How will the Data Protection Act impact Telemarketing?

November 3, 2023

Pushkal Dubey

Founder's Office


  • Despite TRAI and RBI regulations focused on Unsolicited Commercial Communication (UCC), telemarketing went unchecked due to weak enforcement and regulatory loopholes.
  • The Digital Personal Data Protection Act 2023 is the first authoritative Indian law to strictly prohibit telemarketing without user consent.
  • Penalties of up to ₹50 Crores may apply per instance of violation of the DPDP Act.
  • The DPDP Act holds businesses directly liable for any non-compliant telemarketing activities.
  • Businesses must ensure granular consent for telemarketing, provide valid notice for data collected before the DPDP Act, and offer user rights over data.
  • To manage compliance efficiently, telemarketers should consider onboarding a  Consent Manager to handle consents across all customer interaction channels.

Telemarketing is Huge

There’s over a billion mobile subscribers and 64% of Indians are reported to receive 3 or more promotional calls everyday (I personally received over 5 calls while writing this article). Financial services account for 51% of these, followed by real estate, healthcare, telecom and others services. The subscriber’s contact information is a low hanging fruit: the user may themselves furnish their details or the data may be sourced in bulk from third parties.

While customers consider it a nuisance, businesses use telemarketing generously. Bajaj Finserv, for example, has a team of over 4,500+ telecallers and around 45% of loans to existing customers are pitched via telemarketing calls. For the longest time, telemarketing has been a cornerstone of customer acquisition in India.

Until now.

With the notification of the Digital Personal Data Protection Act 2023 (DPDP Act) a complete overhaul is on the horizon. The DPDP Act prohibits collection and use of customer data without consent. It is crucial that businesses that deal with large amounts of personal data, like telemarketers, understand how they can comply with the new law.

In this piece we will answer the following questions:

  • What are the existing regulations on telemarketing?
  • What changes with the new Data Protection Law?
  • How does this impact a business that uses telemarketers?
  • What is the impact on telemarketers?

Telemarketing Law before DPDP Act

The Telecom Regulatory Authority of India (TRAI) issued regulations back in 2007 and subsequently in 2018 as a measure to tackle Unsolicited Commercial Communication (UCC). These are the Telecommunication Commercial Communications Customer Preference Regulations 2018, we will call them UCC Regulations. As per the UCC regulations all telemarketers must register with the TRAI. A customer can register their preference by dialing 1909 and Telecom Service Providers (TSPs) must ensure that registered telemarketers adhere to these preferences.  

These preferences are all recorded on a blockchain based distributed ledger (DL) maintained by TRAI and TSPs. The DL contains a record of subscribers and their preferences such as category, mode, time and day bands of communication. Telemarketers must scrub the DL for subscriber preference and cannot send any UCCs in contravention to these preferences. 

Moreover, there are Reserve Bank of India (RBI) circulars directed at commercial banks and NBFCs emphasizing on the requirement of maintaining a Do Not Call list to protect against UCC pertaining to credit card, loan and other marketing operations. Even the Supreme Court of India has called for enactment of a law banning UCCs altogether. 

In 2021 there were over 800,000 complaints against UCCs and the number rose to 900,000 in 2022. Despite regulatory efforts there had not been a sufficient resolution to the problem of UCCs. ‍


These regulations could not solve the problem of UCCs.

  1. TRAI Jurisdiction -  The regulations only pertain to phone calls and messages leaving out important channels like Whatsapp and email. TRAI can really only regulate TSPs and they do not have any jurisdiction on the senders of these UCCs
  2. Illegal Telemarketers - Many telemarketers do not register as telemarketers. If they are reported, their connection is disconnected. They just get more SIMs.
  3. Faulty Enforcement The penalties are not particularly high and TRAI cannot fine businesses for lack of jurisdiction.The total financial disincentives imposed by TRAI on telcos in relation to UCC till 2022 stood at 34.9 cr. This is a negligible sum in light of the amount that telcos make through telemarketing.  
  4. Service Message Loophole - Senders used to send promotional messages in the guise of service messages claiming that they have obtained consent to send UCCs. This will now be resolved using digital consent acquisition (DCA). More on this here.[Note- Link the DCA header here]

These limitations may have worked out in favor of TSPs and businesses that rely on telemarketing. However, the Digital Personal Data Protection Act promises to be a different beast altogether.

The DPDP Act is much stricter and focused law regulating telemarketing than ever seen before

What is the new Data Protection law?

Digital Personal Data Protection (DPDP) Act, 2023

The Digital Personal Data Protection Act 2023 applies to digital personal data which means any digital data of an individual who is identifiable by such data. Name, mobile number, email and other personal details which are used by telemarketers would qualify as personal data and be covered under the DPDP Act. Read our dedicated piece on the DPDP Act for more.

Under the DPDP Act, businesses that collect and process data of an individual must take consent from them for that specific purpose. If they fail to do this in the manner specified in the Act, they become liable to a fine of up to ₹50 crores for each instance of violation!  

This means that if a telemarketer is calling you to sell you a credit card, they must have your consent for the purposes of marketing. If a bank is sharing your number with the telemarketer then they must have obtained that consent from you. 

For telemarketers and businesses that engage them, this means that they can no longer take a single blanket consent under a broad privacy policy. They must collect granular consent for the specific purpose of marketing. Further, they must let people withdraw their consent. If consent for marketing is withheld or withdrawn then businesses/telemarketers cannot call them.

Digital Consent Acquisition (DCA)

In tandem with the notification of the Digital Personal Data Protection (DPDP Act), TRAI has also come out with a new Direction in June ‘23. It updates the UCC Regulations for Digital Consent Acquisition.

In these Directions TRAI comes out and acknowledges issues relating to promotional messages being sent as service messages; it also accepts that there is no clear process to verify if Principal Entities (businesses that engage telemarketers) have actually obtained consent. They had envisaged a digital consent acquisition method in the legislation but it was yet to be implemented. This was the right time to bring DCA in. 

Under this direction, a business must obtain consent for sending any non-transactional messages to a subscriber directly through the provider’s network. Subscribers will also have the option to revoke their consent. Subscribers will receive these requests for consent from a number starting with ‘127’. These consents will be recorded directly on a DL called DL-Consent. Now, along with scrubbing the DL for preferences, telemarketers will also need to scrub the DL for consents. Therefore, telemarketers would no longer be able to send promotional/service messages to a subscriber if their consent is not verifiably recorded on the DL-Consents.

Telemarketers must be careful to only contact those individuals who have given specific consent for receiving promotional communication

Crucially, with the roll out of DCA, all consents obtained so far will be rendered invalid and businesses will have to obtain fresh consents for commercial communication using the DCA method. Once DCA is in force, no other consent for making calls/sms to subscribers will be considered valid.

Impact on Businesses

Impact on Telcos and Telemarketers

So far, regulation of UCC has been stunted due to TRAI’s stunted jurisdiction, loopholes in TRAI regulations and the lack of an overarching law. These issues may get resolved with the DPDP-DCA combo.

Telcos will now have to demonstrate compliance with TRAI’s DCA directives because the consents will now be recorded in a verifiable and immutable manner on the DL-Consents. Issues relating to businesses feigning consent from subscribers and sending promotional messages in the guise of service messages will be resolved. 

So far penalties for illegal telemarketers have been the suspension of connections. However, with the overarching jurisdiction of the Data Protection board, illegal telemarketers can be exposed to fines up to 50 crores for each instance. This may give an impetus to the clamp down on pesky UCCs.

It is yet to be seen if a higher penalty and a new regulatory authority will be able to entirely alleviate the menace of illegal telemarketers and cold calls on illegally obtained phone numbers. The sheer scale of the problem is huge. However, at least legitimate businesses would now have to distance themselves from these activities to minimise their risk exposure.

Impact on Businesses that engage Telemarketers

So far banks, NBFCs and the likes have not been exposed to liabilities regarding lack of user consent. The UCC Regulations could only regulate TSPs directly, through audits, SOPs and financial disincentives,  and telemarketers indirectly, through suspension of connections. A business that engages multiple telemarketers would remain insulated even if some of the telemarketers engaged were involved in UCCs.

Owing to the lack of enforcement mechanism, the leads of legitimate businesses are likely sourced from activities that are not compliant with TRAI’s UCC Regulations or from whatsapp, email and other channels that are not subject to any UCC regulations whatsoever. 

With the DPDP Act in force, businesses will now become directly liable for telemarketing where customers have not provided consent. An individual who receives a call from a telemarketer to sell a bank’s credit card may make a complaint against the bank to the DPB. If it is found that the telemarketer approached this individual without their consent and based on the instruction of the bank or based on data shared by the bank, then this bank becomes liable. 

This is going to be  a massive problem. To illustrate just how integral telemarketing is to the asset book of a finance organisation - 15% of Bajaj Finserv’s entire loan book is sourced from telemarketing. 

In order to avoid liability businesses will now need to ensure that they have valid consent for every lead generated through telemarketing, or for that matter, any marketing or distribution channel. Currently, businesses require their channel partners to obtain valid consent from the individuals whose data they share. This is backed by indemnities from these channel partners for any losses that arise out of lack of complying with consent and data protection obligation. This will no longer make the cut owing to the size of the penalties and the ease of making a complaint.  

How to Comply

So telemarketers must obtain free, specific, and valid consent from individuals before using their personal data for sending commercial communications. They must also maintain accurate records showing consent for each user contacted. But that’s not all, other than consent based telemarketing here are the other DPDP obligations that a telemarketer/business will need to fulfill:

  • For personal data collected before the enactment of the DPDP Act, telemarketers must issue a notice to the data subjects. This notice should detail the data collected, the purpose of its processing, and inform them of their rights to withdraw consent and seek grievance redressal.
  • Implement high-level data mapping to link data usage to specific purposes and data principals. This should include data from App IDs and cookies, which may also be considered personal data under the DPDP Act.
  • Prepare to provide data subjects with summary records of their data that has been processed, the purposes of this processing, and details of any third parties with whom the data has been shared.
  • Upon a user's withdrawal of consent or once the specified purpose for data processing has been fulfilled, telemarketers must cease all processing activities and erase the data.
  • In the event of a personal data breach, the data fiduciary (telemarketer) could be liable for penalties up to 250 Crore Rupees. They must also notify the affected Data Principal(s) and the Data Protection Board (DPB) of the breach.
  • The DPDP Act encompasses all forms of telemarketing communication, including phone calls, SMS, WhatsApp, emails, and website interactions. Telemarketers need to ensure that all channels comply with the new legislation.

Telemarketers are advised to consider onboarding a registered Consent Manager to centrally manage consent for all user data, ensuring streamlined compliance with the DPDP Act.

Leegality Consent Manager can integrate across all your customer acquisition channels and ensure that you remain compliant in all personal data that is processed in your systems. Fill the form below to set up a call with us.   

The concept of Consent Managers is new in India but is quite prevalent globally as data protection laws like the EU’s GDPR and California’s CCPA impose similar obligations as the DPDP Act 

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.