Telcos battle to become gatekeepers of India’s customer consent data

India’s private telecom operators have drawn a clear line in the sand over who controls one of the most commercially valuable assets in the country’s digital economy: customer consent. In submissions to the Telecom Regulatory Authority of India (TRAI), the operators have urged a fundamental redesign of the proposed Digital Consent Acquisition (DCA) framework, one that would place them, and not third-party intermediaries, at the centre of how consent for commercial communications is collected, stored, verified and enforced.

The stakes, as ever in Indian telecom, are considerably larger than they might appear at first reading.

The DCA framework is TRAI’s attempt to bring order to one of the more intractable consumer grievances in the digital age: spam and unsolicited commercial messages. Under the proposed system, brands and enterprises, referred to as Principal Entities, or PEs, would be permitted to send promotional messages only to customers who have explicitly consented to receive them. A Distributed Ledger Technology (DLT) platform would verify the presence of valid consent before any message is delivered, and communications without that verification would be blocked at the network level. It is, in design, a significant tightening of the rules around commercial communication, and a recognition that the existing opt-out-based regime has largely failed to protect consumers.

The contention, however, lies in the architecture of consent management within this system, specifically, the role of Originating Access Providers, or OAPs.

OAPs are intermediary aggregators that facilitate the origination of commercial communications on behalf of enterprises. They sit between the brand that wants to reach a consumer and the telecom network that ultimately delivers the message. Crucially, they do not necessarily maintain a direct relationship with the subscriber at the receiving end. Reliance Jio, Bharti Airtel and Vodafone Idea do, they are the companies whose SIM cards subscribers carry, whose networks they rely on for calls, data and messages, and whose customer service channels they turn to when something goes wrong.

The telcos’ argument, stripped to its core, is one of accountability. An entity that has no relationship with the end consumer, they contend, cannot credibly be held responsible for consent that affects that consumer. “An OAP-only entity cannot claim accountability toward subscribers because it neither serves nor has any direct relationship with them,” the operators have argued in their submissions to TRAI. Allowing such entities to act as primary consent custodians, to upload, validate and manage consent records on the DLT platform, creates what the operators describe as a dangerous disconnect between responsibility and accountability.

Their alternative architecture is straightforward: consent records should be stored, validated and managed by the customer’s own telecom operator, the Terminating Access Provider or TAP, which is the network on which the subscriber’s connection actually resides. Under this model, Principal Entities would be directed to obtain DCA services exclusively from the serving TAP of the customer they wish to reach. OAP-only players, those without a

meaningful subscriber base of their own, would be disallowed from acting as independent consent custodians or uploading consent records to the DLT platform.

From a consumer protection standpoint, the telcos’ logic has considerable force. If a subscriber wishes to withdraw consent, dispute an unauthorised communication, or file a complaint about spam received despite having opted out, their most natural point of contact is their telecom operator, not an aggregator they may never have heard of. Concentrating consent management with the serving network would, at least in theory, shorten the grievance redressal chain and create clearer lines of enforcement. It would also mean that the entity held responsible for a consent failure is the same entity that can actually act on it, suspending message delivery, logging the complaint, or escalating to TRAI.

But the telcos’ push also raises questions that TRAI will need to examine carefully. Handing the major operators full control of consent repositories for their subscriber bases would give Jio, Airtel and Vi significant leverage over the commercial communications ecosystem. Brands and enterprises that want to reach customers on a particular network would need to route their consent acquisition through that network’s infrastructure, a position that could, depending on how pricing and access conditions are structured, give operators a commercial advantage over OAPs and aggregators in the business of commercial messaging. The line between consumer protection and market control is not always a bright one, and regulators will need to be alert to the possibility that the proposed architecture, however compelling in principle, could entrench incumbent network power in ways that reduce competition and raise costs for businesses seeking to communicate with their customers.

There is also the question of portability and interoperability. Consent is not static, customers change operators, and their preferences and consent records should, in principle, travel with them. How a TAP-centric architecture would handle consent portability at the point of mobile number portability (MNP) is a design challenge the framework will need to address explicitly. Similarly, the DLT platform’s ability to maintain a coherent, auditable and tamper-proof record of consent, one of its central selling points, could be complicated if consent records are fragmented across multiple operator-owned repositories rather than managed through a common neutral infrastructure.

The broader implication of this debate is that consent, as a concept, has moved far beyond its original regulatory framing. In the early days of spam regulation, consent management was a compliance function, a box to be checked before a promotional message was sent. What the DCA framework recognises, and what the telcos’ intervention underscores, is that consent is now an infrastructure question. Who controls the record of what a customer has agreed to receive, who can verify it in real time before a message is delivered, and who can enforce withdrawal or revocation, these are questions about power, accountability and the architecture of India’s commercial communications ecosystem.

TRAI’s response to the operators’ submissions will shape that architecture for years to come. The regulator will need to weigh the genuine consumer protection benefits of operator-led consent management against the risks of concentrating too much control in the hands of a small number of network players. Getting this balance right matters not just for the spam problem the DCA framework was designed to solve, but for the broader question of how India governs the relationship between its citizens and the commercial entities that seek their attention. Based on industry submissions to TRAI on the proposed Digital Consent Acquisition framework.

CT Bureau