[deliver]
Deliver article · 2026-07-16 · Charlotte Rodrigues

SMS and GDPR in France: a compliance guide

Short answer. A French SMS program must satisfy both data protection and electronic prospecting rules. For B2C promotional SMS, prior consent is the principle. A defined existing-customer exception can apply to similar products or services from the same company if information and easy opposition were provided. B2B prospecting has a different regime when the message relates to the recipient's professional activity. In every case, document purpose, evidence, rights, opt-out, vendors, retention, security, and market-specific sending controls.

GDPR does not operate alone. France applies the EU data protection framework, national data protection law, electronic communications rules, consumer rules, and carrier or provider constraints. The message purpose, recipient, collection method, and product determine the correct controls.

The CNIL updated its electronic communications guidance on June 10, 2026. It is the primary operational reference used here. This article is educational and should not replace advice from qualified counsel or the organization's data protection team.

Separate the legal questions

For every SMS program, answer:

  1. What is the purpose of the processing?
  2. Is the message promotional, transactional, or relationship communication?
  3. What is the legal basis under GDPR for processing the phone number and related data?
  4. Does electronic prospecting law require prior consent?
  5. Does an exception apply, and can the organization prove every condition?
  6. What information and rights must be provided?
  7. Which vendors, countries, and transfers are involved?
  8. How long is each record needed?
  9. How will opt-out, access, deletion, and objection propagate?
  10. Which sender and carrier rules apply?

Do not use legitimate interest as a generic replacement for SMS marketing consent. GDPR legal basis and the separate rule for electronic prospecting must both be satisfied.

B2C promotional SMS: consent is the principle

The CNIL states that commercial prospecting by electronic means, including SMS, to individuals generally requires prior consent. Consent should be freely given, specific, informed, and unambiguous.

Operationally:

A phone number entered for delivery or account security is not automatically promotional consent. A customer account or checkout start without purchase is not automatically an existing-customer relationship that allows prospecting.

Klaviyo's own SMS consent documentation follows a conservative platform rule: people must explicitly agree to SMS, separately from other channels, and consent cannot be forced as a purchase condition.

The existing-customer exception

CNIL guidance describes an exception where:

Each condition matters. Do not generalize customer to any profile in a store database. Do not treat a partner offer as a similar product from the same company. Do not add a notice only after collection and claim the exception retroactively.

Create an exception assessment:

Question Evidence
What purchase or paid or qualifying service created the relationship? Order or contract ID and date
Why is the promoted product or service similar? Documented category analysis
Is the sender the same company? Legal entity and brand relationship
What information was shown at collection? Form or checkout version
How could the person object at collection? Unchecked opposition choice or equivalent
How can the person object now? Working link and suppression workflow

Have counsel approve the interpretation. The exception should be narrow and auditable.

For a Klaviyo program, explicit SMS consent is often simpler and safer operationally than encoding a complex exception in segments, especially for international databases.

B2B SMS prospecting

The CNIL says prior consent is not systematically required for B2B prospecting when:

This is not permission for untargeted scraping or consumer offers sent to work phones. The role, professional relevance, source, reasonable expectations, and opposition matter.

Document:

If a sole trader or employee uses one number for personal and professional contexts, apply careful qualification. A database label B2B is not conclusive evidence.

Transactional and relationship communication

The CNIL distinguishes:

These normally rely on contract performance or, for some relationship communication, a legitimate interest subject to privacy safeguards. They must not disguise promotion.

Examples:

If the message adds a coupon, upgrade, cross-sell, or intent to increase consumption, it may become commercial prospecting. Classify the full content and landing page.

Read the transactional versus marketing SMS guide for operational examples.

Create a valid consent record

Consent evidence should connect the person to the exact choice.

Recommended fields:

Avoid relying on screenshots alone. Store immutable or controlled versions of the disclosure and form configuration.

If a vendor collects consent on the company's behalf, the controller remains accountable for the collection design and evidence. Test exports and data portability before launch.

Write a clear collection notice

Near the phone field and choice, explain in plain language:

Do not use prechecked boxes, silence, continued browsing, or a purchase button as marketing SMS consent.

If the same form collects email and SMS, give separate controls. If it collects cookie or retargeting consent too, distinguish those purposes. One carefully designed consent can sometimes cover multiple legal requirements for the same defined purpose, but it must remain informed, specific, and provable.

Respect data minimization

Collect only what the program needs:

Do not add full order content, sensitive health data, financial data, or precise location to an SMS profile without a justified purpose and safeguards.

SMS appears on lock screens. Keep message content minimal and use secure authenticated destinations for sensitive account details.

Profile enrichment and segmentation also need a lawful purpose. A consent to receive SMS is not universal permission to combine all available customer data for any targeting.

Define retention and deletion

Do not copy a universal number of months from another organization. Set periods by purpose, legal requirements, claim or evidence needs, customer relationship, and current CNIL guidance.

Maintain separate retention for:

Some minimum suppression information may need to remain to ensure the person is not contacted again, even when broader marketing data is removed. Limit access and purpose.

Document what happens in Klaviyo, the ecommerce platform, data warehouse, customer service, and backups after deletion or objection.

Make withdrawal and opposition easy

Every marketing SMS should provide the supported easy method. Klaviyo currently lists branded sender ID as the France sender type. Branded IDs cannot receive replies or keywords, so a message should not say Reply STOP if the sender cannot process it.

Use a working unsubscribe link or other current supported method. The destination should:

Do not require a paid call or complex email request. Do not continue promotion while waiting for a periodic batch sync.

Test resubscription separately. Removing a suppression without new valid evidence can create an unlawful or unwanted send.

Apply data subject rights

The privacy process must support:

Customer support should know how to identify and route SMS requests. Use secure identity verification proportional to the request. Do not disclose a profile to someone who only controls a recycled phone number.

Track request deadlines, systems searched, actions taken, exceptions, and response evidence through the organization's broader GDPR process.

Govern vendors and international transfers

Map every processor and subprocessor:

Review:

Do not assume that using a European phone destination keeps all profile and analytics processing in France or the EU. Verify the actual vendor architecture.

Secure the SMS program

Controls should include:

SMS accounts are attractive targets because attackers can send high-volume phishing from a trusted brand. Restrict who can upload lists, change consent, edit links, and schedule campaigns.

Apply France sending controls

Klaviyo's current operational guidance lists quiet hours for France before 8 a.m., after 10 p.m., all Sundays, and public holidays, and says carriers enforce these windows.

The sender should:

Do not treat technical platform ability as legal permission. Conversely, a legally qualified message may still be blocked by sender or carrier constraints.

Manage third-party and partner data

A partner cannot simply hand over a phone list with a statement that contacts agreed to marketing.

Verify:

CNIL guidance requires transparency and valid conditions when data is transmitted for prospecting. For SMS, direct brand-specific collection is the safer pattern.

Audit checklist

FAQ

Does GDPR alone govern SMS marketing in France?

No. GDPR governs personal data processing, while electronic communications and French rules add specific prospecting requirements. Consumer, provider, and carrier rules can also apply.

Is consent always required for B2C marketing SMS?

It is the principle. A narrow existing-customer exception may apply to similar products or services from the same company with prior information and easy opposition. Document and review every condition.

Is B2B SMS exempt?

Not completely. Prior consent is not systematic when the message relates to professional activity, but source information, transparency, relevance, easy objection, and GDPR duties remain.

Can I buy a French SMS list?

A purchased list is highly risky and normally cannot prove direct, brand-specific SMS permission. Klaviyo says purchased, affiliate, and lead-generation lists do not constitute valid SMS consent.

How can French recipients unsubscribe from a branded sender ID?

Because branded sender IDs cannot receive replies, use the current supported unsubscribe link or method. Do not instruct recipients to reply STOP when the sender cannot process it.

Make evidence part of the implementation

Deliver helps brands map purpose, consent, forms, vendors, Klaviyo states, suppression, and operational controls for France. Request a France SMS compliance implementation review.

CR
Charlotte Rodrigues · CRM Lead at Deliver. Questions about this article? charlotte@agence-deliver.com

Want to apply this to your stack?

Spend 30 minutes with Charlotte to review your CRM setup, size the opportunity and leave with a practical action plan.

Book a 30-minute call →