In the current digital economy, consumers start their day by receiving a flurry of commercial communications – either a reminder from the bank, a notification confirming the delivery of a product, or a new sale alert. These commercial communications form the backbone of modern marketing as they present businesses with opportunities to introduce new products to consumers, drive engagements and build long term relationships which power the growth of businesses. However, as important as commercial communications are to businesses, it is increasingly perceived as ‘spam' by consumers, given the sheer volume of such communications, exposure to various kinds of fraud and lack of consent by consumers.
Background
Over the years, the Telecom Regulatory Authority of India (TRAI) has been on the forefront of regulatory reforms to combat the growing menace of unsolicited commercial communications (UCCs) sent over SMS and phone calls. Apart from the enactment and implementation of the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) and its recent amendments, TRAI has played an instrumental role in attempting to address UCCs through several innovative measures including the mandates for introduction of Artificial Intelligence (AI) and Machine Learning (ML) based systems to identify and block UCCs, whitelisting of Uniform Resource Locator (URLs), Android Package Kits (APKs) and ‘Over-The-Top' (OTT) links, Principal Entity (PE) – Telemarketer (TM) chain binding process, etc.
Yet, to this date, the highest number of customer complaints in the telecom sector are related to UCCs. In TRAI's latest direction on 13 June 2025, drawing from its power under the regulations to create a regulatory sandbox to combat spam, it announced the launch of its pilot project for ‘digital consent' management in collaboration with the Reserve Bank of India (RBI) and banks, to address one of the prevalent challenges related to UCCs – the verification of consent.
This 3-month pilot project has been initiated pursuant to TRAI's original decision from June 2023 directing telecom service providers (TSPs) to deploy ‘Digital Consent Acquisition' (DCA) facility in the prescribed manner which will enable subscribers to record and revoke their consent. In this pilot project, TRAI has partnered with the RBI, indicating a cross-regulatory collaboration for effective digital consent practices in the telecom and banking sectors.
Snapshot of the pilot project
Under the pilot project, TSPs will essentially test the technical, operational and consumer-centric dimensions of the consent registration facility (CRF). This will entail end-to-end integration of DLT systems for consent recording and revocation, coordination with participating banks for system integration and consumer awareness campaigns and so on. In a bid to maintain checks and balances, there are requirements to conduct progress review meetings and furnish periodic reports to TRAI during the subsistence of the pilot project. TSPs will also be expected to adhere to modifications in the terms, consent workflow and reporting requirements as directed by TRAI from time to time, based on feedback of stakeholders. To incentivise participation, TSPs have been asked to waive off inter-operator charges.
What it means for participating banks
While this pilot project has been initiated in the banking sector (due to the sensitive nature of the transactions and risks of financial frauds involved), it lays the foundation for sector-wise standardisation of the consent acquisition framework. Relevant businesses must accordingly revamp their consent practices and align them with the TRAI's framework. This could potentially entail changes in processes, upgrades to existing technologies and enhanced costs of compliance to adapt to the changes. Importantly, this will present a shift from the current marketing practices, which have relied on other forms of consent, causing banks to rethink their outreach strategies.
How does this fare with the consent requirements under the DPDP Act
The Digital Personal Data Protection Act, 2023 (DPDP Act) also has enhanced consent requirements for processing ‘personal data' in a digital form. Consent under the DPDP Act is required to be free, specific, informed, unconditional and unambiguous with a clear affirmative action. While TRAI's DCA requirement and DPDP Act's consent standards are operationally and conceptually aligned, the consent requirements under the DPDP Act will get triggered for any kind of digital personal data processing, whereas TRAI's pilot is currently limited to specified forms of commercial communications made over telecom networks. Further, TRAI's user interface for digital consent management does not take into account the broader user rights envisaged under the DPDP Act such as the right to access, right to correction, etc. That said, consent obtained under the DPDP Act cannot validate the sending of specified commercial communications under TCCCPR, as they serve distinct legal and operational purposes by different regulatory authorities and should be separately obtained in the prescribed manner. Notwithstanding, it is clear that both frameworks will have to function in a harmonious manner to achieve their respective objectives.
Road Ahead
As India steps into a more privacy conscious era – in line with its global counterparts such as EU and the UK – TRAI's digital consent pilot programme is a crucial development for all businesses to note. While the pilot programme is merely the beginning, it is imperative for relevant businesses to consider the dual compliance requirements and align their practices to the requirements laid down by the relevant regulators. In the context of commercial communications specifically, explicit consent is so important that it can override the ‘Do-Not Disturb' preferences of subscribers, as long as it is obtained in the prescribed manner. Hence, businesses need to invest in the new consent design, prioritise user autonomy and enhance credibility through legally compliant business practices. The success of the pilot project may prove to be instrumental in curbing spam in the longer run. It will also have to be seen if similar mechanisms will be introduced for regulating commercial communication sent using the OTT channels.
The content of this document does not necessarily reflect the views / position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up, please contact Khaitan & Co at editors@khaitanco.com.
