SMS Marketing Rules UK: PECR, GDPR & Compliance Guide (2026)

A practical guide to SMS marketing compliance in the UK — covering PECR consent rules, GDPR obligations, opt-out requirements, ICO penalties, and how to stay on the right side of the law.

Simon

6 March 2026 · 11 min read

TL;DR — UK SMS marketing compliance

  • PECR requires opt-in consent for marketing texts — no exceptions unless soft opt-in applies
  • Soft opt-in: existing customers can be texted about similar products if you offered an opt-out at purchase
  • Every marketing SMS must include an opt-out — "Reply STOP to opt out" is the standard
  • GDPR applies to phone numbers — you need a privacy policy, lawful basis, and records of consent
  • ICO fines: up to £500,000 for PECR breaches — typical SMB fines are £10,000-100,000
  • Keep it simple: get permission, identify yourself, let people unsubscribe, and stop when they do

SMS marketing is one of the most effective channels available to UK small businesses. But unlike posting on social media or sending a newsletter, texting customers is directly regulated. The rules are clear, and the consequences for ignoring them are real.

The good news: compliance is not complicated. This guide explains exactly what you need to do — in plain English, not legal jargon — to run SMS marketing legally in the UK.

The two regulations you need to know

UK SMS marketing compliance is governed by two overlapping pieces of legislation:

PECR (Privacy and Electronic Communications Regulations)

PECR is the primary regulation for SMS marketing. It specifically covers electronic marketing messages — including texts, emails, and automated calls. The key PECR rules for SMS:

  • You must have consent before sending marketing texts
  • You must identify yourself as the sender
  • You must provide an opt-out mechanism in every message
  • You must process opt-outs without delay

PECR is enforced by the ICO (Information Commissioner's Office) and carries fines of up to £500,000.

UK GDPR (General Data Protection Regulation)

UK GDPR applies to any personal data you hold — and a phone number is personal data. GDPR requirements for SMS marketing:

  • You need a lawful basis for processing phone numbers (consent for marketing, legitimate interest for transactional)
  • You must have a privacy policy covering how you handle phone number data
  • You must respect data subject rights (access, erasure, portability)
  • You must keep records of consent and processing activities

GDPR carries fines of up to £17.5 million or 4% of global turnover — though small business fines are typically much lower.

How they work together

Think of it this way: PECR tells you when you can send a marketing text. GDPR tells you how you must handle the phone number data. You need to comply with both.

Consent is the single most important concept in SMS marketing compliance. Get it right and almost everything else falls into place.

Under PECR, valid consent for marketing SMS must be:

  • Freely given — the customer must actively choose to receive texts, not be tricked or pressured into it
  • Specific — the consent must specifically cover SMS marketing, not be buried in general terms and conditions
  • Informed — the customer must know what they are signing up for (who will text them, what about, how often)
  • Unambiguous — a clear affirmative action like ticking an unticked checkbox, submitting a sign-up form, or texting a keyword

The following do not count as valid consent:

  • Pre-ticked checkboxes — a checkbox that is already ticked when the form loads does not count as consent
  • Silence or inactivity — "If you don't reply, we'll assume you want to receive texts" is not valid
  • Bundled consent — "By using our service, you agree to receive marketing messages" buried in T&Cs does not count
  • Verbal consent without records — you may have asked, but if you cannot prove it, you do not have consent
  • Having someone's phone number — just because a customer gave you their number for one purpose (e.g. a delivery) does not mean you can use it for marketing

The soft opt-in exception

There is one important exception to the explicit consent rule. The "soft opt-in" allows you to send marketing texts to existing customers without fresh consent, if all three conditions are met:

  1. You collected their number during a sale or negotiation — the customer gave you their phone number as part of buying something or enquiring about buying something
  2. You are marketing similar products or services — you can only promote products similar to what they originally bought or enquired about
  3. You gave them a simple way to opt out — both at the point you collected their number and in every subsequent message

Example: A salon collects a customer's phone number when they book a haircut. The salon can later text that customer about haircut offers, styling products, or new services — because these are similar to what they originally bought. But they could not text about a completely unrelated service without separate consent.

Important: The soft opt-in does not apply to prospective customers who have never bought from you. For prospects, you need explicit consent.

Practical methods for collecting SMS marketing consent:

Website form: A dedicated sign-up form with clear language: "Sign up for exclusive offers by text. We'll send you 2-3 messages per month. You can opt out at any time by replying STOP."

Checkout/booking opt-in: An unticked checkbox during purchase: "Yes, send me offers and updates by text." Do not pre-tick it.

In-store: A sign-up sheet or tablet with: "Join our text list for exclusive offers. We'll text you [frequency]. Opt out any time."

Keyword opt-in: "Text JOIN to [your number] to receive offers." The act of texting the keyword is the consent.

For all methods, record:

  • When the customer opted in (date and time)
  • How they opted in (which form, which page, in-store, keyword)
  • What they were told they would receive
  • Any preference information they provided

Keep these records. If the ICO investigates, you need to demonstrate that you had valid consent for every person you texted.

Opt-out requirements

Every marketing SMS must include a way for the recipient to unsubscribe. This is non-negotiable under PECR.

Standard opt-out language

The most common approach is: "Reply STOP to opt out" or "Reply STOP to unsubscribe."

Other acceptable variations:

  • "Text STOP to [number] to unsubscribe"
  • "To stop receiving texts, reply STOP"
  • "Opt out: reply STOP"

Processing opt-outs

When someone opts out, you must:

  • Stop sending marketing texts immediately — there is no grace period
  • Confirm the opt-out (optional but good practice) — "You've been unsubscribed. You won't receive marketing texts from us."
  • Keep a suppression list — maintain a record of opted-out numbers so you do not accidentally re-add them later
  • Do not make it difficult — requiring someone to call, email, or visit a website to opt out is not acceptable if your initial opt-out instruction was "reply STOP"

With Line, STOP replies are processed automatically — the contact is removed from marketing sends without manual intervention.

Can you still send transactional messages after opt-out?

This is a grey area. If a customer opts out of marketing texts but still has an appointment booked with you, most guidance suggests you can still send a transactional appointment reminder (under legitimate interest). However, best practice is to respect the customer's communication preference and consider alternative channels (email, phone call) for transactional messages after an opt-out.

Sender identification

Under PECR, you must not conceal your identity when sending marketing messages. For SMS, this means:

  • Use a real, identifiable phone number — not an anonymous or withheld number
  • Or use a recognisable sender name — though alphanumeric sender IDs prevent recipients from replying

Using a real UK business number (as Line provides) satisfies this requirement and has the added benefit of allowing two-way conversations.

Privacy policy requirements

Under UK GDPR, you need a privacy policy that covers SMS. Your privacy policy should include:

  • What data you collect — phone numbers, names, consent records
  • Why you collect it — to send marketing messages, appointment reminders, etc.
  • Your lawful basis — consent (for marketing), legitimate interest (for transactional)
  • How long you keep data — specify a retention period for phone numbers and consent records
  • Who you share data with — if you use a third-party SMS platform (like Line), mention it
  • Data subject rights — how customers can access, correct, or delete their data
  • How to complain — include ICO contact details

You do not need a 20-page legal document. A clear, concise privacy policy that covers these points is sufficient.

Transactional vs marketing messages

The distinction between transactional and marketing messages matters for compliance, because they have different consent requirements.

Transactional messages are those that are necessary for a service the customer has requested:

  • Appointment confirmations and reminders
  • Order confirmations and delivery updates
  • Password resets and security notifications
  • Payment confirmations and receipts

These can be sent under legitimate interest without explicit marketing consent, provided the customer reasonably expects to receive them.

Marketing messages are those that promote products, services, or offers:

  • Flash sales and discount codes
  • New product announcements
  • Loyalty offers and rewards
  • Re-engagement campaigns
  • Event invitations (promotional)

These require explicit opt-in consent (or soft opt-in for existing customers).

The hybrid danger zone

Adding a promotional element to a transactional message turns it into a marketing message. Examples:

  • "Your appointment is tomorrow at 10am" = transactional
  • "Your appointment is tomorrow at 10am. P.S. 20% off your next booking!" = marketing
  • "Your order has shipped" = transactional
  • "Your order has shipped. Check out our new range: [link]" = marketing

If you want to combine transactional and marketing content, you need marketing consent.

ICO enforcement: what happens if you break the rules

The ICO actively enforces PECR for SMS marketing. Recent enforcement actions include fines for:

  • Sending marketing texts without consent
  • Failing to process opt-out requests
  • Buying contact lists and texting them
  • Not identifying the sender
  • Making false or misleading claims in texts

Typical penalties

| Severity | Fine range | Example |
|----------|------------|---------|
| Minor | Warning or reprimand | First-time breach, small number of messages, quick correction |
| Moderate | £10,000-50,000 | Sending to purchased lists, ignoring opt-outs, repeated complaints |
| Serious | £50,000-500,000 | Large-scale unsolicited messaging, deliberate non-compliance, vulnerable recipients |

Beyond fines, the ICO can issue enforcement notices requiring you to stop processing data — effectively shutting down your SMS marketing.

Carrier-level consequences

Even without ICO involvement, mobile carriers monitor for spam. If your number generates complaints, carriers can:

  • Block your number — messages stop being delivered entirely
  • Filter your messages — texts are silently dropped or delayed
  • Blacklist your sender — making it difficult to get a new number approved

Using a legitimate platform like Line and following the rules protects your sender reputation.

Compliance checklist

Use this checklist before launching any SMS marketing campaign:

  • Consent: Do all recipients have valid opt-in consent (or qualify under soft opt-in)?
  • Opt-out: Does the message include "Reply STOP to opt out" or equivalent?
  • Sender ID: Are you sending from a real, identifiable UK number?
  • Content: Is the message accurate and not misleading?
  • Timing: Are you sending at a reasonable time (9am-8pm)?
  • Privacy policy: Does your privacy policy cover SMS marketing?
  • Records: Do you have records of when and how each contact opted in?
  • Suppression list: Have you checked against your opt-out/suppression list?
  • Data handling: Is your SMS platform compliant with UK GDPR?

If you can tick every box, you are compliant.

How Line helps with compliance

Line is designed with UK compliance in mind:

  • Real UK numbers — satisfies sender identification requirements. Customers can see, save, and reply to your number.
  • Automatic opt-out processing — when someone replies STOP, they are automatically unsubscribed from marketing sends. No manual work.
  • Conversation history — every message is logged in your shared inbox, providing a clear audit trail.
  • Contact management — manage your subscriber list, groups, and suppression list in one place.
  • No purchased lists — Line's terms prohibit sending to purchased or scraped contact lists.

Compliance does not need to be complicated. Follow the rules, use a platform that supports them, and focus on sending texts that your customers actually want to receive.
