[Shreya Saswati is a third year B.A.LL.B. (Hons.) Student at National Law University, Odisha]
In its pursuit to curb the dissemination of unsolicited commercial messages, the Telecom Regulatory Authority of India (“TRAI”) issued a direction on 2 October 2023 under the Telecom Commercial Communication Customer Preference Regulation, 2018 (“TCCCPR”). This directed all access providers (“APs”) to develop and deploy the digital consent acquisition (“DCA”) facility in order to record customers’ consent digitally to receive commercial communication from principal entities (“PE”) within strict deadlines.
Here, PE typically refers to an organisation which engages in sending commercial messages to consumers through SMS or voice calls. For instance, banks, financial institutions, and other business entities fall under the category of PE. On the other hand, APs are telecom service providers (“TSP”) such as Airtel, BSNL, and Reliance Jio. These platforms are the connection between individuals and PEs.
Digital Consent Acquisition
The TCCCPR-2018 directs every AP to “ensure that no commercial communication is made to any Recipient, except as per the preferences or digitally registered consent registered in accordance with these regulations.” [regulation 9] Reading along these lines, the DCA system aims to create a unified platform for individuals to register their consent digitally for receiving commercial communications from various PEs.
In the previously existing system, the PEs separately kept track of user consent, making it challenging for APs to verify their authenticity. Hence, the DCA system was put together to provide an easier way for APs to keep a track on user consent while allowing the transmission of commercial communication.
Duties of the Access Providers
The DCA facility developed must appropriately record the users’ consents to receive commercial messages or their revocation thereof. APs must also prepare a SMS/IVR/online facility where customers can indicate their unwillingness to receive consent-seeking messages from certain PEs. Once their number is whitelisted, they will not receive such messages.
The APs need to take the initiative to educate the PEs about the process of taking consent and its verification through the APs and facilitate their on-boarding. Basically, the APs will act as the facilitators of the consent acquisition process, a bridge between PEs and users.
The Consent-Seeking Message
The entire DCA facility revolves around the consent-seeking message to be sent to the users by the PEs with the help of APs. The short code 127xxx must be used in the consent seeking message. This will aid the users in identifying which message is a consent-seeking message and protect them from any deceptive messages. The name and scope of the PE should be clearly mentioned in the consent-seeking message. The message should also include information related to revocation of the consent.
PEs are required to prepare a list of URLs, APKs, OTT links and callback numbers that are authorized for use in consent-seeking messages in order to prevent any unauthorized access or misuse of customer data. If a customer has not replied, or rejected to the message, the PE cannot send the same for the next 90 days. However, customers have the right to initiate the consent registration at any time. This protects the users from unnecessary badgering by the PEs.
Timelines for DCA Implementation
PE initiated consent acquisition process should begin only one month after the DCA Facility is fully functional and advertised or 30 days after successful implementation of DCA. Until then, customer initiated consent registration can take place. The DCA is considered to be successfully implemented when is fully functional and PEs have started registering the consent of consumers via the consent seeking messages. If we go by the timeline provided by TRAI in their direction, PE initiated consent acquisition was set to begin from 1 September 2023. Hence, after this date, PEs cannot use the consent acquired by them from any other process and are needed to adhere to the DCA process for acquiring fresh consent from their targeted audience.
PEs belonging to the banking, insurance, finance and trading related sectors are to be on-boarded first, and all remaining sectors are to be on-boarded subsequently. The prioritization of onboarding banking, insurance, finance, and trading sectors is influenced by their adherence to stringent regulatory requirements and the complexity of implementation within these industries. These sectors operate under specific financial and data privacy regulations, demanding meticulous integration processes to ensure compliance within set deadlines. The complexity of their systems and processes necessitates a focused and comprehensive approach to meet intricate regulatory standards. Initiating onboarding with these sectors allows for addressing the intricacies of their operations, reducing the risk of non-compliance and ensuring a smoother transition for industries governed by rigorous regulatory frameworks.
Implications of the New and Improved Consent Collection
While the direction lays down the procedure and timeline for receiving consent, it most importantly emphasises that existing consents obtained through other means will become null and void. This means that any previous consents obtained through non-digital methods will no longer be considered valid. PEs will need to seek fresh consents exclusively through the DCA process with the help of the access providers.
Shifting to a standardized digital consent acquisition (DCA) process can help maintain consistency in data collection methods. Digital methods often offer better security measures, reducing the risk of errors or unauthorized access associated with traditional non-digital methods. Furthermore, a digital record of consents will give more clarity and form a verifiable platform for APs to keep track of who actually consents.
By nullifying non-standardized consents and seeking fresh consent through a standardized digital process, TRAI is focusing on the intake of only valid and compliant consents for the purpose of advertising. This will put an end to the PEs’ arbitrary method of sending advertisements. For instance, any consents previously obtained via the use of the PE’s website or agreeing to privacy policy would no longer be recognized.
The After-Effects
The implementation of the DCA facility will have significant impacts on the APs, PEs and user relations. While it empowers users to have more control over the messages they receive, it puts a burden on PEs to individually get each user’s consent. This can be a tedious task. Users can now formally choose which commercials they want to see and avoid anything they consider to be unwanted or spam. It is up to the PEs to adequately convince these users to receive their advertisements.
APs have to cooperate with the PEs as well as the users to ensure a smooth functioning of this new system. Ensuring the system remains scalable as user numbers fluctuate or expand demands ongoing attention to maintain its adaptability. Technical integration involves complex modifications to existing systems, requiring meticulous adjustments to databases and software interfaces. Training staff for smooth functioning of the new process and supporting users unfamiliar with the new digital consent process necessitates allocating resources for training programs and providing continuous user support, adding to the operational burden of access providers. Moreover, the guideline requires APs to educate the PEs regarding the new process. This calls for close collaboration between the two. Many TSPs have created portals for PEs to learn the process and begin with the consent seeking process, such as Airtel, Jio and Vodafone Idea (VI).
Conclusion
No change is easy. The DCA system will no doubt be quite burdensome for the PEs and APs, but it is a much needed change. It enhances transparency and accountability in the consent process, protecting the users from receiving unsolicited advertisements. The APs will be required to cooperate with the PEs to gather necessary information and adhere to the TCCCPR’s regulatory standards. Hence, the DCA will provide a standardized and digitally verifiable process of acquiring consent, ensuring the privacy and preferences of users are respected.
– Shreya Saswati