The same core compliance principles apply in every country OneSignal supports. The specific laws differ by country, including TCPA in the US, CASL in Canada, GDPR/PECR in the UK and EU, and the Spam Act in Australia. They all enforce the same fundamental requirements.Documentation Index
Fetch the complete documentation index at: https://documentation.onesignal.com/llms.txt
Use this file to discover all available pages before exploring further.
Preventing SMS fraud
SMS pumping is a type of fraud where bad actors artificially inflate messaging volumes, typically by triggering high-volume sends in a very short period to high-risk countries, generating revenue at your expense. For customers using OneSignal SMS, we have built-in protections:- Spend warnings: OneSignal monitors your messaging volume against your contracted spend. If your usage begins to exceed your contracted amount, we’ll alert you to investigate.
- Automatic send disabling: If your spend crosses a threshold above your contracted amount, OneSignal automatically disables sending on your account to prevent further damage.
- Geographic restrictions: Your account is restricted to sending only to the geographies included in your contract, preventing bad actors from routing messages to high-cost international destinations you never intended to reach.
Compliance best practices
Consent
You must have consent before sending a message. The standard depends on the message type:- Promotional messages require the highest standard of consent. The subscriber must take an affirmative action to opt in, such as an unchecked checkbox, a keyword reply, or a form submission. Pre-checked boxes, bundled consent, or assumed consent from silence are non-compliant everywhere.
- Transactional messages (order confirmations, shipping updates, account alerts) have a lower consent bar. In most jurisdictions, a user entering their phone number in a form where disclosure language is visible is sufficient. The message must be directly related to the purpose for which the number was collected.
- OTP / verification messages follow the same consent standard as transactional messages.
Privacy policy
Every messaging program must have a published privacy policy accessible to subscribers. The privacy policy should explain what data you collect, how you use it, and how subscribers can exercise their rights. A link to your privacy policy is required during the sender resource application process in every country.Record-keeping
Maintain clear records of how and when each subscriber’s consent was obtained. If challenged by a regulator, the burden of proof is on you to demonstrate that valid consent exists. Store timestamped records of opt-ins (form submissions, keyword replies, API events) and opt-outs.Sender identification
Every message must identify who is sending it. Include your brand name in the message body. If you’re using an alphanumeric sender ID, the sender name itself serves as primary identification, but still include your brand name in the body, since some devices may not display the sender ID prominently.Opt-out mechanism
Every message must include a way for the recipient to unsubscribe:- For sender resources that can receive inbound messages (toll-free, 10DLC, long codes, short codes), include STOP keyword instructions (for example, “Reply STOP to opt out”).
- For alphanumeric sender IDs, which cannot receive inbound messages, include an unsubscribe link. See Consent keyword management for how to build a web-based unsubscribe flow.
Quiet hours
Promotional messages should only be sent during appropriate hours in the recipient’s local time zone. Transactional and OTP messages are generally exempt from quiet hours, but use good judgment. A shipping update at 3 AM will generate complaints regardless of legality.| Country | Recommended sending window |
|---|---|
| United States | 8 AM–9 PM local time |
| Canada | 9 AM–9 PM local time |
| United Kingdom | 8 AM–8 PM local time |
| EU countries | 8 AM–8 PM local time |
| Australia | 9 AM–8 PM local time |
Match content to your approved use case
Your messages must align with the use case approved during your sender resource application. If your sender resource was approved for transactional messages, do not use it to send promotional content. Carriers and regulators monitor for mismatches, and violations can result in campaign suspension or sender resource revocation.Prohibited and restricted content
Every country prohibits certain categories of content. The following are restricted or prohibited in most jurisdictions OneSignal supports:- Universally prohibited: Illegal content, phishing, smishing, social engineering, fraud, and spam.
- Widely restricted (SHAFT): Sex, Hate, Alcohol, Firearms, and Tobacco. In the US, some SHAFT categories may be permitted with age gating and a Special Business Review, but require additional carrier approval.
- Cannabis / CBD: Prohibited in the US (federally illegal) and Australia. CBD-only content is permissible in the UK but not cannabis. Rules vary by country.
- Age-restricted content (alcohol, gambling): May be permitted in some countries but typically requires case-by-case carrier review and age gating.
Country-specific requirements
Sender resource applications
Per-country approval processes, additional notes, and governing laws for every market OneSignal supports.
FAQ
Does consent expire?
There is no universal expiration date for SMS consent, but stale lists can create compliance risk. If a subscriber hasn’t received a message in a long time, re-engagement best practices suggest sending a reminder before resuming your program. Some jurisdictions (for example, Australia) require that your unsubscribe mechanism remains functional for 30 days after sending.What happens if a subscriber on a purchased list texts STOP?
The opt-out is processed and honored. However, using purchased, rented, or shared contact lists is non-compliant in every jurisdiction OneSignal supports. You should not be sending to lists you did not collect consent for in the first place.Do quiet hours apply to OTP messages?
Transactional and OTP messages are generally exempt from quiet hour restrictions. That said, use good judgment. Sending a non-urgent notification at 3 AM will generate complaints regardless of whether it is technically permitted.What is SHAFT content?
SHAFT stands for Sex, Hate, Alcohol, Firearms, and Tobacco, categories of content that are restricted or prohibited in most SMS markets. Some SHAFT categories may be permitted in specific countries with additional carrier approval or age gating. Check country-specific requirements in Sender resource applications before sending SHAFT-adjacent content.Can I send cannabis-related content?
Cannabis content is prohibited in the US (federally illegal) and Australia. CBD-only content is permissible in the UK. Rules vary significantly by country. Verify the specific restriction before sending any cannabis or CBD content.Related pages
Sender resource applications
Per-country approval processes, sender resource types, and governing laws.
SMS opt-in and collection
Collection methods, required disclosure language, and audience validation.
Consent keyword management
STOP, HELP, START, and custom opt-out keyword handling.
Composing messages
Character limits, MMS, trackable links, and RCS rich content.