Phishing for business caught by regulatory net

By Ada Shaharbanu and Ajeeth Srinivas, Spice Route Legal

The increasing phishing and mobile spam problem has been a target of the Telecom Regulatory Authority of India (TRAI) since 2018, when the Telecom Commercial Communication Customer Preference Regulations, 2018 (regulations), were implemented. The objective was to regulate commercial communication through SMS and phone calls. With rising instances of phishing, smishing and spam calls, the TRAI is now evolving more modern processes to regulate unsolicited commercial communication through such means.

Ada Shaharbanu
Senior Associate
Spice Route Legal

The regulations recognise three categories of entities: access providers, or telecom service providers; principal entities, or businesses that send commercial communication to individuals; and registered telemarketers, or entities that assist principal entities in sending commercial communications. The regulations establish a co-regulatory framework, which enables the TRAI to regulate commercial communications through access providers. Access providers must have an interoperable blockchain-based system to register and regulate commercial communication sent by principal entities and telemarketers, which need separate registrations on the blockchain system. The original scope of the regulations required consent to send only service explicit communications, defined as promotional communication to existing customers.

Ajeeth Srinivas
Associate
Spice Route Legal

In 2023, the TRAI through its digital consent acquisition directive (DCA directive) required every access provider to set up a digital consent acquisition platform (DCA platform) and mandated that all forms of promotional communication, whether to prospective or pre-existing customers, be sent only on receiving consent through the DCA platform. DCA platforms were only recently operationalised fully because of operational delays. A Joint Committee of Regulators, including the Reserve Bank of India, the TRAI, the Department of Telecommunications and the Ministry of Home Affairs, issued a press release in May 2024, clarifying that digital consent must be acquired through the DCA platforms only and be revocable.

Within DCA platforms, access providers offer only three methods of consent collection: QR codes displayed at points of sale (PoS); the principal entity submitting phone numbers on the DCA platform; or APIs integrated with the website, applications or PoS machines of the principal entity. Through these means, consent acquisition messages will be sent to individuals who opt to receive business promotional communications. Previous consent acquisition methods, such as website terms and conditions, are now forbidden. Businesses must consciously nudge customers to respond to consent acquisition messages without calling or sending SMS messages, since such means may be considered independent promotional communications. Businesses cannot include reminders to respond to consent acquisition messages within other communications not requiring consent, since the regulations and the DCA directive prevent the mixing of communication categories. Businesses cannot send repeated consent requests that keep their messages at the top of an email inbox; they may be sent only once every 90 days.

Customers may be hesitant to give consent due to the excessive number of commercial communications they already receive. Businesses must adopt customer-friendly processes, such as automatic APIs reminding customers of their consent status if they do not respond within 90 days. They must build customer trust by inserting adequate notices into customer journeys, notifying customers of the nature of promotional communications they will be sending.

Businesses must also prepare for the overlap between consent requirements under the regulations and the incoming Digital Personal Data Protection Act, 2023 (DPDPA). The DPDPA does not account for frameworks such as the regulations and applies in addition to the regulations. Consent acquisition messages must be sent separately, with businesses also complying with DPDPA notice and consent requirements. Where consent is the legal basis for data processing, businesses have to obtain consent twice. A consent acquisition message may not be an appropriate consent request under the DPDPA and may not cover consent for all DPDPA processing purposes. The regulations are silent on businesses denying services where consent has not been given for sending promotional communication, but the DPDPA does not permit such actions.

Businesses must therefore modify their compliance mechanisms to protect their interests without incurring prohibitive compliance costs.

Ada Shaharbanu is a senior associate and Ajeeth Srinivas is an associate at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com
