You may or may not be aware of changes to the Privacy and Electronic Communications Regulation 2003 ('PECR') from 6th April 2015.
These changes are very important and affect every business contacting customers and potential customers by telephone or SMS communication that could be defined as direct marketing.
The reason for the change
To tackle non-compliant unsolicited direct marketing by electronic means, which has become prevalent in the UK, by making it easier to levy fines against non-compliant organisations or businesses that are repeat offenders.
Previously, the law required the Information Commissioner's Office ('ICO') to prove a company caused 'substantial damage or substantial distress' by their conduct before action could be taken. Following a public consultation, the Government removed this legal threshold, giving the ICO the power to intervene in more cases. This change came into effect on 6th April 2015.
A copy of the Consultation Response can be downloaded from: www.gov.uk/government/uploads
Who does it affect?
These changes directly address companies undertaking unsolicited direct marketing activities via SMS that conform to the definition of SPAM. Learn more about our anti-spam policy.
These changes do not affect any companies sending texts as notifications to end-users as part of their service parameters. However, they will affect anyone undertaking direct SMS marketing. The core requirements are:
- Data must be correctly and appropriately opted-in
- Messages must contain a clear opt-out mechanism
- Customer consent wishes must be adhered to at all times
- Companies should keep clear, accessible records of when end-users opted in and opted out
What the changes mean in practice
The removal of the 'substantial damage' threshold significantly lowered the bar for ICO enforcement. This means the ICO can now issue fines for nuisance marketing even when the impact on individual recipients might have been considered minor under the old rules.
Fines for serious breaches of PECR can reach up to £500,000. Since the changes took effect, the ICO has issued numerous fines against companies sending unsolicited marketing texts without proper consent, including several cases involving SMS messages.
For businesses using SMS legitimately — sending appointment reminders, order confirmations, or marketing to properly opted-in customers — these changes are positive. They help clean up the SMS channel by penalising the bad actors whose spam messages erode consumer trust in business texting.
What you can do to make sure you're compliant
The ICO provides a useful direct marketing checklist to ensure your messaging complies with the legislation: ICO Direct Marketing Checklist
Key compliance steps include:
- Audit your consent records — ensure you can demonstrate when and how each contact opted in to receive marketing SMS
- Review your opt-out process — recipients must be able to opt out easily, and their preferences must be actioned promptly
- Check your data sources — if you purchase contact lists, verify the data has been collected with appropriate consent for SMS marketing
- Train your staff — ensure anyone involved in marketing campaigns understands PECR requirements
- Use a compliant provider — your SMS provider should support opt-out management, consent tracking, and suppression lists as standard
GDPR and beyond
Since these PECR changes, the introduction of GDPR in 2018 has added further requirements around data processing, consent, and individual rights. Businesses sending SMS marketing must now comply with both PECR and GDPR — ensuring lawful basis for processing, maintaining records of consent, and responding to data subject access requests.
At Faretext, we take compliance seriously. Our platform includes automatic opt-out management, and our fraud prevention measures help protect both your business and your customers from misuse of the SMS channel.
Useful links
- Guide to PECR — www.ico.org.uk/guide-to-pecr/
- Direct Marketing Guide — www.ico.org.uk/direct-marketing
- GDPR Guide — ICO Guide to GDPR
Frequently asked questions
Do I need consent to send transactional SMS messages?
Transactional messages — such as order confirmations, delivery updates, and appointment reminders — are generally not classified as direct marketing under PECR. However, they must still comply with GDPR data processing requirements.
Can I use the 'soft opt-in' for SMS marketing?
Yes. PECR allows a 'soft opt-in' where you can send marketing to existing customers who gave their details during a sale or negotiation, provided you give them an opportunity to opt out at the time and in every subsequent message.
What happens if I receive a complaint from the ICO?
The ICO will typically investigate the complaint, request evidence of consent, and assess whether your marketing complied with PECR. If you can demonstrate proper consent and opt-out processes, complaints are usually resolved without enforcement action.
