Texting Laws for Business (UK & GDPR): What You Must Know in 2026

Texting Laws for Business Article Summary

1. Business SMS is a powerful engagement channel, but texting laws for business like PECR and UK GDPR impose strict consent, transparency, and data protection requirements.
2. Compliance depends on obtaining clear opt-in consent, providing opt-out options, and following ICO guidance, while mobile networks enforce additional standards that impact deliverability.
3. By applying best practices and maintaining strong data governance, businesses can reduce legal risk, build customer trust, and run effective, compliant SMS campaigns.

Business text messaging is an unparalleled tool for customer engagement, yet it operates within a stringent and complex legal framework. As of May 2026, non-compliance with these business texting laws carries severe financial penalties and can cause irreparable damage to a brand's reputation [7]. Businesses must navigate a multi-layered system of rules, including UK legislation such as the Privacy and Electronic Communications Regulations (PECR), the UK General Data Protection Regulation (UK GDPR), and guidance from the Information Commissioner’s Office (ICO). This guide provides a definitive overview of the texting laws for business and outlines the practical steps required to build a compliant, effective, and trustworthy SMS strategy.

The UK Regulatory Foundation: PECR, UK GDPR, and ICO Guidance

A core set of regulations and regulatory guidance governs all business texting in the United Kingdom. Mastering these rules is the foundational step toward developing a compliant and successful SMS communication programme.

Privacy and Electronic Communications Regulations (PECR)

PECR is the primary legislation governing electronic marketing communications in the UK, including SMS messaging [9]. It requires businesses to obtain prior consent before sending marketing text messages to individuals. This consent must be knowingly given and must meet the standards set out under UK GDPR.

For marketing messages, consent must be clear, specific, and informed. Businesses must provide a clear explanation of what the individual is signing up for and who is sending the messages [5].

For non-marketing messages, such as service updates or appointment reminders, consent may still be required depending on context, particularly where personal data is involved. In all cases, individuals must have been given a reasonable expectation that such communication would occur.

PECR also includes a limited exception known as the "soft opt-in", which allows businesses to send marketing messages to existing customers if:

• The contact details were obtained during a sale or negotiation for a sale
• The messages relate to similar products or services
• The individual was given a clear opportunity to opt out at the time of data collection and in every subsequent message

UK General Data Protection Regulation (UK GDPR)

UK GDPR complements PECR by governing how personal data, including phone numbers, is collected, stored, and used [8]. It requires businesses to process data lawfully, transparently, and securely.

Key requirements include:

• Having a lawful basis for processing personal data
• Providing clear privacy notices explaining how data is used
• Allowing individuals to exercise rights such as access, deletion, and objection
• Maintaining accurate records of consent

Failure to comply can result in significant financial penalties and enforcement action from the ICO.

ICO Guidance

The Information Commissioner’s Office provides detailed guidance on direct marketing practices. While not legislation, ICO guidance is authoritative and actively enforced. It emphasises consent, transparency, and accountability in all marketing communications [6].

UK SMS Compliance and Sender Requirements

Unlike the United States, the UK does not operate under A2P 10DLC or The Campaign Registry. Instead, compliance is enforced through legal obligations and mobile network standards.

Mobile network operators and messaging providers actively monitor traffic for spam and non-compliant behaviour. Messages that fail to meet compliance standards may be filtered or blocked, affecting deliverability.

Businesses must ensure that:

• Consent has been properly obtained and recorded
• Messages clearly identify the sender
• Opt-out mechanisms are always included
• Data protection obligations are upheld

Failure to meet these expectations can result in service disruption as well as regulatory penalties.

Navigating UK-Specific Legal Requirements

In the UK, compliance is determined by the recipient’s location and governed primarily by PECR and UK GDPR rather than regional or state-based variations.

Key requirements include:

Explicit Consent: Businesses must obtain clear opt-in consent before sending marketing SMS messages, unless the soft opt-in applies [1].

Transparency: Organisations must clearly explain how personal data will be used and who is sending the messages [4].

Right to Opt Out: Every message must provide a simple and effective way to unsubscribe [3].

Data Protection Compliance: Phone numbers and related data must be handled in accordance with UK GDPR, including secure storage and lawful processing [6].

This framework requires businesses to adopt a consent-first approach and maintain strong data governance practices.

Actionable Best Practices for SMS Compliance

Implementing a clear and disciplined set of best practices is the most effective way to manage legal risk and build a high-performing SMS programme.

Step 1: Secure and Document Consent

The golden rule of SMS compliance is to obtain valid SMS opt in before sending the first message. Consent must meet UK GDPR standards and be clearly recorded.

Compliant opt-in methods include:

• Keyword campaigns such as "Text START to join"
• Website forms with unticked checkboxes and clear disclosure language
• Sign-up forms at events or checkout processes

Businesses must maintain a verifiable record of when and how each contact provided consent. This documentation is essential for demonstrating compliance if challenged.

Step 2: Craft and Send Compliant Messages

Every message must adhere to key standards to maintain trust and compliance.

Identify Your Brand: Always clearly state who is sending the message.

Provide a Clear Opt-Out: Every message must include simple instructions such as "Reply STOP to unsubscribe."

Observe Appropriate Timing: Messages should be sent during reasonable hours, typically between 8 a.m. and 9 p.m. local time, in line with industry best practice.

Avoid Prohibited Content: Messages must not include misleading, harmful, or unlawful content, and should comply with advertising standards.

Step 3: Automate Opt-Outs and Uphold Data Privacy

A compliant system must process opt-out requests automatically and without delay. When a user replies with a standard keyword such as STOP or UNSUBSCRIBE, they must be removed from the marketing list immediately.

A single confirmation message may be sent to confirm the opt-out, but it must not contain any promotional content.

Businesses must also respect data usage limitations. Personal data collected for one purpose cannot be reused for another without obtaining additional consent. These obligations align with broader contractual and compliance principles, such as those outlined in Ringover’s general terms and conditions of sale and services.

Conclusion

Successfully leveraging business text messaging in 2026 requires a disciplined and proactive approach to compliance. The essential pillars are a firm understanding of PECR and UK GDPR, strict adherence to ICO guidance, and consistent implementation of best practices centred on consent and transparency.

By treating compliance not as a regulatory burden but as a fundamental component of customer trust, businesses can confidently use SMS as a sustainable and highly effective communication channel. To start sending text campaigns for your business, start your free Ringover trial today!

Texting Laws for Business FAQ

Are texts between 9pm and 8am illegal?

Texting is not strictly illegal during these hours in the UK, but it is strongly discouraged. Under ICO guidance and good practice, businesses should avoid sending marketing messages outside reasonable hours to prevent complaints and reputational damage.

How many times does someone need to text you before it's harassment?

There is no fixed number. In the UK, repeated unwanted messages can be considered harassment under the Protection from Harassment Act 1997 if they cause distress or alarm.

What is the new text message law in Texas?

This does not apply in the UK. UK businesses must instead follow PECR and UK GDPR, which govern consent, data use, and electronic marketing communications.

Can you get in legal trouble for texting someone?

Yes, businesses can face legal consequences if they send unsolicited marketing texts without proper consent or fail to comply with PECR and UK GDPR requirements.

Is it illegal for a business to text you?

It is not illegal if the business has obtained valid consent or qualifies under the soft opt-in rule. Without consent, marketing texts are unlawful under PECR.

Is texting acceptable in business?

Yes, texting is widely accepted in business when used professionally and in compliance with data protection and marketing regulations.

Is B2B cold texting illegal?

B2B cold texting is more flexible than B2C, but businesses must still identify themselves clearly and provide an opt-out option. Data protection rules still apply when handling personal data.

Citations

• [1]https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/direct-marketing/
• [2]https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/consent/
• [3]https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/marketing-by-electronic-means/
• [4]https://www.gov.uk/data-protection
• [5]https://ico.org.uk/for-organisations/direct-marketing/checklist/
• [6]https://ico.org.uk/for-organisations/guide-to-data-protection/
• [7]https://ico.org.uk/action-weve-taken/enforcement/
• [8]https://www.legislation.gov.uk/eur/2016/679/contents
• [9]https://www.legislation.gov.uk/uksi/2003/2426/contents

Published on May 11, 2026.