SMS Compliance

Compliance applicable to SMS and text-based messaging

Message Types

Organizations need to classify the type of message they are sending by the following message types and need to use the appropriate sender name for the message type (covered in the content section).

How to classify the messages when sending via API? Sending Your First SMS via Unifonic API

Message TypeDescription
Warning Messagesare high-priority messages or alerts to warn of an imminent or occurred event, sent to people in the danger zone, by government authorities
Awareness Messagesinclude guidance or informative content sent to all users by government agencies, banks, universities, schools, and more
Service Messagesinclude service content sent to specific users for the purpose of providing or requesting information related to the delivery of that service. These are typically personalized to the user and could include OTP authentication, appointment confirmations, and more
Personal Messagesare sent from a specific personal number to another personal number without involving any organization or business system in between
Promotional (Marketing) Messagesare of a commercial nature, sent to advertise or promote goods, services or business opportunities, including the promotion or collection of donations even for charitable organizations



The CST specifies which industries may send which messages types to recipients in KSA as follows:

  1. Government Agencies: May send Awareness, Service and Warning messages.
  2. Private Agencies: May send Promotional, Awareness and Service messages.
  3. Individuals: May send Personal messages.
  4. Parties outside of KSA: May only send Service or Personal messages.


Timing and Frequency

Awareness and promotional messages may only be sent between 9 a.m. and 10 p.m. (KSA Time) - any day of the week.
No timing rules are specified for warning or service messages.
Marketing messages may only be sent between 7 a.m. and 9 p.m. - any day of the week.
No timing rules are specified for warning or service messages.
In the month of Ramadan, awareness and promotional messages may only be sent between 12 pm and 1 am (KSA Time).
Coordination with any relevant regulators should be done before sending an awareness message
Recipients may not receive more than one message per day.



Unifonic platform includes a feature which automatically stops an SMS Campaign at 9pm (KSA) and then allows it to resume at 9:30am (KSA). This is only associated with marketing (promotional) traffic and is only available for KSA for the time being.


Consent Management

The sender of a promotional message must:The sender of the marketing message must:
Enable the recipient to request to unsubscribe in a free and easy way, at any time, through traditional and electronic channelsInclude a free and easy way to unsubscribe (opt-out) in each marketing message.
Stop sending promotional messages, at the most within 24 hours after receiving the unsubscribe request.Keep a record of those recipients who have consented (subscribed, opted-in) for the duration that marketing messages are being sent.
Submit a notification to the recipient confirming the unsubscription or subscription to receiving promotional messages.Get consent (opt-in) from the recipient either over SMS or via another channel except for a voice call.
## Provide proof of consent, which does not include consent contained in privacy policies and contracts.State that the recipient is opting in to receive marketing messages. Words such as ‘promotions,’ ‘offers’, and ‘discounts’ may be used when an opt-in message is sent

It is important to note that the end recipients have a measure of control over what messages they receive and can select the DND (Do not disturb) function on their phone lines to prevent them from receiving promotional messages. Each operator in KSA is required to implement this option on their network.

The operators do, however, bypass the DND list for transactional messages (alerts, warnings, and service messages) if dedicated accounts and routes are used - such as those designated for Marketing traffic, also known as black traffic, and those designated for transactional messages, also known as White traffic.

Customers cannot use white traffic routes to bypass DND lists when sending Marketing messages. This is an offence which, if reported to the CITC, will result in sender id suspension and/or financial penalties being imposed.



Unifonic has a feature which can allow you to capture and track subscriptions. Unifonic uLink is a link (URL) shortening service that is available to Unifonic platform users. This can be used to collect opt-in, or opt-out in SMS messages. Recipients can be redirected to a webpage (URL) of your choosing.

Custom links can be created for each recipient, enabling you to track exactly who has clicked on the link, and extract the report from within the Unifonic platform.





Please be aware that message content should not break any local government laws. No religious, political or patriotic content is allowed, and any promotional messages related to Non-Muslim religious events, etc. should also be avoided.

This includes links embedded in the text message - i.e if a link is included in a message, that redirects to a webpage or a piece of content, the content in that webpage cannot break any local laws or include religious, political or patriotic content related to Non-Muslim religious events.

The sender must include their electronic address in the message (Their sender ID)All promotional messages must be sent from a sender name that includes the prefix- AD. For example, AD XXXXXXXXX
All promotional messages must be sent from a sender name that includes the suffix - AD. For example, XXXXXXXXX-AD.
Sender names reserved for transactional or service messages cannot be used for sending promotional messages, and vice versa.



We verify and activate sender IDs in relation to the messages being sent, whether transactional or promotional, to provide an additional layer of compliance.

Unifonic platform has an automatic content blocker which prevents any messages sent over SMS which contain prohibited words, from being delivered, whether sent using an API or our Multichannel Campaigns application.

In addition, the maker checker, a feature which requires a campaign to be approved by a designated administrator, allows you to double-check the quality and content of each campaign before it is sent.



The use of personal information how it is sourced, stored, and used, is another key area that needs to be addressed.

Personal Data Protection Law

Along with the telecom regulators, in-country laws also exist to protect consumers. One of these is the New Data Protection Law in KSA, which relates to the collection, processing, storing, and publishing of personal data. Amongst others, it is important to note the following:

1When collecting or storing an individual's personal information, they need to be informed what their personal data will be used for. They hold the right to object to the storing or processing (use) of their personal information.
2Personal information can only be collected with explicit consent from the individual.
3Marketing messages may only be sent if an individual has opted-in, and an opt-out option must always be provided with each message sent.
4Personal data must be shared with the individual (data holder) if requested, but can only be disclosed to others under certain circumstances.

Address Harvesting and Dictionary Attack

The CST and TDRA also prohibit the use of Address Harvesting and Dictionary Attacks as a source for sending messages:

  1. "Address Harvesting" Means computer software used for searching the internet for gathering email addresses.
  2. "Dictionary Attack" Means sending messages to electronic addresses obtained by automatic systems that use methods of combining names, letters, numbers, punctuation marks or symbols.

Industry Regulators: SAMA

Regulatory bodies may exist for specific industries, such as SAMA for example, which is the banking regulator in Saudi Arabia. It is important to ensure compliance with your industry regulator before sending any promotional messages.

One of these to take note of is the hosting of personal data. SAMA, for example, specifies that, when making use of cloud computing services, to ensure that those services used are located in Saudi Arabia or that the member organization has explicit approval from SAMA, if used outside of Saudi Arabia.



Unifonic platform is backed by a secure local infrastructure, hosted in the Kingdom of Saudi Arabia and is compliant with ISO 27001 Information Security Management System Standard, enabling the highest levels of local compliance and security.