SMS privacy policy best practices

Last updated at:

You will learn

Learn best practices for SMS compliance in your privacy policy. Note that unlike with terms of service, Klaviyo cannot host privacy policies.

This information is not legal advice. Klaviyo recommends that you consult with your legal counsel to make sure that you comply with applicable laws in connection with your marketing activities. 

Importance of privacy policies for SMS

Before beginning with SMS marketing, you must update your privacy policy to include key information on SMS sending. In particular, if you ever want to apply for a short code, you need to include certain information in your privacy policy in order to be considered for approval.

SMS privacy policy best practices

As a best practice, your privacy policy should include an accurate description of your program and how you will handle data in connection with that program. We also recommend including information regarding what you do with the phone numbers you collect, how you use them, who you share them with, etc. The privacy policy should be accessible from the opt-in method (e.g., signup form).

We also recommend including disclosures if any of the following apply to your business:

The sections below provide examples; however, Klaviyo cannot provide legal advice, so please check with your legal counsel before making changes to your privacy policy. 

SMS abandoned cart disclosure

Privacy policies must explicitly state how information is captured by the website to determine when a customer’s cart has been abandoned (e.g., website cookies, plugins, etc). If you are using SMS in an abandoned cart, include a disclosure about this in your privacy policy. 

Example language

"The website uses cookies to help keep track of items you put into your shopping cart including when you have abandoned your cart and this information is used to determine when to send cart reminder messages via SMS."

Third-party data sharing

If your privacy policy mentions data sharing or selling to nonaffiliated third parties, there is a concern that customer data will be shared with third parties for marketing purposes. Here, third parties do not include subsidiaries and affiliates (i.e., companies under common control, as well as service providers who provide services on behalf of the customer).

Express consent is required for SMS; therefore, sharing data is prohibited. Privacy policies must specify that this data sharing excludes SMS opt-in data and consent. Privacy policies can be updated (or draft versions provided) where the practice of sharing personal data to third parties is expressly omitted from the short code program.

Example language

"The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties."

Location tracking and location-based services

If your privacy policy mentions location tracking or location-based services, it must fully describe how that data is collected and for what purpose.

Additional resources


Was this article helpful?
179 out of 241 found this helpful