Bulk SMS Compliance in Uganda: UCC + Data Protection Act 2019

If you send bulk SMS commercially in Uganda, two regulators care: the Uganda Communications Commission (UCC) and the Personal Data Protection Office under the Data Protection and Privacy Act 2019 (DPA). Get either wrong and you risk warnings, fines, sender ID suspension or — worst case — loss of access to the networks.

This is the practical compliance guide. Not legal advice, but enough to keep you on the right side of the line.

What the UCC cares about

The UCC governs how content moves over Uganda's networks. For SMS senders, the rules that matter most are:

1. No prohibited content

You cannot send:

• Political campaign messages outside approved windows or without sender ID approval for that purpose
• Religious recruitment messages without consent
• Gambling, adult content, or content promoting illegal activity
• Phishing-style messages impersonating banks, government or operators

2. Sender ID accuracy

The brand name on your SMS must match a real, registered entity. "ACME Ltd" cannot send under sender ID "BANKOFUG". See our sender ID registration guide for how to get a legitimate one.

3. Time-of-day restrictions

While not formally codified for all categories, common UCC guidance is: no commercial sends between 9pm and 7am. Schedule responsibly.

4. Truthful claims

If your SMS promises "free delivery," delivery must be free. If you say "24-hour sale," the sale must run for 24 hours. False claims trigger complaints fast.

What the Data Protection Act 2019 requires

The DPA is Uganda's general data-protection law. For SMS senders, the core obligations are:

1. Lawful basis

You need a lawful basis to process someone's phone number. Most common: consent (they opted in) or legitimate interest (existing customer, not over-broadcasting).

2. Opt-in / opt-out

• Marketing messages typically need explicit opt-in (a checkbox, an SMS reply confirming, or a sign-up where SMS marketing is clearly listed).
• Every marketing message must offer an opt-out. "STOP" reply is the Uganda standard.
• Honor opt-outs immediately. The next batch must exclude opted-out numbers.

3. Data minimization

Only collect and store what you need. A school doesn't need a parent's home address to send fee reminders.

4. Security

You must protect contact data from breach. Encrypted-at-rest databases, no plaintext exports left on shared drives, scoped access.

5. Records and audits

Be able to show: who consented, when, how. If audited by the Personal Data Protection Office, you'll need this evidence.

How Wesendall helps

• Opt-out automation: any recipient who replies STOP is removed from your active list. Wesendall maintains the suppression list per wallet.
• Audit trail: every send is logged with timestamp, recipient, message, status. Exportable for compliance reviews.
• Sender ID brokerage: we help you register a UCC-compliant sender ID on MTN and Airtel — see the sender ID guide.
• DPA-aligned processing: we process data as your processor, not your controller. Data Processing Agreement available on request.
• Scoped access: dashboard role-based access plus wallet-scoped API keys so different teams see only what they need.

Quick compliance checklist

• [ ] Have a clear opt-in mechanism on your sign-up forms.
• [ ] Include "Stop=opt out" or similar at the end of marketing messages.
• [ ] Send commercial messages only between 7am and 9pm.
• [ ] Use a registered sender ID for branded messages.
• [ ] Maintain a written list of who consented, when.
• [ ] Have a published privacy policy that mentions SMS marketing.
• [ ] Sign a Data Processing Agreement with your SMS provider.
• [ ] Don't share recipient contact lists with third parties.
• [ ] Honor STOP replies immediately.

What about transactional messages?

OTPs, payment confirmations, delivery alerts — anything triggered by a user action — fall under a softer interpretation since the user implicitly consented by transacting with you. But you still need to protect the data, keep the messaging strictly transactional (don't sneak marketing into an OTP), and respect retention limits.

Penalties to know about

The DPA allows for fines up to UGX 4,800,000 (2% of annual turnover) for serious violations. The UCC can suspend or revoke your sender ID, which kills your branded messaging until you re-register. For most operators, the reputational cost of being on the regulator's radar is worse than the fine itself.

Next steps

• Read our sender ID guide to get a UCC-approved sender name.
• Sign up for Wesendall and use our built-in opt-out and audit-trail tooling from day one.
• Talk to a Ugandan data protection lawyer if you process sensitive data (health, financial, biometric) at scale.