Data Protection in Paradise — Part 9

Your SMS Marketing Is About to Become Illegal — Part IV and the End of Spray-and-Pray

Open your phone. Count the messages you didn’t ask for. Part IV of the PDPA is going to change everything about how businesses communicate with consumers in Sri Lanka.

Open your phone right now. Go to your SMS inbox. Scroll through the last week’s messages.

Count the ones you didn’t ask for. Property launches. Flash sales. Loan offers. Credit card promotions. Political rallies. Restaurant openings. Insurance renewals. Educational course registrations. Vehicle offers. Supermarket deals. Festival greetings from companies you have never heard of.

If you are a typical Sri Lankan mobile subscriber, the number is somewhere between ten and thirty per week. On a bad week — festival season, election season, year-end sales season — it can be significantly more.

Now ask yourself a question: how did these companies get your number?

The answer, in the vast majority of cases, is that they bought it. Sri Lanka has a thriving grey market in mobile number databases. Companies — some legitimate aggregators, some decidedly less so — compile lists of mobile numbers from various sources: loyalty programmes, event registrations, business card collections, scraped directories, and occasionally from telco data that should never have left the operator’s systems. These databases contain anywhere from a few hundred thousand to ten million numbers, with “60-90% accuracy” being the standard sales pitch. Accuracy, in this context, means the number is still active. It says nothing about whether the person at the other end wants to hear from you.

The economics are irresistible. Bulk SMS costs a few cents per message. A database of ten million numbers costs a few thousand dollars. Send one campaign to the full list, get a 0.1% response rate, and you have ten thousand leads. The maths works even at astonishingly low conversion rates because the marginal cost of each additional message is effectively zero.

This is the spray-and-pray model. It has defined consumer marketing in Sri Lanka for the better part of a decade. And Part IV of the PDPA is about to make it illegal.

Not discouraged. Not regulated. Not subject to best-practice guidelines. Illegal.

Part IV — specifically Section 27 — will be the single most disruptive provision of the entire PDPA for consumer-facing businesses. More disruptive than the consent requirements of Part II. More disruptive than the cross-border transfer rules. More disruptive than the penalty regime. Because Section 27 doesn’t just change how you process data. It changes how you talk to your customers.

What Part IV Says

Part IV of the PDPA is titled “Solicited and Unsolicited Messages.” It is relatively short — a handful of sections — but its impact is enormous.

The core provision is Section 27, and its fundamental principle is simple: opt-in, not opt-out.

Under the current Sri Lankan marketing landscape, the default is that you can send messages to anyone unless they have specifically told you to stop. This is the opt-out model. You are in the pool until you ask to be removed. Section 27 inverts this. Under the PDPA, you cannot send a message to anyone unless they have specifically told you it is acceptable. You are out of the pool until you ask to be added.

This is not a subtle distinction. It is a complete inversion of the default. And the details make it even more significant.

Schedule III Consent Conditions

The consent required under Part IV is not just any consent. It must meet the conditions set out in Schedule III of the Act. This means it must be freely given, specific, informed, and unambiguous. It must be given by a clear affirmative action. Pre-ticked boxes don’t count. Bundled consent — “by using this service you agree to receive marketing messages” — doesn’t count. Buried terms and conditions don’t count.

The data subject must know exactly what they are consenting to, who will be sending messages, what kind of messages, and through what channels.

Sender Identification

Every message must clearly identify the sender. Not a short code. Not a generic “INFO” or “PROMO” tag. The actual identity of the organisation sending the message. This alone will eliminate a significant portion of current SMS marketing practice, where messages arrive from unidentifiable sender IDs and provide no clear indication of who is responsible.

Broad Definition of “Message”

Part IV uses a broad definition of “message” that extends well beyond SMS. It covers any electronic message sent for direct marketing purposes. This includes SMS, email, WhatsApp messages, Viber messages, push notifications, and potentially even targeted social media messages sent directly to individuals. If you are sending a communication to a specific person for the purpose of marketing a product or service, Part IV applies.

The One Exception

Part IV does contain one notable exception: internet advertisements that are displayed as part of a free service. If you offer a free app or website and display advertisements as part of the service — the ads-for-free-content model — this is not caught by Part IV. The rationale is that the user has implicitly accepted advertisements as the price of the free service. But this exception is narrow. It applies to displayed advertisements, not to direct messages. You can show banner ads in your free app. You cannot use the fact that someone downloaded your free app to justify sending them promotional SMS messages.

What Part IV Doesn’t Say Yet

Here is the critical caveat: Part IV has not come into force.

Under the original Act, the commencement window for Part IV was 24 to 48 months from the date of certification. That window would have closed in March 2026. But the 2025 Amendment changed the commencement mechanism to ministerial discretion — different provisions can be brought into force at different times by Gazette notification.

As of March 2026, no commencement date for Part IV has been gazetted.

This is not an accident. The government is holding Part IV back deliberately. And the reason is straightforward: Part IV is a bomb.

The telecommunications industry, the retail sector, the financial services industry, the real estate sector, and the political establishment all rely heavily on unsolicited messaging. Bringing Part IV into force without a transition period and clear implementation guidelines would cause immediate, widespread disruption. The Authority knows this. The Ministry knows this. The telcos have made absolutely certain that everyone knows this.

So Part IV sits in limbo — enacted but not commenced, legally real but practically dormant. The smart reading is that it will be one of the last provisions to be brought into force, likely with subsidiary regulations that provide some kind of transition mechanism. But it will come into force. The question is when, not whether.

Who Gets Hit Hardest

Telecommunications Operators

The telcos are in a double bind. Dialog, SLT-Mobitel, Hutch, and Airtel are simultaneously the infrastructure through which unsolicited messages are sent and major senders of unsolicited messages themselves. Every telco in Sri Lanka sends promotional SMS to its own subscriber base — data pack offers, value-added services, loyalty programme promotions. They also provide bulk SMS platforms to third-party marketers.

The Telecommunications Regulatory Commission of Sri Lanka (TRCSL) has an existing Operator Self-Governance Policy that includes some provisions on unsolicited communications. But this policy is largely self-regulatory and its enforcement has been, to put it diplomatically, inconsistent. Part IV would supersede this with a statutory regime backed by penalties.

The telcos face a business model question: bulk SMS services are a revenue line. Not the largest one, but a meaningful one. Part IV doesn’t eliminate bulk SMS. It eliminates unsolicited bulk SMS. The telcos will need to build consent verification into their bulk SMS platforms — ensuring that businesses using their infrastructure have valid consent for the numbers they are messaging. This is technically feasible but operationally complex and commercially uncomfortable.

Retail and E-Commerce

The retail sector in Sri Lanka — from large chains like Keells, Cargills, and Arpico to smaller e-commerce operators — relies heavily on SMS and WhatsApp marketing. Flash sale announcements, loyalty point reminders, new store openings, festival promotions. Much of this is sent to databases that were built through point-of-sale collection (“give us your number for the loyalty card”) with consent that would not meet Schedule III standards.

The challenge for retail is that SMS marketing actually works. Response rates for well-targeted retail SMS are genuinely higher than most other channels. Losing the ability to message a large, untargeted database is painful. But the businesses that have invested in proper customer relationships and genuine opt-in will find that their smaller, consented audience performs better than the old spray-and-pray approach ever did.

Financial Services

Banks and insurance companies face a particularly tricky line: the distinction between transactional and promotional messages. A message telling you that your credit card payment is due is transactional — it is related to the service you have contracted for. A message offering you a pre-approved personal loan at an attractive interest rate is promotional — it is marketing a new product.

The line between these two categories is not always clean. Is a message about a credit card upgrade transactional (it relates to your existing card) or promotional (it is selling you a new product)? Is a reminder about travel insurance before a detected overseas transaction helpful service or cross-selling? Financial institutions will need to develop clear internal classifications and ensure that promotional messages meet the Part IV consent standard, even when sent to existing customers.

Real Estate, Education, and Automotive

These three sectors deserve special mention because their entire marketing model is built on cold outreach. Real estate developers promoting new projects, private universities and educational institutes recruiting students, and vehicle dealers announcing new models or promotions — all of these rely heavily on purchased databases and unsolicited messaging.

For these sectors, Part IV is existential. The cold outreach model dies. There is no way to obtain Schedule III consent from someone you have never had a relationship with. You cannot consent to messages from a company you have never heard of. These sectors will need to fundamentally rethink their customer acquisition strategies — moving from push to pull, from interruption to attraction, from purchased databases to earned audiences.

Political Messaging

This is the edge case that nobody wants to discuss publicly. Political parties and candidates in Sri Lanka make extensive use of bulk SMS during election campaigns. Part IV, read literally, would apply to political messaging just as it applies to commercial messaging. A message asking you to vote for a particular candidate or attend a political rally is, functionally, a solicitation.

Whether Part IV will be interpreted to cover political messaging — and whether there will be carve-outs for election-related communications — remains to be seen. But the fact that political actors are among the largest users of unsolicited messaging is undoubtedly a factor in the government’s caution about commencing Part IV.

The Transition Problem

Let us make this concrete. You are a marketing director at a mid-sized Sri Lankan company. You have a database of 500,000 mobile numbers. You have been sending promotional SMS to this list for three years. Your open rates are decent. Your click-through rates generate meaningful revenue. Your CEO considers this database a valuable corporate asset.

Part IV is about to commence. What do you do?

Option A: Re-consent. Send a message to all 500,000 numbers asking them to opt in to future communications. This is the legally clean approach. It is also the re-consent paradox: you are sending an unsolicited message (asking for consent) in order to obtain consent to send messages. If Part IV is already in force, this message itself may be non-compliant. And even if you time it correctly — sending the re-consent request before commencement — the response rate will be dismal. Industry benchmarks suggest that opt-in re-consent campaigns recover between 5% and 15% of the original database. You will go from 500,000 to 50,000 overnight.

Option B: Segment and accept the loss. Identify the portion of your database that was collected with something approaching valid consent — customers who actively signed up, who ticked a box, who filled in a form. Message only those. Accept that 90% of your database is unusable. This is honest but commercially devastating.

Option C: Rely on legitimate interest. Argue that you have a legitimate interest in marketing to existing customers, and that this legitimate interest provides a legal basis for continued messaging under Part II of the PDPA. This argument has some theoretical merit for existing customers — but it does not override Part IV. Section 27 is specific. It requires consent for electronic marketing messages. Legitimate interest is a general processing ground in Part II. Specific provisions override general provisions. Section 27 wins.

Option D: Do nothing and hope. Continue with current practices and hope that enforcement will be slow, penalties will be lenient, and the Authority will have bigger fish to fry. This is, candidly, what most organisations will do. It is also the riskiest strategy in the medium term, because the first enforcement actions under Part IV will likely target the most visible offenders — and if you are sending millions of unsolicited messages, you are visible.

The best approach is a combination of A and C, implemented gradually. Start building consent now, while you still can. For every customer interaction — every purchase, every service call, every website visit, every app session — create an opportunity for genuine, informed, Schedule III-compliant consent. Build your consented database over time so that by the time Part IV commences, you have a meaningful audience that you can legally reach.

This is a twelve-to-eighteen-month project. It requires changes to your point-of-sale systems, your website, your app, your call centre scripts, your customer service processes. It requires a consent management platform that records what was consented to, when, through what channel, and what information was provided at the time of consent. It requires training for every customer-facing employee.

If you start today, you might be ready when Part IV commences. If you wait for the Gazette notification, you will not.

What Permission-Based Marketing Actually Looks Like

Consent Management Infrastructure

At its core, permission-based marketing requires a system that records and enforces consent. For every individual in your database, you need to know: did they consent to receive marketing messages? When did they consent? What were they told at the time? What channels did they consent to (SMS, email, WhatsApp, push notification)? What categories of message did they consent to (promotions, product updates, newsletters, event invitations)? Have they modified or withdrawn their consent since?

This is not a spreadsheet exercise. It is a system. It needs to integrate with your CRM, your marketing automation platform, your point-of-sale systems, your customer service systems, and your communication channels. When a customer withdraws consent — which they have the right to do at any time — the withdrawal must propagate across all systems in real time.
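A minimal sketch of such a consent record and the check that enforces it before a send, added here as an illustration and not taken from the Act or from any vendor's platform. It keeps an append-only log of grants and withdrawals per person, channel and category, treats "no record" as "no", and can answer what the state was on a past date. The class names, field names, capture-point labels and sample numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CHANNELS = {"sms", "email", "whatsapp", "push"}
CATEGORIES = {"promotions", "product_updates", "newsletters", "event_invitations"}

@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # subscriber identifier, e.g. a mobile number
    action: str          # "grant" or "withdraw"
    channel: str
    category: str
    at: datetime         # when the person acted (UTC)
    source: str          # capture point: "pos", "web_form", "preference_centre"
    notice_version: str  # identifies the wording shown at the time of consent

class ConsentLedger:
    """Append-only event log; current state is derived, never overwritten."""

    def __init__(self):
        self._events = []

    def record(self, ev):
        if ev.action not in ("grant", "withdraw"):
            raise ValueError("unknown action")
        if ev.channel not in CHANNELS or ev.category not in CATEGORIES:
            raise ValueError("unknown channel or category")
        if ev.action == "grant" and not ev.notice_version:
            raise ValueError("a grant must reference the notice that was shown")
        self._events.append(ev)

    def latest(self, subject, channel, category, as_of=None):
        """Most recent event for this exact scope at or before as_of, else None."""
        hits = [(e.at, i, e) for i, e in enumerate(self._events)
                if (e.subject, e.channel, e.category) == (subject, channel, category)
                and (as_of is None or e.at <= as_of)]
        return max(hits)[2] if hits else None  # ties broken by insertion order

    def may_send(self, subject, channel, category, as_of=None):
        """Opt-in default: no record, or a withdrawal as the latest event, means no."""
        ev = self.latest(subject, channel, category, as_of)
        return ev is not None and ev.action == "grant"

    def filter_campaign(self, subjects, channel, category):
        """Split a send list into (allowed, blocked) immediately before sending."""
        allowed = [s for s in subjects if self.may_send(s, channel, category)]
        blocked = [s for s in subjects if s not in allowed]
        return allowed, blocked

def build_sample_ledger():
    """Constructed sample data; the numbers are placeholders, not real subscribers."""
    t = lambda day: datetime(2026, 1, day, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record(ConsentEvent("+94000000001", "grant", "sms", "promotions", t(5), "web_form", "v3"))
    led.record(ConsentEvent("+94000000002", "grant", "sms", "promotions", t(6), "pos", "v3"))
    led.record(ConsentEvent("+94000000002", "withdraw", "sms", "promotions", t(20), "preference_centre", ""))
    led.record(ConsentEvent("+94000000003", "grant", "email", "newsletters", t(7), "web_form", "v3"))
    return led
```

Running `filter_campaign` at send time, against one shared ledger, is what makes a withdrawal take effect on the next message; a bulk SMS platform could apply the same gate to a customer's uploaded list.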

Preference Centres

A preference centre is a customer-facing interface where individuals can manage their communication preferences. It allows them to choose what they want to hear about, how often, through which channels. It gives them control. And it gives you something more valuable than a purchased database: expressed preference.

When a customer tells you they want to receive SMS notifications about flash sales in the Colombo area but not email newsletters about new product lines, that is marketing gold. You know exactly what they want, and you can deliver precisely that. Your message is relevant, expected, and welcome. Your response rates will be dramatically higher than anything you ever achieved with spray-and-pray.

Value Exchange

Permission-based marketing works best when there is a genuine value exchange. The customer gives you their attention and their data. What do they get in return? If the answer is “more spam but with their permission,” you have missed the point entirely.

The value exchange needs to be real. Early access to sales. Exclusive offers. Genuinely useful information. Personalised recommendations based on actual purchase history. Content that is worth reading. If you cannot articulate what the customer gets from giving you permission to message them, you do not deserve that permission.

The Opportunity

Here is the counterintuitive truth that the best marketers already understand: a permission asset is more valuable than a bulk database.

A list of 50,000 people who have actively chosen to hear from you, who have told you what they want, and who open your messages because they expect value from them — that list will outperform a list of 500,000 purchased numbers on every metric that matters. Higher open rates. Higher click-through rates. Higher conversion rates. Lower unsubscribe rates. Lower complaint rates. Lower cost per acquisition.

And there is a second-order effect that is harder to quantify but arguably more important: trust.

Trust is the most undervalued asset in Sri Lankan business. In a market where consumers are bombarded with unsolicited messages, where their phone numbers are traded like commodities, where they have no control over who contacts them or how often — a business that respects their preferences, that only contacts them when invited, that gives them genuine control — that business stands out. It earns trust. And trust, in the long run, is worth more than any database.

The businesses that start building consent-based marketing infrastructure today will have a competitive advantage that money cannot buy by the time Part IV commences. The ones that wait will be scrambling to rebuild their customer relationships from scratch while their competitors are already reaping the benefits of permission.

The Sri Lankan marketing industry has operated for years on the assumption that access to phone numbers equals access to customers. That sending more messages to more people equals better marketing. That the marginal cost of an additional SMS being close to zero means you should send as many as possible.

Part IV will shatter that assumption. The businesses that rebuild on the other side will be stronger for it.

Next in the series: Data Protection Impact Assessments — A Practical Guide for Sri Lankan Businesses
