A guide to global SMS compliance laws

Did you know that in France, businesses can’t send SMS messages on Sundays? And that in Malaysia, the message header must clarify that recipients won’t be charged for receiving it?

When sending SMS to customers, staying compliant is crucial, but it’s not straightforward. Each country and state may have its own laws, and mobile carriers add another layer of complexity. While achieving 100% compliance might seem impossible, the risks of non-compliance—blocked messages, reputational damage, lost business, and fines—are too significant to ignore.

To help you stay informed, we’ll start this guide by summarizing the most common aspects of A2P SMS compliance globally, and then move on to specific regions.

Please note: This content is provided for information purposes only and should not be relied on as legal or compliance advice.

A summary of global SMS rules

• Opt-in (and out): In most countries you can only send SMS messages to customers that have opted-in to receiving them. Beware that that the definition of ‘opt-in’ has matured and usually has to be explicit, usually through a sign-up form or by sending a keyword. Implied opt-in because a customer bought a product or service and forgot to uncheck a tick-box is no longer acceptable. Opt-out allows customers to stop receiving messages by following a simple process, such as replying ‘STOP’.”
• Sender ID: A Sender ID refers to the name of the sender in the recipient’s inbox. In some markets, you can use alphanumeric senders, meaning that you can send SMS messages using your own brand name rather than a number your customers don’t recognize. However, this option is not available everywhere, and you might need to pre-register your Sender ID due to rules that prevent duplication and SMS fraud.
• Message content: Most countries differentiate between transactional and marketing messages and apply different restrictions. A delivery notification or a weather alert would be classed as transactional, while any promotional or sales message would come under marketing. Even in regions where marketing messages are allowed, there are usually additional restrictions on content related to gambling, drugs and alcohol, adult-themed products, and both political and religious topics.
• Message length: It is commonly accepted that 160 characters is the limit for SMS messages, but this can be less in some countries. It is up to individual carriers in each country whether to support truncation (concatenated messages). Be warned that some carriers will only send the first 160 characters, with the rest being discarded.
• Sending time: In many countries, you are only allowed to message customers between certain hours, such as 8am and 8pm, and sometimes not at all on certain days, for example on Sundays in France.
• ‘Do not contact’ registries: In many countries, consumers can opt out of receiving business communications by signing up to do-not-contact or do-not-disturb registries. If you ignore this, you run the risk of service suspensions or fines.

Next, we will provide you with a summary of the rules in each region. For information on specific countries please have a look at our SMS coverage and connectivity guide with details on just about every country in the world.

SMS regulations in the US

These are the most important elements of SMS compliance in the United States.

• Registration required: In the US all messaging programs must be registered. Unregistered traffic is not allowed. Businesses must register their messaging programs with mobile carriers to ensure compliance with legal and carrier-specific guidelines. This process includes providing information about the type of messages being sent and ensuring adherence to opt-in rules.
• Content restrictions: Certain types of content, such as gambling, drugs, alcohol, firearms, and adult content, are prohibited from being promoted. Promotion of some financial products, such as certain loans, debt relief, and credit repair, is also prohibited. Lead-generation campaigns that involve sharing collected information with third parties are also disallowed.
• Opt-in requirement: Both marketing and transactional messaging are allowed, but only to subscribers who have opted to receive them.
• Two-way messaging: All commercial text messages must be two-way, which enables customers to opt out of receiving further messages and obtain support by texting “HELP”.
• Multiple sender types: In the US businesses can use short codes or 10-digit long codes (10 DLCs).
• Legislation: The key legislation covering SMS messaging in the US is the Telephone Consumer Protection Act (TCPA). The Cellular Telecommunications Industry Association (CTIA), a trade group representing wireless carriers and others in the telecom industry, lays out additional guidelines for SMS marketing in its Short Code Monitoring Handbook. Also, each individual carrier network is privately owned and operated, and as such, they reserve the right to approve, reject, question, or disable any campaign on their network. Some carriers have their own individual Code of Conduct.
• The Federal Communications Commission (FCC) plays an active role in regulating SMS in the United States and reports directly to Congress. The FCC adopts rules and regulations to address issues related to SMS, such as requiring providers to maintain a point of contact for reporting erroneously blocked texts and proposing measures to extend the National Do-Not-Call Registry’s protections to text messages. The FCC also enforces compliance with these regulations to ensure that consumers are protected from fraudulent and unwanted text messages.

SMS compliance checklist for the US

Before diving into the specific steps, it’s crucial to understand the distinction between legal requirements and carrier guidelines in the United States.

• The TCPA sets the legal framework, prohibiting the sending of unsolicited text messages (SMS) to consumers without their consent. Non-compliance can lead to hefty class-action lawsuits and fines of up to $1500 per text.
• CTIA guidelines are carrier-specific rules that further protect consumers. Adhering to them is essential to avoid fines, maintain a positive reputation and ensure uninterrupted sending capabilities.

With that explained, here are the steps you need to take to keep your SMS program compliant in the US:

Additional information about SMS compliance in the US

The following is a summary of a 45-minute live session we at Infobip organized for marketing platforms and agencies on the topic of SMS and MMS compliance. A panel of mobile messaging experts answered the questions.

1. Shared short codes no longer allowed

Shared short codes are no longer permitted in the US. Each brand must have a dedicated short code. If another customer wants to use your messaging services, obtain a new source (dedicated short code, 10DLC, or text-enabled toll-free number) for their messaging.

Even if your front-end customer is the sole user of a short code, it may still be considered shared if they share it with other brands or clients. All messaging on a short code must be controlled by a single entity and dedicated to a specific brand.

2. Why we insist on CTA compliance

The CTIA (Cellular Telecommunications Industry Association) established CTA guidelines agreed upon by all mobile carriers. Specific elements within a CTA ensure best practices and transparency and inform subscribers about what they’re signing up for.

To get your campaign approved as Infobip’s customer, including all necessary elements in your CTA is crucial. We adhere to contractual agreements with mobile carriers, ensuring compliance with their code of conduct.

3. Third-party data sharing is strictly prohibited

Lead generation and affiliate marketing campaigns are prohibited as they involve third-party data sharing and can lead to spam. This also applies to customer requests to use 10DLC numbers for collecting opt-in and forwarding to lead generation agencies.

4. Requirements for specific use cases

Donation campaigns: These have additional requirements and must conform to the CTIA Messaging Principles and Best Practices.

Abandoned cart reminders: Carriers have specific requirements for abandoned cart reminders to protect consumers. You must ensure the program name explicitly states that customers are signing up for cart reminders (not just generic marketing alerts). Also, keep in mind:

• Cart reminders need to be mentioned in your T&C.
• Program name, description, T&C, and cart reminders should align.
• You should use a double opt-in process for added security.
• You should explain how information is captured (e.g. via cookies or webhooks) in the privacy policy.

Missing information may lead to campaign rejection.

Fraud alerts: There is a TCPA exception for fraud alerts with an implied opt-in, but you must remember that approval is at the carrier’s discretion and that there are additional requirements.

CBD messaging: CBD is not federally legal. Any messaging must meet federal laws. Just because many states have legalized cannabis, it is not legal at the federal level, so the carrier networks have disallowed this messaging content.

You can find more info about messaging use cases in the US here.

5. TCPA compliance does not guarantee approval

TCPA requirements are the bare minimum requirement. Programs must also meet CTIA and carrier guidelines and ultimately the carriers are privately owned and operated networks and can approve/deny any program.

6. Why stop menus are no longer used

Stop menus are only necessary when a short code is being shared but shared short codes are no longer permitted. If a customer requests to opt-out of a short code program, then they must be completely removed from receiving messages from the short code. No further message can be sent unless another opt-in occurs. This includes short codes with multiple use cases for the same brand.

SMS regulations in Europe

There are 27 countries in the European Union and a further 3 countries in the European Economic Area (EEA) that are also covered by European rules that apply to privacy and electronic communication (Norway, Lichtenstein, and Iceland).

GDPR is the mostly widely recognized Europe-wide legislation, but there are others like the E-privacy Directive. The GDPR protects consumer data privacy, requiring explicit consent for data use, while the E-privacy Directive focuses specifically on electronic communications, including SMS, ensuring messages are sent legally and ethically.

There are also specific regulations in individual countries. For example, some EU countries allow one-way commercial SMS messages to be sent, and others do not.

On the whole however, SMS regulations in Europe are some of the tightest and strictly enforced in the world, especially when it comes to opt-in and crucially opt-out.

• Consumers must explicitly opt-in to receive marketing communication – it must be clear and unambiguous, and all the information required for them to understand what they are signing up for must be easily available, for example via a link to the company’s privacy policy.
• All marketing messages sent from a business, including SMS, must include a simple and free method of opting out, for example replying with the text STOP. Removing consent has to be as easy as granting it in the first place.

GDPR is definitely not toothless legislation. Just ask British Airways who were fined £20 million after the personal data of over 400,000 customers was stolen by hackers. Hotel chain Marriott International took an even bigger hit of nearly £100 million when it had to pay compensation to millions of people whose private data was stolen from the organization.

While fines for not complying with SMS regulations are nowhere as high, they are still significant enough that businesses have to be very careful to not break any rules.

SMS regulations in APAC (Asia-Pacific)

The Asia-Pacific region is the largest SMS market in the world. In the list of countries with the most active mobile phone users, the top three spots are occupied by APAC nations: China, India, and Indonesia. Have a more detailed look into the regulations for the most significant APAC markets below:

China

In China, the following types of marketing/promotional messages are strictly prohibited: real estate, stocks, loans, investment banking, education, immigration, politics, adult supplies, pornography, violence, gambling, and other illegal information.

Business SMS messaging is restricted to long codes, which are are standard phone numbers used for business messaging, offering a recognizable format for recipients and ensuring compliance with local regulations.

To send SMS messages, businesses need to register message templates and a business license, along with company details:

• Official website
• Company (entity) name
• Type of traffic
• Message content
• Sender name and signature

Learn more about SMS registration and guidelines for China here.

India

To send commercial SMS in India, businesses must register with telecom authorities or service providers using Distributed Ledger Technology (DLT).

DLT uses blockchain technology to stop unsolicited communication. In short, it synchronizes mobile subscriber data who opted for Do Not Disturb (DND) services with all Mobile Network Operators (MNOs). It is used keep a record of every SMS sent, specifying the business sending the SMS, the actual sender name displayed, the main content of the SMS, and the nature of the consent that the SMS recipient has agreed to.

When registering on a DLT platform, you will need to provide the business’s name along with the templates (messages that will be sent), headers (Sender IDs), and consent templates.

Clickable links in SMS messages

There have been recent updates regarding clickable links in SMS messages in India.

Under the new regulations, any clickable links in SMS messages, such as URLs, short links, or CTAs (Call-to-Action links), must now be whitelisted on the DLT (Distributed Ledger Technology) platform.

If a message contains a link that has not been whitelisted, it will fail the DLT scrubbing process and will not be delivered to the recipient.

Example: If your SMS includes a link like: https://www.xyz.com/, you must whitelist it in advance on the DLT platform. Without this, the message will not pass regulatory checks and will fail delivery.

Content restrictions

• Window for sending promotional messages: between 10 AM and 9 PM.
• Gambling and cryptocurrency messages are forbidden.

You can learn more about the process of registering an SMS sender in India here.

Indonesia

These are the most important aspects of SMS compliance in Indonesia:

• Gambling, religious, adult, and racial content is prohibited.
• It is mandatory to register a sender with Indonesian network operators.
• To register a sender, you must provide a Letter of Authorization (LOA).
• Different requirements apply for local and international senders.
• Sender name should not exceed 11 characters (including spaces and punctuation).
• You can only register one sender ID per company. For multiple IDs, you need to provide a statement.
• Only alphanumeric sender IDs are allowed. You must use brand-related sender IDs; generic senders are not allowed.

You can learn more about SMS guidelines for Indonesia here.

Australia

No adult, religious, or political content is allowed when sending SMS to customers in Australia. There are certain restrictions regarding gambling:

• Anyone providing a regulated interactive gambling service in Australia must hold a license under Australian State or Territory laws.
• Gambling promotional messaging is strictly prohibited for new users unless the user specifically opts in with the gambling company before the actual SMS termination.
• Inducing new or existing users to gamble is prohibited in the message content.
• Opt-in/opt-out is required for all promotional or transactional gambling messages.
• Online sports betting is legal through licensed operators, with numerous additional restrictions.

You can use an alphanumeric sender ID, a virtual long number, or a short code. To register as a business sender, you must provide a Letter of Authorization (LOA). You can learn more about SMS guidelines for Australia here.

SMS regulations in MENA (Middle East & Northern Africa)

Our latest Messaging Trends report shows an increasing demand for SMS and CPaaS solutions due to a wider adoption of CRM systems across industries, investments in customer experience, and growing cybersecurity demands.

Here is an overview of SMS regulations in some of the largest markets in MENA.

Saudi Arabia

Saudi Arabia is a highly regulated country in terms of SMS. Here are the most important aspects to consider:

• A2P SMS traffic is categorized into local and international traffic (by origin), and transactional and promotional (by type).
• Your company must have a local presence and provide relevant documentation for local SMS termination.
• Alphanumeric senders are allowed.
• Gambling, betting, Spam, loan traffic, crypto, Forex, and adult content are likely to be blocked by Saudi Arabian operators.
• URL shorteners (e.g., bit.ly, goo.gl) are strictly forbidden. Other URLs in message content need to be safelisted beforehand.
• Promotional traffic can only be sent between 8 AM and 10 PM local KSA time zone.
• When sending promotional traffic, companies should add a suffix “-AD” to the sender name.

Morocco

In Morocco, A2P SMS traffic is categorized into local and international (by origin), and sender registration is mandatory for both types, with proper documentation.

Sender IDs must adhere to the following rules:

• Maximum length: 11 characters
• Generic senders, special characters, spaces, and numbers are not allowed

Two-way messaging is available for local traffic only, meaning that recipients can only respond to messages sent by businesses located within Morocco.

Promotional (marketing) traffic is allowed only between 10 AM and 8 PM local time. This corresponds to 9:00 to 19:00 UTC.

There are no specific content restrictions.

Algeria

In Algeria, you can use a dynamic alphanumeric sender. However, numeric senders might get blocked on some networks. Two-way SMS is currently unavailable.

These are the only restrictions for A2P messaging:

• Gambling traffic is forbidden.
• Traffic with illegal, adult, religious, and political content is prohibited and will be blocked.

SMS regulations in LATAM (Latin America)

Here is a summary of the most important aspects of SMS compliance in the some of the biggest LATAM markets:

Brazil

• Dedicated and shared short codes allowed: Short codes are commonly used for SMS communication in Brazil. Both dedicated and shared short codes are allowed, but it’s crucial to comply with local regulations and obtain the necessary approvals.
• Alphanumeric sender IDs allowed only for local customers: Alphanumeric sender IDs are only allowed for local companies that have a local presence in Brazil. When using alphanumeric sender IDs, we advise our customers to consult with their dedicated Account Manager, who can provide guidance on the specific requirements and restrictions.
• Virtual Long Numbers are not allowed: Virtual Long Numbers (VLNs) are prohibited for SMS messaging in Brazil. If you plan to use long numbers, ensure they are physical and comply with local regulations.
• Messages with bank and MNO names need authorization: Messages containing references to banks or mobile network operators (MNOs) must be authorized by the respective companies. Unauthorized use of their names may lead to compliance issues.
• Political and gambling content not allowed: SMS messages related to political campaigns or gambling activities are prohibited.
• Marketing messages require opt-in: You need to obtain explicit opt-in consent before sending marketing messages.
• Opt-out (unsubscribe) is mandatory: You need to include an opt-out option in your SMS messages, allowing recipients to unsubscribe easily.
• DND (Do Not Disturb) registry available: A DND registry is available in Brazil. However, end-users must explicitly request it. You must respect their preferences and avoid sending messages during restricted hours.
• Messaging time windows: Messages can be sent between 8 AM and 8 PM on workdays (Monday to Friday), and from 8 AM to 2 PM on Saturdays. No SMS messages are allowed on Sundays.
• Keywords recommended for MO (Mobile Originated) messages: When setting up MO messages, use specific keywords to ensure that the right customer receives the message. Generic keywords may lead to misdirected messages.

Colombia

• Short codes allowed (shared or dedicated): Short Codes (shared or dedicated) are allowed for sending SMS notifications (transactional, marketing, debt collectors, etc.).
• Virtual Long Numbers not allowed: Virtual Long Numbers (VLNs) are prohibited for SMS messaging in Colombia.
• Opt-in required: You need to collect explicit opt-ins from end users before sending any messages.
• Restrictions for debt collectors and marketing content: The CRC (Telecommunications Regulator) imposes restrictions on debt collectors and marketing content. These types of messages are allowed only between 8:00 AM and 9:00 PM.
• Restrictions for political content: You must have opt-ins to send political content. Every political message must contain a Spanish version of the text “paid political ad.”
• NLI not supported: NLI (Non-Latin Identifiers) are not supported.
• Short codes must be active: If short codes are not being used, the regulator may remove them. Ensure that your short codes remain active and relevant.

How to ensure SMS compliance globally

To summarize, there are some best practices that are common across most global regions that you should follow to ensure SMS compliance:

• Obtain clear consent: Always get explicit consent from customers before sending text messages.
• Send appropriate content: Check and respect the legal restrictions in the country regarding message content.
• Respect time windows: Send texts at appropriate times and avoid spamming.
• Register your sender: Use a verified business sender for messaging, according to country-specific regulations.
• Ensure an opt-out mechanism: Provide an easy way for subscribers to opt out of receiving further messages.

Maintaining SMS compliance across countries can pose quite a challenge. There is little doubt that to succeed, you will need the help of an experienced and proven enterprise SMS provider.

We would love to help. We have years of hard-won experience in global SMS delivery and compliance capability is actually built into our platform. And we certainly know our rules – we have staff on the ground on every continent keeping on top of local legislation and maintaining relationships with the biggest network of providers of any SMS supplier.

The end result? Our customers remain compliant in every territory and get the best possible delivery rates.