SMS Marketing Guide

SMS Compliance for E-commerce (TCPA & GDPR)

A plain-English guide to the rules that govern marketing texts — TCPA in the US, GDPR and PECR in the EU and UK — covering consent, opt-out, quiet hours, and record-keeping, with a pre-send checklist you can actually use.

Start Free Trial
No credit card required
·
Try for Free

By The CartBoss team · Updated July 15, 2026

This guide is general information, not legal advice. SMS rules differ by country and industry and change over time. Confirm your own obligations with a qualified attorney or your national data protection authority before you rely on anything here.
SMS compliance for e-commerce — TCPA and GDPR

Is SMS marketing legal?

SMS marketing is legal when you have proper consent. In the US, the TCPA requires prior express written consent for promotional texts. In the EU and UK, GDPR and PECR require a lawful basis — usually explicit opt-in. Every message must identify the sender and offer an easy opt-out.

Compliance isn't a legal footnote bolted onto SMS marketing — it's the thing that keeps the channel working at all. Get consent right and your list stays clean, your delivery stays high, and your legal exposure stays low. Get it wrong and you risk carrier filtering, spam complaints, opt-out spikes, and — in the US especially — lawsuits. This guide walks the rules that matter for an online store: the US framework (TCPA), the EU and UK framework (GDPR and PECR), what counts as valid consent, and how to handle opt-outs and records. It's organized so you can read the region you sell into and skip the rest.

TCPA essentials (US)

The TCPA governs marketing texts to US numbers and requires prior express written consent. You need a signed, written agreement authorizing promotional SMS to a specific number — not a condition of purchase. Send only within quiet hours, 8 a.m. to 9 p.m. in the recipient's local time, and honor every opt-out.

The Telephone Consumer Protection Act (TCPA) is the US federal law behind most SMS marketing rules, implemented through the Federal Communications Commission's regulations (47 C.F.R. § 64.1200). For promotional texts it demands prior express written consent: a clear, written agreement — an electronic signature is fine — in which the recipient specifically agrees to receive marketing messages at a given number, after a conspicuous disclosure, and without being forced to consent as a condition of buying anything.

Two more TCPA mechanics matter for e-commerce. First, timing: marketing messages should only go out during permitted hours, generally 8 a.m. to 9 p.m. in the recipient's local time zone — which means sending by their location, not yours. Second, enforcement. The TCPA is enforced both by the FCC and, notably, through a private right of action: individuals can sue, and class actions are common. Statutory damages run to $500 per violating message, rising to as much as $1,500 for willful or knowing violations (47 U.S.C. § 227(b)(3)). On top of the law itself, US wireless carriers apply their own messaging rules through the CTIA's guidelines — sender registration, content standards, and mandatory STOP handling — and they will filter or block traffic that ignores them.

GDPR & PECR (EU/UK)

If you text people in the EU or UK, GDPR and PECR apply. You need a lawful basis — for marketing, that usually means freely given, specific, informed consent. Tell people how their data is used, let them withdraw consent as easily as they gave it, and keep records.

Two regimes stack here. The General Data Protection Regulation (GDPR — Regulation (EU) 2016/679, in force since 2018, with a near-identical UK GDPR after Brexit) governs the personal data behind every phone number: you need a lawful basis to process it, and for direct marketing that basis is almost always consent. GDPR consent has a high bar — it must be freely given, specific, informed, and unambiguous, given by a clear affirmative action, and it must be as easy to withdraw as to grant (Articles 4, 7). Alongside it, the ePrivacy rules — the UK's Privacy and Electronic Communications Regulations (PECR), and equivalent national laws across the EU — set the specific rule that electronic marketing, SMS included, generally requires prior consent.

There's one narrow relaxation worth knowing. Under PECR's "soft opt-in," a store may text its own existing customers about its own similar products if it collected the number during a sale, gave a simple way to opt out at that moment, and includes an opt-out in every message (UK ICO guidance on direct marketing). It does not cover prospects, bought lists, or unrelated products. Enforcement in this regime sits with national data protection authorities — the ICO in the UK, and each member state's regulator in the EU — and the potential penalties are large: GDPR sets a maximum fine of up to €20 million or 4% of global annual turnover, whichever is higher (GDPR Article 83).

Consent & opt-in requirements

Consent must be explicit, specific to SMS marketing, and actively given. Use an unchecked box the shopper ticks, with clear wording about what they'll receive and that message rates apply — never a pre-checked box or consent bundled into your terms. Consent for order updates does not cover promotional texts.

The practical test is the same on both sides of the Atlantic even though the statutes differ: could you show, later, that this specific person actively agreed to receive marketing texts from you at this number? That means an affirmative action — a box the shopper ticks, a keyword they text to a short code, a form they submit — paired with plain-language disclosure of who's messaging, what kind of messages, roughly how often, and that standard message and data rates apply. Pre-checked boxes fail. Consent buried in your terms of service fails. "Enter your number to get 10% off" without a clear statement that it also subscribes them to marketing is a grey area you don't want to test.

The most common e-commerce mistake is conflating transactional and promotional consent. A customer who gives you their number for order and shipping updates has not agreed to promotional blasts — those are legally distinct, and messaging the transactional list with a sale is exactly the kind of step that draws complaints and, in the US, lawsuits. Collect a separate, explicit marketing opt-in, and keep it separate.

Opt-out & record-keeping

Every promotional text must offer an easy opt-out, honored promptly and permanently. "Reply STOP to unsubscribe" is the standard; keep a suppression list so opted-out numbers are never messaged again. Separately, store proof of every consent — who opted in, when, from where, and the exact wording shown.

Opt-out is non-negotiable and should be automatic. The near-universal convention is "Reply STOP to unsubscribe," and carriers in the US honor STOP (and its variants like UNSUBSCRIBE, CANCEL, END, and QUIT) at the network level. When someone opts out, the request must be respected promptly and permanently: the number goes onto a suppression list and is never messaged again unless the person re-subscribes. Under GDPR, withdrawing consent has to be as easy as giving it was — so a working opt-out in every message isn't just polite, it's a legal requirement.

Record-keeping is the other half of compliance, and the half stores forget. If a regulator or a plaintiff ever challenges you, "we're sure they opted in" is worthless — you need evidence. For each subscriber, store the timestamp, the source (which form, popup, or checkout), the IP or device where available, and the exact consent wording that was shown at the moment they agreed. Keep that proof for as long as you message the person and for a reasonable period afterward. Good records turn a compliance dispute from a crisis into a lookup.

Sources: US TCPA and FCC rules, 47 C.F.R. § 64.1200 and 47 U.S.C. § 227 (consent, quiet-hours, and statutory-damages provisions); CTIA messaging principles for STOP/opt-out and carrier handling; EU General Data Protection Regulation, Regulation (EU) 2016/679, in force 2018 (Articles 4, 7, 83); UK Privacy and Electronic Communications Regulations (PECR) and UK ICO direct-marketing guidance. Rules vary by country and change over time — last reviewed July 2026.

Compliance checklist

Before you send, confirm the essentials in one pass. The checklist below covers consent, sender identification, opt-out, quiet hours, and record-keeping — the requirements that apply across both US and EU/UK rules. Treat it as a pre-send gate, not a one-time setup; run it for every campaign.

Requirement What it means Applies to
Explicit marketing consent Active opt-in specific to SMS marketing, separate from order updates US & EU/UK
Clear disclosure Who's texting, message type and frequency, and that message rates apply US & EU/UK
Sender identified The recipient can tell who is messaging them US & EU/UK
Easy opt-out "Reply STOP to unsubscribe" in every promotional message, honored automatically US & EU/UK
Suppression list Opted-out numbers stored and never messaged again US & EU/UK
Quiet hours Marketing sent only 8 a.m.–9 p.m. in the recipient's local time US (TCPA)
Consent records Timestamp, source, and exact wording stored for every opt-in US & EU/UK
Privacy transparency Privacy notice explains how the number and data are used EU/UK (GDPR)

General checklist for common e-commerce scenarios, last reviewed July 2026. It is not exhaustive and does not replace advice for your specific business, products, or countries.

Where CartBoss and BuzzBlaster fit

Both CartBoss and BuzzBlaster automatically process STOP requests and keep suppression lists — but your consent and content stay your responsibility. CartBoss handles automated cart recovery and lifecycle texts; BuzzBlaster sends bulk promotional campaigns. Neither collects consent for you, so the opt-in and records above are still yours to get right.

It helps to be clear about the boundary. A sending tool can take care of the mechanics it controls — honoring STOP replies, maintaining the suppression list, and helping you keep the send inside sensible hours. What no tool can do for you is manufacture valid consent: that comes from the checkout box, the popup, and the records your store keeps. CartBoss covers the automated, behavior-triggered leg — abandoned-cart recovery and lifecycle flows, billed per message. For one-to-many promotional blasts, BuzzBlaster, from the same team, sends bulk campaigns to 30+ countries. Both handle opt-outs automatically; both still rely on you to collect consent properly and keep the records this guide describes.

From the makers of CartBoss

Need bulk SMS campaigns too?

BuzzBlaster runs promotional SMS campaigns to 30+ countries for about half what Klaviyo charges — from the makers of CartBoss.

Frequently Asked Questions

Recover Carts with CartBoss

Pay-as-you-go SMS cart recovery — no monthly platform fee. Start free.
Start Free Trial
No credit card required
·
Try for Free