India’s spam woes are at an all-time high. 66% of Indian mobile users receive three or more spam calls each day, often from personal mobile numbers. These spam calls are largely from businesses in the financial or real estate space. As the frequency of these unsolicited communications continues to escalate, there is a pressing need for robust regulatory measures to safeguard individual privacy and mitigate the growing risks posed by such invasive practices.
Present laws that regulate commercial communications over telecom networks and penalise spam comprise the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”). Through the TCCCPR, the Telecom Regulatory Authority of India (“TRAI”), the regulator for the telecommunications sector in India, establishes a co-regulatory regime with Indian telecom service providers (“TSPs”) to regulate commercial communications transmitted through telecommunication networks (both through phone calls and text messages). The TCCCPR requires TSPs to institute a “distributed ledger technology” platform and onboard businesses that want to send commercial communications. Businesses are required to register themselves on the platforms and comply with obligations relevant to the category of communications they propose to send.
The TCCCPR further requires businesses to seek consent for certain promotional communications, depending on the type of relationship the businesses have with the individuals. If there is no pre-existing relationship with the target individuals, communications constitute “promotional” communications. In such cases, the TCCCPR does not impose a specific obligation to procure explicit consent. However, businesses are required to perform the scrubbing (verification) of the target list of numbers against preference and consent registers maintained by TSPs. If there is a pre-existing relationship with the target individuals, the messages will constitute “service explicit messages” under protocols established by the TSPs. In such cases, explicit consents are required for the sending of such communications. Until recently, explicit consents may have been obtained in two ways – by individuals providing an opt-in response to consent acquisition messages shared by the business, or through online means by OTP verification.
The consent-based architecture of sending promotional communications under the TCCCPR has been largely unsuccessful. Spam communications are rampant still. The TRAI has noted that promotional messages are being sent without verifying consents and that such messages are being sent under the guise of service messages (which do not require explicit consents). These lapses have been attributed to inefficiencies on the part of TSPs.
In order to address this menace, in June 2023, the TRAI issued a directive that requires TSPs to develop a “Digital Consent Acquisition” or a “DCA” facility to manage individuals’ consents to commercial communications digitally, across TSPs and businesses (“Directive”). The Directive requires TSPs to ensure that promotional messages are not sent without verifying the consents and preferences of individuals and that no promotional messages are sent under service category messages. For this purpose, the Directive requires TSPs to develop the DCA facility, and to:
Based on the Directive, TSPs have imposed corresponding obligations on businesses that want to send promotional messages (for instance: businesses will now have to register any URLs or call back details on the DCA platforms, prior to inclusion within consent acquisition messages). Consent acquisition and management protocols are likely to become rigorous, and organisations ought to reevaluate their telemarketing campaigns accordingly. The Directive does not prescribe any penalties for businesses that do not comply with the Directive, however, under the TCCCPR, TSPs may impose usage caps on the use of telecom services by businesses, and even restrict their access to such telecom services in case of non-compliance.
The TRAI has been instrumental in the campaign against unsolicited commercial communication in India. For instance, in June 2023, the TRAI issued another directive requiring TSPs to implement artificial intelligence and machine learning models that flag and block smishing messages.
The DCA facility was operationalised in November 2023. Upon implementation, existing consents acquired by businesses have been rendered null and void, and businesses are now required to seek fresh consents digitally. It remains to be seen whether the Directive will be effective in curbing the spread of spam in India.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, it’s practice areas, and its members.
It is not intended and should not be construed as any form of advertisement, solicitation, invitation or inducement of any sort from the firm or its members.
Spice Route Legal does not warrant that any information provided on the website is accurate, complete or updated, and further denies liability for any and all loss or damage caused to the user as a result of their reliance on the content provided.
The information made available on this site must in no way be relied upon, or construed, as legal advice. If you need legal assistance, we recommend you seek help from competent counsel licensed to practice and advise in the relevant jurisdiction.