The Information Commissioner's Office (ICO) has issued millions of pounds in fines to businesses that sent SMS messages without proper consent. Understanding UK GDPR and PECR requirements isn't optional — it's essential for any business using SMS marketing or automated text messaging.
The Legal Framework
SMS marketing in the UK is governed by two overlapping regulations:
- UK GDPR: Governs how you collect, store, and process personal data (including phone numbers)
- PECR (Privacy and Electronic Communications Regulations): Specifically governs electronic marketing, including SMS. PECR requires explicit opt-in consent before you send marketing messages
The distinction matters. Even if you have a GDPR-compliant reason to hold someone's phone number (e.g., for order fulfilment), you cannot use that number for marketing without separate PECR consent.
What Counts as Consent?
Under PECR, valid consent for SMS marketing must be:
- Freely given: Not buried in general terms and conditions
- Specific: The person must know they're agreeing to receive SMS marketing specifically
- Informed: They must know who will be messaging them and what about
- Unambiguous: Pre-ticked boxes don't count. The person must take a positive action to opt in
Recent ICO Enforcement Actions
The ICO has been increasingly active in penalising SMS marketing violations:
- £200,000 fine to a company that sent 2.7 million unsolicited marketing texts without valid consent
- £170,000 fine for a business that purchased phone number lists and sent marketing SMS without opt-in
- £100,000 fine to a firm that failed to properly record and store consent evidence
- Multiple enforcement notices against companies that made it difficult for recipients to opt out
The pattern is clear: the ICO targets businesses that send high volumes of unsolicited messages, use purchased contact lists, or fail to honour opt-out requests.
How to Stay Compliant
Before You Send
- Collect explicit opt-in consent — a separate checkbox or action specifically for SMS marketing
- Record when and how consent was given — you need to prove it if challenged
- Never buy phone number lists — purchased lists almost never include valid PECR consent
- State your identity clearly — recipients must know who is messaging them
In Every Message
- Include an opt-out mechanism — typically "Reply STOP to unsubscribe"
- Honour opt-outs immediately — process STOP requests within 24 hours at most
- Don't re-add opted-out numbers — maintain a suppression list
The Soft Opt-In Exception
PECR includes one important exception: the "soft opt-in". You can send marketing SMS to existing customers who:
- Gave you their number during a sale or negotiation
- The messages relate to similar products or services
- Were given the chance to opt out when their number was collected
- Are offered an opt-out in every message
This exception is useful but narrow — it doesn't cover prospects, leads, or contacts from third-party sources.
How Faretext Helps With Compliance
Faretext provides tools and guidance to help you stay on the right side of ICO regulations:
- Automatic STOP handling: Our platform processes opt-out keywords automatically
- Suppression list management: Opted-out numbers are blocked from future campaigns
- Consent guidance: Our team advises on compliant opt-in wording and processes
- Audit trails: Message logs provide evidence of consent and opt-out handling
Read our anti-spam policy or connect with us to discuss compliant SMS marketing.
Sources: ICO — Enforcement Actions · ICO — Direct Marketing Guidance (PECR)
