SMS Regulations That Your Business Should Be Aware Of

An overview of GDPR, TCPA, PIPEDA, and why it’s important to stay SMS compliant.

Risa Takenaka
Telnyx
Jul 13, 2020

Fun fact of the day: Did you know that 6 billion text messages are sent each day worldwide?

In our digital world — especially now with the COVID-19 pandemic where previously face-to-face interactions have become digitized — the odds that you have contributed to this daily text count are pretty high.

In recent years, the go-to mode for personal communication has shifted dramatically from email and phone calls to short message service (SMS), better known as text. So, it’s no surprise that businesses have also followed this transition to engage with their customers via SMS — in fact, business-to-consumer (B2C) text marketing grew by 92% from 2015 to 2017.

Here are some key factors that play into the mass adoption of SMS:

1. SMS has higher engagement rates than email

Are you more likely to pay attention to an SMS than to a phone call or email? Well, it looks like you’re not alone.

A marketing study conducted by Cellit — where 1,180 campaigns by national retailers were analyzed in their use of SMS to grow databases, retain subscriber loyalty, and drive sales — found that SMS produced engagement rates 6 to 8 times higher than the standard for email marketing. Email open rates lie around 20%, whereas SMS open rates are 98%; furthermore, 95% of all text messages are read within 90 seconds.

These stats are attributed to the fact that text messages tend to be concise and to the point and that people see texts sooner because they show up immediately on mobile phone screens.

2. SMS Offers Versatile Use Cases Across Industries

When it comes to SMS usage, there’s no one way to use it to drive value for your business. Here’s how some industries are leveraging SMS to their advantage:

Health Care Companies are using SMS for HIPAA-compliant communication to promote personalized care for patients.

Insurance Companies are using SMS to quickly receive information from customers about accidents to expedite the claims process.

Political Organizations are using SMS to reach thousands of voters with personalized messages, political resources and friendly event reminders to increase civic engagement.

Other SMS use cases include:

  • Enhanced Customer Support
  • Sales Acceleration
  • Customer Engagement
  • Ticketing
  • Notifications and Alerts
  • Two-Factor Authentication

3. The Ease of Scaling SMS

Last but not least, the ease of deploying thousands of messages quickly makes SMS a practical solution, especially as your business needs grow. This has become even easier with the rise of application-to-person (A2P) SMS, which automates the process of sending messages locally and globally to mobile subscribers.

_________________________________________________________________

All of these factors have contributed to massive growth in the B2C SMS space; with all things considered, it’s not difficult to see why SMS seems to be a clear winner for many businesses as a favorable mode of communication.

But with so many upsides, what’s the catch?

That’s a great question and one that your business absolutely should be asking.

In response to so many businesses using SMS, regulators have created legislation to protect consumers from unwanted messages and calls. In addition, since phone numbers are considered personally identifiable information (PII), consumer data protection laws are enforced to protect consumer information from breaches and to place limits on how businesses can use and store this data. These laws are important, especially in the wake of recent events involving Facebook and other big names using consumer data in ethically questionable ways.

Violating these regulations also comes with a pricey consequence — in 2019, the average Telephone Consumer Protection Act (TCPA) lawsuit cost businesses $6.4 million, and Rack Room Shoes recently paid $25.97 million for sending non-compliant text messages to customers. These fines can quickly rack up, resulting in massive payouts or even bankruptcy.

Stakes are high, both from an ethical and financial perspective, and it’s important for your business to stay informed about these three key sets of data protection laws in the EU, US and Canada:

1. GDPR

The General Data Protection Regulation, or GDPR, is the European Union’s set of consumer data protection laws. Fines are based on business revenue and can be up to 20 million Euros or 4% of a business’s global revenue.

The GDPR is one of the strictest sets of data protection laws and has three core principles: consumer consent, opt-out information and customer data management.

Consumer Consent — Customer permission, preferably provided in writing, is necessary before you can contact them through any channel.

Opt-Out Information — You must include opt-out links or keywords in every piece of communication.

Customer Data Management — Sharing data with third parties and other companies is prohibited, unless consent has been given by the customer beforehand.

While data encryption is not explicitly required, it’s a best practice because businesses can be held liable in the event of a data breach if measures weren’t taken to protect consumer data.

2. TCPA / CTIA

The Telephone Consumer Protection Act (TCPA) is enforced by the Federal Communications Commission, and it’s the U.S. equivalent of the GDPR. The Cellular Telecommunications Industry Association (CTIA) isn’t an enforcement agency but gives guidance for businesses using SMS.

Each non-compliant call or text message counts as a violation, and fines can cost anywhere from $500 to $1500 per violation. Furthermore, class action lawsuits can be filed under the TCPA, so businesses can be fined for multiple violations for every customer that may have been affected.

The main points of the TCPA are customer permission and identifying automated communication.

Customer Permission — Similar to the GDPR, the TCPA states that you must receive permission from customers before contacting them, and primarily emphasizes SMS, calls, and email.

Identify Automated Communication — It’s required that you tell customers if you are contacting them through an automated system, so this must be specified when collecting consent.

3. PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the set of consumer data protection laws enforced by the Office of the Privacy Commissioner of Canada. Although similar to the GDPR and TCPA, PIPEDA has some unique requirements including identifying purposes and limiting collection and use.

Identifying Purposes — You must receive consent before contacting customers, and you must also explicitly explain why you’re asking for a phone number or email address.

Limiting Collection and Use — You can only collect and store customer information necessary for a specific purpose.

_________________________________________________________________

These data protection laws are not comprehensive, and you should always check your local legislation regarding data privacy. However, staying compliant with these guidelines greatly improves your chances of not violating other regulations.

If you’re looking to learn more about how to protect your business by staying compliant with SMS regulations, be sure to check out Telnyx’s eBook, Your Complete Guide to SMS Regulations. Inside, you’ll find extensive information including:

  • A deeper look into opt-in and opt-out messages
  • How to send messages that meet regulation
  • Using automated consent forms and data validation
  • What to look for in an SMS carrier

Questions about using the Telnyx platform for compliant SMS? Talk to us!
