The day has finally come: You have decided to use SMS in your company. You want to send booking confirmations, appointment reminders or pick-up notices to customers to improve internal processes. Or do you want to use the personal character of SMS and give direct marketing a try? That is a great idea! But there is one thing that makes you hesitate: How does data protection work when it comes to SMS? We would like to take away your uncertainty by showing you the most important facts at a glance. Here is what you can expect: The most important information about consent, double opt-in and the agreement on commissioned data processing in relation to sending SMS to your customers.
Does the GDPR apply to SMS?
Basically, we need to differentiate between two forms of SMS sending at this point. You can use SMS for advertising purposes or to offer your customers a crucial service (transactional SMS). If you (or a third party) process or store personal data of your customers, the GDPR applies. Some laws concerning data protection in the sending of SMS also originate from the BDSG-neu, an extension of the GDPR, which is valid in the Federal Republic of Germany.
As you surely know, you need a legal basis if you want to use personal data of your customers. This also applies, as mentioned above, if you store data related to SMS messages. In most cases, obtaining consent is the most sensible solution here. It enables you to prove, physically, that you are allowed to send SMS to an individual person. What is important here is that your customers must give you this consent voluntarily. Also, you must inform your customers about what exactly you will use their number for – BEFORE they give their consent. Essentially this means: If you ask for the number to send booking confirmations, you may not send marketing SMS and certainly not e-mails without explicit consent. Although there are certain exceptions to this rule, it can serve as a basic guideline.
Furthermore, you should be aware that consent is not necessarily valid forever. If you do not contact the recipients in the specified manner for a long time, the consent may expire. Furthermore, you must be able to provide information about the consent at any time and be able to prove that you have it.
How do I gather my customers’ number?
You have different possibilities to get the mobile phone number of your customers. Usually, you will probably request the number via a form, possibly also via an online form. If you use online forms, you can request the consent to use the data with a checkbox. It is important here that this box is NOT pre-selected, as customers must give their consent explicitly and independently. The pre-selected consent is not allowed (Privacy by Default applies).
You should also make sure that you inform your recipients of the purpose for which you will use their number. Not only is incorrect use prohibited, if you do not need the number for a specific purpose, you could be violating the principle of data minimization.
What is a double opt-in?
Here is what happens in a double opt-in procedure: Customer Anna enters her mobile phone number in a form on your website and agrees to receive an SMS from you. You then send an SMS to the received number and ask her to confirm that she would like to receive SMS from you in the future. This is to prevent that someone misuses Anna’s number, and that she receives unwanted messages as a result.
It is particularly important to inform your customers that they can withdraw their consent at any time. You should also note that revocation must be as simple as consent. This means: If only one click is required for registration, it must also be possible to cancel the subscription with a single click. It also has to be very simple, and easy to access for subscribers.
Especially for companies with very young target groups there is another important fact to consider. Minors under the age of 16 can only give their consent with the consent of a parent or guardian. In this case it is difficult to verify the age of the recipient with legal certainty. If you want to be on the safe side, consider offering your services only to people who have already reached the age of 16.
Do you need a double opt-in?
Currently, a double opt-in is not legally required and not legally secure. However, it is definitely advisable to make use of it nevertheless. There are three reasons for this: Firstly, past disputes were often decided in favour of the double opt-in. This is because, secondly, the double opt-in is the only way to ensure that the number you have received was really given by the respective recipient.
How to double opt-in via SMS?
You have decided to use a double opt-in procedure and now ask yourself: How do I integrate a double opt-in into SMS? Basically, there are two possibilities. The reply via SMS using an inbound number or the integration of a link. Both variants have advantages and disadvantages. You should make sure that the double opt-in is done via the channel you want to use in the end. If you want to contact your customers on their mobile phones, they should also have confirmed the double opt-in on their mobile phones. It is also important to tell the recipients who is contacting them, explicitly. Furthermore, a clear indication of the possibility to unsubscribe should not be missing in this first SMS.
No matter which variant you choose: It is your responsibility to ensure that the customer’s consent is processed correctly. This means that they cannot receive any further SMS if they have not given their consent or if they objected. Moreover, the confirmation message for the double opt-in must not yet contain any advertising or other offers. Instead, it is advisable to provide details about the SMS messages that will be sent, such as how often you will send messages and that it will cost money to reply to the SMS (this last note is mandatory in some countries).
The Flexible Legal Basis: Legitimate Interest
As you have probably already inferred from the beginning: There are other legal bases for the processing of personal data, which are just as valid as obtaining consent. One of them is the so-called legitimate interest. In this case, the (economic) interests of your company must be weighed against the interest of the recipient (e.g. privacy). If a business relationship exists already, it can be assumed that your customers expect their data to be processed to a certain degree. However, this only applies if you have informed the customers in advance that their data will be processed. This is done, for example, in the data protection declaration. You also need to consider these questions: Is the invasion of privacy acceptable? Do you have to send the respective message to pursue your legitimate interest? If you can answer both of these questions with “Yes”, there is nothing that prevents you from sending SMS. However, you should note that, again, if the recipients are minors (younger than 16), a decision would always be made in favour of the interests of the minors before a court.
Agreement on Commissioned Data Processing
Since the GDPR came into force in May 2018, the need for commissioned data processing emerged. When it comes to German law, the specifications have become more comprehensive, compared to the law that had been in place before. The most important fact at this point:
In some rare instances, an agreement on commissioned data processing is not needed to send SMS via an SMS gateway, because the processing of data is necessary to provide the service (§88 (3) TKG). However, anything that goes beyond the mere sending of SMS always necessarily requires an agreement. This also includes the storage of data in a cloud.
What has to be included in your agreement with the respective service provider depends on the type of further use of the data, your company and the external service providers. Please consult your data protection officer or a legal advisor.
Our overview for you
To help you keep track, we have summarized the most important points from this article in an overview for you. A click on the picture opens the PDF.
Important! The article you have just read is only informative. This article does not constitute legal advice and can in no case replace individual legal advice. We do not guarantee that the information is up-to-date, complete and correct. Furthermore, this article deals with legal regulations in Germany. While the GDPR is valid in the EU, other laws may apply in other countries. This is also true for cases in which the GDPR is not applicable.