Every other market in this compliance series treats non-compliant marketing SMS as a regulatory matter: the regulator investigates, the regulator fines. Germany has an additional mechanism that most markets do not. Under the Gesetz gegen den unlauteren Wettbewerb, Germany's Act Against Unfair Competition, competitors can bring their own legal action against organizations sending marketing messages without valid consent. An unsolicited marketing SMS may trigger an Abmahnung, a formal cease-and-desist letter from a competing business, with associated legal costs and an injunction demand that must be resolved before the next campaign runs. Regulators are not the only enforcement risk. Competitors are one too.
Business SMS in Germany operates under three overlapping frameworks: the Act Against Unfair Competition (UWG §7), the Federal Data Protection Act (BDSG), and GDPR, enforced by the Bundesnetzagentur (BNetzA) for telecommunications and by federal and state data protection authorities for personal data. Explicit prior consent is required for all marketing SMS. German courts have consistently treated double opt-in as the strongest and most reliable way to demonstrate valid consent, and organizations relying on single opt-in assume significantly greater evidentiary risk if their consent is challenged. There is no national do-not-call registry for SMS: the previous Bel-me-nicht register was replaced by a mandatory opt-in requirement for all marketing communications. WhatsApp reaches around 80% of Germans and is the most widely used messaging platform in the country alongside SMS.
Germany's consumer protection orientation on direct marketing is among the strictest in Europe. Understanding what drives the strictness is useful for designing programs that will hold up, because the legal architecture creates enforcement incentives that most other markets do not have.
The UWG consent requirement and why single opt-in is not sufficient
UWG §7 prohibits sending marketing communications by electronic means, including SMS, to recipients who have not given prior express consent. This is the same principle that applies across the EU under GDPR and the ePrivacy Directive. What distinguishes Germany is how courts have interpreted the proof of consent requirement.
Germany's Federal Court of Justice (Bundesgerichtshof, BGH) has ruled that a single opt-in, where a recipient enters their phone number on a form but receives no confirmation step, is insufficient to prove valid consent. The reasoning is that any third party could have entered someone else's phone number without their knowledge. Without a confirmation step that requires the actual phone number owner to take a positive action, the sending organization cannot prove the person whose number was submitted is the same person who consented.
Double opt-in, where the recipient submits their number, receives a confirmation message asking them to verify, and actively confirms by responding or clicking a link, creates the documented round-trip that satisfies the BGH's evidentiary standard. Double opt-in is not explicitly named in UWG or GDPR as a legal requirement, but in practice it is the only mechanism that consistently withstands legal challenge in German courts. Programs that rely on single opt-in are operating with consent documentation that may not survive an Abmahnung or a regulatory inquiry.
The Abmahnung mechanism adds a practical urgency that goes beyond regulatory risk. Under German competition law, any business competitor that operates in the same market can send an Abmahnung to an organization sending non-compliant marketing messages. The Abmahnung demands an injunction undertaking, legal costs, and cessation of the non-compliant practice. The Abmahnung framework also creates an economic incentive for competitors to enforce compliance, because successful actions may allow recovery of certain legal costs while preventing unfair competitive advantage. This creates a market-level enforcement pressure that operates independently of regulator action.
The regulatory layer: BNetzA, BDSG, and GDPR
The Bundesnetzagentur (BNetzA) regulates telecommunications in Germany and has enforcement authority over telecom-specific provisions including sender identification requirements. BNetzA enforces the prohibition on anonymous or disguised sender IDs and investigates complaints about unsolicited commercial communications. Unlike France's CNIL or South Africa's Information Regulator, much of BNetzA's enforcement activity on SMS begins with complaints rather than proactive monitoring. That complaint-driven model still means that a high-volume non-compliant campaign generating recipient complaints can attract an enforcement response relatively quickly.
GDPR applies to the collection, storage, and use of phone numbers as personal data. The Federal Data Protection Act (BDSG) supplements GDPR with German-specific provisions and designates the federal and state data protection commissioners as enforcement authorities. Germany's approach to GDPR enforcement is distributed across state-level data protection authorities (Datenschutzbeauftragter der Länder), which means the enforcement posture can vary by federal state. Bavaria's data protection authority (BayLDA) and Baden-Württemberg's (LfDI) are among the more active enforcement bodies.
For SMS programs, the practical GDPR obligations cover: documenting the lawful basis for processing (consent for marketing), maintaining consent records with timestamps and source, honoring data subject rights including access, correction, and deletion, and ensuring that opt-out requests are processed promptly and that the contact is removed from all subsequent marketing sends.
What varies from the UK and France
Teams already operating in the UK or France often assume Germany is broadly similar because all three share a GDPR and ePrivacy Directive foundation. The foundations are the same but the operational differences are real.
The UK PECR soft opt-in, which allows contacting existing customers about similar products without fresh consent, has a German equivalent in UWG §7(3). But German courts apply UWG §7(3) very strictly: only genuine purchasers qualify (not registered accounts or leads), only similar products are covered (not the broader product range), and the existing customer must have been clearly informed at the time of data collection that their details might be used for future marketing with an easy opt-out at that point. The German version of the soft opt-in is more restrictive in practice than its UK equivalent.
France's CNIL enforces GDPR aggressively. Germany's BNetzA and state data protection authorities are also active, but the Abmahnung mechanism from competitors creates an enforcement layer that France and the UK do not have in the same way. In Germany, consent documentation is the defense against two separate categories of risk: regulatory enforcement and competitor litigation.
WhatsApp and the German channel landscape
WhatsApp is used by around 80% of Germans in recent surveys, making it the country's dominant personal messaging channel and an increasingly important business communication platform. For organizational programs where the audience is German consumers or German-based business contacts, WhatsApp Business API is the companion channel that most of the audience will engage with.
The consent requirements for WhatsApp marketing in Germany are the same as for SMS: explicit, specific, documented consent. WhatsApp's own template approval process adds an additional channel-specific compliance layer, but the underlying GDPR and UWG obligations apply regardless of channel. The double opt-in principle that German courts require for SMS proof of consent applies equally to WhatsApp marketing program documentation.
For transactional and operational programs, the channel architecture in Germany is the same as in other high-WhatsApp-penetration markets: WhatsApp for richer communications where the audience is reachable, SMS for guaranteed delivery of critical messages where channel availability cannot be assumed. Transactional SMS for OTPs, account alerts, and service notifications carries a different consent basis from marketing SMS across Germany and the EU, which means operational programs are substantially simpler to design than marketing programs in this environment.
Germany has three major carriers: Deutsche Telekom with approximately 37% market share, Vodafone with approximately 31%, and Telefónica O2 with approximately 32%. Germany generally supports alphanumeric sender IDs without a formal nationwide pre-registration process, although individual providers or routes may have their own onboarding requirements. Sending between 8 AM and 8 PM is generally regarded as standard industry practice for promotional SMS, and Sunday and public holiday sends are generally avoided.
Two-way SMS is supported across German networks. Opt-out keywords should be supported in both German and English: STOP and STOPP, END and ENDE, HILFE for HELP. Processing opt-out requests as quickly as practical, ideally within 24 hours, is considered good operational practice for Germany as for most other EU markets covered in this series.
Germany is a market where documentation matters as much as consent itself. Many organizations already obtain valid consent. The challenge is being able to demonstrate when it was collected, how it was confirmed, and which specific message it covered months or years later. Good consent records are not just a compliance exercise. They are the primary defense if a regulator or competitor questions a campaign.
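As an added illustration (not code from the original article), the double opt-in round trip and the opt-out keywords above can be recorded as timestamped evidence like this. The `ConsentLedger` class, its field names and the hash chain that makes later edits to a record detectable are assumptions of this example, and it assumes the caller passes in only replies that arrived from the number itself.

```python
import hashlib
import json
import secrets
from datetime import datetime, timezone

OPT_OUT = {"STOP", "STOPP", "END", "ENDE"}  # opt-out keywords named in the article

def _digest(rec):
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Hypothetical append-only evidence log; each record carries the previous record's hash."""
    def __init__(self):
        self.events, self.pending, self.status = [], {}, {}

    def _log(self, msisdn, kind, **detail):
        rec = {"msisdn": msisdn, "kind": kind, "detail": detail,
               "at": datetime.now(timezone.utc).isoformat(),
               "prev": self.events[-1]["hash"] if self.events else ""}
        self.events.append({**rec, "hash": _digest(rec)})

    def request(self, msisdn, source, consent_text):
        # Step 1: a number was submitted. The returned token goes out in the confirmation SMS.
        token = secrets.token_hex(3).upper()
        self.pending[msisdn], self.status[msisdn] = token, "pending"
        self._log(msisdn, "signup", source=source, consent_text=consent_text)
        return token

    def inbound(self, msisdn, body):
        # Step 2 and opt-out: only a reply from the handset can confirm or revoke.
        word, token = body.strip().upper(), self.pending.get(msisdn)
        if word in OPT_OUT:
            self.pending.pop(msisdn, None)
            self.status[msisdn] = "opted_out"
            self._log(msisdn, "opt_out", keyword=word)
        elif token and secrets.compare_digest(token.encode(), word.encode()):
            del self.pending[msisdn]
            self.status[msisdn] = "confirmed"
            self._log(msisdn, "confirmed", channel="sms_reply")
        return self.status.get(msisdn, "unknown")

    def may_market(self, msisdn):
        return self.status.get(msisdn) == "confirmed"  # "pending" is not consent

    def verify_chain(self):
        # Recompute every hash and check each record points at its predecessor.
        prevs = [""] + [e["hash"] for e in self.events]
        return all(e["prev"] == p and e["hash"] == _digest(e) for e, p in zip(self.events, prevs))
```

Gate every marketing send on `may_market()`, and export `events` together with the outcome of `verify_chain()` when consent for a number has to be demonstrated later.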
Germany in the European compliance picture
For organizations already operating in France or the UK, adding Germany means adding the Abmahnung risk layer and the BGH's double opt-in interpretation to an otherwise familiar GDPR and ePrivacy foundation. The consent documentation discipline required for Germany is more demanding than France or the UK in practice, even though the statutory frameworks are structurally similar.
BYOC architecture means that the consent records, suppression lists, and delivery logs that satisfy German requirements travel with the organization rather than sitting inside a specific carrier or provider relationship. Adding Germany to an existing European program means connecting a German-compliant route and applying the double opt-in consent standard to the German contact segment, without rebuilding the program that handles France or the UK.
Frequently asked questions
Is double opt-in legally required for SMS in Germany?
Not explicitly named in legislation, but German courts have consistently treated double opt-in as the strongest and most reliable way to demonstrate valid consent. Germany's Federal Court of Justice has ruled that single opt-in cannot prove valid consent because a third party could have entered someone else's phone number. Organizations relying on single opt-in assume significantly greater evidentiary risk if their consent is challenged in court or in an Abmahnung proceeding.
What is an Abmahnung and why does it matter for SMS programs?
An Abmahnung is a formal cease-and-desist notice that any competitor can send to an organization sending non-compliant marketing messages under German competition law. It demands an injunction undertaking, legal costs, and cessation of the non-compliant practice. The Abmahnung mechanism means that consent documentation in Germany protects against two enforcement risks: regulatory action and competitor litigation. This is unique to Germany among the markets covered in this series.
Does the German UWG soft opt-in allow contacting existing customers without fresh consent?
Yes, under strict conditions. UWG §7(3) permits contacting existing customers about similar products or services if their details were collected during a genuine purchase transaction, they were informed at collection that their details might be used for marketing with an easy opt-out, and they have not subsequently objected. The German courts apply this provision more narrowly than equivalent soft opt-in rules in the UK, requiring a genuine prior purchase rather than account registration or inquiry.
Do I need to pre-register a sender ID in Germany?
No. Germany supports alphanumeric sender IDs without pre-registration, which is more permissive than markets like India, Vietnam, or Australia. The sender ID must be clearly identifiable and not random or disguised, but formal carrier-level pre-approval is not required for standard business SMS.
This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal counsel regarding their specific obligations under German telecommunications and competition law.