Quick answer. RCS privacy is governed by general data-protection and consumer-privacy law plus messaging-specific duties, not a single “RCS privacy law.” Businesses must protect the personal data they collect, maintain and link to a privacy policy from the opt-in, use the data only for the purposes the consumer agreed to, and honor privacy rights under laws like California’s CCPA/CPRA (and the GDPR for EU contacts). On the wire, RCS messages are encrypted in transit; person-to-person chats are now end-to-end encrypted, while business messages are processed by the sending platform.
Because a business message and its analytics (delivery, reads, clicks) pass through the platform and carrier infrastructure, application-to-person (A2P) RCS is not end-to-end encrypted. That is normal and necessary for business messaging, but it means brands should treat message content and contact data with the same care as any other CRM data: minimize what they collect, secure it, and disclose how it’s used.
Practical privacy duties for an RCS program: keep a clear privacy policy accessible from the call-to-action, collect only what you need, honor data-subject requests (access/delete) under applicable state laws, and don’t share data for marketing without disclosure and consent.
Key facts
- No standalone “RCS privacy law” — obligations come from TCPA/CTIA (messaging), state privacy laws (CCPA/CPRA and others), and GDPR for EU residents.
- Maintain a privacy policy and link to it from the opt-in; disclose data use; honor access/deletion rights.
- Transit encryption (TLS) protects messages in motion; metadata is still processed by the platform/carriers.