Learn the Best Practices for SMS Compliance in Your Privacy Policy

Please note that Klaviyo, unlike its terms of service, cannot host a privacy policy. This is not legal advice. Klaviyo recommends consulting your legal advisor to ensure compliance with applicable laws regarding your marketing activities.
‍

The Importance of a Privacy Policy for SMS

Before you start with SMS marketing, it’s crucial to update your privacy policy to include essential information about SMS communications. Specifically, if you ever plan to apply for a “short code,” you will need to include certain information in your privacy policy to be eligible for approval.
‍

Best Practices for SMS Privacy Policy

As a best practice, your privacy policy should contain an accurate description of your program and how you handle data in relation to that program. We also recommend including details about how you use the collected phone numbers, how you process them, with whom you share them, etc. The privacy policy should be accessible from the opt-in method (e.g., signup form).

Additionally, we recommend including disclosures if any of the following apply to your business:

• SMS abandoned cart
• Third-party data sharing
• Location tracking or location-based services

The sections below provide examples; however, Klaviyo and Polaris Growth cannot provide legal advice, so please consult with your legal advisor before making changes to your privacy policy.
‍

SMS Abandoned Cart Disclosure

Your privacy policy must explicitly state how information is collected by the website to determine when a customer’s cart is abandoned (e.g., website cookies, plugins, etc.). If you use SMS for abandoned carts, include a statement about this in your privacy policy.

Example:

"The website uses cookies to track which items you place in your cart, including when you abandon your cart. This information is used to determine when cart reminder messages should be sent via SMS."
‍

Sharing Data with Third Parties

If your privacy policy states that data is shared or sold to non-affiliated third parties, there is concern that customer data might be shared with third parties for marketing purposes. Third parties do not include subsidiaries and affiliates (i.e., companies under common control, as well as service providers acting on behalf of the customer).

For SMS, express consent is required; therefore, data sharing is prohibited. Your privacy policy must specify that this excludes SMS opt-in data and consent. Privacy policies can be updated (or drafts provided) to explicitly omit the practice of sharing personal data with third parties from the short-code program.

Example:

"The above does not apply to opt-in data and sender consent for SMS messages; this information is not shared with third parties."
‍

Location Tracking and Location-Based Services

If your privacy policy mentions location tracking or location-based services, it must fully describe how this data is collected and for what purpose.

‍

Do you have any questions after reading this article about SMS privacy policy best practices? Get in touch with Polaris Growth for more advice