You will learn
Learn best practices for SMS compliance in your privacy policy. Note that unlike with terms of service, Klaviyo cannot host privacy policies.
This information is intended solely for educational and informational purposes and should not be construed as legal advice. The content provided is general in nature and may not reflect the most up-to-date information. Klaviyo strongly advises consulting with a qualified legal counsel to ensure your compliance with applicable laws and regulations in connection with your use of our services.
Why do I need a privacy policy for SMS?
Before beginning with SMS marketing, you must update your privacy policy to include key information on SMS sending. In particular, if you ever want to apply for a short code, you need to include certain information in your privacy policy in order to be considered for approval.
SMS privacy policy best practicesSMS privacy policy best practices
As a best practice, your privacy policy should include an accurate description of your program and how you will handle data in connection with that program. We also recommend including information regarding what you do with the phone numbers you collect, how you use them, who you share them with, etc. The privacy policy should be accessible from the opt-in method (e.g., sign-up form).
We also recommend including disclosures if any of the following apply to your business:
The sections below provide examples; however, Klaviyo cannot provide legal advice, so please check with your legal counsel before making changes to your privacy policy.
SMS abandoned cart disclosureSMS abandoned cart disclosure
Privacy policies must explicitly state how information is captured by the website to determine when a customer’s cart has been abandoned (e.g., website cookies, plugins, etc). If you are using SMS in an abandoned cart, include a disclosure about this in your privacy policy.
Example language
"The website uses cookies to help keep track of items you put into your shopping cart including when you have abandoned your cart and this information is used to determine when to send cart reminder messages via SMS."
Third-party data sharing
Many wireless carriers have specific requirements about how you describe data-sharing provisions in your privacy policy. While the carriers may differ in what specific language they approve or deny, their overall objective is to assure consumers that their opt-in data and SMS consent status will not be shared in an impermissible or unlawful way. To be clear, these carrier guidelines function independently of any restrictions on data “sharing” or “selling” as defined by the various data privacy laws (such as the GDPR, CCPA, or other similar legislation) that may apply to your business.
If your privacy policy already provides for data sharing or selling to nonaffiliated third parties, you need to clarify that such data sharing or selling will not include a user’s SMS opt-in data or consent status (because explicit, one-to-one consent is required for SMS). If your privacy policy does not currently mention data sharing, you need to insert a similar clarification that you will not share SMS opt-in or consent status for non-service-related purposes.
Example language
"We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your Personal Data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages."
Location tracking and location-based services
If your privacy policy mentions location tracking or location-based services, it must fully describe how that data is collected and for what purpose.
Additional resourcesAdditional resources
- Create a mobile terms of service in Klaviyo
- Collect SMS consent at checkout:
- Get advice for building your SMS program: