SMS marketing and GDPR: consent, opt-out and campaigns without fines

Direct marketing by SMS requires the recipient's consent — under GDPR and telecom law. Consent must be freely given (not forced as a condition of service), specific (the recipient knows what they agree to and who the sender is) and unambiguous (an active action, not a pre-ticked box). Crucially, you must be able to prove consent: record when, how and to what wording the user agreed.

The most common mistake is one "consent to everything". Separate channels (SMS, email, phone) and purposes (own marketing vs partners) into distinct, optional checkboxes. Do not block sign-up or checkout with a marketing consent — that makes it non-voluntary and therefore invalid. Paradoxically, separated optional consents give a higher-quality base: the people who stay actually want your SMS.

Every marketing campaign must allow easy opt-out. The standard is the word STOP — the recipient replies and is unsubscribed. Our SMS marketing module recognizes STOP automatically, records the opt-out and maintains the suppression list so you never message them again. Ignoring opt-out is one of the most-fined violations, so automating it is a necessity, not a convenience.

An alphanumeric Sender ID (your brand name instead of a number) raises trust and open rate, and clearly states who the sender is — supporting the "specific" requirement of consent. It needs a one-time verification that prevents brand impersonation. As a UKE-registered carrier, ACTIO handles it. More in our Sender ID guide.

GDPR is not only about consent — it is also data minimization and security. Keep numbers only as long as you need them, and only for purposes you have a basis for. We process data exclusively on EU servers, under a processing agreement, and keep technical SMS logs to a limited, lawful extent. The rules are in our privacy policy — a ready argument for your client's legal team.