How will the Data Protection Act impact Telemarketing?

There’s over a billion mobile subscribers and 64% of Indians are reported to receive 3 or more promotional calls everyday (I personally received more than 5 calls while writing this article). Financial services account for 51% of these, followed by real estate, healthcare, telecom and others services. The subscriber’s contact information is a low hanging fruit: the user may themselves furnish their details or the data may be sourced in bulk from third parties. 

While customers consider it a nuisance, businesses use telemarketing generously. Bajaj Finserv, for example, has a team of over 4,500+ telecallers and around 45% of loans to existing customers are pitched via telemarketing calls. For the longest time, telemarketing has been a cornerstone of customer acquisition in India.

Until now.

With the notification of the Digital Personal Data Protection Act 2023 (DPDP Act) a complete overhaul is on the horizon. The DPDP Act prohibits collection and use of customer data without consent. It is crucial that businesses that deal with large amounts of personal data, like telemarketers, understand how they can comply with the new law. 

In this piece we will answer three main questions:

• What are the existing regulations on telemarketing?
• What is the new Data Protection Law?
• What is the practical impact on telemarketers? 

In response to the last question, we believe the services of a Consent Manager will make compliance a much easier task. The last section explores the concept of Consent Managers and why telemarketers and other businesses could use one.

‍

Telemarketing Law before DPDP Act

The Telecom Regulatory Authority of India (TRAI) issued regulations back in 2007 and subsequently in 2018 as a measure to tackle Unsolicited Commercial Communication (UCC). As per the 2018 regulations all Telecom Service Providers (TSPs) and other telemarketing enterprises need to register with a blockchain based DLT platform. The DLT platform is coregulated by TRAI and TSPs contains a record of subscribers and their preferences such as category, mode, time and day bands of communication. No UCCs can be sent in contravention to these preferences. 

Moreover, there are Reserve Bank of India (RBI) circulars directed at commercial banks and NBFCs emphasizing on the requirement of maintaining a Do Not Call list to protect against UCC pertaining to credit card, loan and other marketing operations. Even the Supreme Court of India has called for enactment of a law banning UCCs altogether. 

In 2021 there were over 800,000 complaints against UCCs and the number rose to 900,000 in 2022. Despite regulatory efforts there had not been a sufficient resolution to the problem of UCCs. 

‍

These regulations could not solve the problem of UCCs. Why?

• The regulations only pertain to phone calls and messages leaving out important channels like Whatsapp and email.  

• The penalties are not particularly high. For instance, the State Consumer Commission in New Delhi ruled against banks and telemarketers for harassing users with UCC but ordered a compensation of just 25,000 Rupees.

• Even if the penalty is high, there is insufficient and irregular enforcement which leaves the telemarketers to operate with very little oversight.

• Despite the DLT system, the TSPs allowed telemarketing to occur without cross checking the consent preferences on their platform as companies collected consent elsewhere.

These limitations may have worked out in favor of TSPs and businesses that rely on telemarketing. However, the Digital Personal Data Protection Act promises to be a different beast altogether.

‍

‍

What is the new Data Protection law?

The Digtal Personal Data Protection Act 2023 applies to digital personal data which means any digital data of an individual who is identifiable by such data. Name, mobile number, email and other personal details which are used by telemarketers would qualify as personal data and be covered under the DPDP Act. However, the DPDP Act does not apply to data that is publicly made available by the user or data required to be disclosed under law. For instance, if I share my Whatsapp number on my LinkedIn profile, telemarketers can use it without my consent.

The Act classifies two central stakeholders -
Data Principal - the individual to whom the data relates to; and

Data Fiduciary - the companies that collect or process personal data.

Let us say a Bank obtains contact information of an individual from a marketing agency and calls the individual to promote a lending product. Here, the individual is the Data Principal, the Bank and marketing agencies are both Data Fiduciaries.

‍

The Data Fiduciaries have the tallest task in complying with the DPDP Act. 

Consent Requirement 

The DPDP Act adopts a consent centric framework for data processing. For most operational purposes including telemarketing, a data fiduciary cannot collect or use personal data without consent. This means that a telemarketer cannot use or even collect the name, number, or email of a customer unless the customer has given free, informed, and clear consent. There are certain DPDP exceptions but these will rarely apply to telemarketing.

Telemarketers must maintain detailed audit logs to prove valid consent. The customer can withdraw their consent at any time and the Data Fiduciary is obligated to erase the data upon such withdrawal. The data must also be erased if its specified purpose is fulfilled. The exact time allowed for retention after consent withdrawal and purpose fulfillment is yet to be clarified but storage cannot be indefinite.

Lawful Purpose

Consent or legitimate use are not enough, the data must also be processed for a lawful purpose. Given the TRAI and RBI regulations, telemarketing communication against DLT registered preferences would constitute an unlawful purpose and breach the DPDP Act. Moreover, with the new DCA Rules the telemarketers need to take user consent on the TSP's network and record the same directly on the DLT. So now a business cannot lie about having obtained consent separately because the consent is also being taken on the access provider's network. All past consents will become invalid and everyone will have to take fresh consent. This new regime is being rolled out in a phase manner and once it is fully implemented, telemarketers will have another legal hurdle to cross.

Therefore, telemarketers can only initiate promotional communication if

A) Data Principal has given consent for their contact information being used for promotions; AND

B) The mobile subscriber has agreed to receive commercial communication under the DLT registry preferences. 

If either of these is absent, it means a breach of DPDP Act obligations with a possible penalty of up to 50 Crore Rupees. Read more on DPDP Penalties and more on our Consent Blog.

Rights of the Data Principal  

‍The DPDP Act also provides the Data Principals with powerful rights over their data. This adds to the compliance obligations of Data Fiduciaries like telemarketers. Some notable rights are - 

• Right to obtain information - The Fiduciary must furnish a summary of the data it has processed, the processing activities undertaken, and identities of entities with whom the data has been shared to the Data Principal upon request.  

• Right to correction, update, and erasure of data. The Data Fiduciary’s database must be up to date with changes in consent preferences and data processing activities must change accordingly.

• Right to readily available grievance redressal provided by the Data Fiduciary in respect of their obligations under the DPDP Act.

Presently, it is hard to imagine any telemarketing organization is well equipped to manage all the obligations imposed by the Digital Personal Data Protection Act. The Act provides for a Data Protection Board (DPB) tasked with enforcing the law and holding entities accountable for non-compliance.

Before the DPB is notified and the DPDP Act is enforced, companies have time to understand and prepare for what the new law entails. Let us consider some of the practical implications.

‍

What are the practical implications on Telemarketing?

Navigating this new landscape will be most challenging for telemarketers as consent is key and users do not like consenting to promotional communication.

‍

‍

Here are some of the on ground changes that can be expected by telemarketers once the DPDP Act is enforced:  

• Telemarketers will need to collect valid consent for using personal data. For every user contacted the telemarketer will need to show a record of free and specific consent for receiving commercial communication. 
• Telemarketers should initiate high level data mapping at the backend to specific purposes and data principals. This includes mapping data from App Ids and Cookies which may also be considered personal data.
• The DPDP Act will apply to all forms of telemarketing communication including phone calls, SMS, Whatsapp, emails, websites and more. Care must be taken to align all channels with the new law.  
• For user data collected before the DPDP Act’s enactment, a notice must be sent informing the users of the data and purpose of its processing as well as their right to withdraw consent with ease and grievance redressal.
• Telemarketers must prepare to furnish the user with summary records of the data processed, purpose of use and identities of entities with whom the data was shared.
• Telemarketers will need to stop all processing activities and erase the data upon withdrawal of consent or after fulfillment of specified purpose.
• In case of breach of personal data, the fiduciary or the telemarketer may be liable to pay a penalty of up to 250 Crore Rupees. They must also inform the Data Principal and the DPB of said breach.
• To centrally manage consent for all user data, telemarketers should consider onboarding a registered Consent Manager.

Consent Managers and Why Telemarketers Need One

The Digital Personal Data Protection Act recognizes that comprehensively managing consent preferences of so many different users may prove cumbersome for any organization. It introduces the concept of a third party ‘Consent Manager’ as registered intermediaries tasked with facilitating consent between Data Principals and Fiduciaries in a compliant manner. 

‍

‍

For instance, Consent Managers will assist in maintaining detailed consent logs which will need to be produced by the Data Fiduciary to prove consent. Consent Managers can allow automation of various processes such as data and consent collection, data correction, erasure and so on.

There is still a lack of clarity on the specifics of the consent manager framework in India and the Digital Data Protection Rules are expected to clarify much. Until then it will benefit Indian businesses to rethink their data governance policies and prepare to account for consent requirements in their telemarketing practices.