Build up an SMS database with customers’ cell phone numbers in compliance with the law

There are many reasons why companies choose to use SMS: to send booking confirmations, appointment reminders or pick-up notifications to customers, to improve internal processes, or to take advantage of the personal nature of SMS for direct marketing.

Building an SMS database of real, interested customers is critical to the success of an SMS campaign.

So how do you properly build an SMS database? Companies need to create an incentive for customers before they can start building a contact list. The easiest way is to offer them value with content that interests them, such as special offers, regular product updates, discount codes, invitations, daily tips, etc. By providing valuable information that generates genuine interest among customers, the mobile list will grow organically.

But there are a few things to consider beforehand: What about privacy when it comes to SMS? Here’s an overview with the most important information on consent, double opt-in and the commissioned data processing agreement in relation to sending SMS to customers.

Does the GDPR also apply to SMS?

Basically, a distinction must be made at this point between two forms of SMS sending: SMS can be used for advertising purposes or to offer a crucial service to customers. If companies (or a third party) process or store personal data of their customers, the GDPR applies. Some laws on data protection when sending SMS also come from the „BDSG-neu“, an extension of the GDPR that applies in the Federal Republic of Germany.

Consent must be voluntary

Companies need a legal basis if they want to use personal data of their customers. As mentioned above, this also applies if data is stored in connection with SMS messages. In most cases, obtaining consent is the most sensible solution here. This provides physical proof that SMS messages may be sent to an individual person. The mandatory requirement here is that customers must give this consent voluntarily.

In addition, companies must inform their customers exactly what their number will be used for – and BEFORE they give their consent.

Essentially, this means: If the number is asked for in order to send booking confirmations, no marketing SMS and certainly no emails may be sent without explicit consent. Although there are certain exceptions to this rule, it can serve as a basic guideline.

In addition, companies should be aware that consent is not necessarily valid forever. If they do not contact recipients in the manner specified for an extended period of time, consent may expire. They must also be able to provide information about consent at any time and prove that they have it.

How do I obtain my customer’s number?

There are several ways to obtain a customer’s cell phone number:


Usually, numbers are requested via a (registration) form, such as those used in restaurants, retail outlets or gyms, and quite often also via an online form on the company’s own website. If an online form is used, consent to use the data can be requested with a checkbox. It is important that this box is NOT pre-selected, as customers must give their consent explicitly and independently. Pre-selected consent is not allowed.


If companies send regular emails or newsletters, a big step has already been taken. This channel offers the perfect opportunity to get customers’ cell phone numbers for the SMS database. This can happen, for example, with a special keyword like “RABATT” for an online store and a shortcode or a special mobile number in the email signature. Alternatively, an email campaign can be created asking customers to sign up to receive SMS from the company.

Social media

It is also possible to use social platforms to build an SMS database of customers’ mobile numbers. Regular posts can point out, for example, that customers can receive discount codes for the online store via SMS by using the keyword mentioned above, so that they do not miss any more promotions. This encourages customers to sign up to the list.

In addition, companies should make sure that they inform their recipients about the purpose for which they are using their number. It’s not just the wrong use that is prohibited. If the number is not needed for a specific purpose, companies could be in violation of the data minimization principle.

Double Opt-In: What is it?

Here’s what happens in a double opt-in process: A customer enters their mobile number into a form on a company’s website and agrees to receive an SMS. The company then sends an SMS to the number received and asks the customer to confirm that they want to receive SMS in the future. In this way, the company wants to prevent someone from misusing the customer’s number, which would result in the customer receiving unwanted messages.

It is important to inform customers that they can revoke their consent at any time. In addition, the company should note that revocation must be kept as simple as giving consent. This means that if only one click is required to subscribe, it must also be possible to revoke the subscription with a single click. In addition, this option must be easily accessible for subscribers.

Especially for companies with very young target groups, there is another important point to consider. Minors under the age of 16 can only give their consent with the approval of a parent or guardian. In this case, it is difficult to verify the age of the recipient with legal certainty. If companies want to play it safe, they should only offer their services to people who have already reached the age of 16.

Do companies need a double opt-in?

A double opt-in is currently not required by law and is also not legally secure. However, it is definitely advisable to use it anyway. There are two reasons for this: First, disputes in the past have often been decided in favor of the double opt-in. Secondly, the double opt-in is the only way to ensure that the number received was actually provided by the recipient in question.

Double opt-in via SMS?

Suppose a company has opted for a double opt-in procedure and now asks itself: How do I integrate a double opt-in into an SMS? Basically, there are two possibilities: the customer responds via SMS using an inbound number (which allows messages to be received on the company’s platforms), or a link is integrated into the SMS. Both variants have advantages and disadvantages. It is indispensable that the double opt-in is done through the channel that the company intends to use in the end. If customers are contacted on mobile, they should have confirmed the double opt-in on mobile as well. It is also important to explicitly tell recipients who is contacting them, and this first SMS should clearly indicate the option to unsubscribe.

No matter which option the company chooses, it is the company’s responsibility to ensure that the customer’s consent is processed correctly. This means that customers must not receive any further SMS if they have not given their consent or have objected. In addition, the confirmation message for the double opt-in must not yet contain any advertising or other offers. Instead, it is advisable to provide details about the SMS to be sent, such as how often SMS will be sent and that responding to the SMS will cost money (this last note is mandatory in some countries).
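
One way to implement the double opt-in flow and the consent check described above, as an added example that is not part of the original article or any provider's code. The class name, the 24-hour token lifetime and the in-memory storage are assumptions; the sketch stores only a hash of the confirmation token, binds consent to one purpose, and logs every state change so consent can be proven later.

```python
import hashlib, hmac, secrets, time

PENDING, CONFIRMED, REVOKED = "pending", "confirmed", "revoked"
TOKEN_TTL = 24 * 3600  # assumption: confirmation token valid for 24 hours


class ConsentRegistry:
    """In-memory double opt-in registry (hypothetical); keeps an audit trail."""

    def __init__(self, clock=time.time):
        self.records, self.audit, self.clock = {}, [], clock

    def _log(self, number, event):
        # Evidence of when consent was requested, confirmed or revoked.
        self.audit.append((self.clock(), number, event))

    def request(self, number, purpose):
        """Step 1: form submitted. Returns the token for the confirmation SMS."""
        token = secrets.token_urlsafe(16)
        self.records[(number, purpose)] = {
            "state": PENDING,
            # Store only a hash so a leaked table cannot confirm consent.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.clock() + TOKEN_TTL,
        }
        self._log(number, f"requested:{purpose}")
        return token

    def confirm(self, number, purpose, token):
        """Step 2: recipient confirms on the mobile channel (link or reply)."""
        rec = self.records.get((number, purpose))
        if not rec or rec["state"] != PENDING or self.clock() > rec["expires"]:
            return False
        given = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(given, rec["token_hash"]):
            return False
        rec["state"], rec["token_hash"] = CONFIRMED, None  # token is single use
        self._log(number, f"confirmed:{purpose}")
        return True

    def revoke(self, number, purpose):
        """Revocation is a single call, as simple as giving consent."""
        rec = self.records.get((number, purpose))
        if rec:
            rec["state"], rec["token_hash"] = REVOKED, None
            self._log(number, f"revoked:{purpose}")

    def may_send(self, number, purpose):
        """Gate for every outbound SMS: confirmed consent for this purpose only."""
        rec = self.records.get((number, purpose))
        return bool(rec) and rec["state"] == CONFIRMED
```

Calling `may_send` before every outbound message enforces that a number collected for booking confirmations is never used for marketing, and that pending or revoked numbers receive nothing further.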

Legitimate interest

There are other legal grounds for processing personal data that are just as valid as obtaining consent. One of them is the so-called legitimate interest. In this case, the (economic) interests of the company must be weighed against the interest of the recipient (e.g., data protection). If a business relationship already exists, it can be assumed that customers expect their data to be processed to a certain extent. However, this only applies if the company has informed the customers in advance that their data will be processed. This is done, for example, in the privacy policy. In addition, these questions must be considered: Is the intrusion into privacy acceptable? Does the company need to send the relevant SMS in order to pursue its legitimate interest? If both questions can be answered with “yes”, nothing stands in the way of sending the SMS. However, it must be noted that even here, if the recipients are minors (younger than 16), a court would always rule in favor of the interests of the minors.

Agreement on commissioned data processing

Since the entry into force of the GDPR in May 2018, the need for commissioned data processing has arisen. In German law, the requirements have become more extensive compared to the previous law. The most important fact at this point:

In rare cases, a commissioned data processing agreement is not required for sending SMS via an SMS gateway, as the processing of the data is necessary to provide the service (§88 (3) TKG). However, anything that goes beyond the mere sending of SMS always requires a mandatory agreement. This also includes the storage of data in a cloud. If the SMS gateways of Message Networks are used, however, an agreement is always necessary, as this allows third party data to be processed in a legally secure manner.

What must be included in the agreement with the respective service provider depends on the type of further use of the company’s data and the external service providers. However, this is where the data protection officer or a legal advisor can help.

As an experienced mobile messaging provider that places the highest value on data protection and security, Message Networks delivers all SMS messages to users’ mobile devices without delay via its messaging gateways. We enable security and reliability through a direct connection to the messaging gateways of the mobile network operators as well as the use of security features such as IPsec and HTTPS.