Explicit SMS data section
Call out phone numbers and SMS consent data as a category you collect, and what you do with them. Hiding it inside a generic 'personal information' bucket is the single most common reason carriers flag a policy.
A2P 10DLC privacy policy requirements
What carriers and The Campaign Registry expect to see in a privacy policy for A2P 10DLC. None of this is legal advice — it's the pattern reviewers actually look for, distilled from common rejection reasons.
Guidance only — not legal advice and not affiliated with Twilio, The Campaign Registry, or any carrier. Consult a lawyer for your specific obligations.
Free — no signup required
Check whether your campaign meets the policy bar
Drop in your campaign details and policy URLs — we'll flag what reviewers will. Free, no signup.
Required elements
No-sale / no-sharing-with-third-parties language
Include a clear statement that mobile information (phone numbers, opt-in data) is not sold, rented, or shared with third parties for marketing or promotional purposes. This wording is widely expected by carriers and TCR reviewers.
Sub-processor disclosure
Name the categories of service providers (e.g., SMS gateway / Twilio, analytics, CRM) that may process phone numbers strictly to deliver the service. Make clear these are processors, not data buyers.
Opt-out / data access rights
Describe how a user can stop messages (Reply STOP) and how they can request access or deletion of their data. Provide a contact method.
Effective date and version
Include a visible 'Last updated' or 'Effective' date. Reviewers look for evidence the policy is current.
Publicly reachable URL
The policy must live at a stable URL that returns 200 without login. Linking to a Notion/Google Doc behind auth, or a 404, is treated as no policy at all.
Synthetic SMS section
A minimal SMS section that contains the language reviewers look for. This is a synthetic example for illustration — replace business names and contact details with your own and have it reviewed for your jurisdiction.
SMS / Text Messaging We collect phone numbers and consent records when you opt in to receive SMS messages from Acme. We use this information solely to send the messages you have requested and to keep records of consent. We do not sell, rent, or share your mobile information — including your phone number and SMS opt-in data — with third parties for their own marketing or promotional purposes. We share phone numbers only with service providers that help us deliver SMS (for example, our SMS gateway), strictly to provide the service and under contractual confidentiality. To stop receiving messages, reply STOP to any message. For help, reply HELP or contact [email protected].
What gets flagged
- Privacy policy at a Notion / Google Doc URL behind a login.
- "We may share information with partners" with no carve-out for phone numbers.
- No mention of SMS or text messaging anywhere in the document.
- Effective date older than the most recent material site change, or missing entirely.
- Policy auto-generated by a template that doesn't reference your actual data flow.
Frequently asked questions
Do I need a separate SMS privacy policy or can I use my existing one?
An existing privacy policy is fine as long as it has an explicit SMS section covering opt-in data, no-sale language for phone numbers, and a way to opt out. Many policies fail review because they cover the topic generically without mentioning SMS at all.
Where should the privacy policy link from?
From the same page where the user opts in to SMS (e.g., your signup form, checkout, or keyword landing page), and from your site footer. Carriers may crawl the opt-in page and expect a working privacy link.
Can the policy live on a third-party domain?
It is safest to host it on your own domain. Third-party hosting (Notion, Google Sites) can work if the URL is public and stable, but linking to a doc that requires login is treated as no policy at all.
Is this legal advice?
No. This page describes what carriers and TCR reviewers commonly check for in A2P 10DLC reviews. It is not legal advice. Consult a lawyer for your specific privacy obligations.