The Telecom Regulatory Authority of India (TRAI) and the Reserve Bank of India’s (RBI) newly launched digital consent pilot, sending selected users SMS alerts to manage promotional message permission, marks an important milestone in India’s digital landscape. For the first time, millions of consumers who have long received 10–15 promotional messages daily, often without clear visibility into where or when they gave consent, may soon see tangible control over who can contact them.
But this pilot, while significant, only scratches the surface of a much deeper issue, the need for consent governance that is fully aligned with India’s Digital Personal Data Protection (DPDP) Act.
As Mr. Ashok Hariharan, CEO of IDfy, aptly puts it: “Until now, the average consumer had no real control over the barrage of promotional messages. With this pilot and the broader intent of DPDP, we are finally empowering citizens to see and revoke all consents they’ve given, not just for promotions, but across the entire digital ecosystem.”
In this blog, we explore why the TRAI–RBI pilot must be viewed as the first domino, and why DPDP-aligned consent governance must go far beyond marketing messages if India truly wants to uphold privacy rights and data protection.
The TRAI–RBI Pilot: A Breakthrough
At its core, the Digital Consent Acquisition (DCA) pilot sends SMS alerts from short code 127000 to a select subset of mobile users. These messages link to a secure consent management page where participants can view, modify, or revoke promotional consents held by 11 major banks.
For many users, this is the first time they’ll be able to see the permissions they gave years ago, legacies of paper forms or siloed digital systems that offered no transparency. Mr. Hariharan emphasises this point:
“A citizen can now see and revoke all consents given across 11 major banks, an important step forward.”
Yet, while this initiative aligns with the broader DPDP ethos of giving control back to individuals, it only applies to a narrow use case of promotional communications. The real challenge lies in extending this control to every purpose that modern organisations process data for.
Also Read : Top 5 Consent Management Platforms in India 2025
Promotional Messages Are Only One Piece of the DPDP Puzzle
Promotional SMS consent has long been a public irritation, and giving users visibility into old marketing consents is a step forward. However, consider the broader consent ecosystem:
- Banks and digital platforms collect consent for profiling and cross-sell analytics.
- E-commerce players use consent for personalised product recommendations and AI model training.
- Financial services rely on consent for credit score modelling, fraud detection, and data enrichment.
- Digital platforms share data with third-party partners for strategic partnerships.
Most consumers have no visibility into these deeper purposes today. This is where the DPDP Act’s consent regime becomes critical.
Under the DPDP Act, consent must be:
- Free, specific, informed, and unambiguous, with clear notice of the purposes for which personal data will be processed
- The consent should be accompanied by a mechanism for withdrawal that is easy and comparable to the method by which consent was given.
That means consumers shouldn’t just see a check-box for “marketing messages,” they should see what their data is used for, by whom, and how to revoke that consent.
DPDP: A Framework That Empowers Consumer Control
The DPDP Act, which came into force with associated rules in late 2025, establishes a rights-based, consent-driven framework governing digital personal data in India. Key DPDP principles relevant to consent governance include:
- Notice Requirements :
Data fiduciaries must inform individuals about the specific purposes and processing activities at the time of consent collection
- Revocation Rights :
Under DPDP, a data principal (the individual) has the right to withdraw consent at any time, and this withdrawal must be as easy as giving the consent in the first place
- Consent Managers :
The law envisions mechanisms, including registered consent managers, to centralise and manage consents in an interoperable way
This means consent isn’t simply a “yes/no” click buried in a form; it’s a living, manageable right of the individual.
Also Read : The DPDP Compliance Checklist (2025): Step-by-Step Guide for Indian Businesses
Why the Current Pilot Needs a DPDP-Driven Expansion
Here’s how most digital journeys work today :
- When a consumer applies for a loan, they are asked for consent to process sensitive financial and behavioural data.
- During KYC checks, identifiers are shared and verified across public and private systems.
- When shopping on an e-commerce platform, consent is taken for profiling and personalised recommendations.
- Many platforms use data for AI model training, analytics, or sharing with partners.
Yet consumers rarely see a single dashboard where all of these consents are visible, reviewable, and revocable, something that the DPDP Act explicitly promotes. It isn’t enough to have marketing message consent if profiling consent, analytics consent, and sharing consents are hidden or inaccessible.
Our CEO, Mr. Ashok Hariharan, stresses that “Promotional SMS consent is just the first domino. If we truly comply with DPDP, consent governance must go beyond telco rails. Telcos manage commercial communication consent, but a unified consent experience requires bridging multiple worlds.”
The Consequences of Ignoring Full DPDP Compliance
When consent is fragmented and opaque:
- Users assume legitimacy, and many fraud scams begin when people assume a promotional SMS or call is legitimate because they believe they had given consent. This misplaced trust becomes fertile ground for scams, social engineering, and identity theft.
- Organisations expose themselves to regulatory and reputational risk under DPDP, which mandates full visibility into processing purposes and consent records.
DPDP compliance isn’t just a legal checkbox; it’s central to building trust, reducing fraud, and modernising digital interactions. The current pilot operates largely within telecom and bank consent silos. However, DPDP, by design, requires consent transparency across multiple domains:
- Consent for profiling & behavioural analytics
- Consent for automated decision systems / AI model training
- Consent for data enrichment, credit modelling, and sharing with partners
- Consent for any processing purpose where personal data is involved
Under DPDP, a customer can revoke consent not just for promotional messages but for all of these purposes, and organisations must respect that.
This means moving from scattered, platform-specific consent controls to a unified, portable view of all consents a person has granted, a DPDP-aligned vision of privacy governance.
Also Read : Penalties Under DPDP: Fines, Breach Scenarios, and How to Reduce
Conclusion
India’s first unified digital consent pilot is an important signal. It shows regulators and industry recognise that the old paper-based, fragmented consent world isn’t sustainable. But real consumer empowerment requires DPDP-compliant consent governance across the entire digital economy.
Promotional messages are just the first domino. The next and much larger challenge is to ensure that consumers can see all the purposes their data is used for, and can revoke consent across all these purposes with equal ease. Organisations should embed DPDP notice requirements and consent management deep into their platforms, along with consent records that are centralised, accessible, and actionable. Only then will India’s digital ecosystem truly reflect the promise of privacy, control, and trust that DPDP envisages.
Get in touch with us at shivani@idfy.com to take control over your data with India’s most trusted DPDP compliance platform, Privy by IDfy. We will keep you updated on the latest developments regarding the DPDP rules and how they will impact your business. Stay glued to this space for more information on data, privacy, compliance, and all things DPDP.