INDIA’S ANTI-SPAM CRUSADE: NAVIGATING DEVELOPMENTS IN TELECOM LAWS

INTRODUCTION

India’s spam woes are at an all-time high. 66% of Indian mobile users receive three or more spam calls each day, often from personal mobile numbers. These spam calls are largely from businesses in the financial or real estate space. As the frequency of these unsolicited communications continues to escalate, there is a pressing need for robust regulatory measures to safeguard individual privacy and mitigate the growing risks posed by such invasive practices.

REGULATORY FRAMEWORK FOR THE TELECOMMUNICATION SECTOR

Present laws that regulate commercial communications over telecom networks and penalise spam comprise the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”). Through the TCCCPR, the Telecom Regulatory Authority of India (“TRAI”), the regulator for the telecommunications sector in India, establishes a co-regulatory regime with Indian telecom service providers (“TSPs”) to regulate commercial communications transmitted through telecommunication networks (both through phone calls and text messages). The TCCCPR requires TSPs to institute a “distributed ledger technology” platform and onboard businesses that want to send commercial communications. Businesses are required to register themselves on the platforms and comply with obligations relevant to the category of communications they propose to send.

The TCCCPR further requires businesses to seek consent for certain promotional communications, depending on the type of relationship the businesses have with the individuals. If there is no pre-existing relationship with the target individuals, communications constitute “promotional” communications. In such cases, the TCCCPR does not impose a specific obligation to procure explicit consent. However, businesses are required to perform the scrubbing (verification) of the target list of numbers against preference and consent registers maintained by TSPs. If there is a pre-existing relationship with the target individuals, the messages will constitute “service explicit messages” under protocols established by the TSPs. In such cases, explicit consents are required for the sending of such communications. Until recently, explicit consents may have been obtained in two ways – by individuals providing an opt-in response to consent acquisition messages shared by the business, or through online means by OTP verification.

The consent-based architecture of sending promotional communications under the TCCCPR has been largely unsuccessful. Spam communications are rampant still. The TRAI has noted that promotional messages are being sent without verifying consents and that such messages are being sent under the guise of service messages (which do not require explicit consents). These lapses have been attributed to inefficiencies on the part of TSPs.

THE TRAI DIRECTIVE

In order to address this menace, in June 2023, the TRAI issued a directive that requires TSPs to develop a “Digital Consent Acquisition” or a “DCA” facility to manage individuals’ consents to commercial communications digitally, across TSPs and businesses (“Directive”). The Directive requires TSPs to ensure that promotional messages are not sent without verifying the consents and preferences of individuals and that no promotional messages are sent under service category messages. For this purpose, the Directive requires TSPs to develop the DCA facility, and to:

  • enable individuals to record and revoke their consents on the DCA facility;
  • develop SMS, IVRS, or online facilities to enable individuals to indicate their unwillingness to receive consent acquisition messages by specific businesses;
  • ensure that the name of the business and scope are mentioned in consent acquisition messages initiated by businesses;
  • ensure that businesses whitelist (register) URLs, APKs, OTT links, or call back numbers on the DCA facility, and that only such whitelisted attributes are included in consent acquisition messages;
  • ensure that consent acquisition messages have details relating to revocation of consents; and
  • if individuals reject or ignore consent-seeking requests, ensure that no consent acquisition messages are sent to such individuals for the next 90 days, unless initiated by the individuals themselves.

Based on the Directive, TSPs have imposed corresponding obligations on businesses that want to send promotional messages (for instance: businesses will now have to register any URLs or call back details on the DCA platforms, prior to inclusion within consent acquisition messages). Consent acquisition and management protocols are likely to become rigorous, and organisations ought to reevaluate their telemarketing campaigns accordingly. The Directive does not prescribe any penalties for businesses that do not comply with the Directive, however, under the TCCCPR, TSPs may impose usage caps on the use of telecom services by businesses, and even restrict their access to such telecom services in case of non-compliance. 

CONCLUSION

The TRAI has been instrumental in the campaign against unsolicited commercial communication in India. For instance, in June 2023, the TRAI issued another directive requiring TSPs to implement artificial intelligence and machine learning models that flag and block smishing messages. 

The DCA facility was operationalised in November 2023. Upon implementation, existing consents acquired by businesses have been rendered null and void, and businesses are now required to seek fresh consents digitally. It remains to be seen whether the Directive will be effective in curbing the spread of spam in India.