This is an area where there's genuine nuance and some evolving regulatory interpretation. It also varies significantly by jurisdiction. Here's some guidance:
In the United States
The general rule under TCPA: For messages sent to a mobile number using an autodialer or pre-recorded voice, express consent is required for all commercial SMS messages — including transactional ones. However, the type of consent required differs:
- Marketing/promotional messages — require express written consent, which is the higher bar. This must be a clear, affirmative opt-in specifically for marketing messages.
- Transactional messages (order confirmations, shipping updates, appointment reminders, etc.) — require express consent, but it can be implied or part of an existing business relationship. For example, a customer providing their phone number during checkout can reasonably be considered to have consented to receive order-related messages about that transaction.
The practical distinction: If a customer gives you their phone number to place an order, sending them an order confirmation or shipping update is generally considered permissible under the existing business relationship. However, you still need to:
- Have a clear privacy policy stating you may send SMS messages
- Provide an easy opt-out mechanism
- Not use that number to send marketing messages without explicit opt-in
The carrier/10DLC layer adds another dimension: Carriers and the CTIA (the wireless industry association) have their own guidelines that in some cases go beyond TCPA requirements. They generally recommend explicit opt-in for all SMS programs including transactional ones, which is part of why 10DLC registration asks you to document your opt-in method regardless of use case.
The bottom line:
- Strictly transactional messages tied to a specific customer action — generally permissible with implied consent from the existing relationship
- Any message with a promotional element, even if also transactional — requires explicit opt-in
- Best practice regardless — always get explicit opt-in and document it, as it protects you under both TCPA and carrier guidelines and reduces the risk of complaints
Canada — CASL (Canada's Anti-Spam Legislation)
CASL is considered one of the strictest anti-spam laws in the world and applies to all commercial electronic messages including SMS.
Express consent is required for all commercial messages — there is no implied consent exception for transactional messages the way there is under US TCPA. However, CASL does recognize two forms of consent:
- Express consent — the customer explicitly opts in, ideally in writing with a clear description of what they're consenting to receive
- Implied consent — exists only in specific narrow circumstances, such as an existing business relationship where the customer made a purchase within the last 24 months, or made an inquiry within the last 6 months. Implied consent is time-limited and expires.
Key differences from the US:
- The implied consent window is strictly time-limited and expires automatically
- The burden of proof is on the sender to demonstrate consent was obtained
- Penalties are severe — up to $10 million CAD per violation for businesses
- Even transactional messages must include identification of the sender and an unsubscribe mechanism
European Union — GDPR and ePrivacy Directive
The EU operates under two overlapping frameworks that together create very strict requirements.
For SMS marketing — explicit opt-in consent is required under the ePrivacy Directive, and that consent must meet GDPR standards, meaning it must be freely given, specific, informed, and unambiguous. Pre-checked boxes and bundled consent do not qualify.
For transactional SMS — there is slightly more flexibility. Transactional messages that are strictly necessary to fulfill a contract the customer entered into (e.g. an order confirmation) can be sent under the legitimate interest or contractual necessity legal basis under GDPR without requiring separate SMS opt-in consent. However:
- The message must be genuinely transactional with no promotional content whatsoever
- You must still have a lawful basis documented
- You must provide an opt-out mechanism
- Your privacy policy must clearly describe SMS communications
Key differences from the US:
- GDPR applies to any business processing data of EU residents regardless of where the business is located
- Right to erasure — customers can request deletion of their data including opting out permanently
- Data processing must be documented with a lawful basis for each type of communication
- Fines up to €20 million or 4% of global annual revenue, whichever is higher
Note: Individual EU member states may have additional national rules that layer on top of GDPR, so requirements can vary slightly country by country within the EU.
Australia — Spam Act 2003
Australia's framework sits somewhere between the US and Canada in terms of strictness.
Express consent is required for all commercial electronic messages including SMS. Like CASL, Australia does not have a broad transactional exemption, but it does recognize:
- Express consent — explicit opt-in from the recipient
- Inferred consent — can be inferred from a business relationship, the conspicuous publication of a contact number, or the conduct of the parties. This is broader than CASL's implied consent but still requires a reasonable inference that the person would expect to receive messages.
Key differences from the US:
- All commercial messages must include a functional unsubscribe mechanism
- The sender must be clearly identified in every message
- Inferred consent is recognized but is a judgment call — relying on it carries risk
- The Australian Communications and Media Authority (ACMA) enforces the Spam Act with fines up to $1.1 million AUD per day for serious or repeated violations
- Australia also has the Privacy Act 1988 which governs how personal data including phone numbers can be collected and used
Summary Comparison
| | USA | Canada | EU | Australia |
|---|---|---|---|---|
| Transactional SMS | Implied consent OK | Implied consent time-limited | Contractual basis may apply | Inferred consent possible |
| Marketing SMS | Express written consent | Express consent required | Explicit opt-in required | Express consent required |
| Consent burden | On recipient to opt out | On sender to prove consent | On sender to prove lawful basis | On sender to prove consent |
| Unsubscribe required | Yes | Yes | Yes | Yes |
| Max penalties | Varies | $10M CAD | €20M / 4% revenue | $1.1M AUD/day |
We recommend consulting with legal counsel for your specific use cases, as the line between transactional and promotional can be blurry and the regulatory landscape continues to evolve.