Key Regulation Overview
United States FCC TCPA
The SMS-applicable rules adopted by the Federal Communications Commission (FCC) under the Telephone Consumer Protection Act (TCPA) became effective on October 16th of 2013. Aerialink advises all customers to discuss these regulations with their legal counsel and take any and all necessary actions to comply.
The purpose of the TCPA is to protect the privacy interests of phone subscribers. SMS messages are subject to these regulations. Section 227(b)(1)(A) of the Act specifically protects wireless users, among others, from auto-dialed or prerecorded “calls” (that includes mobile messages) to which they have not consented.
These Federal rules apply to marketing-related content for all SMS and MMS routes as well as phone call telemarketing and are not mobile carrier, CTIA, or MMA-regulated. It is therefore up to each individual customer to implement these rules to comply with the FCC. Failure to comply with any and all revisions to the TCPA could result in federal investigation.
The following is a list of the requirements which must be met by mobile programs in order to satisfy the FCC TCPA.
- Opt-In: Express “written” consent is obtained prior to sending messages, and only after clear and conspicuous opt-in instructions have been provided which detail the method and circumstances under which the user is providing their consent so that all end-users are completely aware of what they are agreeing to.
- Consent Records: To protect your organization from future disputes, it’s advisable to maintain each contact’s consent for at least four years from that date in which it was given, which is the federal statute of limitations for bringing an action under the TCPA.
- Opt-Out: Clear and accessible unsubscribe instructions must be provided.
- “Do-Not-Call”: A record and listing of opted-out users must be kept for a minimum of four years, during which time those users cannot be contacted.
- Dark Hours: Messages cannot be sent between 9pm and 8am at the subscriber’s local time. (If your service sends messages to users in different time zones, contact your account manager about the various options we can provide to manage this requirement.)
- “Consent is not a requirement of purchase,” must be stated either at point of opt-in or in a Terms & Conditions page linked from that opt-in point.(see below)
- Terms & Conditions: All mobile programs must provide a mobile messaging T&Cs page.
Express “Written” Consent
There are two crucial points to consider with regard to obtaining consent.
- Content Providers, Sellers, etc. can no longer rely on “Established Business Relationship Exemption” as a basis for making robocalls and prerecorded telemarketing calls without prior express “written” consent.
- “Written” consent must be obtained.
Regarding compliance with the E-SIGN Act, a form of “written” consent:
“Because it greatly minimizes the burdens of acquiring written consent, commenters generally support using electronic signatures consistent with the E-SIGN Act. We conclude that the E-SIGN Act significantly facilitates our written consent requirement, while minimizing any additional costs associated with implementing the requirement.”
(FCC 12-21 section 34)
All methods of obtaining consent must adhere to the above guidelines by providing clear opt-out instructions and access to relevant information. They must be presented to the end-user clearly and conspicuously, and the end-user must be aware that they are not required to consent in order to purchase goods or otherwise interact with your business. The following methods of obtaining consent are therefore acceptable:
- Web Form or Widget
- Mobile App
- Digital Signature
- Verbal via phone
- Verbal in-person
**While most use-cases will utilize keyword-initiated SMS consent, organizations qualifying for exemptions to the “established relationship” ruling, such as Non/Not-for-Profit organizations, may send “invitation” messages to existing contacts. Please see the TCPA report for a list of applicable exemptions.
According to the TCPA Rules, violators may have action taken against them in a court of law for:
A. actual monetary losses suffered by the plaintiff as a result of the violations
B. $500 in damages for each violation.
Additionally, those found to have willfully or knowingly violated the TCPA or its prescribed regulations may be additionally fined - at the court’s discretion - for up to three times the amount available under item B.
Canada’s Anti-Spam Legislation
What is CASL?
CASL—Canada’s Anti-Spam Legislation—seeks to reduce unwanted spam and malware by regulating Commercial Electronic Messages (CEMs). CASL requires all CEMs to include detailed contact information of a message’s sponsors and content providers and robust and conspicuous opt-out options within every message sent.
What are CEMs?
According to CASL’s government website,
“A commercial electronic message is any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit.”
When does CASL take effect?
CASL legislation goes into force on July 1st of 2014. All CEM campaigns must be CASL-compliant at that time.
What types of messages are excluded from CASL?
Exclusions from CASL exist for several types of messages. Those applicable specifically to SMS use-cases are messages which are:
- Sent within a single organization
- Sent between multiple organizations with an existing business relationship, in which the message itself is relevant to the organization to which it is sent
- Sent in response to complaints, inquiries and requests
- Sent due to or in enforcement of a legal or juridicial obligation, court order, judgment, tariff or to enforce a legal right of Canada, its provinces or municipalities, or of a foreign state.
- Sent by or for registered charities or political parties or organizations for fund-raising purposes.
If you are an Aerialink customer and believe your SMS use-case falls under one of the above exclusions, please contact your Aerialink account manager to verify whether CASL applies to you.
How do I know if my campaign messages are considered CEMs?
CEMs are messages whose purpose is or includes promoting or encouraging the message’s recipient to engage in new commercial activity. If a message’s purpose is not to encourage commercial activity but to carry out pre-agreed commercial activity, then the message is not considered a CEM.
What must CEMs include in order to be CASL-compliant?
All campaigns, both short and long-code alike, must provide the following:
- An express initiation or agreement by the end-user to receive messages.
- Full contact information of senders and associated parties.
- Clear and conspicuous opt-out methods.
How do I send CASL-compliant CEMs via SMS?
Because it is not practicable to include identification, contact and long-form unsubscribe information within the 136-character limit of Canadain text messages, SMS CEMs can instead provide their contact information via web page “readily accessible and at no cost to the recipient.” The link to this web page must be in the SMS.
Please remember: Even if your campaign runs on a CWTA-certified short code, you are not automatically CASL compliant.
EU General Data Protection Regulation
The GDPR was approved and adopted by the European Union parliament in April of 2016 ad will take effect May of 2018. The intent of the GDPR is to create one unified data privacy law for EU countries.
Some key facts:
- The GDPR applies not only to EU organizations, but any organization that interacts with the personal data of EU citizens.
- “Personal data” refers to any information which could be used to directly or indirectly identify an individual (e.g. name, phone number, address, email address)
- There are different responsibilities based on whether you are a “data controller” or a “data processor.”
- Data controllers determine how and why data is collected and how that data is processed.
- Data processors simply perform the function of processing the data on behalf of the controller.
- GDPR violations come with a fine of up to 4% of annual global turnover or a maximum of €20 Million.
More information about Aerialink’s role and GDPR compliance can be found in our Terms of Service.
This page was last updated 1523475751329