Thomson Reuters has published a Q&A providing a high-level summary of email marketing (spam) compliance requirements in India. It addresses requirements for opt-in or opt-out consent, consent exceptions, email subject lines, email content, and unsubscribing. It also identifies relevant statutes, regulations, guidelines, regulatory authorities, sanctions, and remedies. This Q&A only addresses personal data processing requirements or restrictions relevant to using email addresses to send marketing messages. It does not address personal data use for broader marketing purposes, such as targeting email content based on behavior or generated profiles.
Reproduced from Thomson Reuters Practical Law with the permission of the publishers.
Primary Legislation
1. What primary legislation and regulatory authority governs email marketing activities?
India does not have a comprehensive law or regulatory authority governing email marketing activities.
However, certain industry-specific laws and regulations impose confidentiality requirements and restrict personal information uses, including for email addresses, in ways that may impact email marketing activities. These laws affect organizations operating in the:
Draft telecommunication bill. The Indian Government released the draft Indian Telecommunication Bill in September 2022 and has invited comments from stakeholders. The 2022 bill will replace the Indian Telegraph Act, 1885 and Indian Wireless Telegraphy Act, 1933. While the existing sector-specific laws and regulations primarily govern direct marketing activities through calls and text messages, the 2022 bill will also govern direct marketing activities through emails.
The 2022 bill will empower the Indian Government to prescribe measures for protection of users from “specified messages”. These include any message offering, advertising or promoting goods, services, interest in property and investment opportunities (among other things). Such measures can include:
Based on press reports, the authors understand that an updated version of the 2022 bill has been approved by the Indian Government which was to be introduced in Parliament in its monsoon session beginning from July 20, 2023. However, the draft was not introduced and it is currently unclear as to when it will be tabled before the Parliament.
Unsolicited commercial communication regulations. The Indian Government has issued the Telecom Commercial Communications Customer Preference Regulations, 2018 (UCC Regulations) under the TRAI Act which clarify that no commercial communication, including communications for advertising and soliciting business (among other things) will be sent to a recipient, unless the recipient has specified otherwise. The UCC Regulations currently only govern voice calls and communications sent through telegraph. However, they will apply to commercial communications that are sent through emails once the 2022 bill is implemented.
Sector-specific laws and regulations also govern direct marketing activities through calls and text messages. Laws related to marketing calls and text messages are outside the scope of this Q&A.
E-Commerce Rules
The Indian Government has issued the Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules) (in English starting on page 7) under the Consumer Protection Act, 2019 (Consumer Protection Act). While these rules do not directly address email marketing, they require every e-commerce entity to record a consumer’s consent for the purchase of any good or service offered on its platform if the consumer expresses consent through an explicit and affirmative action. Consent cannot be recorded automatically, including in the form of pre-ticked checkboxes.
Digital Personal Data Protection Act, 2023
India’s Supreme Court recognized the right to privacy as fundamental in 2017 and requested that India’s government enact a law to address this issue. In this regard, the Indian Government has been attempting to pass a comprehensive data protection law. Recently, the Digital Personal Data Protection Act, 2023 (DPDP Act) has been enacted on 11 August 2023 though it is unclear when various provisions will come into force. The DPDP Act is likely to be implemented in a phased manner over a certain time period, and will be supplemented with rules issued by the Indian Government.
The DPDP Act is applicable when data fiduciaries (namely, persons who determine the purpose and means of processing of personal data) process digital personal data, where such personal data, capable of identifying an individual, is either collected in digital form or is digitised after it is collected non-digitally. Email addresses of individuals/ data principals would qualify as “personal data” and email marketing would qualify as ‘processing’ under the DPDP Act, thereby requiring data fiduciaries to comply with the privacy requirements set out in the DPDP Act. The requirements under the DPDP Act will not apply to publicly available personal data. The DPDP Act requires data fiduciaries to process personal data for a lawful purpose (namely, any purpose not expressly forbidden by law), in relation to which a specific opt-in consent (by way of a clear and itemised notice) has been taken from the concerned data principal. Further, the processing should be necessary for the specified purpose. The DPDP Act has introduced the concept of ‘legitimate uses’, prescribing a list of situations where the express consent of an individual is not required. This includes personal data provided voluntarily for specified purposes and there is no indication of the data principal’s objection to use such personal data for that purpose (among other things).
Prior to the enactment of the DPDP Act, consent for processing was only required for sensitive personal data and information (email addresses were not classified as “sensitive” personal data) and not all types of personal data. Once the relevant provisions of the DPDP Act are made effective, organisations will be required to revisit their grounds for processing to determine whether the processing can be justified as any ‘legitimate use’ or if consent will need to be obtained.
Additionally, data fiduciaries will have to be careful while processing personal data belonging to children/ persons with disability unable to give consent. Such processing would require verifiable consent from parents/ lawful guardians, and the processing cannot be used to track or monitor children, direct targeted advertising at them or cause a detrimental effect on their well-being.
Regulatory Authority
The following regulatory authorities are responsible for overseeing email marketing in their sectors:
Once the relevant provisions of the DPDP Act are brought into force, a Data Protection Board of India will be established to implement and enforce data protection requirements, and to act as the adjudicating authority.
2. Does this jurisdiction generally require opt-in consent or does including an opt- out mechanism satisfy requirements?
Opt-In Consent or Opt-Out Mechanism Requirements
Currently, Indian law generally does not require either opt-in consent or an opt-out mechanism, unless sector- specific consent rules apply (see Question 1).
However, Indian organizations commonly include an unsubscribe option in marketing emails as a best practice.
Once the relevant provisions of the DPDP Act are brought into force, specific opt-in consent of data principals will have to be taken by data fiduciaries. In this regard, a plain and clear request for consent will have to be accompanied by a notice informing data principals (among other things) of the specific purpose of processing their personal data (here, email marketing purposes). The notice has to be given in any of the 22 languages mentioned in the 8th schedule of the Constitution of India. The manner of the notice will be prescribed by the Indian Government by way of supplemental rules.
For processing that has been consented to before the DPDP Act comes into force, data fiduciaries will be required to give to data principals the above information, as soon as practicable.
The data principal’s opt-in consent must be free, specific, informed, unconditional and unambiguous. As stated earlier, in cases of personal data of children/ persons with disability unable to give consent, such consent must be gathered from parents or lawful guardians.
The DPDP Act also prescribes an opt-out mechanism by allowing data principals to withdraw their consent, after which data fiduciaries must cease processing such data (within a reasonable time) and erase the personal data from its records. The unsubscribe option in marketing emails would qualify as such an opt-out mechanism.
For a model opt-in consent clause, see Standard Clause, Email Marketing Consent and Disclosures (India).
3. What exceptions to the consent requirements exist, if any?
Exceptions to Consent Requirements
Currently, Indian law does not include any exceptions to the sector-specific consent requirements for email marketing.
However, the DPDP Act specifies a list of ‘legitimate uses’ for which an opt-in consent will not be required. This includes personal data provided voluntarily by data principals for specified purposes, where there is no indication of objection to use such personal data for that purpose (among other things). Further, the DPDP Act gives the Indian Government the power to exempt certain data fiduciaries (including startups), basis volume and nature of personal data processed, from the obligations of notice.
The Government can also, more broadly, exempt certain data fiduciaries for specific periods of time from certain specified obligations.
4. Do the requirements for business-to- business email marketing differ from business-to-consumer email marketing?
Business-to-Business vs Business-to- Consumer Email Marketing
No. India does not separately regulate business-to- business and business-to-consumer email marketing.
The DPDP Act only covers personal data (as opposed to non-personal data, such as organisational data). So, only email marketing to individuals or consumers will require compliance with requirements of the DPDP Act.
5. Must the email subject line meet any specific requirements?
Email Subject Line Requirements
No. Indian law does not impose any specific requirements for the subject lines of marketing emails.
6. Must the email body text or header information meet any specific requirements?
Email Content Requirements
Indian law does not impose any general requirements for marketing email content. However, sector-specific regulations for the insurance industry require:
(Regulation 25 and Schedule VII, Paragraph 7.2, IRDAI (Registration of Corporate Agents) Regulations, 2015 (in English starting on page 47) and Regulation 29 and Schedule VI, Form T, Paragraph 10, IRDAI (Insurance Web Aggregators) Regulations, 2017.)
They also require insurers and insurance intermediaries that send internet-based or electronic communications, including email, to:
(Regulation 9(2), IRDAI (Insurance Advertisements and Disclosure) Regulations, 2021 (in English starting on page 7).)
The Advertising Standards Council of India (ASCI) has published a Code for Self-Regulation that requires advertisements to be legal, decent, truthful, and not hazardous or harmful while observing fairness in competition. The ASCI is a self-regulatory council, not a government body, and compliance with its code is voluntary. While the code does not expressly address email marketing, its content standards would apply to advertising sent through emails.
Even when not legally required, it is best practice to include an unsubscribe option in the marketing emails.
For a set of model email disclosures, see Standard Clause, Email Marketing Consent and Disclosures (India).
7. What are the potential sanctions and remedies for non-compliance?
Sector-specific laws impose monetary penalties for non- compliance. These are as follow:
Authors: Deepa Christopher – Partner; Rebha Dakshini – Managing Associate
By browsing this website you agree that you are, of your own accord, seeking further information regarding TT&A. No part of this website should be construed as an advertisement of or solicitation for our professional services. No information provided on this shall be construed as legal advice.
Agree Disagree