SMS and GDPR in France: a compliance guide
Short answer. A French SMS program must satisfy both data protection and electronic prospecting rules. For B2C promotional SMS, prior consent is the principle. A defined existing-customer exception can apply to similar products or services from the same company if information and easy opposition were provided. B2B prospecting has a different regime when the message relates to the recipient's professional activity. In every case, document purpose, evidence, rights, opt-out, vendors, retention, security, and market-specific sending controls.
GDPR does not operate alone. France applies the EU data protection framework, national data protection law, electronic communications rules, consumer rules, and carrier or provider constraints. The message purpose, recipient, collection method, and product determine the correct controls.
The CNIL updated its electronic communications guidance on June 10, 2026. It is the primary operational reference used here. This article is educational and should not replace advice from qualified counsel or the organization's data protection team.
Separate the legal questions
For every SMS program, answer:
- What is the purpose of the processing?
- Is the message promotional, transactional, or relationship communication?
- What is the legal basis under GDPR for processing the phone number and related data?
- Does electronic prospecting law require prior consent?
- Does an exception apply, and can the organization prove every condition?
- What information and rights must be provided?
- Which vendors, countries, and transfers are involved?
- How long is each record needed?
- How will opt-out, access, deletion, and objection propagate?
- Which sender and carrier rules apply?
Do not use legitimate interest as a generic replacement for SMS marketing consent. GDPR legal basis and the separate rule for electronic prospecting must both be satisfied.
B2C promotional SMS: consent is the principle
The CNIL states that commercial prospecting by electronic means, including SMS, to individuals generally requires prior consent. Consent should be freely given, specific, informed, and unambiguous.
Operationally:
- use an unchecked, SMS-specific choice;
- identify the company that will send;
- explain the purposes;
- keep SMS separate from email;
- do not make marketing SMS necessary to purchase;
- record source, time, method, and disclosure version;
- allow easy withdrawal;
- stop promotional sends promptly after withdrawal.
A phone number entered for delivery or account security is not automatically promotional consent. A customer account or checkout start without purchase is not automatically an existing-customer relationship that allows prospecting.
Klaviyo's own SMS consent documentation follows a conservative platform rule: people must explicitly agree to SMS, separately from other channels, and consent cannot be forced as a purchase condition.
The existing-customer exception
CNIL guidance describes an exception where:
- the person is already a customer;
- prospecting concerns products or services similar to those already purchased;
- the same company supplies the offers;
- the person was informed about this use at collection;
- the person could easily object at collection;
- every communication provides an easy opposition mechanism.
Each condition matters. Do not generalize customer to any profile in a store database. Do not treat a partner offer as a similar product from the same company. Do not add a notice only after collection and claim the exception retroactively.
Create an exception assessment:
| Question | Evidence |
|---|---|
| What purchase or paid or qualifying service created the relationship? | Order or contract ID and date |
| Why is the promoted product or service similar? | Documented category analysis |
| Is the sender the same company? | Legal entity and brand relationship |
| What information was shown at collection? | Form or checkout version |
| How could the person object at collection? | Unchecked opposition choice or equivalent |
| How can the person object now? | Working link and suppression workflow |
Have counsel approve the interpretation. The exception should be narrow and auditable.
For a Klaviyo program, explicit SMS consent is often simpler and safer operationally than encoding a complex exception in segments, especially for international databases.
B2B SMS prospecting
The CNIL says prior consent is not systematically required for B2B prospecting when:
- the communication relates to the recipient's professional activity;
- the person is informed about the source of the data and message purpose;
- the person can easily object to future solicitation.
This is not permission for untargeted scraping or consumer offers sent to work phones. The role, professional relevance, source, reasonable expectations, and opposition matter.
Document:
- professional identity and role;
- source of the number;
- relationship to the person's activity;
- message purpose;
- information provided;
- opposition mechanism;
- suppression after objection;
- retention and review period.
If a sole trader or employee uses one number for personal and professional contexts, apply careful qualification. A database label B2B is not conclusive evidence.
Transactional and relationship communication
The CNIL distinguishes:
- transactional messages necessary to manage or perform a requested contract or service;
- relationship messages that help customers use a product or service without direct promotion.
These normally rely on contract performance or, for some relationship communication, a legitimate interest subject to privacy safeguards. They must not disguise promotion.
Examples:
- authentication code;
- order or delivery update;
- appointment change;
- account security notice;
- practical settings guidance for a current service.
If the message adds a coupon, upgrade, cross-sell, or intent to increase consumption, it may become commercial prospecting. Classify the full content and landing page.
Read the transactional versus marketing SMS guide for operational examples.
Create a valid consent record
Consent evidence should connect the person to the exact choice.
Recommended fields:
- normalized phone number;
- internal profile ID;
- SMS program or purpose;
- brand and controller;
- consent status;
- timestamp and time zone;
- source URL, store, QR code, or integration;
- form and disclosure version;
- confirmation state where used;
- market and language;
- technical log appropriate to evidence;
- withdrawal timestamp and source;
- prior suppression history.
Avoid relying on screenshots alone. Store immutable or controlled versions of the disclosure and form configuration.
If a vendor collects consent on the company's behalf, the controller remains accountable for the collection design and evidence. Test exports and data portability before launch.
Write a clear collection notice
Near the phone field and choice, explain in plain language:
- who sends;
- that the choice covers SMS;
- main purposes;
- frequency if relevant or required;
- how to withdraw;
- link to privacy information;
- any shared-controller or partner arrangement;
- cost language required for the relevant market.
Do not use prechecked boxes, silence, continued browsing, or a purchase button as marketing SMS consent.
If the same form collects email and SMS, give separate controls. If it collects cookie or retargeting consent too, distinguish those purposes. One carefully designed consent can sometimes cover multiple legal requirements for the same defined purpose, but it must remain informed, specific, and provable.
Respect data minimization
Collect only what the program needs:
- phone;
- country or market;
- language;
- consent evidence;
- relevant preference;
- necessary lifecycle state.
Do not add full order content, sensitive health data, financial data, or precise location to an SMS profile without a justified purpose and safeguards.
SMS appears on lock screens. Keep message content minimal and use secure authenticated destinations for sensitive account details.
Profile enrichment and segmentation also need a lawful purpose. A consent to receive SMS is not universal permission to combine all available customer data for any targeting.
Define retention and deletion
Do not copy a universal number of months from another organization. Set periods by purpose, legal requirements, claim or evidence needs, customer relationship, and current CNIL guidance.
Maintain separate retention for:
- active SMS subscriber data;
- consent evidence;
- marketing suppression or opposition evidence;
- delivery and campaign logs;
- transactional records;
- inactive prospect data;
- security and incident logs.
Some minimum suppression information may need to remain to ensure the person is not contacted again, even when broader marketing data is removed. Limit access and purpose.
Document what happens in Klaviyo, the ecommerce platform, data warehouse, customer service, and backups after deletion or objection.
Make withdrawal and opposition easy
Every marketing SMS should provide the supported easy method. Klaviyo currently lists branded sender ID as the France sender type. Branded IDs cannot receive replies or keywords, so a message should not say Reply STOP if the sender cannot process it.
Use a working unsubscribe link or other current supported method. The destination should:
- identify the brand;
- confirm the phone or use a secure token;
- require minimal steps;
- avoid login where unnecessary;
- apply promptly;
- update connected systems;
- show confirmation and support.
Do not require a paid call or complex email request. Do not continue promotion while waiting for a periodic batch sync.
Test resubscription separately. Removing a suppression without new valid evidence can create an unlawful or unwanted send.
Apply data subject rights
The privacy process must support:
- access;
- rectification;
- deletion;
- restriction where applicable;
- objection;
- withdrawal of consent;
- portability where applicable;
- complaint information.
Customer support should know how to identify and route SMS requests. Use secure identity verification proportional to the request. Do not disclose a profile to someone who only controls a recycled phone number.
Track request deadlines, systems searched, actions taken, exceptions, and response evidence through the organization's broader GDPR process.
Govern vendors and international transfers
Map every processor and subprocessor:
- CRM or SMS platform;
- carrier and aggregator;
- ecommerce platform;
- consent management or form provider;
- analytics;
- link and domain provider;
- data warehouse;
- agency or implementation partner.
Review:
- data processing agreement;
- processing instructions;
- security measures;
- subprocessor list;
- storage and access locations;
- international transfer mechanism;
- breach notification;
- deletion and return;
- audit evidence;
- role-based access.
Do not assume that using a European phone destination keeps all profile and analytics processing in France or the EU. Verify the actual vendor architecture.
Secure the SMS program
Controls should include:
- individual accounts and multifactor authentication;
- least-privilege roles;
- separate production and test access;
- secret management for APIs;
- approval for bulk sends;
- anomaly alerts;
- change log for forms, segments, and flows;
- link and domain protection;
- incident pause procedure;
- prompt agency and employee offboarding.
SMS accounts are attractive targets because attackers can send high-volume phishing from a trusted brand. Restrict who can upload lists, change consent, edit links, and schedule campaigns.
Apply France sending controls
Klaviyo's current operational guidance lists quiet hours for France before 8 a.m., after 10 p.m., all Sundays, and public holidays, and says carriers enforce these windows.
The sender should:
- identify the brand;
- use a valid France-supported configuration;
- provide the applicable opt-out;
- avoid prohibited or filtered content;
- schedule in the recipient's local time;
- respect public holidays and carrier rules;
- monitor delivery and filtering.
Do not treat technical platform ability as legal permission. Conversely, a legally qualified message may still be blocked by sender or carrier constraints.
Manage third-party and partner data
A partner cannot simply hand over a phone list with a statement that contacts agreed to marketing.
Verify:
- identity of controllers named at collection;
- exact purposes and channels;
- whether the recipient brand was identified;
- consent evidence;
- transfer information;
- right to object;
- age and freshness of data;
- suppression matching.
CNIL guidance requires transparency and valid conditions when data is transmitted for prospecting. For SMS, direct brand-specific collection is the safer pattern.
Audit checklist
- message purposes classified and approved;
- B2C consent or narrow exception documented;
- B2B professional relevance and information documented;
- transactional templates contain no hidden promotion;
- SMS and email choices are separate;
- form and disclosure versions retained;
- phone, market, and consent data are normalized;
- opt-out works with the actual France sender type;
- withdrawal propagates to all senders;
- quiet hours, Sundays, and public holidays are controlled;
- retention and suppression periods are documented;
- rights request workflow includes SMS systems;
- vendors, subprocessors, and transfers are reviewed;
- roles, access, and incident pause are tested;
- evidence is sampled before every major campaign.
FAQ
Does GDPR alone govern SMS marketing in France?
No. GDPR governs personal data processing, while electronic communications and French rules add specific prospecting requirements. Consumer, provider, and carrier rules can also apply.
Is consent always required for B2C marketing SMS?
It is the principle. A narrow existing-customer exception may apply to similar products or services from the same company with prior information and easy opposition. Document and review every condition.
Is B2B SMS exempt?
Not completely. Prior consent is not systematic when the message relates to professional activity, but source information, transparency, relevance, easy objection, and GDPR duties remain.
Can I buy a French SMS list?
A purchased list is highly risky and normally cannot prove direct, brand-specific SMS permission. Klaviyo says purchased, affiliate, and lead-generation lists do not constitute valid SMS consent.
How can French recipients unsubscribe from a branded sender ID?
Because branded sender IDs cannot receive replies, use the current supported unsubscribe link or method. Do not instruct recipients to reply STOP when the sender cannot process it.
Make evidence part of the implementation
Deliver helps brands map purpose, consent, forms, vendors, Klaviyo states, suppression, and operational controls for France. Request a France SMS compliance implementation review.
Want to apply this to your stack?
Spend 30 minutes with Charlotte to review your CRM setup, size the opportunity and leave with a practical action plan.
Book a 30-minute call →