Who’s Really Protecting Your Consent? Rethinking the Digital Consent Acquisition Framework

If you’ve ever wondered why your DND (Do Not Disturb) registration (we covered it here) doesn’t always stop unwanted promotional messages, or why a complaint about spam takes forever to resolve, the answer often lies in an unglamorous but important piece of telecom plumbing: the “Digital Consent Acquisition (DCA) framework.” 

Led by the Telecom Regulatory Authority of India (TRAI), the Digital Consent Acquisition (DCA) framework was introduced under the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR). The framework enables consumers to provide verifiable digital consent to receive promotional communications (offers they have opted into, cashback alerts, or loan reminders) even if their mobile number is registered under Do Not Disturb (DND). It establishes a secure and traceable mechanism for recording, verifying, and sharing consent, ensuring that only authorised commercial communications reach consumers while reducing unsolicited messages and strengthening consumer trust.

In June 2025, the government also launched a pilot programme involving 11 banks, during which over 13 million customer consents were uploaded. Following the pilot’s conclusion in February 2026, the Telecom Regulatory Authority of India is moving towards the formal rollout of the framework, beginning with banking institutions. 

What is the Digital Consent Acquisition (DCA) framework? 

The DCA framework involves two distinct but inter-related processes:

  • Registration: Registration is the initial, one-time step in the process. In the case of Registration, a bank or business (known as Principal Entity, or PE) wishes to communicate with a customer who has consented to receive promotional content; it engages an Originating Access Provider (OAP) or a System Integrator (SI) to record that consent on the shared Digital Ledger Technology (DLT) platform. The subscriber’s own operator, known as Terminating Access Provider (TAP) is notified after the fact, and the subscriber is able to view or revoke the consent. Under the existing framework, however, the TAP has no role in capturing or verifying the consent at the point of registration.
  • Scrubbing: Scrubbing is the recurring step that occurs each time the business intends to send a promotional message. Before delivery, the message is checked against several parameters: the sender header, the approved template, the whitelisted URL, and, most importantly, the existence of a valid consent record for that subscriber. Only messages that clear this validation are delivered. Under the current framework, this scrubbing function is also performed by the OAP or SI, rather than by the subscriber’s own operator.

Where this breaks down for the consumer

  • Accountability doesn’t sit where control sits. When a consumer files a complaint about an unwanted message, the regulatory liability and reputational impact falls on the home operator despite having limited visibility and control over the consent management process. The gap is evident in the data trends from DLT ecosystem. 93% of the 32,042 entities blacklisted on the platform are linked to just two operators that only perform functions of OAP and have no direct relationship with consumers.  As of March 2026, 40% of blacklisted templates traced back to a single such operator. 
  • Sensitive consent data travels further than it needs to. The current framework requires sensitive customer consent data outside their home network. The current framework requires sensitive customer consent data to be stored outside the subscriber’s home network. Banks and other stakeholders have expressed concerns that consent data should be accessible only to the Principal Entity and the subscriber’s home telecom operator, citing the need for stronger data governance, privacy, and accountability. This approach is also consistent with the data minimisation principle under the Digital Personal Data Protection Act, 2023, which requires personal data to be collected, processed, and shared only to the extent necessary for the specified purpose. 

A more consumer-centric alternative

The underlying idea behind the DCA framework is a significant step forward. It places consumer consent at the centre of commercial communications so that only authorised messages reach subscribers. However, its implementation could benefit from a structural refinement:

  • Under the revised framework, the subscriber’s home telecom operator, or TAP, becomes the primary custodian of consent. Consent is captured, validated, and securely maintained by the home operator either directly or through secure APIs rather than being independently created or stored by third-party entities.
  • OAPs and SIs continue to facilitate the transmission of commercial communications on behalf of Principal Entities. However, they no longer function as independent custodians of subscriber consent. Instead, promotional messages are validated against consent records maintained by the subscriber’s home operator before delivery.

The approach could strengthen privacy and data governance by limiting access to consent data to the PE and the subscriber’s home telecom operator, reducing unnecessary data sharing in line with the data minimisation principle under the DPDP Act, 2023. By aligning consent management with the operator responsible for customer grievances, it brings operational control and regulatory accountability together, ultimately enhancing consumer protection, trust, and the integrity of the digital consent ecosystem.