Blog | Hatch

How to Create an SMS Privacy Policy (with Template)

Written by Kristen McCormick | September 15, 2023

In case you missed it, as of August 31, 2023, business text messages  from unregistered 10DLC numbers are being blocked by all mobile carriers.

Businesses are trying to get registered, but their applications are getting rejected because of TCPA compliance reasons—one of which is not having a proper SMS privacy policy. 

This article will help you meet the legal requirements on your SMS privacy policy page so your 10DLC application can get accepted and your campaigns can run smoothly.

Legal disclaimer (but of course!)

This information is not legal advice. We have provided this information to use as a starting point—but your country/state, industry, business practices, and more impact what you need to include in your privacy policy. Please clear all legal verbiage with your legal counsel to ensure that you're being compliant with any applicable regulations.

Table of contents

Quick summary of 10DLC

10DLC stands for 10-digit long code number, and businesses use them to text their customers (as opposed to a toll-free, 800, or shortcode number).

Starting in 2022, all major mobile carriers (AT&T, Verizon, T-Mobile) began requiring that all 10DLC numbers be registered with an agreed-upon third party called The Campaign Registry.

With registration, TCR vets and verifies you as a legitimate business and makes sure you meet all texting compliance laws (as stated in TCPA). Toll-free and shortcode numbers already have a registration process in place, so this was pretty inevitable.

Key areas of compliance include:

Legal verbiage is a pain in the rear side of the bod, we know. Not to mention making changes on your website. So this post and the resources in it are aimed at making it as easy as possible for you to come up with a TCPA/10DLC-compliant SMS privacy policy for your business.  

What is an SMS privacy policy?

An SMS privacy policy clearly outlines how you gather, use, disclose, and manage any personal data or information you collect on people when they opt into and/or participate in your SMS program.

You need to have a clear SMS policy, which means you either need to create a dedicated page for your SMS privacy policy, or add an SMS section to your existing privacy policy page.

What’s the difference between terms and conditions and a privacy policy?

Terms and conditions outline the rules of engagement for a particular asset, such as your website, product/service, or in this case, your SMS program.  They explain what your business can and cannot do as well as what your visitors can and cannot do, but they are primarily in place to protect your business's rights. Your privacy policy, on the other hand, discloses how you collect, store, and distribute user data and it primarily protects your visitors' rights.

SMS privacy policy requirements

It is not possible to provide a blanket list or template for an SMS privacy policy, since these are highly specific to your business and processes.  But we can give you some minimum requirements, courtesy of Twilio and Constant Contact:

Your SMS privacy policy must:

  • Accurately describe the SMS program/service, including when and what type of messages users will receive. 
  • List the type of personal information you collect (name, email, phone, etc).
  • List the methods you use to collect personal data (a form, cookies, etc). 
  • Explain how you're using this personal data (to send emails or text messages, etc).
  • Explain how you store, maintain, and protect the personal information you're collecting.
  • Explain if, how, and why you share personal data with third parties.
  • Provide clear options for customers/visitors to correct, verify, change, or remove their personal information.

Remember, the full list for your business may include other components, so please consult your legal representative.

SMS privacy policy template

Again, only your legal rep can help you generate a fully compliant privacy policy. But for a starting point, we recommend using Constant Contact’s privacy policy template

Important notes from Constant Contact:

  • You must customize this template according to your actual data collection, usage, and disclosure practices. Review each section carefully and add/remove information as necessary.
  • Be sure to fill in the yellow/highlighted sections with your own information, and remove all brackets and drafting notes before publishing.

Constant Contact disclaimer: THIS SAMPLE PRIVACY POLICY IS NOT LEGAL ADVICE AND IS FOR INFORMATIONAL PURPOSES ONLY. This sample privacy policy may not meet all the legal requirements applicable to you. For example, if you are subject to privacy legislation such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), or similar privacy legislation, you may be required to provide additional disclosures and rights to your users. Privacy legislation is also continuously evolving and you should review your privacy policy and privacy obligations regularly. Additionally, a privacy policy that does not accurately or adequately disclose your practices can expose you to legal risks. We recommend consulting with your legal counsel before adopting this privacy policy.

 

Additional FAQs about SMS privacy policy

How do I add or edit my website's privacy policy page?

This varies depending on your website platform as well as whether you outsourced your website creation. If you rely on a third party to edit your website, you can use this template to reach out to them:

Hi [name],

Due to new text messaging rules and regulations, we need to make changes to our forms, terms and conditions page, and privacy policy page as soon as possible. Could we set up a meeting to discuss the changes needed?

Thank you!

[name]

What happens if my campaign is rejected?

If your 10DLC registration is rejected for any reason, your CSP will let you know and once the fixes are made, will resubmit your application. 

What happens if I don’t comply?

Not only will your 10DLC registration be rejected and not only will you not be able to run text campaigns, but there may also be legal consequences. After all, TCPA is federal law. Here are three key reasons you need to take your SMS privacy policy seriously:

  • Big fines: If you violate the TCPA, you could be charged fines for each violating text.
  • Retention and revenue: Blocked or throttled campaigns mean missed opportunities and/or poor experiences with customers, which impact your retention and revenue.
  • Lose access to mobile networks. Violating the TCPA can also result in losing access to mobile networks, and therefore the customers that use them.
  • Reputation risks: Not following these rules can upset customers which can result in negative press, especially through review sites.

Additional resources for creating your SMS privacy policy

From Hatch

From the FCC (Federal Communications Commission)

From the CTIA (Cellular Telecommunications and Internet Association) 

From The Campaign Registry (the third party that registers 10DLC numbers)