SMS Compliance (UK PECR & GDPR)

Updated 4 months ago
Quick Reference: Legal requirements for sending SMS in the UK - avoid ICO fines of up to £500,000

📋 TL;DR - Quick Start

UK Law Requirements:

  1. ✅ Marketing consent required - Get explicit opt-in before sending promotional SMS
  2. ✅ Opt-out option required - Every marketing message must include "Reply STOP to opt out"
  3. ✅ Identify sender - Include business name in message
  4. ✅ Respect opt-outs - Stop sending immediately when client opts out
  5. ✅ Keep consent records - Document when/how consent was obtained

Appointment Reminders Exempt: Service messages (reminders, confirmations, aftercare) are not direct marketing, so they don't need marketing consent (legitimate interest), but the client can still ask you to stop them

Penalties for Non-Compliance: Up to £500,000 ICO fine + reputation damage


UK SMS Regulations Overview

Two Key Laws

1. PECR (Privacy and Electronic Communications Regulations 2003)

What It Covers: Marketing communications via SMS, email, phone calls

Key Rules:

  • Explicit consent required for marketing SMS
  • Opt-out mechanism in every marketing message
  • No calling TPS-registered numbers for marketing
  • Identify your business in message

Regulator: ICO (Information Commissioner's Office)

Penalties: Up to £500,000 fine per violation


2. GDPR (General Data Protection Regulation)

What It Covers: How you store, process, and protect client data (including phone numbers)

Key Rules for SMS:

  • Lawful basis for processing phone numbers (consent or legitimate interest)
  • Right to erasure (delete data on request)
  • Data minimization (only collect necessary data)
  • Secure storage of phone numbers

Regulator: ICO

Penalties: Up to £17.5 million or 4% of annual turnover (whichever is higher)


Marketing SMS vs Transactional SMS

Marketing SMS (Requires Consent)

Definition: Any message promoting products, services, or offers

Examples:

  • ✅ "Spring Special: 20% off Botox this week!"
  • ✅ "We miss you! Book any treatment and get 10% off"
  • ✅ "New service: We now offer Profhilo treatments!"
  • ✅ "Happy Birthday! 15% off this month"

Consent Required: YES - Explicit opt-in needed


Transactional SMS (No Consent Required)

Definition: Messages related to existing relationship or service delivery

Examples Under "Legitimate Interest":

  • ✅ "Reminder: Botox appointment tomorrow at 2PM" (appointment reminder)
  • ✅ "Your appointment has been rescheduled to Tue 16th March" (service update)
  • ✅ "Payment receipt: £250 for lip filler treatment" (transaction confirmation)
  • ✅ "Aftercare instructions: Avoid makeup for 24h after treatment" (service-related info)

Consent Required: NO - But client can still opt out

HOWEVER: Client can request to stop receiving even transactional SMS. You must respect this request.


Obtaining Marketing Consent

Valid Consent Requirements

PECR Defines Valid Consent As:

  1. Freely given: Not coerced or conditional
  2. Specific: Clear what client is consenting to ("marketing SMS")
  3. Informed: Client knows who will send messages and what about
  4. Unambiguous: Active opt-in (checkbox ticked, verbal "yes")

Consent Methods

Method 1: Checkbox on Signup Form (Recommended)

Compliant Example:

☐ Yes, I would like to receive special offers and updates via SMS

(Unchecked by default - client must actively tick)

Non-Compliant Example:

☑ Send me offers via SMS (Pre-ticked - INVALID)

Why Pre-Ticked Fails: Client must take active action to consent. Pre-ticked = assumed consent = invalid under PECR.

Aestheticc Implementation:

  • Client signup form includes unchecked SMS consent checkbox
  • Consent status saved in database with timestamp
  • Date/time of consent recorded for audit trail

Method 2: Verbal Consent During Appointment

How to Obtain:

  1. Ask client directly: "Would you like SMS updates about special offers?"
  2. Client responds: "Yes, that's fine"
  3. IMPORTANT: Document in client profile notes

Documentation Example:

Client Profile → Notes:
"2025-03-15 10:30 AM: Verbal consent given for marketing SMS during appointment with Sarah. - Dr. Smith"

Why Documentation Matters: ICO can audit consent records. Verbal consent is valid IF documented.


Method 3: SMS Opt-In (Double Opt-In)

How It Works:

  1. After first appointment, send SMS: "Reply YES to receive exclusive offers from Glow Aesthetics. Reply STOP to decline."
  2. Client replies: "YES"
  3. System records consent with timestamp
  4. Send confirmation: "Thanks! You're now signed up for special offers. Reply STOP anytime to opt out."

Benefits:

  • ✅ Clear, documented consent
  • ✅ Client-initiated (strong evidence of consent)
  • ✅ Timestamp automatically recorded

Consent Scope

Specific vs Broad Consent:

| Consent Wording | Scope | Compliant? |
|----------------|-------|------------|
| "I consent to receive marketing SMS from Glow Aesthetics" | ✅ Specific to your business | ✅ Yes |
| "I consent to receive marketing communications via SMS" | ✅ Clear about SMS channel | ✅ Yes |
| "I consent to marketing" | ❌ Vague (email? Phone? Post?) | ❌ No |
| "By booking, you agree to communications" | ❌ Ambiguous (marketing or just appointment reminders?) | ❌ No |

Aestheticc Consent Wording (default):

"I consent to receive marketing messages and special offers from [Clinic Name] via SMS. I understand I can opt out by replying STOP at any time."


Consent Management in Aestheticc

View Consent Status

Per Client:

  1. Open client profile
  2. Communication Preferences section shows:
    • SMS Marketing Consent: ☑️ YES or ☐ NO
    • Consent Date: "15th March 2025 at 10:30 AM"
    • Consent Method: "Signup form checkbox"

Update Consent

Enable Consent (Client requests SMS offers):

  1. Open client profile
  2. Toggle SMS Marketing Consent to ON
  3. Add note: "Client requested SMS offers on [date]"
  4. Save

Disable Consent (Client opts out):

  1. Happens automatically when client replies STOP
  2. Or manually: Open profile → Toggle SMS Marketing Consent to OFF → Save

Consent Audit Trail

Aestheticc Records:

  • Date/time consent given
  • Method of consent (form, verbal, SMS opt-in)
  • User who recorded consent (for verbal consent)
  • Date/time of opt-out (if applicable)
  • Reason for opt-out (if recorded)

View Audit Trail:

  1. Client profile → Communication History tab
  2. Shows all consent changes with timestamps

Why This Matters: If ICO audits your SMS practices, you can prove consent was obtained legally.


Opt-Out Management

Legal Opt-Out Requirements

PECR Mandates:

  1. Every marketing SMS must include opt-out instructions
  2. Opt-out must be FREE (client doesn't pay to reply STOP)
  3. Opt-out must be EASY (single keyword like STOP, not complex process)
  4. Respect opt-out immediately (PECR sets no fixed number of hours; stop sending as soon as practicable and treat 24 hours as the working maximum)

Opt-Out Keywords

Automatically Recognized by Aestheticc:

| Client Replies | System Action |
|----------------|---------------|
| STOP | Opt-out from marketing SMS |
| UNSUBSCRIBE | Opt-out from marketing SMS |
| OPT OUT | Opt-out from marketing SMS |
| CANCEL | Opt-out from marketing SMS |
| END | Opt-out from marketing SMS |
| QUIT | Opt-out from marketing SMS |

Case-Insensitive: "stop", "STOP", "Stop" all work


What Happens When Client Opts Out

Immediate Actions:

  1. Client's SMS consent status → FALSE
  2. Excluded from all future marketing campaigns
  3. You receive notification: "Sarah Johnson has opted out of marketing SMS"
  4. Confirmation sent to client: "You have been unsubscribed from marketing SMS. You will still receive appointment reminders."

What Continues:

  • ✅ Appointment reminders (transactional, not marketing)
  • ✅ Appointment confirmations
  • ✅ Aftercare instructions
  • ✅ Client can still book appointments

What Stops:

  • āŒ Marketing campaigns
  • āŒ Special offer SMS
  • āŒ Re-engagement campaigns
  • āŒ Birthday offers (if promotional)

HELP Keyword

Client Replies: "HELP"

Auto-Response:

Glow Aesthetics: For help, call 020-1234-5678 or email info@glowaesthetics.co.uk. Reply STOP to unsubscribe from marketing SMS.

Why It Matters: PECR requires every marketing message to give the recipient a valid contact address for opt-out requests. The HELP keyword itself is a carrier/industry convention rather than a PECR rule; this auto-response satisfies both because it carries the clinic's phone number, email address and the STOP instruction.


Message Content Requirements

Mandatory Elements

Every marketing SMS must include:

  1. Business Name: "- Glow Aesthetics" or "From Glow Aesthetics"
  2. Opt-Out Instructions: "Reply STOP to opt out" or "Text STOP to unsubscribe"

Example Compliant Message:

Spring Special: 20% off Botox this week! Book: 020-1234-5678. Reply STOP to opt out. - Glow Aesthetics

Example Non-Compliant Message:

Spring Special: 20% off Botox this week! Book: 020-1234-5678.

āŒ Missing: Business name, opt-out instructions


Prohibited Content

Do NOT Send:

  • āŒ Misleading claims: "Botox cures wrinkles permanently" (exaggerated)
  • āŒ Unsubstantiated medical claims: "Lose 10 years in 10 days" (not evidenced)
  • āŒ Spam trigger words: "FREE!!!!", "ACT NOW!!!", "LIMITED TIME!!!!" (excessive)
  • āŒ Sensitive health details: "Your STI test results..." (SMS not secure)

ASA Advertising Standards:

  • Must not mislead consumers
  • Must be truthful and evidence-based
  • Aesthetic treatments must comply with UK advertising guidelines

Example ASA-Compliant Claim: ✅ "Botox reduces appearance of wrinkles for 3-4 months (results vary)"

Example Non-Compliant Claim: ❌ "Botox eliminates wrinkles forever!"


Data Protection (GDPR)

Lawful Basis for Processing Phone Numbers

Two Lawful Bases for SMS:

  1. Consent (for marketing SMS)
  2. Legitimate Interest (for appointment reminders)

Aestheticc's Approach:

  • Marketing SMS: Consent required (explicit opt-in)
  • Appointment reminders: Legitimate interest (service delivery)

Client Rights Under GDPR

Clients Can Request:

| Right | What It Means | How to Handle in Aestheticc |
|-------|---------------|----------------------------|
| Right to Access | "Show me what data you have about me" | Export client profile data (Settings → Export Client Data) |
| Right to Erasure | "Delete all my data" | Delete client profile (removes phone number, SMS history). Keep the bare number on an opt-out suppression list, as the ICO recommends, so it cannot be re-added to marketing from another source |
| Right to Rectification | "Update my phone number" | Edit client profile → Update phone |
| Right to Object | "Stop sending me marketing SMS" | Opt-out (client replies STOP or you disable consent) |
| Right to Data Portability | "Give me my data in portable format" | Export client data as CSV |


Data Storage Security

Aestheticc's Protection Measures:

  1. Encryption in Transit: API calls from Aestheticc to Twilio use HTTPS/TLS. The SMS itself is then carried over the mobile network, which is not end-to-end encrypted; this is why sensitive health details must never be put in a text message
  2. Database Encryption: Phone numbers encrypted at rest (AES-256)
  3. Access Controls: Only authorized team members can access client phone numbers
  4. Audit Logging: All SMS sends logged with user, timestamp, content
  5. Twilio Compliance: Twilio is GDPR-compliant, Data Processing Agreement (DPA) available

Data Retention

How Long to Keep SMS Records:

  • UK Guidance: No specific requirement for SMS marketing records
  • Best Practice: 6 years (matches business accounting retention)
  • Consent Records: Keep for duration of relationship + 6 years (audit trail)

Aestheticc Default Retention:

  • SMS message history: 2 years
  • Consent records: Lifetime (while client profile exists)
  • Deleted client profiles: 30-day soft delete (then permanent erasure)

Penalties for Non-Compliance

ICO Enforcement Actions

Real UK Cases:

Case 1: Spam Texts (2019)

  • Company: Home improvement firm
  • Violation: Sent marketing SMS without consent to 500,000 people
  • Penalty: £80,000 fine
  • Lesson: Always obtain consent

Case 2: No Opt-Out (2020)

  • Company: Debt management service
  • Violation: Marketing SMS with no opt-out instructions
  • Penalty: £50,000 fine
  • Lesson: Include "Reply STOP" in every message

Case 3: Bought Phone Number List (2021)

  • Company: Double glazing company
  • Violation: Bought phone list from third party, sent marketing SMS without verifying consent
  • Penalty: £120,000 fine
  • Lesson: Only send to clients who directly consented to YOUR business

Maximum Penalties

PECR Violations:

  • Up to £500,000 fine per serious violation (this is the statutory maximum monetary penalty under PECR)
  • The ICO can also issue an enforcement notice requiring you to stop, and ignoring it is a further offence

GDPR Violations:

  • Up to £17.5 million OR 4% of annual global turnover (whichever is higher)

Additional Consequences:

  • Reputation damage (publicity of ICO fine)
  • Client trust loss
  • Legal costs defending against ICO investigation
  • Potential civil lawsuits from affected clients

Aestheticc Compliance Features

How Aestheticc Helps You Stay Compliant

Automatic Compliance Checks:

| Feature | How It Protects You | Result |
|---------|---------------------|--------|
| Consent Filtering | Campaign SMS only send to clients with consent = TRUE | Cannot accidentally send to non-consenting clients |
| Auto Opt-Out Footer | If message missing "Reply STOP", Aestheticc appends it | All messages include opt-out |
| Consent Audit Trail | Records date/time/method of consent | Prove compliance if ICO audits |
| Opt-Out Automation | Client replies STOP → Auto-removed from future campaigns | Immediate compliance with opt-out |
| HELP Auto-Response | Client replies HELP → Receives support contact | Meets contact-address requirement |
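The controls in the table above (consent filtering, automatic opt-out footer, keyword-driven opt-out and an append-only audit trail) are what a send pipeline has to enforce regardless of platform. The following is an added Python example of one way to build them; it is not Aestheticc's own code. It assumes in-memory data classes in place of a database, a constructed client list, and GSM-7 encoding when estimating message segments (a footer appended to a message near 160 characters silently turns one SMS into two, which matters for cost and for where the opt-out text lands).

```python
"""Consent-gated marketing SMS pipeline: inbound keyword handling, recipient
filtering, mandatory-footer check and an append-only consent audit trail.
Added example; assumes in-memory storage rather than a real database."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Opt-out keywords from the page. Matched against the whole reply, case-insensitively,
# after punctuation is stripped, so "Opt-out." and "opt out" both count.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "OPT OUT", "CANCEL", "END", "QUIT"}
OPT_IN_KEYWORDS = {"YES"}
HELP_KEYWORDS = {"HELP"}


def normalise_reply(text: str) -> str:
    """Uppercase, replace punctuation with spaces, collapse whitespace."""
    cleaned = re.sub(r"[^A-Za-z0-9 ]+", " ", text)
    return " ".join(cleaned.split()).upper()


def classify_reply(text: str) -> str:
    """Return 'opt_out', 'opt_in', 'help' or 'other'.
    Only an exact keyword changes consent: "Maybe later" is 'other'."""
    norm = normalise_reply(text)
    if norm in OPT_OUT_KEYWORDS:
        return "opt_out"
    if norm in OPT_IN_KEYWORDS:
        return "opt_in"
    if norm in HELP_KEYWORDS:
        return "help"
    return "other"


@dataclass
class Client:
    name: str
    phone: str                      # E.164, e.g. +447700900123 (constructed sample data)
    marketing_consent: bool = False
    consent_method: Optional[str] = None
    consent_at: Optional[datetime] = None


@dataclass
class AuditEntry:
    at: datetime
    phone: str
    event: str                      # consent_granted / consent_withdrawn / campaign_send / reply_undecided
    detail: str


@dataclass
class ConsentStore:
    """Append-only log: entries are added, never edited or deleted."""
    entries: list = field(default_factory=list)

    def record(self, phone: str, event: str, detail: str) -> None:
        self.entries.append(AuditEntry(datetime.now(timezone.utc), phone, event, detail))


def handle_inbound(client: Client, text: str, store: ConsentStore, business: str) -> str:
    """Apply an inbound reply to the client's consent state and return the auto-reply."""
    kind = classify_reply(text)
    if kind == "opt_out":
        client.marketing_consent = False
        store.record(client.phone, "consent_withdrawn", f"reply: {text!r}")
        return ("You have been unsubscribed from marketing SMS. "
                "You will still receive appointment reminders.")
    if kind == "opt_in":
        client.marketing_consent = True
        client.consent_method = "SMS opt-in"
        client.consent_at = datetime.now(timezone.utc)
        store.record(client.phone, "consent_granted", f"reply: {text!r}")
        return f"Thanks! You're now signed up for offers from {business}. Reply STOP anytime to opt out."
    if kind == "help":
        return f"{business}: For help, contact the clinic. Reply STOP to unsubscribe from marketing SMS."
    store.record(client.phone, "reply_undecided", f"reply: {text!r}")   # consent untouched
    return ""


def ensure_compliant_body(body: str, business: str) -> str:
    """Append the opt-out instruction and the sender name if either is missing."""
    out = body.strip()
    if "STOP" not in out.upper():
        out += " Reply STOP to opt out."
    if business.lower() not in out.lower():
        out += f" - {business}"
    return out


def gsm7_segments(body: str) -> int:
    """Segment count assuming the GSM-7 alphabet: 160 chars single, 153 per part when concatenated.
    Assumption: no characters that force UCS-2 (which would drop the limits to 70/67)."""
    n = len(body)
    return 1 if n <= 160 else -(-n // 153)


def build_campaign(clients: list, body: str, business: str, store: ConsentStore) -> list:
    """Return (phone, message) pairs for consenting clients only, logging each send."""
    message = ensure_compliant_body(body, business)
    sends = []
    for c in clients:
        if not c.marketing_consent:
            continue                # the filter is the control: non-consenting numbers never reach the gateway
        sends.append((c.phone, message))
        store.record(c.phone, "campaign_send", message)
    return sends
```

The whole-message match is deliberate: a reply such as "Stop sending the Tuesday reminders" is not treated as an automatic marketing opt-out, which avoids both silently widening the opt-out and silently ignoring it; it is logged as undecided for a human to read.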


Compliance Checklist

Before Sending Marketing Campaign:

  • [ ] All recipients have marketing consent = TRUE
  • [ ] Message includes business name
  • [ ] Message includes "Reply STOP to opt out"
  • [ ] Message content is truthful (no exaggerated claims)
  • [ ] Send time is reasonable (not before 8AM or after 8PM)
  • [ ] Twilio account active and the sender set up for UK traffic (a registered alphanumeric sender ID or a UK number; A2P 10DLC registration is a US-only requirement and does not apply to UK sends)

Aestheticc auto-checks items 1 and 3 (consent filtering and the opt-out footer); the remaining items are your responsibility before each send.


💡 Pro Tips

Consent Best Practices

Do:

  • ✅ Ask clearly: "Would you like SMS updates about special offers?"
  • ✅ Document verbal consent: Add note to client profile with date/time
  • ✅ Make opt-in easy: Single checkbox on signup form
  • ✅ Explain value: "Get exclusive offers sent directly to your phone"

Don't:

  • āŒ Pre-tick checkboxes: Invalid consent under PECR
  • āŒ Bury consent in T&Cs: "By booking, you agree to marketing" = ambiguous
  • āŒ Assume consent: Just because client gave phone number doesn't mean marketing consent
  • āŒ Make opt-out difficult: "Call during business hours to opt out" = non-compliant

Re-Engagement Strategy (Dormant Consents)

Scenario: Client consented 2 years ago, hasn't received marketing SMS in 12+ months

Question: Is consent still valid?

ICO Guidance: Consent does not last indefinitely and should be refreshed once it has gone stale. The ICO sets no fixed period; this guide uses 12 months without marketing contact as its working threshold.

How to Refresh:

  1. Send re-engagement SMS: "Hi Sarah! It's been a while. We'd love to send you special offers. Reply YES to continue receiving SMS or STOP to unsubscribe."
  2. If client replies YES → Consent refreshed
  3. If client replies STOP → Opt-out
  4. If no reply after 7 days → Disable consent (treat as inactive)

Benefit: Maintains compliant consent records + cleans up list


Handling Complaints

If Client Complains "I Didn't Consent!":

  1. Apologize immediately: "We're sorry for the inconvenience"
  2. Opt them out: Disable SMS consent in profile
  3. Investigate: Check consent audit trail
    • If consent exists: Show proof to client
    • If no consent exists: Internal review of how client was added to list
  4. Document resolution: Add note to client profile

Escalation: If client threatens ICO complaint, contact legal advisor immediately.


ā“ Common Questions

Q: Do I need consent to send appointment reminders? A: No. Appointment reminders fall under "legitimate interest" (service delivery), not marketing. However, client can still opt out of ALL SMS if they want.

Q: Can I send birthday SMS offers without asking for consent? A: No. Birthday offer SMS = marketing (promoting a special offer). Requires marketing consent even if it's their birthday.

Q: Client gave phone number when booking - can I add to marketing list? A: No. Providing phone number ≠ marketing consent. Must separately ask for SMS marketing permission.

Q: What if I buy a phone list from a lead generation company? A: Dangerous. Unless you can verify each contact explicitly consented to YOUR business sending SMS, sending is illegal. ICO has fined many businesses for this exact practice.

Q: Can I send SMS to clients who subscribed to email marketing? A: No. Email consent ≠ SMS consent. They're separate channels requiring separate consent.

Q: Client verbally consented but I didn't document it. Is it valid? A: Legally yes, but practically no. If ICO audits or client complains, you have no proof. Always document verbal consent immediately.

Q: How long after consent can I send marketing SMS? A: No time limit, BUT best practice is to refresh consent if dormant >12 months (see "Re-engagement Strategy" above).

Q: Can I send marketing SMS to business landlines? A: No. Landlines are not SMS handsets. PECR also still applies to business contacts: the sender-identification and opt-out rules apply to everyone, and sole traders and partnerships count as individual subscribers who need the same consent as any other client.

Q: What if client replies "Maybe later" instead of YES or STOP? A: Treat as no response. Don't send marketing until clear YES received. Log reply as "Undecided" in client notes.

Q: Can I charge client to opt out (e.g., premium-rate number)? A: Absolutely not. Opt-out must be free under PECR. Use standard SMS replies (free for client).

Q: Do I need separate consent for SMS appointment reminders vs marketing? A: Not legally required (reminders = legitimate interest), but best practice: Ask separately. Example: "Appointment reminders: YES, Marketing offers: NO" gives client choice.


🎯 Next Steps

After understanding SMS compliance:


🆘 Need Help?

Aestheticc Support (for platform features): 📧 support@aestheti.cc

ICO (for legal guidance): 🌐 ico.org.uk 📧 casework@ico.org.uk 📞 0303 123 1113

Legal Advice (for specific compliance concerns): Consult a UK solicitor specializing in data protection/marketing law


📚 Additional Resources

ICO Guidance:

Aestheticc Resources:

  • Privacy Policy Template (Settings → Legal → Privacy Policy)
  • Consent Form Examples (Settings → Templates)
  • GDPR Compliance Checklist (Settings → Compliance)

Last Updated: 2025-11-10 Related Documentation: SMS Overview, Campaign SMS, GDPR Compliance

Need More Help?

Can't find what you're looking for? Our support team is here to help you get the most out of Aestheticc.