Understanding Saudi Arabia’s Personal Data Protection Law (PDPL)

With the recent implementation of Saudi Arabia's Personal Data Protection Law (PDPL), businesses must meet specific regulatory standards regarding customer data collection and consent in relation to their SMS communications. The introduction of this new legislation has left some businesses unsure of how to remain compliant with the regulations. In this article, we aim to provide some clarity on how to stay compliant with PDPL while continuing to use SMS marketing as an effective tool for customer engagement and information.

To that end, we will first briefly introduce the new law and why it has been introduced. We will then outline the different types of SMS messages that require customer consent, describe the appropriate methods for gathering that consent, and answer some common questions about compliance that our clients often have.

For a more detailed description of the PDPL legislation itself, our recent article on the subject is a great place to start.

The Importance of PDPL Compliance in SMS Messaging

The PDPL has been formulated to protect personal data and improve transparency in data processing activities. For businesses engaged in SMS-based interactions, the law mandates clear consent procedures to protect customer privacy. The PDPL’s consent requirements focus on transparency, ensuring customers understand how their data will be used, and ensuring that companies obtain explicit permission for SMS messaging. 

It’s important to clarify that this customer consent (SMS opt-in) is a regulatory requirement, not a recommendation.

Types of SMS Messages and Consent Requirements

Under the PDPL, consent must be secured for specific SMS messages. The types of messages that require consent are as follows:

• Conversational Messages: These are one-to-one messages typically initiated by the customer. Examples might include a product query, requesting a status update on delivery, or contacting a specific staff member.

Consent is implied in conversational messages if the customer texts the company first. Otherwise, the company must obtain verbal or written opt-in consent. If the company wishes to continue with the conversation and provide more information that can be considered personal, consent must be collected.

• Informational Messages: SMS messages that fall into this category must provide information directly related to the customer’s relationship with the business. This could be a purchase confirmation, a delivery update, or a service notification. This type of message should be informative and cannot contain any promotional content.

Consent is always required for Informational Messages.

• Promotional Messages: These messages promote products, services, or events to customers. They are often referred to as SMS marketing campaigns. Due to their nature, promotional messages fall under tighter regulations and require express written consent. This consent ensures customers are fully aware they will receive marketing content and provides a secure foundation for maintaining compliance.

Written consent is always required for promotional messages.

How To Collect Customer Consent: Methods and Requirements

Obtaining consent is essential for businesses seeking to implement most types of SMS communication. Several methods allow for legally compliant consent collection, each ensuring transparency and accessibility for customers:

• Verbal Consent: Customers may provide consent verbally, via phone or in person. However, to document this form of consent accurately, companies should keep a detailed record of when and how consent was given to verify compliance.

• Paper Forms: Customers may sign physical forms to indicate SMS opt-in consent. This method is often used during in-person interactions, such as in retail locations, and should clearly state the purpose and nature of future SMS communications.

• Email: If customers already receive email communications, companies can use this channel to request SMS opt-in consent. An embedded link within the email enables easy access to a consent form specifically for SMS communications.

• QR Codes: When scanned, a QR code can link customers to an opt-in form or trigger a pre-filled text message for consent. This method works well in physical settings and can be a quick, customer-friendly way to obtain SMS consent. Note that disclaimers must be displayed under the QR code.

• Web Forms: Companies can include SMS opt-in options within online forms, such as signup pages or during checkout. The wording on these forms should be clear and indicate how SMS information will be used.

• SMS Opt-In: Customers can directly consent to SMS communications by initiating a text to the business. This method, known as a "text-to-join" option, is beneficial for customers who prefer mobile-first engagement. Companies can promote this option via a pop-up on their website to encourage customers to text in and request the service.

Single Opt-in vs. Double Opt-in

Single opt-in occurs when a customer gives verbal or written consent, either in person or via a form or a QR code. When single opt-in consent is obtained, the business may send welcome texts, appointment reminders, and alerts without gaining further consent from the customer. However, a single opt-in is not sufficient to send marketing messages.

Double opt-in adds an extra layer of security for both the customer and the business. It requires the customer to confirm consent once they receive an SMS from the business. In these cases, the business will send a further SMS, for example prompting the customer to reply with the word ‘YES’ This level of consent is required for receiving Promotional Messages.

Privacy Policy

To remain compliant with PDPL regulations, all companies using SMS messaging must update their privacy policy.

The privacy policy should accurately describe the company’s SMS program and details of how it will handle and protect customer data.

Detailed guidelines on what needs to be included in a privacy policy to be compliant with PDPL can be found on the SDAIA website:

https://sdaia.gov.sa/Documents/PrivacyPolicyGuideline.pdf

Extra Points to Note

• Businesses in the healthcare sector must inform all customers who have opted into receiving SMS messages that SMS as a messaging service is not 100% secure.
• Any method used to obtain consent from a customer for receiving SMS messages must provide:
  
  - A link to the company’s privacy policy.
  - A link to the company’s terms of service.
  - A clear description of the services that the customer is signing up to.

Frequently Asked Questions on SMS Consent Compliance

• If I already have a customer’s phone number, does that count as SMS consent?
  No. Having a customer’s phone number does not mean you have permission to send marketing SMS messages. Separate, explicit consent is required for SMS communications.
• If a customer consents to receive emails, does that also cover SMS consent?
  No, email and SMS consents are independent. Companies must collect distinct opt-in permissions for each communication channel.
• Can I use one checkbox to obtain both SMS and email consent?
  No, combining SMS and email consent in a single checkbox risks non-compliance. Separate opt-in options are necessary to ensure customers provide explicit, specific consent for each type of communication.
• How can businesses ensure an easy opt-out process for customers?
  PDPL requires that opt-out procedures be as easy as opt-in processes. Companies must provide customers with an accessible method to unsubscribe, such as a simple "STOP" response to SMS. Opt-out should be free and straightforward.

As businesses in Saudi Arabia adapt to the requirements of PDPL, a proactive approach to SMS consent collection is essential. Obtaining customer consent ensures that your business remains compliant and will also build an extra layer of transparency and trust between your organization and its customers. With clear, well-documented methods to gather consent and through maintaining up-to-date privacy policies, you can ensure that your company remains compliant while still delivering a positive, respectful customer experience. 

At Unifonic, all our products and services comply with these regulations, and we are ideally placed to help our clients navigate the complexities of adhering to these new standards.

For more on PDPL, please view our previous blog. 

The above provides a summary of ways to collect consent. However, Unifonic cannot provide legal advice, so please check with your legal counsel before taking any action in your pursuit of PDPL compliance.