It is challenging to uphold a compliant text messaging program, but it is not as difficult as it may seem when you have the right partner by your side. With Directful’s platform, which is designed with best practices in mind, you can run your SMS program with confidence, knowing that compliance is being taken care of.
Directful’s in-house legal team focuses on TCPA, CCPA, CTIA, GDPR, CASL, ADA compliance, and more to provide the tools you need to protect yourself from potential risk.
Disclaimer: The information contained in this article is provided for educational and informational purposes only. This article is not intended to provide legal advice and should not be relied upon as such.

Before getting started with this effective marketing channel, it is essential to acquaint yourself with regulations and key requirements on privacy and compliance. Below we outline the current text message compliance regulations, and how we, at Directful, keep our customers compliant with their SMS marketing.
How to stay compliant?
With the ever-changing legal landscape and strictly enforced regulations that vary across states, provinces and countries, it’s essential for hoteliers and marketers to embrace the changes. Failure to do so can lead to costly legal consequences and damages to your hotel’s reputation.
How can hoteliers and marketing teams can stay on top of constantly changing regulations on privacy that seem to overwhelm the digital marketing industry today?
💡 Hint: it’s important to partner with experts who will keep you up-to-date and help navigate the complex legal landscape, or a platform that will keep you compliant.
Let’s familiarize you with key terms, requirements, laws, organizations and upcoming changes on privacy and compliance.
Protecting Guest Privacy in the Digital Age
What You Need To Know
Privacy in the digital age is a significant concern, particularly with the rise of data breaches and cyber-attacks. Hotels collect a vast amount of personal information from their guests, this also means that hotels have a responsibility to ensure the safety and privacy of their guests’ information.

Digital marketing allows hotels to target specific customer segments with personalized offers and promotions, that have a significant impact on hotel revenue.
However, these advancements come with privacy concerns that hoteliers need to address to ensure that they are not violating their guests’ privacy rights.
Key Organizations Setting Privacy Laws
To protect consumers’ privacy these are the most important organizations that determine privacy laws in the USA, Canada, and Europe:
GDPR
General Data Protection Regulation
A regulation in the European Union that governs data protection and privacy. The GDPR applies to all businesses that process personal data of individuals located in the EU, regardless of where the business is located.
This means that even businesses located outside the EU that process personal data of EU residents are subject to GDPR compliance requirements.
PIPEDA
Personal Information Protection and Electronic Documents Act
A Canadian law that governs the collection, use, and disclosure of personal information, except for provinces that have their own substantially similar privacy laws.
For example, British Columbia has Personal Information Protection Act (PIPA), Alberta – Personal Information Protection Act (PIPA), Quebec – An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act).
CCPA
California Consumer Privacy Act
A law aims to give California residents more control over their personal information and to ensure that businesses are transparent about how they collect, use, and share that information.
Under the CCPA, consumers have the right to know what personal information a business has collected about them, the right to request that the information be deleted, and the right to opt-out of the sale of their personal information.
However, the year 2023 will witness significant changes to privacy regulations in the U.S., as more states begin enforcing new GDPR-inspired statutes. Here is a list of the new state data privacy statutes slated to come online in 2023:
California Privacy Rights Act (CPRA)
On January 1, 2023, many of the provisions outlined in the California Privacy Rights Act (CPRA) came into effect. CPRA had already established various individual rights, inspired by the General Data Protection Regulation (GDPR). CPRA also created a state agency responsible for enforcing privacy regulations, similar to data protection agencies found in EU nations that enforce GDPR.
Virginia Consumer Data Privacy Act (VCDPA)
Effective from January 1, 2023, the Virginia Consumer Data Privacy Act (VCDPA) came into effect, introducing GDPR-inspired individual rights. The VCDPA applies to businesses that conduct business in Virginia or target Virginia residents and meet certain revenue or data processing thresholds.
Colorado Privacy Act (CPA)
Effective from July 1, 2023, the Colorado Privacy Act (CPA) will come into force. Along with creating individual rights akin to those outlined in the GDPR, the CPA mandates data security, vendor contract provisions, and evaluations for “high-risk” processing.
Connecticut Data Privacy Act (CDPA)
Similar to Colorado’s recently passed privacy law, the Connecticut Data Privacy Act (CDPA) will come into effect on July 1, 2023. The CDPA also establishes a range of individual rights similar to those of the GDPR, in addition to mandating data minimization, security, and evaluations for “high-risk” processing.
Utah Consumer Privacy Act (UCPA)
Effective from December 31, 2023, the Utah Consumer Privacy Act (UCPA) will take effect. The UCPA provides for specific individual rights similar to those found in the GDPR, and also mandates data security and vendor contract provisions. However, unlike other privacy laws, the UCPA does not explicitly require risk assessments.
Key Terms Related to Privacy
As you learn more about privacy, it’s helpful to be familiar with key terms related to privacy laws:
- Personal data: Information that relates to an identified or identifiable natural person.
- Data protection: The process of safeguarding personal data from unauthorized access, use, or disclosure.
- Privacy policy: A statement that outlines how an organization collects, uses, and protects personal data.
- Consent: The voluntary agreement given by a data subject to the processing of their personal data.
- PII: Personally identifiable information – Any data that can be used to identify a specific individual.
- Data breach: An incident in which personal data is exposed or stolen by unauthorized parties.

Essential Privacy Requirements for GDPR, PIPEDA, CCPA, and CPRA
Here is a list of some of the most important requirements related to privacy. Please note that this list is not exhaustive, and there may be other privacy requirements beyond those outlined below:
- Individuals have the right to access, correct, and delete, and limit the use of their personal information
- Companies must obtain explicit consent before collecting and processing an individual’s personal data
- Companies must disclose the categories of personal information they collect, sell, or disclose about individuals
- Companies must report data breaches within 72 hours
- Companies must take reasonable security measures to protect personal information
- Companies must provide a clear and understandable explanation of their privacy policies and practices
- Companies must disclose the length of time they plan to keep personal information
SMS Compliance, Texting Laws & Regulations
The most essential thing to understand is that texting is a form of permission-based marketing. When planning a compliant text messaging campaign that adheres to best practices, it’s essential to remember the ultimate objective of the compliance frameworks: safeguarding individuals against unsolicited SMS communications.
As your partner in SMS campaign success, we’ve outlined the major governing rules and regulations for text message marketing below.
Navigating the Legal Landscape of Text Messaging & SMS Compliance
Text messaging marketing and SMS compliance are affected by the regulatory bodies and regulations listed below:
CTIA
Cellular Telecommunications Industry Association
is a trade organization representing the wireless communications industry in the United States. CTIA’s guidelines cover a wide range of topics, including message content, sender identification, and message frequency.
One of the most significant contributions of CTIA to the wireless industry is its development of industry guidelines and standards that ensure compliance with regulatory requirements and best practices.
FCC
Federal Communications Commission
is an independent agency of the United States government that regulates and oversees communications-related industries.
The FCC has a significant impact on the daily lives of Americans, as it regulates the availability and affordability of communication services, protects consumers from fraud and abuse, and ensures the free flow of information.
TCPA
Telephone Consumer Protection Act
states that consumers have the right not to receive unsolicited marketing communications via telemarketing calls or text messages (SMS), and companies should obtain a consumer’s prior express written consent before sending automated SMS marketing text messages.
The law also prohibits telemarketers from calling phone numbers listed on the National Do Not Call Registry, with penalties which can range from $500 to $1,500 per violation.
CASL
Canadian Anti-Spam Legislation
is a law created to protect Canadians from unwanted spam emails, text messages, and other electronic communications. It is considered one of the toughest anti-spam laws in the world.
CASL applies to anyone who sends commercial electronic messages (CEMs) to Canadians. Violations of CASL can result in severe penalties, including fines of up to $10 million for businesses and up to $1 million for individuals.
CAN-SPAM Act
The Can-Spam Act helps protect consumers from receiving unwanted advertisements. Under the CAN-SPAM Act, the FCC regulates commercial text messages sent to mobile devices, making sending unwanted text messages to cell phone numbers illegal.
It’s important to note this Act only applies to promotional messages (advertisements) and not to any messages relating to an existing transaction or relationship
State-Specific Legislation
National TCPA standards serve as the minimum requirement for messaging compliance. However, as SMS marketing becomes more prevalent, there is a growing trend towards state-specific standards that exceed federal requirements.
There are 13 states with laws governing consumer solicitation by text message: Arizona, California, Colorado, Connecticut, Florida, Indiana, New Jersey, North Dakota, Oklahoma, Rhode Island, Utah, Washington and Wisconsin.
SMS Compliance: Key Terms to Know
As you navigate further in text messaging compliance, it’s helpful to be familiar with key terms and acronyms related to privacy laws and subscriber actions:
- Compliance: ensuring that text messaging practices follow applicable laws and regulations, including obtaining express written consent, providing an opt-out option or being added to the do not call list, and avoiding spam or unsolicited messages.
- Express written consent refers to obtaining explicit and written permission from guests, indicating their agreement to receive specific types of communications, such as marketing messages via SMS, email, or other forms of electronic communication.
- Opt-in: refers to a customer’s express written consent to receive marketing text messages from a brand in SMS marketing. It is for a limited time period, and in order to avoid asking for consent repeatedly, companies should always obtain express written consent.
- Opt-out (unsubscribe): describes the action of a subscriber indicating they no longer wish to receive text messages from a company, typically by replying with a recognized opt-out keyword “STOP”.
- Promotional messages: are types of SMS marketing messages that brands send to drive revenue, often containing marketing, discount coupon or sales promotions.
General SMS Compliance Requirements
Below are several key requirements that hoteliers and marketers should be aware of regarding compliance with TCPA, CTIA, CCPA, GDPR as they relate to text messaging. Please note that this list is not exhaustive:

- Do not send text messages to phone numbers listed on the National Do Not Call Registry.
- Obtain prior express written consent before sending promotional text messages to guests.
- Include your hotel’s name in all outgoing text messages.
- Include clear opt-out instructions in every text message and respect opt-out requests.
- Follow the CTIA Messaging Principles and Best Practices for messaging content and frequency.
- Only send text messages at permitted days and times to avoid disturbing guests.
Never bypassing regulations, always up to industry standards
Our team does our best to help hotels remain compliant while they are engaging with guests and boosting hotel revenue with text message marketing.
Additionally, we have an in-house legal team and a partnership with the Privacy & Compliance Defense Force, Twilio, Brandwidth to track industry changes and what they mean to valuable customers like you.
The best thing is, our team continuously tracks updates in regulations and implements all the required changes in Directful’s platform, making it easier for you to remain compliant automatically.