GDPR Compliance



This information is not legal advice. While we do our best to provide useful information as a starting point, Yotpo SMSBump advises all merchants to obtain professional legal advice to ensure that all marketing campaigns are sent in full compliance with all applicable laws.


If you plan to send SMS marketing messages to citizens of the European Union, you must adhere to the GDPR. To do so, you must follow a couple of simple and easy steps presented in the following article.  



What is the GDPR?


GDPR stands for the General Data Protection Regulation that went into effect in May 2018. It protects the privacy and personal data of individuals within the European Union and addresses data protection and privacy in the European Union and the European Economic Area.


GDPR centralizes the rules and processes businesses must follow in order to protect and respect the interests of European citizens.



How to Stay Compliant with the GDPR


When sending marketing messages to EU citizens, you must:


  • Obtain explicit consent. 

  • Include a free and available opt-out mechanism at all times.

  • Explicitly state your Privacy Policy on your checkout page and all subscriber collection methods.



Obtaining Consent 


According to the GDPR, shoppers must explicitly agree to receive promotional text marketing messages from you. When collecting phone numbers on your website through a pop-up or another subscriber collection method, you must clearly state that the individual agrees to receive recurring marketing messages. You must mention that consent is not a condition of purchase and provide links to your Terms of Service and Privacy Policy


A consumer opt-in to receive messages should not be transferable or assignable, and message senders should not use opt-in lists that have been rented, sold, or shared.


With Yotpo SMSBump, consent can be obtained at your store’s checkout or via our various subscriber collection tools. All of them are built-in for compliance with all legal regulations and include the required legal verbiage.



Checkout example



Remember that having consent for SMS doesn’t apply to sending other types of promotional messages (i.e., email).



Providing an Opt-out Method


The GDPR requires you to honor their “right to be forgotten” and give customers clear instructions on how to opt out, such as an opt-out link in your text messages. It is important to remember that opting-out must be free and available at all times.



The Yotpo SMSBump campaign text editor automatically includes an opt-out link to all your text messages and ensures compliance at all times. If a customer requests to have their personal data deleted from our servers, please forward their number to, and we will act on it.






Keeping your Privacy Policy up to date


Your Privacy Policy should be explicitly stated on your checkout page and all subscriber collection methods. There are a few things you must mention in your store’s Privacy Policy to stay GDPR compliant:


  • How your brand is collecting and using customers’ data. 

  • How that data is being secured by you and by any data processors (i.e., Yotpo SMSBump) you're working with.

  • How you enable and support your customers’ rights to understand and control their personal data.



Please note that, if you haven’t already done so, Shopify will require you to set up your terms of service and privacy policy in your legal settings for your store to be fully compliant. In order to do it, click on the link in the blue box below the checkbox, or go to your Shopify Admin → Settings → Policies and insert the full compliance text in the Terms of Service and Privacy Policy sections from our dedicated Knowledge Base article.



This was our quick guide on staying compliant with the GDPR before sending marketing messages to EU citizens. Don’t hesitate to go to our Knowledge Base for more useful articles, or contact us if you have any questions or feedback.


Australia’s Anti-Spam Legislation


Complying with US SMS marketing regulations

Canada's Anti-Spam Legislation


Last Modified: Aug 1, 2022