Have you ever scratched your head wondering what the U.S. laws are for SMS opt-in and opt-out when sending text messages as a business?
Since the U.S. CAN-SPAM Act was accepted in 2003, many organizations have been trying to comply with data privacy laws. As a result, more businesses understand the importance of staying up to date as more privacy laws are passed on a global scale. However, consider that the percentage of scam reports is growing every year, with 216 086 reports already for 2022 and 10.6% of them involving financial losses. People are more conscious of their privacy than ever.
Before we dive deeper into it, it is crucial to understand the legal requirements. When people give their consent to a business, they must be informed about the information processing activities to which they consent. Any consent obtained through coercion, or through ambiguous or vague terms, would be considered invalid.
Opt-in is a process describing a positive action taken by the website visitor or business’s customer, which they should take before the company is legally allowed to collect and process their data (giving consent).
Opt-out is when the user withdraws their consent. As we mentioned previously, the CAN-SPAM Act specifically allows people to opt out after they’ve opted in.
It protects customers from commercial marketing and advertisement text messages from companies that they haven’t set up a relationship with yet. For instance, it is okay for companies to send you transaction text messages. But it is illegal for companies to send you any commercial marketing or advertisement messages without your consent.
The CAN-SPAM Act’s requirements include:
The TCPA is one of the primary laws in the U.S., in place after 1991 as a reaction to the increase in unregulated and harassing telemarketing calls and faxes. Its purpose is to limit telephone solicitations and the use of automated mobile equipment. The Act restricts the use of automatic dialing, SMS, fax, and pre-recorded voice messages unless companies obtain explicit written consent before sending text messages.
Even if there is a relationship between the company and the recipient, the company can only send text messages if the recipient has opted in. Recipients can sue a company that is not following the TCPA guidelines.
As part of the U.S. laws for SMS Opt-in and Opt-out, the CCPA provides California residents with more control over the personal information that businesses are collecting. It also provides guidance on how to implement the law.
The privacy rights of the CCPA include:
To comply with the CCPA, businesses should provide their customers with a “notice of collection” and a clear SMS opt-in and opt-out process. Your notice of collection should cover the type of personal information you are collecting and how you will use it.
You can include your consent request wherever you collect information. You would normally create a TCPA-compliant form, email, or paper, and you can set up a keyword for your audience to text your organization over WhatsApp or SMS. For a consent form to be valid, your organization must disclose a few pieces of information:
For instance, a form could include a checkbox that reads “Subscribe to receive text messages from [name of the organization]” with a hyperlink to all necessary disclosures.
However, if you plan on selling personal data, the CCPA regulation requires a separate opt-in checkbox that reads “Check to permit the sale of information”.
For example, customers of ValueText, a Salesforce native messaging app, often prefer to use a keyword query, “START”, to obtain consent. What you can do is create a call to action on any digital or traditional channel (one of them being your website) inviting people to send a text message (keyword) to your organization’s address.
For instance, “Text [insert word] to [insert number] for more information about [insert product name]”.
We also recommend that you set up a double opt-in by responding with “We would like to send you helpful information each month regarding ‘Y’. Is this okay with you? Please respond with YES or NO”.
This type of active consent expires every 18 months. However, you can use apps like ValueText to automate this whole process of obtaining consent every 18 months.
If the person doesn’t respond to your opt-in and double opt-in request, consider that an opt-out. It is important to make the opt-out process easy. Firstly, your customers should be able to opt out by texting you “STOP”, “UNSUBSCRIBE”, “OPT-OUT”, or “CANCEL”.
To make it easier, ValueText provides opt-out backup automation in Salesforce. This automation includes a checkbox that can be found on any Record, effectively blocking any text messages in Salesforce from being sent to that specific Contact.
If you are interested in more details regarding the topic, we have written a separate guide which you can access here.
What if your company also uses other messaging channels like WhatsApp? WhatsApp allows us to initiate text conversations only by sending messages using a pre-approved template.
When your customer replies, this is considered an opt-in and the session will be active for the next 24 hours. If your customer sends you a text message first, a 24-hour session will be activated without you having to gain consent.
We understand that this whole process of following the U.S. laws for SMS Opt-in and Opt-out might be scary. That is why we have prepared a checklist for you to follow, in order to build trust between you and your customers.
Once you’ve set up your processes for SMS Opt-in and Opt-out, we encourage you to get familiar with other best tips for sending SMS from Salesforce.
Do not send a text message to request an opt-in; it is illegal. You can receive a fine between $500-$1500 for each interaction. This depends on whether the message was sent knowingly and whether there was an abuse of information. An unsolicited text or call counts as a violation of the law, which can quickly end up costing you millions of dollars in penalty fines. For example, Amazon paid a fee of $877 million, Google paid out $56.6 million, the telecom company Wind paid a fee of $20 million, and Domino’s Pizza paid nearly $10 million, all for consent violations.
Navigating through Salesforce and complying with all the laws and regulations might be stressful sometimes. At ValueText, we understand your pain and we would love to give you a hand in your endeavors. You can contact us at firstname.lastname@example.org or on our website here.