
50. SMS compliance - legal requirements

Level: Critical (Legal!) | Reading time: 10 min

SMS marketing in Poland and the EU is subject to strict regulation. A violation can cost up to EUR 20 million. This tutorial covers all the legal requirements for SMS marketing.

Legal regulations

RODO/GDPR (EU/Poland)

Basic requirements:

✅ REQUIRED:
1. Explicit consent
2. Clear purpose of processing
3. Easy opt-out
4. Data protection
5. Record keeping (documentation of consents)
6. Right to be forgotten (right to erasure)

PENALTY: Up to €20M or 4% of annual turnover

Act on Providing Services by Electronic Means (Ustawa o świadczeniu usług drogą elektroniczną)

Art. 10(1) (Poland):

Prohibited:
❌ Sending unsolicited commercial information (spam)
❌ Concealing the sender's identity
❌ Providing no way to opt out

PENALTY: Up to 3% of revenue (UOKiK)

❌ WRONG:

```html
<form>
  <input type="tel" name="phone">
  <!-- no consent checkbox: consent is "implied" by fine print under the button -->
  <button type="submit">Submit</button>
  <small>*By submitting you agree to receive SMS</small>
</form>
```

Pre-checked or camouflaged consent = INVALID!

✅ CORRECT:

```html
<form>
  <label>Numer telefonu:</label>
  <input type="tel" name="phone" placeholder="+48 123 456 789">

  <label>
    <input type="checkbox" name="sms_consent" required>
    Wyrażam zgodę na otrzymywanie informacji handlowych SMS
    od {{Company Name}} zgodnie z
    <a href="/privacy-policy">Polityką Prywatności</a>.
    Zgoda może być wycofana w dowolnym momencie przez SMS "STOP".
  </label>

  <button type="submit">Zapisz się</button>
</form>
```
Consent record (stored per contact):

```json
{
  "phone": "+48123456789",
  "sms_consent": true,
  "consent_date": "2026-02-18T10:30:00Z",
  "consent_ip": "83.45.67.89",
  "consent_source": "website_signup_form",
  "consent_text": "Full checkbox text stored",
  "double_opt_in": true,
  "doi_confirmed_at": "2026-02-18T10:35:00Z"
}
```

In GHL Custom Fields:

sms_consent: Yes/No (checkbox)
consent_date: 2026-02-18
consent_ip: 83.45.67.89
consent_source: landing-page-coaching
doi_status: confirmed

Why DOI (double opt-in)?

✅ Legal proof (explicit confirmation)
✅ Valid numbers only (reduces waste)
✅ Higher engagement (interested people)
✅ Lower opt-out rate
✅ Compliance protection

Implementation:

Step 1: Form submitted

User enters phone + checks consent box
→ Tag: "sms-pending-confirmation"
→ Store consent data

Step 2: Confirmation SMS sent

SMS:
"Hi {{firstName}}! 

Welcome to {{Company}}! 

To complete signup, reply YES to confirm you want to receive our SMS updates.

Reply STOP to cancel.

- Team {{Company}}"

Step 3: User replies "YES"

GHL detects reply "YES"
→ Tag: "sms-confirmed" added
→ Tag: "sms-pending-confirmation" removed
→ Add to marketing SMS lists
→ Confirmation recorded (DOI complete)

Send confirmation:
"Thanks for confirming! You're all set to receive our SMS updates. Reply STOP anytime to opt out."

Opt-Out Requirements

✅ MUST HAVE in every marketing SMS:
- Clear opt-out instructions
- "Reply STOP" or "Text STOP"
- Process immediately (<24h)
- Confirmation of opt-out
- Free of charge

❌ ILLEGAL:
- No opt-out option
- Making it difficult ("call us to opt out")
- Delaying processing
- Charging for opt-out

Message Examples:

Option 1: In message body

🎉 Flash Sale! 30% OFF coaching packages TODAY only.

Book: link.co/sale

Reply STOP to opt out

Option 2: After main content

Hi {{firstName}}! Your appointment reminder...

[main content]

━━━━━━━━━━━
Reply STOP to unsubscribe

Auto-Reply Setup in GHL:

Workflows → Create → "SMS Opt-Out Handler"

TRIGGER: SMS reply received

IF: Message contains "STOP" (case insensitive)
  → ACTION: Remove tag "sms-subscriber"
  → ACTION: Add tag "sms-opted-out"
  → ACTION: Add to DND (Do Not Disturb - SMS)
  → ACTION: Send confirmation SMS:
      "You've been unsubscribed from SMS. 
       You won't receive marketing texts from us. 
       Reply START to opt back in."

Opt-Out Confirmation SMS:

"✓ You've been unsubscribed

You won't receive marketing SMS from {{Company}} anymore.

Changed your mind? Reply START to opt back in.

You may still receive transactional SMS (appointment confirmations, order updates)."
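The DOI steps (form submitted, YES reply, confirmation) and the STOP/START opt-out handler above are one consent state machine. The block below is an added example, not GHL code: it models the tags, the DND flag and the consent record as an in-memory `Contact` so the transitions can be tested outside a workflow; the class, field names and reply texts are assumptions following the page.

```python
from dataclasses import dataclass, field
import re
from datetime import datetime, timezone

@dataclass
class Contact:
    phone: str
    tags: set = field(default_factory=set)
    dnd_sms: bool = False                 # GHL "DND - SMS" flag
    consent: dict = field(default_factory=dict)

def record_signup(contact, ip, source, consent_text, now=None):
    """Step 1: form submitted with the consent box checked (constructed record)."""
    now = now or datetime.now(timezone.utc)
    contact.consent = {"sms_consent": True, "consent_date": now.isoformat(),
                       "consent_ip": ip, "consent_source": source,
                       "consent_text": consent_text,   # full checkbox wording
                       "double_opt_in": True, "doi_confirmed_at": None}
    contact.tags.add("sms-pending-confirmation")

# Whole-word, case-insensitive keywords: "Please STOP" opts out, "stopover" does not.
KEYWORD = re.compile(r"\b(YES|STOP|START)\b", re.IGNORECASE)

def handle_inbound(contact, body, now=None):
    """Apply the tag/DND changes for a reply and return the auto-reply text.
    STOP takes precedence over any other keyword in the same message."""
    now = now or datetime.now(timezone.utc)
    words = {m.group(1).upper() for m in KEYWORD.finditer(body)}
    if "STOP" in words:
        contact.tags -= {"sms-subscriber", "sms-pending-confirmation"}
        contact.tags.add("sms-opted-out")
        contact.dnd_sms = True
        return ("You've been unsubscribed from SMS. You won't receive marketing "
                "texts from us. Reply START to opt back in.")
    if "START" in words and "sms-opted-out" in contact.tags:
        contact.tags.discard("sms-opted-out")
        contact.tags.add("sms-subscriber")
        contact.dnd_sms = False
        contact.consent["reconsent_at"] = now.isoformat()
        return "Welcome back! You'll receive our SMS updates again. Reply STOP anytime."
    if "YES" in words and "sms-pending-confirmation" in contact.tags:
        contact.tags.discard("sms-pending-confirmation")
        contact.tags |= {"sms-confirmed", "sms-subscriber"}
        contact.consent["doi_confirmed_at"] = now.isoformat()
        return ("Thanks for confirming! You're all set to receive our SMS updates. "
                "Reply STOP anytime to opt out.")
    return ""   # no keyword: no state change, route to customer service

def can_receive_marketing(contact):
    """Gate used before any marketing send: DND wins, and DOI must be complete."""
    return (not contact.dnd_sms and "sms-subscriber" in contact.tags
            and contact.consent.get("doi_confirmed_at") is not None)
```

A contact who replied STOP while still pending and then START is re-subscribed but never DOI-confirmed, so `can_receive_marketing` stays false until a YES is recorded.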

SMS Types: Marketing vs Transactional

❌ Marketing SMS (requires explicit consent):
- Promotional offers
- Sales announcements
- Newsletter-style updates
- Event invitations (marketing)
- "Thinking of you" messages
- Re-engagement campaigns

Must include: Opt-out option + sender ID

✅ Transactional SMS (no marketing consent required):
- Appointment confirmations
- Order status updates
- Shipping notifications
- Password reset codes
- Account alerts
- Payment confirmations
- Customer service replies

*An existing customer relationship is still required.

Grey Area Example:

BAD (mixed):
"Your order #123 has shipped! 📦

Track: link.co/track

PS: Check out our new products: link.co/shop"
^^^ This makes it marketing! Needs consent ^^^

GOOD (transactional only):
"Your order #123 has shipped! 📦

Track: link.co/track123
ETA: Feb 20

Questions? Reply to this text."

Time Restrictions

Allowed hours (Poland/EU):

✅ ALLOWED:
Monday-Friday: 8:00 AM - 9:00 PM
Saturday: 9:00 AM - 9:00 PM
Sunday: 10:00 AM - 8:00 PM

❌ PROHIBITED:
Late night: after 9 PM
Early morning: before 8 AM
Holidays: Use caution (test with segment first)

EXCEPTION: Transactional SMS (24/7 OK)

GHL Time Settings:

Workflows → SMS Action → Advanced Settings:

☑ Send only during business hours
Hours: 8:00 AM - 9:00 PM
Days: Monday-Sunday
Time zone: Contact's timezone (automatic)

If outside hours: Queue until next allowed time
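The "queue until next allowed time" rule above, in the contact's own time zone and with the transactional exemption, as an added example (not GHL code). It assumes the per-day windows listed on this page and uses IANA zone names such as `Europe/Warsaw`.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Allowed local send windows from the page: weekday() 0-4 Mon-Fri, 5 Sat, 6 Sun
WINDOW = {**{d: (time(8), time(21)) for d in range(5)},
          5: (time(9), time(21)), 6: (time(10), time(20))}

def next_allowed_send(now_iso, contact_tz, transactional=False):
    """Earliest UTC instant (ISO string) at or after now_iso when a send is allowed,
    evaluated in the contact's own time zone. Transactional SMS are exempt (24/7)."""
    now_utc = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    if transactional:
        return now_utc.isoformat()
    tz = ZoneInfo(contact_tz)
    local = now_utc.astimezone(tz)
    for day_offset in range(8):                 # never more than a week ahead
        day = (local + timedelta(days=day_offset)).date()
        open_t, close_t = WINDOW[day.weekday()]
        start = datetime.combine(day, open_t, tzinfo=tz)
        end = datetime.combine(day, close_t, tzinfo=tz)
        if day_offset == 0 and start <= local < end:
            return now_utc.isoformat()          # inside today's window: send now
        if start > local:
            return start.astimezone(timezone.utc).isoformat()  # queue until it opens
    raise RuntimeError("no send window within a week")
```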

Frequency Limits (Best Practices)

RECOMMENDED MAX:
Marketing SMS: 2-3 per week
Promotional: 1 per week  
Transactional: No limit

HIGH RISK (opt-outs):
Daily marketing SMS
Multiple SMS same day (unless event-driven)

Monitor opt-out rate:
>2% per campaign = TOO FREQUENT

Data Storage & Security

GDPR Requirements:

✅ Data Protection Measures:
- Encrypted storage
- Access controls (who can see phone numbers?)
- Audit logs (who accessed what?)
- Regular backups
- Secure API connections (Twilio/GHL)

✅ Data Retention:
- Keep consent records: 3 years after opt-out
- Delete marketing data: Within 30 days of opt-out
- Transaction data: 5 years (accounting law)

GHL Security:

Settings → Team → User Permissions:

Limit SMS access:
☑ Admin: Full access
☑ Manager: Send + view
☐ Staff: View only (no phone numbers)
☐ External: No access

Penalties & Enforcement

RODO/GDPR Fines:

VIOLATIONS:
- No consent: Up to €20M or 4% revenue
- No opt-out option: €10M or 2% revenue
- Data breach (phones exposed): €20M or 4%
- Not honoring opt-outs: €10M or 2%

REAL CASES:
- Company X (2024): €5M for SMS spam without consent
- Company Y (2025): €2M for ignoring opt-out requests

UOKiK (Poland):

Can impose:
- Fines up to 3% of revenue
- Order to stop illegal practices
- Public warnings
- Obligation to delete data

Compliance Checklist

Before sending ANY marketing SMS:

CONSENT:
☑ Explicit consent obtained (checkbox, not pre-checked)
☑ Purpose clearly stated
☑ Consent data recorded (date, IP, source)
☑ Double opt-in implemented (recommended)

MESSAGE:
☑ Sender clearly identified (company name)
☑ Opt-out instructions visible ("Reply STOP")
☑ Content matches consent scope
☑ Links (if any) clearly marked

TIMING:
☑ Sent during allowed hours (8 AM - 9 PM)
☑ Time zone respected (contact's local time)
☑ Frequency reasonable (<3/week)

TECHNICAL:
☑ Opt-out automation working (test it!)
☑ Opt-outs processed immediately
☑ DND list respected (no send to opted-out)
☑ Phone numbers in E.164 format (+48...)

LEGAL:
☑ Privacy policy available & linked
☑ Data processing agreement with Twilio/GHL
☑ Security measures in place
☑ Team trained on compliance
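The automatable items of the checklist (consent record, DOI, DND, E.164 number, opt-out text, sender ID, weekly frequency) as a pre-send gate. This is an added example, not GHL code; the contact, send log and message are constructed sample data, and the dict field names follow the custom fields shown earlier on this page.

```python
import re
from datetime import datetime, timedelta

E164 = re.compile(r"^\+[1-9]\d{1,14}$")
OPT_OUT = re.compile(r"\b(reply|text)\s+STOP\b", re.IGNORECASE)
MAX_MARKETING_PER_WEEK = 3   # checklist: "<3/week"

def compliance_violations(contact, message, msg_type, sender, send_log, now_iso):
    """Return the checklist items a send would violate; an empty list means OK to send.
    contact/send_log are plain dicts shaped like the GHL custom fields above."""
    now = datetime.fromisoformat(now_iso)
    problems = []
    if not E164.match(contact.get("phone", "")):
        problems.append("phone not in E.164 format")
    if contact.get("dnd_sms"):
        problems.append("contact is on the SMS DND list")
    if msg_type != "marketing":
        return problems                     # transactional: only the two checks above
    c = contact.get("consent", {})
    if not c.get("sms_consent"):
        problems.append("no explicit SMS consent on record")
    elif not all(c.get(k) for k in ("consent_date", "consent_ip", "consent_source")):
        problems.append("consent record incomplete (date, IP, source)")
    if c.get("double_opt_in") and not c.get("doi_confirmed_at"):
        problems.append("double opt-in not confirmed")
    if not OPT_OUT.search(message):
        problems.append('no opt-out instruction ("Reply STOP")')
    if sender.lower() not in message.lower():
        problems.append("sender not identified in message")
    week_ago = now - timedelta(days=7)
    recent = [s for s in send_log if s["type"] == "marketing"
              and datetime.fromisoformat(s["sent_at"]) > week_ago]
    if len(recent) >= MAX_MARKETING_PER_WEEK:
        problems.append(f"frequency: {len(recent)} marketing SMS already sent this week")
    return problems

# Constructed sample data (not real contacts or sends)
CONTACT_OK = {"phone": "+48123456789", "dnd_sms": False,
              "consent": {"sms_consent": True, "consent_date": "2026-02-18",
                          "consent_ip": "203.0.113.5", "consent_source": "landing-page",
                          "double_opt_in": True,
                          "doi_confirmed_at": "2026-02-18T10:35:00+00:00"}}
SEND_LOG = [{"type": "marketing", "sent_at": "2026-02-16T09:00:00+00:00"},
            {"type": "marketing", "sent_at": "2026-02-17T09:00:00+00:00"},
            {"type": "transactional", "sent_at": "2026-02-18T09:00:00+00:00"}]
GOOD_MSG = "Acme Coaching: 30% OFF packages today. Book: link.co/sale. Reply STOP to opt out"
```

Run the gate inside the workflow before the SMS action and skip the send whenever the list is non-empty; the transactional path still refuses malformed numbers and DND contacts.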

Emergency Response Plan

If you accidentally violate:

1. STOP immediately (pause all campaigns)
2. Identify scope (how many affected?)
3. Send apology + opt-out reminder
4. Document incident
5. Implement safeguards
6. Notify DPA if >500 people affected (GDPR)

Apology SMS Example:

"We apologize for the previous SMS. It was sent by error to contacts who don't have active SMS consent.

To ensure you don't receive future messages, reply STOP.

We've updated our processes to prevent this.

- {{Company}} Team"

Best Practices Summary

✅ DO:
- Get explicit consent (checkbox)
- Use double opt-in
- Include opt-out in every marketing SMS
- Process opt-outs immediately (<24h)
- Respect time restrictions (8 AM - 9 PM)
- Keep consent records (3+ years)
- Separate marketing vs transactional
- Train team on compliance
- Review quarterly

❌ DON'T:
- Buy SMS lists (always illegal!)
- Pre-check consent boxes
- Send without consent
- Ignore opt-out requests
- Send late night / early morning
- Hide sender identity
- Mix marketing into transactional
- Assume consent from one channel = all channels

Next step: 51. SMS costs and billing - budgeting for SMS marketing