UK SMS Compliance: PECR, UK GDPR and DUAA 2025 Rules Explained

Written by Insights by Telerivet | May 29, 2026

There is a compliance assumption embedded in most UK business SMS programs that the law does not support. It goes like this: we are messaging businesses, not consumers, so the stricter consent rules do not apply to us. For some recipients that is correct. For a meaningful portion of any commercial contact list, including sole traders, certain partnerships, and individuals at corporate addresses, it is wrong in ways that now carry penalties of up to £17.5 million.

Business SMS in the UK is governed by the Privacy and Electronic Communications Regulations 2003, enforced by the Information Commissioner's Office, and sits alongside UK GDPR obligations on data processing. The Data Use and Access Act 2025, which received Royal Assent on 19 June 2025, raised maximum PECR fines from £500,000 to £17.5 million or 4% of global turnover. Three requirements apply to all commercial SMS: consent or a recognized exemption, sender identification in every message, and a working opt-out mechanism.

The penalty change is the most significant shift to the UK SMS compliance landscape in over a decade. It aligns PECR enforcement with UK GDPR levels and signals that the ICO intends to treat messaging violations as seriously as data protection ones. For programs that have been relying on informal practices or assumptions that have never been tested, this is the moment to fix the architecture rather than wait for an enforcement letter.

PECR: what it covers and what it does not

PECR applies to any unsolicited commercial electronic message sent to a UK recipient. SMS sits within the category PECR calls electronic mail, alongside email, instant messages, and messages sent via social media direct messaging. The same consent rules apply to all of them.

The regulations cover unsolicited messages. A solicited message, one that the recipient specifically requested, falls outside PECR's consent requirements, though it must still identify the sender and comply with UK GDPR if personal data is involved. The practical implication is that inbound-led programs, where a customer texts first and you respond, operate in a different compliance space from outbound broadcast campaigns. Two-way messaging architecture is therefore not just an operational benefit in the UK. It is a compliance-relevant design decision.

Operational messages, including delivery confirmations, appointment reminders, account alerts, and dispatch notifications, are transactional in nature and not typically classified as direct marketing under PECR. But the boundary is not as clean as it first appears. A delivery notification that includes a promotional offer becomes a marketing message. An account alert that prompts a cross-sell is commercial. The ICO's guidance on direct marketing makes clear that if any part of a message promotes products, services, aims, or ideals, the ICO generally considers the message to constitute direct marketing and consent requirements apply. Teams that add promotional content to operational messages to improve engagement are inadvertently reclassifying those messages and triggering consent requirements they may not have documented.

The B2B exemption: what it actually says and where it stops

This is the section most UK SMS guides get wrong, and it is worth reading carefully.

Under PECR, the consent requirement for electronic mail marketing does not apply to corporate subscribers. A corporate subscriber is a legal entity with separate legal status: a limited company, a limited liability partnership, a Scottish partnership, or a government body. If you are sending marketing SMS to the registered business number of a limited company and the message does not identify a named individual, you do not need prior consent under PECR. You still need to identify yourself and include an opt-out, and UK GDPR applies if personal data is involved, but the consent hurdle does not apply.

The exemption stops in several places most teams do not expect. Sole traders are not corporate subscribers. Under PECR they are treated as individuals, which means you need their consent or a valid soft opt-in before sending them marketing SMS, exactly as you would for a consumer. The fact that they have a business-looking phone number or a company name does not change their legal status under PECR. The same applies to certain partnerships. You cannot tell from a phone number whether the recipient is a limited company or a sole trader, and the ICO expects organizations to have taken reasonable steps to establish this before relying on the corporate subscriber exemption.

Where messages are directed to identifiable individuals within organizations, organizations should carefully assess whether they can rely on the corporate subscriber exemption or whether PECR consent requirements apply. This is the grey area where a significant proportion of B2B outreach programs operate, and where assuming the exemption applies without checking creates quiet exposure.

The practical consequence is that any organization running outbound SMS programs in the UK needs to segment its contact list by recipient type and apply different consent standards to each. Corporate entities contacted at generic numbers get the lighter-touch treatment. Sole traders, certain partnerships, and named individuals require consent or soft opt-in documentation.

The soft opt-in: what it allows and where it ends

The soft opt-in is a limited exception to the consent requirement for existing customers. It allows you to send marketing SMS to someone who bought or discussed buying a similar product or service from you, provided you gave them a clear chance to opt out when you collected their details and in every subsequent message, and provided the marketing relates to your own similar products or services.

Four conditions all need to be met simultaneously. They cannot be mixed and matched, and no single condition overrides the others.

Contact details must have been obtained in the course of a sale or negotiations for a sale, not from a general enquiry alone, a webinar registration, or a tradeshow badge scan. The marketing must relate to your own similar products, not a third party's, and not a different product category. You must have given a clear opt-out opportunity when you collected the details, not buried in a privacy policy, not implied by the absence of an opt-out box. And you must include an opt-out in every subsequent message.

The soft opt-in does not apply to prospective customers, to contacts bought from a third-party list, or to anyone who has not had a prior commercial transaction or negotiation with your organization. It also does not apply to charities under the standard rule, though the DUAA 2025 introduced a separate charitable purposes soft opt-in that came into force in February 2026 for charities specifically.

For many B2C programs, the soft opt-in is the practical basis for messaging existing customers without a fresh consent request. The mistake is treating it as a general license to message anyone who has ever interacted with the business.

Consent is only part of the compliance picture. Many organizations focus on whether they can send a message and overlook whether they can later demonstrate why they believed they could. Maintaining records showing how consent was obtained, when a contact qualified for the soft opt-in, or why a recipient was classified as a corporate subscriber can become just as important as the message itself if the ICO investigates. The record is the compliance asset, not the message.

Sender ID in the UK: no mandatory register, but meaningful carrier enforcement

The UK does not operate a mandatory sender ID registration system equivalent to Australia's ACMA register or Nigeria's per-operator approval process. Under the current framework, organizations can generally use brand-appropriate alphanumeric sender IDs, up to 11 characters, subject to carrier policies and anti-spoofing controls, provided the ID is clearly associated with their brand and does not impersonate another organization.

What carriers do enforce is a blocklist of restricted sender IDs. UK networks including EE, O2, Vodafone, and Three block sender IDs that impersonate banks, government agencies, major retailers, and other known brands, to combat smishing. The restricted list is not published, because publishing it would help fraudsters work around it, but it is maintained by the Mobile Ecosystem Forum's SMS Sender ID Protection Registry. If your sender ID matches or closely resembles a restricted name, messages may be blocked or rejected during carrier screening rather than generating a consent or compliance notification.

International long codes, standard phone numbers from outside the UK, are blocked by UK carriers for A2P traffic. Messages to UK recipients must use either an alphanumeric sender ID or a domestic UK long code. This catches international organizations sending into UK audiences from their home country numbers, and it is a common deliverability failure for global programs that have not been adapted for the UK market.

Ofcom published a consultation in late 2025 on binding obligations for mobile operators and messaging aggregators to combat SMS scams, with a final decision expected in summer 2026. The direction of travel is toward more structured anti-scam requirements, potentially including mandatory sender verification, though the consultation specifically considered and rejected a mandatory centralized sender ID registry as too burdensome. Organizations should monitor Ofcom's final guidance as this framework develops.

UK GDPR: the data layer that sits beneath PECR

PECR governs whether you can send the message. UK GDPR governs how you handle the personal data involved in sending it. Both apply simultaneously, and satisfying one does not satisfy the other.

For SMS programs, UK GDPR requires a lawful basis for processing the phone number. Where PECR requires consent for the message, consent under UK GDPR is typically the appropriate lawful basis as well, and that consent must be freely given, specific, informed, and unambiguous, with a clear affirmative action to opt in. Pre-ticked boxes, implied consent, and broad bundled consent that does not specifically mention SMS do not satisfy the standard.

Where PECR does not require consent for the message, such as marketing to a corporate subscriber, UK GDPR still requires a lawful basis for processing the contact's personal data. Legitimate interests can apply in B2B contexts, but that basis must be documented, balanced against the individual's rights, and supportable if challenged.

Retention, accuracy, and data subject rights obligations under UK GDPR apply regardless of the channel. Contact lists need a documented retention policy. Individuals have the right to access their data, correct it, and object to processing for marketing purposes. An objection to marketing processing must be honored without undue delay and respected for future marketing communications, unless valid consent is subsequently obtained again.

The ICO enforces both PECR and UK GDPR and has made clear that SMS marketing violations typically engage both regimes. A fine for a PECR breach does not foreclose a separate action under UK GDPR for the same conduct.

The DUAA 2025: what actually changed

The Data Use and Access Act received Royal Assent on 19 June 2025, and its provisions are being phased in through 2026. The headline change for SMS programs is the fine ceiling: maximum PECR penalties moved from £500,000 to £17.5 million or 4% of annual global turnover, whichever is higher. This is not a theoretical maximum. The ICO's enforcement strategy has shifted toward fewer but substantially larger penalties, and the regulator has signaled it will use the new powers for egregious or repeated violations.

Other changes relevant to SMS operators include the alignment of the direct marketing definition between PECR and the Data Protection Act 2018, the introduction of the charitable purposes soft opt-in from February 2026, and updates to breach notification timelines. The ICO is updating its guidance across multiple areas through 2026, and organizations that have not reviewed their SMS consent processes since before June 2025 are working from an outdated compliance baseline.

Operational SMS: the field workforce and logistics angle

One category of SMS program in the UK sits largely outside PECR's marketing provisions. Operational messages between an organization and its own workers, including dispatch alerts, welfare check messages, safety notifications, and shift communications, are generally not commercial electronic messages in the PECR sense, because they are not advertising or promoting a product or service.

For UK logistics operators, courier companies, field service businesses, and construction and utilities firms, this is where SMS delivers its highest operational value. A driver who receives a route change notification, a field worker who confirms receipt of a safety alert by replying to an acknowledgment prompt, a dispatcher who knows within seconds whether a crew member has confirmed a job: these workflows are built on SMS precisely because SMS is the one channel that reaches every device on every network without requiring data connectivity, app installation, or smartphone ownership.

Field force communication at scale breaks down in predictable ways when the tools are not designed for it. WhatsApp groups fragment into separate threads. Personal phone numbers mix personal and operational messages. There is no delivery record when something goes wrong and a worker later claims they were not notified. The pattern across UK logistics and field services mirrors what we have documented for Australian operators and Canadian fleet operators: organizations that manage dispersed workforces need a communication system that provides acknowledgment logging and delivery confirmation, not just a broadcast channel.

For UK employers, the Health and Safety at Work Act 1974 and sector-specific regulations create obligations around communicating safety information that make acknowledgment records operationally necessary. A safety alert sent from a personal phone with no delivery confirmation may be considerably more difficult to demonstrate as an effective safety communication when a regulator or insurer asks what steps were taken to notify workers.

How logistics operators use SMS for fleet coordination covers the operational architecture. The compliance framing for UK field operations specifically is distinct from the PECR marketing story, but both require the same underlying platform capability: two-way messaging, delivery receipts, and a record that travels with the organization rather than living inside a connectivity provider's system.

Building a compliant UK SMS program

The structural requirements are not complicated. What makes compliance hard in practice is that organizations make assumptions about which category their contacts fall into and which exemptions apply, without documentation to support those assumptions, and without suppression lists maintained well enough to survive an ICO information notice.

Express consent, properly collected, covers most scenarios cleanly. A consent capture that names your organization, specifies SMS as the channel, explains what the recipient will receive, uses an unticked opt-in box, and records the timestamp and source is defensible under both PECR and UK GDPR. Starting from that foundation and layering the B2B and soft opt-in exemptions onto genuinely qualifying contacts is a much lower-risk approach than starting from the exemptions and working backward.

Suppression list hygiene is where most enforcement cases originate. A STOP reply that is not processed, an opt-out that goes to an unmonitored inbox, or a former customer who opted out and later receives a new campaign because they were re-added from a different list: each of these is a PECR breach regardless of the validity of the original consent. Automated opt-out handling is not optional at any meaningful send volume. It is the mechanism that makes the unsubscribe obligation consistently enforceable.

Route and platform choice matters here too. A program that keeps consent records, suppression lists, and delivery logs inside a connectivity provider's system is a program whose compliance assets disappear if the provider relationship changes. The architecture that protects a UK SMS program long-term keeps those records above the connectivity layer, accessible and portable regardless of which UK carrier routes the messages. Twilio and Vonage both carry UK routes, and domestic number options are available for programs that need two-way capability.

Frequently asked questions

Does PECR apply to my organization if I am based outside the UK?

Yes. PECR applies to commercial electronic messages sent to recipients in the UK regardless of where the sending organization is located. Post-Brexit, UK PECR is domestic UK law and enforced by the ICO. EU ePrivacy rules apply separately to EU recipients. If you market to UK audiences by SMS, PECR applies to you.

Can I send marketing SMS to UK businesses without consent?

To corporate subscribers, meaning registered limited companies and LLPs, contacted at generic business numbers, yes, without PECR consent, though you must identify yourself and include an opt-out, and UK GDPR still applies to any personal data you process. Sole traders and certain partnerships require consent or a valid soft opt-in. Named individuals at corporate numbers may also require consent depending on circumstances. Do not assume all B2B contacts qualify as corporate subscribers.

What is the soft opt-in and when can I rely on it?

The soft opt-in allows you to send marketing SMS to existing customers without fresh consent if four conditions are all met: you collected their details during a sale or negotiations for a sale, you gave them a clear opt-out opportunity at that time, you include an opt-out in every subsequent message, and the marketing relates only to your own similar products. All four must apply simultaneously. It does not cover prospects, bought-in lists, or customers of a third party.

What changed with the DUAA 2025 for SMS programs?

The maximum fine for PECR breaches increased from £500,000 to £17.5 million or 4% of global annual turnover. The charitable purposes soft opt-in was introduced for charities from February 2026. The ICO is updating guidance through 2026. If your SMS consent processes have not been reviewed since before June 2025, review them now.

Do I need to register my sender ID with a UK authority?

There is no mandatory sender ID registration system in the UK equivalent to Australia's ACMA register. However, UK carriers block international long codes and maintain a restricted list of sender IDs associated with known brands to prevent impersonation. Your sender ID must be clearly associated with your organization. Using a domestic UK number or a brand-appropriate alphanumeric ID, submitted through a UK-connected provider, is the baseline requirement for reliable delivery.

This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or data protection professionals regarding their specific obligations under PECR, UK GDPR, and the Data Use and Access Act 2025.