How does the DPDP Act affect Telemarketing?

Why is Telemarketing so important?

There are over a billion mobile subscribers, and 64% of Indians are reported to receive 3 or more promotional calls every day (I personally received over 5 calls while writing this article). 

Financial services account for 51% of these, followed by real estate, healthcare, telecom and others services. The subscriber’s contact information is a low hanging fruit: the user may themselves furnish their details or the data may be sourced in bulk from third parties.

While customers consider it a nuisance, businesses use telemarketing generously. With the DPDP Act now prohibiting collection and use of customer data without consent, a complete overhaul is on the horizon. 

What are the existing Telemarketing Regulations in India?

Telecom Regulatory Authority of India (TRAI) introduced Telecommunication Commercial Communications Customer Preference Regulations in 2018, requiring telemarketers to register and respect customer preferences stored on a blockchain-based distributed ledger (DL) to curb Unsolicited Commercial Communication (UCC). 

While this established a framework for respecting “Do Not Call” preferences, significant enforcement gaps remain.

Banks and NBFCs must also maintain internal Do Not Call lists under RBI circulars. Even the Supreme Court of India has called for the enactment of a law banning UCCs altogether. Despite all of this, no comprehensive legal framework has existed to regulate telemarketing consent effectively—until now.

What are the key challenges Telemarketing faces today?

Jurisdiction Limitations: TRAI’s regulations cover calls and SMS but exclude digital channels like WhatsApp and email. They can only regulate TSPs and have zero control over senders of UCCs.

Illegal Telemarketers: Many telemarketers do not register as telemarketers. If they are reported, their connection is disconnected. They just get more SIMs..

Weak Penalties: The penalties are not particularly high, and TRAI cannot fine businesses for lack of jurisdiction.

Consent Ambiguity: Traditional “blanket consent” would be taken for all activities.

What does DPDP Act mean for Telemarketing?

The DPDP Act, 2023, introduces a much stricter regime focused on consent-based data processing:

• Personal data (like phone numbers and emails) can only be used with granular consent for the specific purpose of marketing.
• Blanket or general privacy consents are no longer valid.
  
• Businesses must provide easy mechanisms for customers to withdraw consent anytime.
  
• Violations carry fines up to ₹250 crores per incident, a significant deterrent.
  
  

Complementing this, TRAI’s Regulations on Digital Consent Acquisition (DCA) were released, under which

• Businesses must obtain consent for sending any non-transactional messages to a subscriber directly through the provider’s network
• Subscribers will also have the option to revoke their consent.
• All consent to be recorded immutably on a distributed ledger (DL-Consent).
• Telemarketers must verify consent on this ledger before outreach.
• All consents obtained so far will be rendered invalid and businesses will have to obtain fresh consents for commercial communication

This combined framework aims to close loopholes, improve accountability, and protect customer privacy across all telemarketing channels, including calls, SMS, WhatsApp, and emails.

How will the Telemarketing sector achieve compliance under the DPDP Act?

DPDP Act marks a major shift in the way BFSI entities look at data. To avoid the hefty penalty of 250 crores, all financial institutions must comply with the DPDP Act at the earliest. With the DPDP Draft Rules right around the corner, it's essential to start preparing. Entities in the  telemarketing sector must:

• Obtain free, specific, and valid consent before processing personal data for marketing.
  
• Maintain accurate, auditable records of all consents.
  
• Issue notices to data subjects for data collected before DPDP enforcement, outlining rights and data processing details.
  
• Implement data mapping to link data usage to purposes, including app data and cookies.
  
• Provide data summaries and third-party sharing disclosures to users on request.
  
• Cease data processing and erase data upon consent withdrawal or purpose completion.
  
• Report data breaches promptly to the Data Protection Board and affected individuals.
  
• Ensure compliance across all communication channels—calls, SMS, WhatsApp, email, and websites.
  

Leegality Consent Manager can integrate across all your customer acquisition channels and ensure that you remain compliant in all personal data that is processed in your systems. Fill the form below to set up a call with us.   

‍

‍

‍