SMS Laws, Regulations, & Abuse Prevention

Because SMS messages are one of the most direct ways to reach customers and users, going directly to the user’s phone, regulations must exist that prevent brands from abusing or over-using this relationship, and fines for violations could cost thousands of dollars.

General Guidelines

In general, we encourage using your best judgment when approaching SMS sending. Braze, as well as our sending partners, have checks in place that prevent most SMS abuses.

There are a few general rules you should follow:

  1. Build a compliant database and maintain all consent records. Braze suggests that you document and save program opt-ins and messaging permissions. Anytime a user provides consent, it is your responsibility to log that information and hold onto it. According to basic legal guidelines, the most important information you need to retain regarding consent is:
    • The time and date the user gave consent.
    • The type of SMS messaging they consented to. (e.g. marketing or transactional messaging)
    • The users phone number
    • The language in which they opted-in.

  2. Clearly communicate to your users what they are signing up for (what sort of content, frequency, etc.) up-front to ensure customer satisfaction. Follow through on your promise and send what you said you would send to your customers.

  3. Add your SMS marketing privacy policy to your website for easy access by program participants.

  4. Work with your legal team to ensure your program offerings are legally compliant.

  5. Only send messages to legally obtained opted-in numbers.

  6. Follow laws (e.g. SHAFT Compliance) for marketing based around alcohol, tobacco, sex, firearms, hate, and marketing directed towards children under 13. These topics are generally regarded as “illegal”. Keep in mind that you may still be charged for messages even if they are blocked by various carriers.


Here are some links you might need to consult as you build up your SMS campaign:

Considerations for Compliance

Data and Privacy

A customer’s privacy is key to a meaningful and respectful relationship. Respecting a customer’s privacy and information is just another opportunity to create a bond between them and your brand. Sometimes, using marketing tools can put data and privacy last.

Luckily for you, Braze follows the guidelines of many security regulations, including GDPR.

The CTIA recommends that you maintain and conspicuously display a clear and easy-to-understand privacy policy.

Opt-in, help, and opt-out options are an absolute must when creating SMS campaigns.

The TCPA (Telephone Consumer Protection Act) mandates that a business must receive “express written consent” to send customers messages - you can do this in a multitude of ways, including web or mobile. You must be clear with the customer about how you intend to use SMS to communicate with them.

Remember to comply with the National Do Not Call Registry.

Braze uses Subscription Groups to manage groups of users based on their level of consent.

Spam and Cadence

Similar to email, your users or customer can experience inbox burnout. But this is only one reason not to relentlessly message your customers. You should look specifically at Section 5 of the FTC Act to ensure compliance (in the U.S.).

Some spam considerations are built into SMS capabilities in general (long and short code sending limits), as well as Braze’s rate limits. However, you should still consider the compliance laws when planning your campaigns.


This can be a tricky one, but when in doubt, avoid topics that involve violence, sex, drugs, tobacco, or other paraphernalia. Be wise when sending messages regarding these topics - you may still be charged for messages that are blocked by various carriers.

The CTIA (a trade association representing the wireless communications industry in the United States) recommends that you follow SHAFT Compliance, which defines the following topics as generally “illegal” when messaging in the United States:

  • Sex
  • Hate
  • Alcohol
  • Firearms
  • Tobacco

You can read more about the CTIA’s Messaging Principles and Best Practices for 2019 here.


Please ensure you comply with the TCPA (Telephone Consumer Protection Act), which dictates that you shouldn’t send messages during late hours (see the regulation’s contents for exact hours). However, you shouldn’t send messages that late anyway - don’t you want high engagement?


Most of these best practices apply to guidelines set forth in the United States of America. If you are reaching customers outside of U.S. regions, please research best practices and laws in those areas. It is always best practice to act in a way that adheres to the most stringent regulations, which are usually applied in the United States, Canada, and countries part of the European Union.

Better to be safe than sorry!

New Stuff!