PECR & UK GDPR for SMS, Text & WhatsApp from Salesforce

February 12, 2026

Your UK business sends SMS, text and WhatsApp marketing to 8,000 contacts. Under PECR and UK GDPR, every single recipient needs a lawful basis and an unambiguous opt-out path. ICO fines for getting this wrong run up to £17.5 million or 4% of global turnover, and they do enforce.

The two laws that govern UK messaging

Two regulations apply to your SMS, text and WhatsApp traffic as a UK sender:

  • PECR (Privacy and Electronic Communications Regulations) governs electronic marketing, including SMS and texts. Regulator: the ICO. Requires prior consent for most marketing.
  • UK GDPR governs processing of personal data generally. Requires a lawful basis (consent, legitimate interest, contract, etc.) and transparent privacy information.

PECR sits on top of UK GDPR for messaging: you need both a lawful basis under UK GDPR AND the specific consent or soft opt-in under PECR. The combined effect: most business SMS, text and WhatsApp marketing in the UK requires explicit consent.

Soft opt-in and when it applies

PECR allows a “soft opt-in” for existing customers in narrow circumstances: the contact gave you their details during a sale or negotiation of a sale, your marketing is about similar products or services, and they were given a clear opt-out at the point of data collection and in every subsequent message.

The soft opt-in does NOT apply to new prospects, referrals or non-customer enquiries. Your Salesforce consent field should record explicitly which basis applies: explicit opt-in, soft opt-in (with supporting evidence), or no basis. Your messenger blocks sends where no basis is recorded.

Opt-out handling the ICO audits

PECR requires every marketing message you send to include a “simple means” to opt out. For SMS and text, STOP is the accepted standard. For WhatsApp, the opt-out has to be equivalent, typically a reply keyword or a tap link. Once someone opts out, further marketing to them is unlawful.

Your messenger processes UK opt-outs (STOP, UNSUBSCRIBE, NO MORE, and localised variants), updates the Salesforce consent field, and blocks future marketing. Transactional messages can still go, because PECR doesn’t block service messages, but marketing stops permanently.

Data minimisation and privacy notices

UK GDPR requires data minimisation: collect and process the minimum personal data needed for the purpose. For SMS, text and WhatsApp, this means templates and AI agents should pull the minimum PHI, PII or personal context into each message. It also covers retention: old consent records and old messages should be purged on your documented schedule.

Your Salesforce data retention rules apply automatically to the messenger. When a Contact record is archived or deleted per your policy, the associated messages go with it. Your admin configures retention once; the messenger honours it automatically.

What the ICO actually checks

ICO investigations following a complaint typically ask for four things: (1) proof of consent with timestamp and wording, (2) proof of opt-out handling, (3) evidence of data minimisation, (4) evidence of retention policy application. Your Salesforce audit reports produce all four in standard Salesforce format.

Compliance isn’t sending fewer messages. It’s being able to demonstrate clearly, on demand, that every message you did send had a lawful basis and was handled correctly. AI SMS House bakes that evidence into every send from day one.