Introduction
On June 16, 2025, the Telecom Regulatory Authority of India ("TRAI") launched a pilot project aimed at operationalising a new framework for digital consent management. Implemented in collaboration with the Reserve Bank of India ("RBI") and select banks, the project marks the beginning of a larger national effort of bringing transparency and accountability to the process of obtaining consumer consent for commercial communication.
The decision comes at a time when regulatory attention to unsolicited calls and messages is growing, particularly those made under the guise of consent. The pilot is not just a technical or operational exercise, but it represents a long-overdue recognition of the need to strengthen the credibility of consent itself.
The Problem with Consent Today
The present challenge lies in the way consent is collected and used by commercial entities. Under the existing telecom regulations, businesses are permitted to send promotional communications to users even if they are registered under the Do Not Disturb (DND) list, provided they have the user's explicit consent. However, in practice, consent has often become a vague and unverifiable claim. Many businesses assert that they have secured permission from consumers but are unable to provide any transparent or trustworthy record of when and how such consent was obtained. In many cases, consumers allege that their personal data was collected without their knowledge or misused through third-party sharing or deceptive offline practices. This has not only led to a deluge of spam calls and messages, but has also created serious vulnerabilities for financial fraud, phishing, and data misuse etc. The deficit in trust between consumers and service providers continues to widen.
Why Digital Consent Matters
A fundamental issue that regulators like the TRAI are now trying to address is not merely about whether consent exists, but whether it is meaningful. Consent must be explicit, informed, and revocable. For it to serve as a legitimate basis for commercial outreach, there must be a secure, auditable trail that confirms that the user actively agreed to be contacted for specific purposes. The pilot project is intended to ensure implementation of a secure, standardised mechanism to obtain, verify, and manage consumer consent digitally. It is an attempt to move away from informal, often opaque modes of data collection towards a system that respects both consumer autonomy and regulatory scrutiny.
A Sectoral Approach with Banking at the Centre
The pilot begins with the banking sector, which is not a coincidence. Banks and financial institutions are among the most frequent senders of promotional messages, and also among the most sensitive when it comes to data security. The consequences of a fraudulent or misleading message from a bank can be far more damaging than a simple inconvenience, it can result in loss of funds, identity theft, or wider systemic risks. By testing the consent framework first within the banking sector, the TRAI and the RBI hope to validate the technical and legal mechanics of the model under a regulatory sandbox, before expanding it to other sectors such as insurance, real estate, or e-commerce.
Laying the Groundwork for a Broader Ecosystem
While the pilot is narrow in scope for now, it lays the groundwork for an interoperable digital consent registry where businesses will be required to record consumer consent in a uniform format, accessible for verification by telecom service providers before any communication is allowed. Such a registry would, in effect, become a digital checkpoint, ensuring that no message or call reaches the consumer, unless it has passed the test of consent. For this to succeed, onboarding of commercial entities will be critical.
Interestingly, the pilot aligns with the broader principles of the Digital Personal Data Protection Act, 2023 ("DPDPA"), which also emphasises the need for valid, purpose-specific consent, managed through licensed Consent Managers.
Therefore, the TRAI pilot should not be seen in isolation, but rather as part of an ecosystem-wide effort to build user-centric data governance in India.
Conclusion
The TRAI's pilot project is an important milestone in reshaping how consent is treated in India's digital economy. If implemented well, it can not only reduce spam and fraud but also restore trust in commercial communication. For consumers, it means greater control over who gets to contact them and for what purpose. For businesses, it sets a higher bar for accountability, but also provides a fairer, more transparent framework within which they should engage with customers. The eventual success of this system will depend on how quickly and effectively stakeholders adopt this new framework. But the pilot sends a clear signal that the era of vague, unverifiable consent is coming to an end and a more secure and standardised model of communication is beginning to take shape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
