekend blasts unless your audience has shown engagement then.
Control frequency and set expectations. Match your actual send rate to what you stated at sign-up (“up to 4 msgs/month”). If you need to increase frequency for a campaign, consider re-confirming preferences or offering a “pause” option.
Avoid misleading copy. Don’t imply urgency, scarcity, or “official” status unless it’s true. Be careful with “free”, “guaranteed”, “last chance”, and “winner” language—qualify offers clearly (key terms, eligibility, end date) and avoid bait-and-switch wording.
Data protection essentials for SMS: lawful basis, minimisation, retention, and security controls
UK SMS marketing must meet UK GDPR and PECR requirements, so your checklist should start with a clear lawful basis and evidence to match. For most promotional texts, this will be consent (freely given, specific, informed, unambiguous) or, in limited cases, the soft opt-in for existing customers where you collected details during a sale/negotiation, market similar products, and offered an opt-out at collection and in every message. Record what you relied on, when, how, and what wording was shown.
Apply data minimisation: only collect what you need to send and manage SMS campaigns (typically mobile number, consent status, timestamp, source, and suppression/opt-out status). Avoid collecting sensitive data and don’t use inferred attributes unless you can justify necessity and transparency. Keep segmentation proportionate and explain it in your privacy information.
Set retention rules that are practical and defensible. Keep active subscriber data only while you market to them, and retain suppression lists (opt-outs) for as long as needed to ensure you don’t text them again. Define time limits for inactive contacts and logs (e.g., consent records), and document deletion routines.
Implement security controls across people, process, and tech: role-based access to your SMS platform, MFA, strong passwords, audit logs, encrypted exports, secure API keys, and least-privilege permissions for agencies. Use Data Processing Agreements with providers, check UK/international transfer safeguards where relevant, and have an incident process to handle mis-sends, data leaks, and prompt suppression updates.
Record-keeping and audit readiness: what to log (consent proof, source, timestamps, wording)
Build an “evidence trail” for every number on your SMS list so you can quickly show how and why you’re messaging. Keep records in a central CRM or consent log that’s searchable by phone number, campaign, and date.
- Consent proof: Store the exact method used (web form, checkout tick box, keyword text-in, paper form). Save a screenshot/PDF of the form or page state, plus the consent statement shown at the time.
- Source and context: Log where the contact came from (URL, landing page name, in-store location, event name) and what they were signing up for (brand name, product line, “offers and updates”, etc.). Avoid vague labels like “marketing”.
- Timestamps: Record date/time of opt-in, confirmation (if you use double opt-in), and first message sent. Include timezone and system clock source where possible.
- Wording and versioning: Keep the exact opt-in wording, privacy notice link, and any “soft opt-in” notice used. Version your consent text so you can prove what was displayed on a specific date.
- Identity and metadata: Capture IP address, user agent, order ID (if applicable), and the staff member or system that collected consent.
- Preference and suppression history: Log opt-outs (STOP), unsubscribe timestamps, and any “do not contact” flags. Keep suppression lists indefinitely to prevent re-messaging.
- Message logs: Store SMS content, sender ID, send time, delivery status, and the campaign name. Keep templates and approvals for each campaign.
Set a retention schedule (e.g., keep consent and suppression evidence for as long as you market to the contact, plus a reasonable period after) and restrict access to logs to reduce accidental changes.
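A consent evidence log built from the record-keeping list above, as an added example that is not part of the original article. The class and field names are invented for illustration, the consent wording is versioned by hashing it so a record proves exactly what was displayed, and the 730-day inactivity window in the retention sweep is an assumed figure (the article gives no specific limit). Suppression data is deliberately kept out of this sweep. Sample numbers, URL and IP address are constructed.

```python
"""Consent evidence log with versioned wording and a retention sweep.

Added example, not from the original article. In-memory store; field set
follows the article's record-keeping list.
"""
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def wording_version(text: str) -> str:
    """Content-address the consent statement so the record proves which wording
    was shown even after the form copy changes (short SHA-256 prefix)."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentRecord:
    number: str
    method: str                 # "web form", "checkout tick box", "keyword", "paper form"
    source: str                 # URL, landing page, store or event
    purpose: str                # what they signed up for, never just "marketing"
    wording: str                # exact opt-in statement shown
    wording_version: str
    opted_in_at: datetime       # timezone-aware
    confirmed_at: Optional[datetime] = None   # double opt-in, if used
    ip_address: Optional[str] = None
    user_agent: Optional[str] = None
    collected_by: str = "system"              # staff member or system


class ConsentLog:
    def __init__(self) -> None:
        self._records: dict = {}     # number -> [ConsentRecord, ...]
        self._last_sent: dict = {}   # number -> datetime of last marketing send

    def record(self, number, method, source, purpose, wording, opted_in_at, **meta) -> ConsentRecord:
        rec = ConsentRecord(number, method, source, purpose, wording,
                            wording_version(wording), opted_in_at, **meta)
        self._records.setdefault(number, []).append(rec)
        return rec

    def note_sent(self, number: str, at: datetime) -> None:
        self._last_sent[number] = at

    def evidence_for(self, number: str) -> Optional[dict]:
        """Latest consent record for a number as a plain dict (searchable by number)."""
        recs = self._records.get(number)
        if not recs:
            return None
        return asdict(max(recs, key=lambda r: r.opted_in_at))

    def sweep(self, now: datetime, inactive_after: timedelta = timedelta(days=730)) -> list:
        """Retention: drop consent records for contacts not marketed to within the
        window (measured from the last send, or from opt-in if never sent).
        The suppression list lives elsewhere and is never touched here."""
        removed = []
        for number in list(self._records):
            last = self._last_sent.get(number) or max(r.opted_in_at for r in self._records[number])
            if now - last > inactive_after:
                del self._records[number]
                removed.append(number)
        return removed


def demo() -> dict:
    """Constructed walk-through: one active contact, one long-inactive contact."""
    log = ConsentLog()
    t0 = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    wording_v1 = "Yes, send me marketing texts from Brand. Reply STOP to opt out."
    log.record("+447700900123", "web form", "https://example.com/signup",
               "Brand offers and product updates", wording_v1, t0,
               ip_address="203.0.113.7", user_agent="constructed/1.0")
    log.record("+447700900456", "keyword", "Text JOIN to <short code>",
               "Brand offers and product updates", wording_v1, t0 - timedelta(days=900))
    log.note_sent("+447700900123", t0 + timedelta(days=1))
    removed = log.sweep(now=t0 + timedelta(days=400))
    kept = log.evidence_for("+447700900123")
    return {"removed": removed, "kept_version": kept["wording_version"],
            "v1": wording_version(wording_v1)}


if __name__ == "__main__":
    print(demo())
```

Storing the hash beside the full text is what makes the versioning useful: the hash is a compact key for "which statement was live on that date", while the stored text is the human-readable evidence an auditor will actually read.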
Working with an SMS platform: due diligence checklist (DPA, sub-processors, UK/EU hosting, features)
When comparing SMS platforms for UK marketing, use this checklist to quickly spot compliance-friendly options and reduce operational risk.
- Data Processing Agreement (DPA): Confirm a signed DPA is available, clearly defining roles (controller/processor), processing purposes, retention, security measures, and breach notification timelines. Check whether the provider supports your required lawful basis workflows (e.g., consent capture and proof).
- Sub-processors: Request a current sub-processor list (carriers, routing partners, cloud providers, analytics tools). Look for change-notification commitments and the ability to object. Verify where each sub-processor operates and what data they receive (phone numbers, message content, metadata).
- UK/EU hosting and transfers: Ask where data is stored and where it is accessed from (support, engineering). If any data leaves the UK/EU, check what transfer safeguards are offered (e.g., contractual protections) and whether you can choose UK/EU-only data residency.
- Security and access controls: Evaluate encryption in transit, role-based access, SSO/2FA, audit logs, IP allowlisting, and least-privilege admin controls. Confirm how long logs are retained and whether you can configure retention.
- Compliance features: Prioritise built-in opt-out keywords, suppression lists, consent/time-stamped records, quiet hours, frequency caps, and automatic handling of “STOP” across campaigns. Check support for sender ID/number management and content templates.
- Operational fit: Review deliverability tooling (link tracking options, short link domains), webhooks/API, CRM integrations, and reporting that separates transactional vs marketing messages.