Privacy policy rejections
Privacy policy rejections are common and usually fixable with one edit to your published policy. This guide covers the issues that get flagged and what to do about each. For how the reason reaches you, see How rejections work.
The most common privacy rejection by far
Your policy doesn't carve SMS opt-in data out of its data-sharing language.
Most off-the-shelf privacy policies contain something like:
"We may share your personal information with our marketing partners with your consent."
That's fine for general data privacy, but carriers require an unconditional exception for SMS opt-in data, and they don't accept "with your consent" as that exception.
The fix
Add a clear statement, typically in your "Sharing" or "Data Use" section:
SMS opt-in information, including your phone number and your consent to receive text messages, is never shared, sold, or rented to any third party for marketing purposes, regardless of any other consent you may have given.
You don't have to use that exact wording. What matters is that all of these are present and unambiguous:
- The carve-out is specifically about SMS / mobile opt-in data, not generic.
- It covers every form of transfer: shared, sold, or rented.
- The prohibited purpose is marketing.
- The exception is absolute, with no consent override.
After updating, publish the change before asking for a re-file. The reviewer fetches the URL and reads it live; a draft that isn't published will be rejected the same way.
Other privacy policy problems, with fixes
No URL provided
The privacy policy URL field was blank. Provide a URL pointing to your published policy.
The URL doesn't resolve
The link is broken. Test it in a private/incognito window. A 404 or "can't be reached" means the link is wrong, or the policy isn't published at that address yet.
The URL points to something that isn't a privacy policy
The link loads, but to a homepage, a terms page, or a placeholder. Point it directly at the privacy policy page.
SSL / certificate error
The policy page has an expired or invalid certificate. Fix the certificate or host the policy somewhere properly secured. Reviewers won't accept HTTPS warnings.
A verbal script doesn't reference the policy
If your opt-in is collected by phone or in person, the script has to mention the privacy policy. For example: "Our privacy policy is available at example.com/privacy." Add that line and re-provide the script.
Marketing is mentioned but isn't a selected use case
Your policy talks about marketing communications, but the campaign isn't registered for marketing. Either rewrite that section so it's specific to non-marketing communications, or move to a use case that includes marketing (a structural change AgentMessage re-files for you).
Offline opt-in with no reachable policy
If your opt-in is in person or over the phone rather than on a website, you still need a compliant policy the reviewer can read, published at a URL or provided to support as a document.
Things people try that don't work
"It's covered in our Terms of Service." The privacy policy has to be a separate, identifiable document. A privacy section buried in a long TOS doesn't count.
"We don't share data, so we don't need to say so." You do. Carriers don't infer non-sharing from silence; they require explicit no-sharing language for SMS data specifically.
"Our policy is GDPR/CCPA-compliant." Helpful for legal compliance, but those regimes allow data sharing with consent, while the 10DLC carrier requirement prohibits it for SMS opt-in data even with consent. You need to satisfy both, separately.
"The policy is only in our app." The reviewer needs to read it from a URL or a provided document. If it's only inside an app, supply a copy to support and explain the setup.
After you fix it
- Publish the updated policy on your site. Don't ask for a re-file until it's live.
- Verify the URL (and any internal links) load in a private/incognito window.
- Contact support to have the campaign re-filed. If the only change was on your website, no campaign rebuild is needed; the reviewer re-fetches the policy.
When to involve a lawyer
AgentMessage can tell you what carriers require to pass 10DLC review. We can't write your privacy policy or guarantee any wording satisfies other legal regimes (state laws, GDPR, HIPAA). For non-trivial businesses, have a lawyer review the SMS carve-out language before publishing.