TRAI Issues Directions Regarding Pilot Project For Digital Consent Management With RBI-regulated Banks

In today’s digitally connected world, data has become a new currency. However, with huge data comes greater responsibility, and managing the consent of the data holders becomes indispensable for businesses. Consent management ensures that businesses properly obtain, store and track user consent for collecting and processing personal data. With comprehensive privacy laws such as India’s Digital Personal Data Protection Act (DPDPA) and the IT Act, 2000, organisations are now under increasing obligation to obtain clear, informed and verifiable consent before handling personal data.

India’s open banking ecosystem is evolving rapidly, backed by digital infrastructure, the Account Aggregator framework, and strong data privacy regulations. Consent management lies at its core, giving consumers control over who accesses their financial data, what is shared, and for how long. However, data leaks and misuse persist, especially when information is shared outside regulated channels through vague consents or unverified platforms, leading to spam calls and messages. This has led to the need for stricter enforcement and greater user awareness to ensure secure and ethical data sharing.

Presently, under the regulatory framework defined by the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, an entity can make commercial communications to a consumer irrespective of their Do Not Disturb (DND) preferences, provided the entity has taken explicit consent from the consumer. However, enforcement has remained challenging due to the unreliable nature of offline consent mechanisms.

Recognising the importance of consent in protecting consumers from spam and data misuse, India’s Telecom Regulatory Authority (TRAI) recently stepped in to address persistent gaps in how businesses acquire and validate consent. TRAI observed that a large number of spam complaints are made by customers against the business entities from whom they have earlier purchased goods or services. Upon investigation, such business entities were often found to possess the consent of the consumer collected through offline, unverifiable methods, raising serious questions about its legitimacy. In many cases, consumers reported that their contact details had been obtained through misrepresentation or unauthorised data sharing.

Directions on the Pilot Project for Digital Consent Management

On June 13, 2025, TRAI issued directions regarding conducting a Pilot Project to acquire fresh digital consent through the Consent Registration Function (CRF) Framework with RBI-regulated Banks. Given the sensitivity of banking transactions and cases of financial fraud through spam calls, the banking sector has been prioritised for the first phase of implementation. The Pilot aims to validate the operational, technical, and regulatory aspects of the enhanced Consent Registration Function (CRF) and lay the foundation for sector-wise scaling of the digital consent ecosystem.

  1. Steps to be followed by all Access Providers:

All Access Providers must conduct a three-month Pilot Project, limited to RBI-regulated banks as Principal Entities (PEs), within a Regulatory Sandbox environment to validate the technical, operational, and consumer-centric aspects of the Consent Revocation Framework (CRF). Access Providers must integrate end-to-end Distributed Ledger Technology (DLT) systems for consent recording and revocation, coordinate with participating PEs for system integration, and execute consumer awareness campaigns.

While functioning as Originating Access Providers (OAPs), they are responsible for transferring consent data to the respective Terminating Access Providers (TAPs). When functioning as TAPs, they must send customer notifications, receive revocation requests and update the CRF accordingly. Access Providers must also provide logistical support, participate in Working Groups, conduct fortnightly review meetings, and submit reports of such meetings to the Authority. A detailed report must be submitted within ten business days of the Pilot’s completion, and a final consolidated report must follow within the same timeframe.

Additionally, they are required to launch media or digital campaigns within thirty days of the issuance of this Direction to educate consumers about the Pilot Project and revocation mechanisms, waive off inter-operator charges for the duration of the Pilot, and comply with any modifications in workflow, terms, or reporting requirements as directed by the Authority based on stakeholder feedback and ongoing experience.

  2. Processes and Safeguards for the Pilot Project:

Banks must upload customer consents, either in bulk or incrementally, through the respective portals of the Originating Access Facilitators (OAFs) or via any other secure mechanism, including API integration with OAPs. Along with each upload, banks must submit an online undertaking confirming the authenticity and accuracy of the consents in a format prescribed by the Authority during the Pilot Project. Once uploaded, OAFs will forward these consent records to the concerned Terminating Access Providers (TAPs) for registration on the DLT platform. TAPs must immediately notify customers of each successfully recorded consent (except in the case of bulk uploads) via SMS from the ‘127xxx’ short code, also providing an option for customers to opt out. If a customer opts out, the consent must be deleted from the DLT platform.

To ensure transparency and regulatory compliance, OAFs and TAPs must implement a secure and interoperable framework that allows Principal Entities (PEs) to access up-to-date information about recorded, valid, and revoked consents linked to customer mobile numbers. This framework should include strong access controls, audit trails, and performance safeguards. Additionally, TAPs must allow customers to retrieve all active consents by sending an SMS to ‘127xxx’ using keywords such as “My consents” or other secure channels.

Customers must also receive fortnightly SMS updates from TAPs informing them about:

  • consents recorded on CRF,
  • the mechanism for consent revocation, and
  • a weblink to the TAP’s portal, where consumers can securely see the complete details of the concerned PEs. The portal must always remain accessible.

TAPs must provide a user-friendly interface for consent revocation, enabling customers to revoke consents for individual or multiple PEs through the web, mobile app, or SMS.

Further, Access Providers must create dedicated pages on their websites within 30 days and on their mobile apps within 60 days of the Direction’s issuance. These pages should detail the Pilot Project, registration, and revocation processes, with links placed prominently on their Preference or UCC complaint registration pages.

  3. Reporting Requirements:

Each Access Provider, through the designated working group, must submit a detailed report to the Authority within ten business days of completing the Pilot Project. This report should be supported by relevant data collected during the project and provide a comprehensive assessment of the implementation.

It must briefly describe the Pilot Project, its outcomes, and key findings. The technical evaluation should cover API performance, integration logs, latency in updating records on the Consent Revocation Framework (CRF), and system uptime. The report should also analyse the consent lifecycle, including the number of consents recorded and revoked and the success rate of customer notifications. A user interface review must include screenshots and notes on accessibility or interface issues, particularly revocation testing. Feedback from participating banks, especially nodal officers, should be documented alongside consumer feedback, including sample complaints, actions taken, and survey insights. Additionally, the report must detail inter-operator coordination issues such as SLA breaches, reconciliation errors, or integration challenges.

Feedback may also be provided on areas such as scaling and commercial rollout, improvements to the consent workflow to ensure a balance between customer protection and business ease, development of user-friendly revocation interfaces, effective consumer notification practices, public awareness strategies for CRF, and any regulatory or policy interventions necessary to strengthen the framework.

Concluding Remarks

This regulatory initiative is a strong step towards creating a more transparent and accountable commercial communication ecosystem. A secure and verifiable digital consent system can reduce spam, deception, and unauthorised data sharing. TRAI’s efforts, in collaboration with RBI and other stakeholders, aim to build a sector-wise consent management ecosystem that upholds consumer rights while enabling legitimate business communication.

In conclusion, consent management is no longer a minor back-end compliance activity but central to digital trust and business credibility. Whether dealing with data protection laws or enabling data flows in open banking, the ability to obtain, store, and verify user consent is indispensable. Regulators like TRAI are setting the tone for a privacy-first, consumer-centric digital economy.

Authors: Manisha Singh and Kratika Patel

First Published by: Mondaq