SMB Messaging Compliance: TCPA, CASL, GDPR Cheat Sheet
A practical compliance guide for small businesses using WhatsApp, SMS, and email marketing. Covers TCPA (US), CASL (Canada), GDPR (EU), and PDPA (Southeast Asia).
DMHub Team
Disclaimer: This is general educational information, not legal advice. Consult a lawyer for advice specific to your business.
If you're messaging customers via WhatsApp, SMS, or email, you're subject to messaging regulations. Violating them can result in fines from $500 to $1,500 per violation (TCPA) or up to €20 million (GDPR).
This cheat sheet covers the four regulations most SMBs need to know.
TCPA (United States)
Telephone Consumer Protection Act — enforced by the FCC. Governs phone calls, SMS, and fax to US consumers.
What It Covers
- Automated or prerecorded calls to cell phones
- Text messages to cell phones using auto-dialing technology (ATDS)
- Calls to residential numbers using prerecorded voice messages
The Key Rules
1. Prior Express Written Consent Required
Before sending marketing SMS to a US number, you need prior express written consent. "Written" in this context includes digital — a checkbox on a web form, a text message opt-in keyword, or an in-app consent flow.
The consent must be:
- Voluntary (not a condition of purchase)
- Clear about what they're consenting to
- Specific about who is sending messages
❌ Bad consent: "By creating an account, you agree to receive messages."
✅ Good consent: "By checking this box, I agree to receive marketing text messages from [Business Name] at the number provided. Message and data rates may apply. Msg frequency varies. Reply STOP to opt out."
2. Opt-Out Must Work Immediately
STOP must unsubscribe the number within 10 business days (in practice, immediately). You must honor opt-outs for 5 years.
Required opt-out keywords: STOP, QUIT, CANCEL, UNSUBSCRIBE, END
3. Calling Hours
Phone calls (not SMS): between 8 AM and 9 PM local time of the recipient.
4. Transactional vs. Marketing
Transactional messages (order confirmations, appointment reminders, shipping notifications) have lighter consent requirements — you generally need consent to contact the customer, not specific consent for each transactional message type.
TCPA Fines
$500 per violation (per message). $1,500 per willful violation. Class actions are common — a campaign to 10,000 people with improper consent = $15 million in exposure.
DMHub TCPA Compliance Features
- Opt-in consent capture at channel connect
- Automatic STOP/UNSUBSCRIBE keyword handling
- Opt-out list maintained per phone number
- Do-not-contact list enforcement on all outbound sends
CASL (Canada)
Canada's Anti-Spam Legislation — enforced by the CRTC. Covers commercial electronic messages (CEMs) sent to Canadian addresses.
What It Covers
Email, SMS, and instant messages with a commercial purpose sent to Canadian email addresses or phone numbers.
WhatsApp messages are likely covered (they're electronic messages sent for commercial purposes), but enforcement has focused on email and SMS.
The Key Rules
1. Express or Implied Consent
Express consent: Recipient explicitly checked a box or sent a keyword agreeing to receive messages.
Implied consent: You have an existing business relationship (they bought from you in the last 2 years), or they published their contact info publicly and didn't include a no-contact statement.
Implied consent expires — business relationship implied consent lasts 2 years from the last transaction.
2. Identification
Every commercial message must:
- Identify the sender (business name + contact info)
- Include a functioning unsubscribe mechanism
3. Unsubscribe Must Be Free and Immediate
Processing an opt-out must take no longer than 10 business days. The mechanism must remain functional for 60 days after the message is sent.
CASL Fines
Up to $1 million per violation (individuals) or $10 million per violation (businesses). The CRTC also allows private right of action (class actions).
GDPR (European Union + UK)
General Data Protection Regulation — applies to any business that processes data of EU or UK residents, regardless of where the business is located.
What It Covers
The collection, storage, and use of personal data — including contact information used for marketing.
The Key Rules
1. Lawful Basis for Processing
You need a lawful basis to process personal data. For marketing, the most common are:
- Consent: explicit, specific, informed
- Legitimate interests: requires a balancing test — your interest must outweigh the individual's privacy interest
2. Consent Requirements
GDPR consent is stricter than TCPA:
- Freely given (no pre-ticked boxes, no bundled consent)
- Specific (separate consent for each purpose)
- Informed (must know what they're consenting to and who is collecting)
- Unambiguous (affirmative action, not passive acceptance)
❌ "By using our service, you agree to marketing communications."
✅ A clearly labeled checkbox: "I'd like to receive marketing messages about [Business Name] offers and news via WhatsApp." (Unticked by default.)
3. Right to Erasure ("Right to Be Forgotten")
Individuals can request deletion of their personal data. You must respond within 30 days. You must actually delete it — not just unsubscribe.
4. Data Processing Records
You must maintain a record of processing activities (what data, for what purpose, how long you keep it, who you share it with).
5. WhatsApp Specifically
Using the WhatsApp Business API means you're a data controller. Meta is a data processor. You need a Data Processing Agreement (DPA) with Meta (available in the Meta Business Settings).
Personal data sent over WhatsApp is end-to-end encrypted in transit. But you're responsible for how you store conversation data in your CRM.
GDPR Fines
Up to €20 million or 4% of annual global turnover (whichever is higher) for serious violations. Lighter fines for procedural violations.
DMHub GDPR Features
- Consent timestamp logging per contact
- Right-to-erasure request handling (deletes contact + conversation history)
- Data export for subject access requests
- EU data residency option (Neon Postgres EU region)
- DPA available on request
PDPA (Southeast Asia)
Several Southeast Asian markets now have data protection laws modeled on GDPR:
| Country | Law | Key Requirement |
|---------|-----|-----------------|
| Thailand | Personal Data Protection Act (2022) | Consent or legitimate interest; penalties up to 5M THB |
| Singapore | Personal Data Protection Act (2012, amended 2021) | Consent; opt-out for marketing |
| Malaysia | Personal Data Protection Act (2010) | Consent for direct marketing |
| Indonesia | Personal Data Protection Law (2022) | Consent; breach notification within 14 days |
| Philippines | Data Privacy Act (2012) | Consent; NPC registration for large processors |
The practical implications are similar to GDPR: get explicit consent, provide opt-out, don't sell data, report breaches promptly.
Quick Compliance Checklist
Before sending your first campaign:
For US/TCPA:
- [ ] Documented prior express written consent for every marketing contact
- [ ] Opt-out keywords configured (STOP, QUIT, CANCEL, UNSUBSCRIBE)
- [ ] Opt-outs respected immediately and recorded
- [ ] Sender identification in every message
For Canada/CASL:
- [ ] Express or valid implied consent documented
- [ ] Unsubscribe mechanism in every message
- [ ] Business name + contact info in every message
For EU/UK GDPR:
- [ ] Lawful basis identified for each marketing purpose
- [ ] Consent recorded with timestamp and specific purpose
- [ ] Data Processing Agreement with Meta signed
- [ ] Privacy policy updated to reflect WhatsApp data processing
For All Markets:
- [ ] Opt-out list maintained and enforced
- [ ] Marketing vs. transactional messages distinguished
- [ ] Staff trained on compliance basics
How DMHub Helps
DMHub automates several compliance tasks:
- Consent capture built into channel connection flow
- STOP/UNSUBSCRIBE keyword handling on all SMS and WhatsApp sends
- Opt-out list synchronization across channels (unsubscribe on SMS removes from WhatsApp too)
- Contact deletion for erasure requests
- Consent timestamp logging per contact record
We don't make compliance decisions for you — that requires legal advice. But we give you the tools to implement the decisions your lawyer recommends.
Unsure about compliance in your market? Talk to our team — we can introduce you to compliance partners who specialize in messaging law for SMBs.