Building 10DLC-compliant privacy policies


An organization must have a privacy policy on its website to be compliant with 10DLC regulations. Carriers require a comprehensive privacy policy that discloses how your organization may collect, use, and share personal information. Privacy policies should ensure the protection of user information from unauthorized access, use, and disclosure.


10DLC Privacy Policy Requirements

There are two mandatory requirements for all privacy policies. The absence of either of these will result in the rejection of the use case. However, these requirements on their own will not fulfill the requirements for the privacy policy. We provide examples of these in the next section.

  1. No Sharing or Selling Personal Information for Marketing Purposes: Your privacy policy must explicitly state that personal information obtained for text-message opt-in is never sold or shared with third parties for their marketing purposes. 
  2. Opt-Out Instructions: Your privacy policy must share instructions on how users can opt out of receiving text messages.


Carriers closely scrutinize language related to sharing information with third parties for marketing purposes. Your privacy policy should clearly indicate that you only share personal information with third parties to fulfill your organization's obligation to its users. If your policy states that you share information with third parties for essential business operations, you can maintain compliance by explicitly stating that text-message opt-in data in particular is never shared with third parties for their marketing purposes.


Examples of Required Language

We recommend asserting your commitment to not sharing information with third parties without consent or legal obligation with the following language:

"[Your organization] maintains strict privacy policies to protect the personal information of our users obtained for text message communications. This information is never sold, rented, released, or traded to others without prior consent or legal obligation. Any sharing of information with third parties is solely for the purpose of fulfilling the organization's obligations to the user. Personally identifiable information will never be shared with third parties for marketing purposes."

Here is an alternative concise example:

"Text messaging opt-in data and consent will not be sold or shared with third parties or affiliates for their marketing or promotional purposes."

To share opt-out instructions with users, we recommend sharing the following language in your privacy policy:

"Text Message Opt-Out: If you are receiving text messages from us and wish to stop receiving them, simply respond with either “STOP” or “UNSUBSCRIBE” to the number from which you received the message. You will not receive further text messages unless you opt back in."

Creating your Privacy Policy

For best practices, it's recommended to craft a personalized privacy policy addressing the following key points:

  • Information Collection: The different types of personal information your organization collects
  • Collection Methods: How your organization collects that information from users
  • Usage: How your organization uses any information collected 
  • Sharing: How your organization shares any information collected
  • Data Protection: Explain how your organization protects user data


Privacy Policy Generators

While we recommend crafting a personalized privacy policy, we understand that creating one from scratch can be challenging. Consider utilizing a privacy policy generator to assist you. A privacy policy generator automates the process of creating a privacy policy for a website by providing a template and customizable options to suit the organization's data collection and usage practices.


Here are some examples of online resources that provide generated privacy policies that may be helpful:


Ensure that your Privacy Policy Complies with 10DLC Standards

If you use a privacy policy generator, the policy should be revised to ensure it complies with 10DLC criteria. First, make sure that it is comprehensive and addresses the key points from the Creating Your Privacy Policy section in this guide. Next, ensure that your privacy policy covers the requirements listed in the 10DLC Privacy Policy Requirements section in this guide.


A generated policy will typically contain a section regarding when information is shared with others. We recommend asserting your commitment to not sharing text-message opt-in data with third parties for their marketing purposes in this section with example language from the section above.


Next, review any bullets in the privacy policy section about sharing information for anything that is inconsistent with the requirements mentioned so far. Mentions of marketing or of sharing information with third parties can lead to the rejection of the use case, so these should be removed or clarified.


Before You Submit

Take this quiz to determine if your website fulfills all the necessary requirements for manual vetting.


We recommend sharing your privacy policy with GetThru Support for review in case any revisions are required. If you are creating a privacy policy for the first time, feel free to request a review prior to publishing it to your website. Please write to support@getthru.io if you have any questions or difficulty adding your website! For reference, you can view GetThru's privacy policy here: Toskr Privacy Policy.