Understanding how UK GDPR and PECR affect SMS

You will learn

Learn how local compliance laws including GDPR and PECR affect SMS marketing in the UK. SMS in the EU is regulated by the General Data Protection Regulation (GDPR), and SMS in the UK is regulated by the UK General Data Protection Regulation (UK GDPR). Additionally, in the UK, the Public and Electronic Communications Regulations 2003 (PECR) applies to the sending of marketing texts to individuals. While these laws are most commonly associated with data protection, they also dictate how to gather proper consent and what to include in your SMS messages. 

This information is not legal advice. Klaviyo recommends that you consult with your legal counsel to make sure that you comply with the GDPR, UK GDPR, PECR, and all other applicable laws in connection with your text message marketing.

Consent

When collecting consent in the EU and UK, you must provide a clear and detailed explanation of how you plan to use the subscriber’s information. Under GDPR and UK GDPR, consent needs to be “freely given, specific, informed, and unambiguous.” PECR has the same consent requirements under UK GDPR for obtaining valid consent.

When asking for consent:

• Make it easy to opt out (e.g., via an unsubscribe link)
• Provide links to your privacy policy and terms of service
• Be clear about what information you are collecting and how you are going to use it 
• Be clear about what subscribers are subscribing to 
• Ask for consent for each specific purpose (e.g., if you collect consent for both SMS and email, use separate fields for these channels so that someone has the option to subscribe to one and not the other)
• Make sure the subscriber has to take an active step (e.g., checking an unchecked box)
• Make sure consent is not conditional to receiving a good or service
• Do not accept consent from children under 16 unless you have permission from the holder of parental responsibility over the child 
• Keep records of when, where, how, and for what someone gave you their consent

Under GDPR and UK GDPR, there are other bases (like “legitimate interest”) that may be relied on instead of consent, but when using Klaviyo SMS to send text messages to subscribers, you need to ensure that you have obtained proper consent from recipients using the guidelines mentioned above. 

To learn more, read this article on collecting GDPR-compliant consent. 

Transparency

Each text message you send to recipients in the EU and UK should identify you as the sender of the message. Many companies do this by either customizing their sender ID or including their organization name at the start of each message. When using Klaviyo SMS, you can customize your sender ID under Settings > SMS and automatically add your organization’s name to the start of each message using the option in the Compliance tab.

Opt-out

Each text message you send to recipients in the EU and UK must also include an opt-out mechanism. Many companies do this by including an unsubscribe link in their messages. When using Klaviyo SMS, you can automatically add this unsubscribe link to your messages via the option in the Compliance tab. 

Additional Resources

• Learn more about what express consent means
• See other GDPR-related articles:
  • Guide to collecting GDPR compliant consent
  • Frequently asked questions about GDPR
  • How to handle GDPR and CCPA requests