Privacy Policy All message senders must have an acceptable Privacy Policy when registering 10DLC campaigns. The most important aspect of the Privacy Policy mandates clearly describing how consumer data will be used and shared (if applicable), and how consumers can contact the message sender. A compliant Privacy Policy for 10DLC messaging should include the points below to help ensure that campaign registration and vetting are successful. Consent When a campaign is being vetted, the language presented in a sender's Privacy Policy is heavily scrutinized to ensure the message sender doesn't improperly claim to have the consumer’s consent to share end-user data with third parties for marketing purposes. While it's permissible for a business to share end-user data essential for business operations, the fundamental practice of sharing data to sell consumer information (leads) to third parties is a prohibited campaign type and will be rejected. Privacy Policies are reviewed during vetting to ensure consumer data isn't transferred among various organizations. To successfully address these requirements, we recommend adopting and including a process in the Privacy Policy that demonstrates senders will refrain from sharing information consumer data. Example: "Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties." Opt-out instructions Message senders are required to acknowledge the consumer's right to opt out of a messaging campaign to ensure that message recipients’ consent remains intact. The Privacy Policy must also include instructions on how to opt out of future communications. Example: “If you wish to be removed from receiving future communications, you can opt out by texting STOP, QUIT, END, REVOKE, OPT OUT, CANCEL, or UNSUBSCRIBE.” Bandwidth strongly suggests that each brand create a personalized Privacy Policy with accompanying SMS disclosures as discussed above. Bandwidth cannot provide guidance on what is legally required within a Privacy Policy. It's the responsibility of the message sender and their provider to research and ensure the Privacy Policy meets TCPA laws, as well as, individual carrier compliance requirements. For new, non-established brands entering the messaging space, there are online resources that can help you develop the required operational processes and Privacy Policy templates that will fit the unique needs of your business. Note: If you're using online resources, your Policy, Practices, and Procedures must still include the above SMS disclosures and functions. Failure to adopt these practices may result in receiving a registration and vetting rejection (i.e., “805 - Compliant privacy policy is required on website”).