A Q&A providing a high-level summary of email marketing (spam) compliance requirements in India. It addresses requirements for opt-in or opt-out consent, consent exceptions, email subject lines, email content, and unsubscribing. It also identifies relevant statutes, regulations, guidelines, regulatory authorities, sanctions, and remedies.

This Q&A only addresses personal data processing requirements or restrictions relevant to using email addresses to send marketing messages. It does not address personal data use for broader marketing purposes, such as targeting email content based on behavior or generated profiles.

Primary Legislation and Regulatory Authority

Primary Legislation

1. What primary legislation and regulatory authority governs email marketing activities?

India does not have a comprehensive law or regulatory authority governing email marketing activities.

However, certain industry-specific laws and regulations impose confidentiality requirements and restrict personal information uses, including for email addresses, in ways that may impact email marketing activities. These laws affect organizations operating in the:

• Banking. The Reserve Bank of India (RBI) issued the following guidelines for banks and non- bank financial services companies (NBFCs):
  • Master Circular on Customer Service in Banks (July 1, 2015) (Customer Service Circular), which prevents banks from cross-selling or using customer email addresses obtained for the purpose of know-your-customer (KYC) obligations for any other purpose; and
  • Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and Credit Card issuing non-banking financial services company (July 1, 2015) (Card Circular), which prohibits banks and NBFCs from using email addresses shared by customers for KYC checks, account opening, or issuing cards for email marketing purposes without the customer’s express consent.

• Insurance. The Insurance Regulatory and Development Authority of India (IRDAI) issued the Insurance Regulatory and Development Authority of India (Protection of Policyholders’ Interest) Regulations, 2017 (in English starting on page 15), which require insurers to keep customer information, including email addresses, confidential. Distance marketing regulations govern the solicitation and sale of insurance products and apply to email communications. However, these regulations primarily focus on voice, SMS, or website contact methods and do not set requirements specific to email-related distance marketing. Relevant regulations include:

• • IRDAI (Registration of Corporate Agents) Regulations, 2015 (in English starting on page 47), which concern distance marketing by corporate agents;
  • IRDAI (Insurance Web Aggregators) Regulations, 2017, which concern distance marketing by web aggregators;
  • IRDAI (Insurance Brokers) Regulations, 2018, which concern distance marketing by insurance brokers; and
  • IRDAI (Insurance Advertisements and Disclosure) Regulations, 2021 (in English starting on page 7), which govern insurance advertising and set specific requirements for advertising through electronic media (including emails), including requiring email communications to offer an unsubscribe option and forbidding an insurer or insurance intermediary from allowing third parties to distribute information about an insurance policy, insurer, or insurance intermediary through any mode or medium unless they meet certain requirements. For more on these regulations, see Question 6.

• Telecommunications Regulations from the Telecom Regulatory Authority of India (TRAI) require service providers to ensure user information’s privacy and confidentiality. Telecom service providers can use information about individuals for providing telecommunication services and for no other purpose, including email marketing purposes, unless the provider obtains specific consent. Relevant laws and regulations include the following:

• • Indian Telegraph Act, 1885;
  • Indian Wireless Telegraphy Act, 1933;
  • Telecom Regulatory Authority of India (TRAI) Act, 1997, the Telecom Regulatory Authority of India (Amendment) Act, 2000, and the Telecom Regulatory Authority of India (Amendment) Act, 2014 (together, the TRAI Act);
  • any directions the TRAI issues; and
  • terms of the unified license agreement, the standard form of which is available on the Department of Telecommunications website, along with any amendments to the unified license agreement.

Draft telecommunication bill. The Indian Government released the draft Indian Telecommunication Bill in September 2022 and has invited comments from stakeholders. The 2022 bill will replace the Indian Telegraph Act, 1885 and Indian Wireless Telegraphy Act, 1933. While the existing sector-specific laws and regulations primarily govern direct marketing activities through calls and text messages, the 2022 bill will also govern direct marketing activities through emails.

The 2022 bill will empower the Indian Government to prescribe measures for protection of users from “specified messages”. These include any message offering, advertising or promoting goods, services, interest in property and investment opportunities (among other things). Such measures can include:

• Requiring prior consent from users receiving certain messages.
• Preparation and maintenance of ‘Do Not Disturb’ registers.
• Developing a mechanism to report the receipt of specified messages.

Based on press reports, the authors understand that an updated version of the 2022 bill has been approved by the Indian Government which was to be introduced in Parliament in its monsoon session beginning from July 20, 2023. However, the draft was not introduced and it is currently unclear as to when it will be tabled before the Parliament.

Unsolicited commercial communication regulations. The Indian Government has issued the Telecom Commercial Communications Customer Preference Regulations, 2018 (UCC Regulations) under the TRAI Act which clarify that no commercial communication, including communications for advertising and soliciting business (among other things) will be sent to a recipient, unless the recipient has specified otherwise. The UCC Regulations currently only govern voice calls and communications sent through telegraph. However, they will apply to commercial communications that are sent through emails once the 2022 bill is implemented.

Sector-specific laws and regulations also govern direct marketing activities through calls and text messages. Laws related to marketing calls and text messages are outside the scope of this Q&A.

E-Commerce Rules

The Indian Government has issued the Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules) (in English starting on page 7) under the Consumer Protection Act, 2019 (Consumer Protection Act). While these rules do not directly address email marketing, they require every e-commerce entity to record a consumer’s consent for the purchase of any good or service offered on its platform if the consumer expresses consent through an explicit and affirmative action. Consent cannot be recorded automatically, including in the form of pre-ticked checkboxes.

Digital Personal Data Protection Act, 2023

India’s Supreme Court recognized the right to privacy as fundamental in 2017 and requested that India’s government enact a law to address this issue. In this regard, the Indian Government has been attempting to pass a comprehensive data protection law. Recently, the Digital Personal Data Protection Act, 2023 (DPDP Act) has been enacted on 11 August 2023 though it is unclear when various provisions will come into force. The DPDP Act is likely to be implemented in a phased manner over a certain time period, and will be supplemented with rules issued by the Indian Government.

The DPDP Act is applicable when data fiduciaries (namely, persons who determine the purpose and means of processing of personal data) process digital personal data, where such personal data, capable of identifying an individual, is either collected in digital form or is digitised after it is collected non-digitally. Email addresses of individuals/ data principals would qualify as “personal data” and email marketing would qualify as ‘processing’ under the DPDP Act, thereby requiring data fiduciaries to comply with the privacy requirements set out in the DPDP Act. The requirements under the DPDP Act will not apply to publicly available personal data. The DPDP Act requires data fiduciaries to process personal data for a lawful purpose (namely, any purpose not expressly forbidden by law), in relation to which a specific opt-in consent (by way of a clear and itemised notice) has been taken from the concerned data principal. Further, the processing should be necessary for the specified purpose. The DPDP Act has introduced the concept of ‘legitimate uses’, prescribing a list of situations where the express consent of an individual is not required. This includes personal data provided voluntarily for specified purposes and there is no indication of the data principal’s objection to use such personal data for that purpose (among other things).

Prior to the enactment of the DPDP Act, consent for processing was only required for sensitive personal data and information (email addresses were not classified as “sensitive” personal data) and not all types of personal data. Once the relevant provisions of the DPDP Act are made effective, organisations will be required to revisit their grounds for processing to determine whether the processing can be justified as any ‘legitimate use’ or if consent will need to be obtained.

Additionally, data fiduciaries will have to be careful while processing personal data belonging to children/ persons with disability unable to give consent. Such processing would require verifiable consent from parents/ lawful guardians, and the processing cannot be used to track or monitor children, direct targeted advertising at them or cause a detrimental effect on their well-being.

Regulatory Authority

The following regulatory authorities are responsible for overseeing email marketing in their sectors:

• Banking and Financial Services. Reserve Bank of India (RBI).
• Insurance. Insurance Regulatory and Development Authority of India (IRDAI).
• Telecommunications. Telecom Regulatory Authority of India (TRAI).

Once the relevant provisions of the DPDP Act are brought into force, a Data Protection Board of India will be established to implement and enforce data protection requirements, and to act as the adjudicating authority.

Unsolicited Email Marketing Requirements Summary

2. Does this jurisdiction generally require opt-in consent or does including an opt- out mechanism satisfy requirements?

Opt-In Consent or Opt-Out Mechanism Requirements

Currently, Indian law generally does not require either opt-in consent or an opt-out mechanism, unless sector- specific consent rules apply (see Question 1).

However, Indian organizations commonly include an unsubscribe option in marketing emails as a best practice.

Once the relevant provisions of the DPDP Act are brought into force, specific opt-in consent of data principals will have to be taken by data fiduciaries. In this regard, a plain and clear request for consent will have to be accompanied by a notice informing data principals (among other things) of the specific purpose of processing their personal data (here, email marketing purposes). The notice has to be given in any of the 22 languages mentioned in the 8th schedule of the Constitution of India. The manner of the notice will be prescribed by the Indian Government by way of supplemental rules.

For processing that has been consented to before the DPDP Act comes into force, data fiduciaries will be required to give to data principals the above information, as soon as practicable.

The data principal’s opt-in consent must be free, specific, informed, unconditional and unambiguous. As stated earlier, in cases of personal data of children/ persons with disability unable to give consent, such consent must be gathered from parents or lawful guardians.

The DPDP Act also prescribes an opt-out mechanism by allowing data principals to withdraw their consent, after which data fiduciaries must cease processing such data (within a reasonable time) and erase the personal data from its records. The unsubscribe option in marketing emails would qualify as such an opt-out mechanism.

For a model opt-in consent clause, see Standard Clause, Email Marketing Consent and Disclosures (India).

3. What exceptions to the consent requirements exist, if any?

Exceptions to Consent Requirements

Currently, Indian law does not include any exceptions to the sector-specific consent requirements for email marketing.

However, the DPDP Act specifies a list of ‘legitimate uses’ for which an opt-in consent will not be required. This includes personal data provided voluntarily by data principals for specified purposes, where there is no indication of objection to use such personal data for that purpose (among other things). Further, the DPDP Act gives the Indian Government the power to exempt certain data fiduciaries (including startups), basis volume and nature of personal data processed, from the obligations of notice.

The Government can also, more broadly, exempt certain data fiduciaries for specific periods of time from certain specified obligations.

4. Do the requirements for business-to- business email marketing differ from business-to-consumer email marketing?

Business-to-Business vs Business-to- Consumer Email Marketing

No. India does not separately regulate business-to- business and business-to-consumer email marketing.

The DPDP Act only covers personal data (as opposed to non-personal data, such as organisational data). So, only email marketing to individuals or consumers will require compliance with requirements of the DPDP Act.

5. Must the email subject line meet any specific requirements?

Email Subject Line Requirements

No. Indian law does not impose any specific requirements for the subject lines of marketing emails.

6. Must the email body text or header information meet any specific requirements?

Email Content Requirements

Indian law does not impose any general requirements for marketing email content. However, sector-specific regulations for the insurance industry require:

• Communications sent by insurance intermediaries such as corporate agents and web aggregators to:
  • identify the intermediary and the insurer; and
  • state that the purpose of the communication is solicitation of insurance.
• Insurance intermediaries to provide a prospect the option to exit the page at every stage while selling products through distance marketing.

(Regulation 25 and Schedule VII, Paragraph 7.2, IRDAI (Registration of Corporate Agents) Regulations, 2015 (in English starting on page 47) and Regulation 29 and Schedule VI, Form T, Paragraph 10, IRDAI (Insurance Web Aggregators) Regulations, 2017.)

They also require insurers and insurance intermediaries that send internet-based or electronic communications, including email, to:

• Ensure that recipients can view the full text of:
  • relevant key features;
  • coverage and exclusions;
  • relevant terms and conditions; and
  • any other applicable risk information.
• Provide that disclosure information in a clear and salient manner, not hidden in the body of the text.
• Make the disclosure easily obtainable before offering any application or proposal form.
• Provide email recipients an option to unsubscribe from the mailing list.

(Regulation 9(2), IRDAI (Insurance Advertisements and Disclosure) Regulations, 2021 (in English starting on page 7).)

The Advertising Standards Council of India (ASCI) has published a Code for Self-Regulation that requires advertisements to be legal, decent, truthful, and not hazardous or harmful while observing fairness in competition. The ASCI is a self-regulatory council, not a government body, and compliance with its code is voluntary. While the code does not expressly address email marketing, its content standards would apply to advertising sent through emails.

Even when not legally required, it is best practice to include an unsubscribe option in the marketing emails.

For a set of model email disclosures, see Standard Clause, Email Marketing Consent and Disclosures (India).

Sanctions and Remedies

7. What are the potential sanctions and remedies for non-compliance?

Sector-specific laws impose monetary penalties for non- compliance. These are as follow:

• Banking and financial services:
  • the Banking Regulation Act, 1949 imposes fines up to INR10,000,000 or twice the amount involved in the violation (where the amount is quantifiable) for violations of the Reserve Bank of India’s (RBI) directives (Section 46(4), Banking Regulation Act). If the violation is a continuing one, the Act imposes a further fine of up to INR100,000 for each day that the violation continues (Section 46(4), Banking Regulation Act); and

• • the Reserve Bank of India Act, 1934 imposes fines up to INR100,000 for violations of the RBI’s directives (Section 58B(6), Reserve Bank of India Act). If the contravention or default is a continuing one, the RBI can impose a further fine of up to INR10,000 for each day that the contravention or default continues.

• Insurance. Violations of the Insurance Act, 1938 are subject to a fine that is the lesser of:
  • INR100,000 for each day during which a person fails to comply with the Insurance Regulatory and Development Authority’s directives; or
  • INR10,000,000. (Section 102, Insurance Act.)

• Telecommunications:
  • the Indian Telegraph Act, 1885 provides for fines of up to INR1000 for license holders that violate any condition of their The Act imposes further fines up to INR500 for every week during which the violation continues. (Section 20A, Indian Telegraph Act);
  • the Indian Wireless Telegraphy Act, 1933 provides for penalties between INR100 and INR1000, depending on the offense (Offense and Penalty Sections 6(1) and (1A), Indian Wireless Telegraphy Act); and
  • the Telecom Regulatory Authority of India (TRAI) Act, 1997 provides penalties up to INR100,000 for violating Telecom Regulatory Authority directives. Subsequent offenses can result in fines up to INR200,000. Continuing offenses can result in additional fines up to INR200,000 per day while the violation continues. (Section 29, TRAI Act.).
• Data protection and privacy laws:
  • the Digital Personal Data Protection Act, 2023 provides for fines of up to INR50,00,00,000 for general non-compliance of the DPDP Act and up to INR250,00,00,000 for breach by a data fiduciary to take reasonable safeguards to prevent a personal data breach. (Section 33(1) read with the Schedule, DPDP Act).

Authors: Deepa Christopher – Partner; Rebha Dakshini – Managing Associate and Anindita Dutta – Associate