
How to Build a Compliant SMS Opt-In Process With Dripcel

SMS messaging is an excellent tool for keeping in touch with your customers and delivering timely, relevant messages. However, you must obtain their consent before sending any texts, a process known as opting in.

There are several ways to obtain opt-ins for your SMS program. A popular approach is having customers sign up on your website or app. Additionally, opt-ins can be gathered at in-person events or through phone calls handled by your customer service team, though these are just a few of the available options.

Regardless of the method you select, it's crucial to ensure that your opt-in process is clear, concise, and fully compliant with the relevant local laws and regulations in the countries where you send messages. Here are some best practices to follow:

  1. Obtain explicit consent: Ensure that users intentionally agree to receive specific messages from your service. Explicit consent is a deliberate action taken by the end-user to request communication.

  2. Provide clear instructions: Clearly inform users how to opt in, what they are subscribing to, and how they can opt out of your program. Include your contact information at the opt-in location for any questions or concerns they may have.

  3. Offer message preferences: Allow users to choose the types of messages they want to receive, such as OTP/2FA messages, shipping notifications, or both. This customization enhances user experience and ensures relevance.

  4. Respect user privacy: Protect users' phone numbers by never selling or sharing them with third parties without permission. Third-party data sharing is often prohibited by mobile carriers and violates privacy regulations in many countries.

  5. Simplify opt-out options: Make it easy for users to opt out of your program at any time by responding with a simple text message, such as "STOP." Refer to relevant documentation on opting out and managing self-service opt-outs for more guidance.

By implementing these guidelines, you'll cultivate a strong audience of engaged subscribers eager to hear from you, which also enhances your chances of successfully registering for a dedicated number. Adhering to these best practices ensures that your SMS opt-in process is both compliant and effective.

What carriers require for a compliant opt-in workflow and call-to-action

The primary goal of the opt-in workflow is to clearly demonstrate that the end-user has explicitly consented to receive text messages and fully understands the nature of the program. Your application will be reviewed by one or more third-party reviewers, so it's crucial to provide detailed and transparent information about your opt-in process, including any associated fees or charges. If the reviewer cannot clearly understand how your opt-in process works or if it does not meet compliance standards, your application will be denied and returned.

Note: Dripcel does not review or approve your use cases. Instead, it is a telecom industry standard in most countries for third parties to review and approve your use case before you begin sending messages.

Even if your use case is internal to your business, you must still demonstrate explicit opt-in consent from the recipients. There are no exceptions - an opt-in workflow and explicit consent are always required. If your opt-in process involves a login, is not yet public, uses verbal consent, or occurs through printed forms or fliers, you must thoroughly document how the process is completed by the end-user receiving the messages. Remember, these are third-party reviewers, and if they can't directly access the opt-in location, they will need detailed information through other means, such as text descriptions or screenshots.

Case when Opt-in is not publicly accessible

For cases where the opt-in is not publicly accessible, provide a screenshot of the Call to Action (CTA). If consent is obtained verbally, such as in a contact center scenario, include the verbal scripts to ensure that the entire CTA is clearly communicated. Host any screenshots on a publicly accessible platform (e.g., S3, OneDrive, Google Drive) and include the URL in your submission. Note that for toll-free number registrations, you can attach files directly, so a public URL is not required.

Regardless of the medium used to collect end-user information - whether it's a web form, point of sale, flier, or verbal opt-in - the requirements remain the same. For online and printed materials, the information would be displayed as text to the end-users, while for verbal opt-ins (such as over the phone), the required information should be read aloud to the end-user.

Call-to-Action/Opt-In Requirements

To ensure your SMS program is compliant, the following items must be presented to the end-user at the time of opt-in:

  1. Program (Brand) Name: Clearly state the name of the program or brand associated with the SMS messages.

  2. Message Frequency Disclosure: Inform the end-user about how often they can expect to receive messages. For example, "Message frequency varies" or "One message per login."

  3. Customer Care Contact Information: Provide a way for users to get support, such as "Text HELP or call 1-800-111-1235 for support."

  4. Opt-Out Information: Make it clear how users can opt out of receiving future messages, e.g., "Text STOP to opt-out of future messages."

  5. Message and Data Rates Disclosure: Include a statement such as "Message and data rates may apply" to inform users of potential charges.

  6. Link to a Publicly Accessible Terms & Conditions Page: Ensure there is a link to your Terms & Conditions page that is easily accessible to the public.

  7. Link to a Publicly Accessible Privacy Policy Page: Similarly, provide a link to your Privacy Policy page that is accessible to the public.

Now let's break the above points down in more detail:

Program, service, brand name

All SMS originator types that require registration must clearly disclose the program name, product description, or both in service messages, within the call-to-action, and in the terms and conditions. The program name refers to the sponsor of the messaging program, typically the brand name or company name linked to the sending use case. The product description should provide a clear explanation of the product being advertised by the program.

Tip: Here's a template for the boilerplate terms of service, including placeholders for the necessary information:

  • Program Name

  • Program Description: {Insert a brief description of the types of messages users can expect to receive when they opt-in.}

  • Opt-Out Instructions: You can cancel the SMS service at any time by texting “STOP” to the short code. After you send the “STOP” message, we will send a confirmation SMS to let you know that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you wish to rejoin, simply sign up again, and we will resume sending SMS messages to you.

  • Support Information: If you experience issues with the messaging program, you can reply with the keyword HELP for more assistance, or contact us directly at {support email address or toll-free number}.

  • Carrier Liability: Carriers are not liable for delayed or undelivered messages.

  • Message and Data Rates: Message and data rates may apply for any messages sent to you from us and for messages you send to us. You will receive {message frequency}. For questions about your text or data plan, please contact your wireless provider.

  • Privacy Policy: If you have any questions regarding privacy, please review our privacy policy: {link to privacy policy}

This template covers the minimum requirements from the carriers. Be sure to fill in the placeholders with the appropriate information for your program before including it in your registration submission.

Message frequency disclosure

The message frequency disclosure informs end-users about how often they can expect to receive messages from you. For example, a recurring messaging program might specify, "one message per week." In contrast, for a one-time password (OTP) or multi-factor authentication (MFA) use case, the disclosure might state, "message frequency varies" or "one message per login attempt." This ensures users are aware of the expected frequency of communications.

Customer care contact information

Customer care contact information must be clear and easily accessible to help Consumers understand program details and their current status within the program. This information should ensure that Consumers receive the assistance they need.

Customer care numbers should always respond to inquiries, regardless of whether the person making the request is subscribed to the program. At a minimum, Message Senders must respond to messages containing the HELP keyword with the program name and additional details on how to contact the Message Sender.

SMS programs should prominently promote customer care contact instructions during the opt-in process and at regular intervals in content or service messages, at least once per month. Example: “For more information, text ‘HELP’ or call 1-800-123-1234.”

Opt-Out Information

Opt-out mechanisms are crucial for allowing Consumers to terminate communications from text messaging programs, and Message Senders must adhere to the following guidelines:

  1. Opt-Out Availability: Ensure that Consumers can opt out of the program at any time.
  2. Multiple Opt-Out Mechanisms: Support various opt-out methods, including phone call, email, or text message.
  3. Acknowledgment of Opt-Out Requests: Upon receiving an opt-out request, Message Senders should send a final confirmation message to inform the Consumer that they have successfully opted out. After this confirmation message, no further messages should be sent.
  4. Inclusion of Opt-Out Information: Include opt-out details in the call-to-action, terms and conditions, and the opt-in confirmation.

2FA/OTP Programs: These programs must adhere to the same requirements as other use cases. End-users are required to opt in initially when requesting an OTP. If a user opts out by texting “STOP,” a confirmation message must be sent acknowledging their request. However, if the SMS program complies with all applicable regulations, the sender does not need to explicitly opt out the number when the user texts “STOP” to the business’s number. This is because a new request for an OTP code by the end-user is considered a new opt-in. Despite this, the sender must still respond with a compliant opt-out message, such as: "You are unsubscribed from {{BRAND NAME}} OTP. Opt back in by replying '{{OPT-IN KEYWORD}}' or requesting a new code to log in. Reply HELP for help or call {{xxx-xxx-xxxx}}." This message must be under 160 characters. The example provided meets this requirement, but if you modify it, ensure there are no special characters and that it remains within the 160-character limit.
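The length and character rules for the OTP opt-out reply above can be checked before the message is deployed. The following is an added example, not Dripcel code: it fills the page's template with constructed values and reports unfilled placeholders, characters outside a conservative plain-text set (an assumed reading of "no special characters"), and replies over the 160-character limit.

```python
import re
import string

# Assumption: "no special characters" is read here as staying inside a
# conservative subset of the GSM 7-bit basic alphabet (plain ASCII letters,
# digits and common punctuation), so the reply stays in one SMS segment.
GSM7_SAFE = set(string.ascii_letters + string.digits + " !\"#%&'()*+,-./:;<=>?@_$")
MAX_LEN = 160  # limit stated on the page

# Template text as given on the page.
OTP_STOP_TEMPLATE = (
    "You are unsubscribed from {{BRAND NAME}} OTP. Opt back in by replying "
    "'{{OPT-IN KEYWORD}}' or requesting a new code to log in. "
    "Reply HELP for help or call {{xxx-xxx-xxxx}}."
)
PLACEHOLDER = re.compile(r"\{\{(.+?)\}\}")

# Constructed sample values, not real program details.
SAMPLE_VALUES = {
    "BRAND NAME": "ExampleCo",
    "OPT-IN KEYWORD": "START",
    "xxx-xxx-xxxx": "800-555-0100",
}

def render(template, values):
    """Fill {{NAME}} placeholders; names without a value are left in place."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)

def check_reply(template, values):
    """Return (rendered_text, problems) for an opt-out confirmation reply."""
    text = render(template, values)
    problems = [f"unfilled placeholder: {name}" for name in PLACEHOLDER.findall(text)]
    bad = sorted({c for c in text if c not in GSM7_SAFE})
    if bad:
        codes = " ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append(f"characters outside safe set: {codes}")
    if len(text) > MAX_LEN:
        problems.append(f"too long: {len(text)} > {MAX_LEN}")
    if "HELP" not in text:  # the page's reply tells the user how to get help
        problems.append("missing HELP instruction")
    return text, problems

if __name__ == "__main__":
    for brand in ("ExampleCo", "Example\u2019s Shop", "Example Holdings International Group"):
        text, problems = check_reply(OTP_STOP_TEMPLATE, {**SAMPLE_VALUES, "BRAND NAME": brand})
        print(len(text), problems or "OK")
```

A typographic apostrophe pasted from a word processor is the usual way a reply that looks compliant ends up failing the character rule, which is why the check reports code points rather than the characters themselves.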

“Message and data rates may apply” disclosure

All SMS programs must include, or read aloud (in the case of a verbal opt-in), the exact disclosure: “Message and data rates may apply.” This requirement by US mobile carriers ensures that consumers are informed about the potential costs associated with sending and receiving text messages. It also ensures that consumers have given their consent to receive such messages before they are sent. This disclosure is essential for maintaining transparency and compliance with carrier requirements.

Publicly accessible terms & conditions page

The terms must be live and publicly accessible. For verbal scripts, you must either read a URL to the end-user during their enrollment in the SMS program or include the full terms directly in the script. When submitting your registration, be sure to provide a compliant screenshot, link, or mockup of the SMS Terms of Service. This ensures that the terms are clearly communicated and accessible to both end-users and reviewers.

Publicly accessible privacy policy page

Message Senders are responsible for safeguarding Consumers' information and must adhere to applicable privacy laws. It is essential for Message Senders to maintain a privacy policy for all programs and make it accessible from the initial call-to-action. The privacy policy should be clearly labeled, and in all cases, both the terms and conditions and privacy policy disclosures must provide up-to-date, accurate information about the program’s details and functionality. For verbal scripts, the URL to the privacy policy must be read to the end-user during their enrollment in the SMS program, or the full terms must be included directly in the script.

One critical element that carriers look for in a Privacy Policy is the handling of end-user information, particularly regarding sharing with third parties. If your privacy policy mentions sharing or selling data to non-affiliated third parties, there is a concern that customer data could be shared for marketing purposes. Since express consent is required for SMS, sharing such data is strictly prohibited. Your privacy policy must explicitly state that SMS opt-in data and consent are excluded from any data-sharing practices. Privacy policies can be updated or draft versions provided to ensure compliance.

Here's an example of a compliant statement: "The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties." This statement clearly communicates that SMS opt-in data is protected and will not be shared, aligning with carrier requirements for privacy protection.