SMS Guidelines, Regulations & DLT Compliance

1. Regulatory Framework

2. Regulatory Framework

India has one of the world's most structured and technologically sophisticated commercial SMS regulatory ecosystems. At its core is the TCCCPR 2018 — a blockchain-powered framework that governs every commercial message sent to an Indian mobile subscriber. Understanding this multi-layer framework is essential before a single SMS is sent.

2.1 TRAI — Telecom Regulatory Authority of India

The Telecom Regulatory Authority of India (TRAI), established under the TRAI Act 1997, is the apex regulatory authority for telecommunications in India. TRAI issues regulations, directions, and orders governing A2P SMS and commercial communications. Its key instrument for SMS compliance is the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), first enacted in 2018 and significantly amended in February 2025

Reference: TRAI Official Website | TRAI TCCCPR Page

2.2 TCCCPR 2018 — The Core Framework (Amended February 12, 2025)

The Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018 were notified on July 19, 2018 and came into full force on February 28, 2019. They superseded the earlier TCCCPR 2010. The TCCCPR 2018 is India's primary legal instrument for regulating commercial SMS and voice communications and is notable globally for being the first telecom regulatory framework in the world to deploy blockchain technology (Distributed Ledger Technology / DLT) for commercial communication governance.

The regulations serve a dual purpose: protecting consumers from Unsolicited Commercial Communications (UCC / spam), while enabling legitimate businesses to communicate with customers who have consented or set appropriate preferences.

Key milestones in TCCCPR evolution:

1. July 19, 2018: TCCCPR 2018 notified — mandated DLT adoption, Sender/Principal Entity registration, template whitelisting.

• February 28, 2019: Full enforcement commenced.

• November 2020: Mandatory DLT registration deadline for all entities sending commercial SMS.

• February 1, 2021: Template scrubbing fully enforced — unregistered templates blocked at the network level.

• October 1, 2024: CTA (Call-to-Action) Whitelisting and Variable Tagging mandated — all URLs/links in messages must be pre-approved; all template variables must be pre-tagged.

• February 12, 2025: Major amendments — new message category suffix system (-P, -S, -T, -G), Service Explicit category discontinued, stricter UCC complaint mechanisms, biometric authentication added to registration, honeypot deployment mandated.

• May 6, 2025: Header suffix rule effective — all SMS headers automatically carry -P, -S, -T, or -G suffix appended by TSPs during DLT scrubbing.

Reference: TCCCPR 2018 Original Text (TRAI) | TCCCPR 2025 Amendment — Official Gazette

2.3 DLT — The Blockchain Engine Powering India's SMS Ecosystem

Distributed Ledger Technology (DLT) is the blockchain-based platform that underpins all domestic A2P SMS in India. Every entity that sends commercial SMS in India — whether a bank, e-commerce company, hospital, or startup — must be registered on a DLT platform operated by one of the authorised Indian telecom operators. The DLT platform:

• Records all Principal Entity (PE) registrations and unique Entity IDs

• Maintains a centralised registry of all approved SMS Headers (Sender IDs)

• Maintains a registry of all approved Content Templates and Consent Templates

• Runs real-time scrubbing of every outgoing commercial SMS against DND preferences, approved headers, and approved templates

• Synchronises data across all operator DLT platforms — so registering once covers all networks

• Records consumer consent for promotional communications

• Tracks complaints and enforces blacklisting of violators

As of early 2025, the DLT ecosystem includes approximately 250,000+ registered Principal Entities, 600,000+ registered Headers, and over 55 million approved message templates.

2.4 Digital Personal Data Protection Act, 2023 (DPDP Act)

The Digital Personal Data Protection Act, 2023 (DPDP Act), enacted on August 11, 2023, is India's first comprehensive privacy statute. While its substantive enforcement provisions are still being operationalised (the Data Protection Board of India is yet to be constituted as of early 2026, and the Draft DPDP Rules 2025 are under public consultation), businesses should prepare for full enforcement imminently.

For SMS specifically, the DPDP Act overlays additional consent obligations on top of TCCCPR:

• Granular Consent: Phone numbers (personal data) may only be used for marketing SMS with specific, informed, freely given, unconditional, and unambiguous consent. Blanket or bundled consent (e.g., a general T&Cs checkbox) is no longer sufficient.

• Purpose Limitation: Consent obtained for one purpose (e.g., e-commerce delivery alerts) cannot be repurposed for promotional SMS without fresh consent.

• Right to Withdraw: Subscribers may withdraw consent at any time; withdrawal must be as easy as granting consent.

• Data Fiduciary Obligations: Businesses processing phone numbers for SMS are 'Data Fiduciaries' with obligations including data minimisation, accuracy, security, and deletion upon purpose completion.

• Consent Managers: A new institutional category — registered Consent Managers — will manage subscriber consent across platforms.

• Extraterritorial Scope: The DPDP Act applies to any entity outside India that processes personal data of Indian citizens in connection with offering goods or services in India.

• Penalties under DPDP Act: Up to ₹50 crore (~USD $6 million) per instance for processing data without valid consent; up to ₹250 crore (~USD $30 million) per incident for data breaches.

Reference: DPDP Act 2023 — Full Text (MeitY) | Draft DPDP Rules 2025

2.5 Other Applicable Legislation

• Telecom Act, 2023: The new Telecommunications Act (replacing the Telegraph Act, 1885) reinforces powers around subscriber data, interception, and commercial communications.

• IT Act, 2000 (Sections 43A & 72A): Currently the operative data protection law pending DPDP Act enforcement — imposes liability for breach of sensitive personal data.

• Consumer Protection Act, 2019 & CCPA Guidelines (2023): Prohibit 'dark patterns' in digital consent collection. Directly relevant to opt-in flows and subscription traps in SMS marketing.

1. RBI Circular on Digital Payment Security Controls (2021): For banking/fintech entities — mandates specific standards for OTP and transactional SMS delivery.

• SEBI Circular on Investor Communication: Securities-related SMS must comply with SEBI guidelines in addition to TCCCPR.

Reference: Telecom Act 2023 (DoT) | TRAI TCCCPR Full Resource Page

3. Two Delivery Routes: Domestic vs International

India offers two fundamentally different SMS delivery routes for businesses, each with distinct requirements, capabilities, and trade-offs. Understanding which route is right for your use case is the most important decision before you begin.

4. DLT Registration — The Complete Step-by-Step Process

4.1  DLT Platforms — Choose One, Covers All

TRAI authorises major Indian telecom operators to host DLT platforms. You only need to register on ONE platform — all DLT platforms are synchronised with each other, so your Entity ID, Headers, and Templates are automatically available across all operators' networks.

4.2 Stage 1: Principal Entity (PE) Registration

The Principal Entity (PE) is your company or organisation — the legal entity that authorises commercial SMS to be sent on its behalf. Registering as a PE is the foundation of the entire process. Upon approval, you receive a unique PE ID (Entity ID) that must be passed in the message payload of every SMS you send.

Registration Types:

• Enterprise (Principal Entity): For any company, institution, or individual that wants to send SMS to its own customers. This is what most businesses register as
• Telemarketer: For SMS aggregators, resellers, and CPaaS providers that transmit commercial SMS on behalf of other businesses. If you are a CPaaS platform, you register as a Telemarketer (or both).

Documents Required for PE Registration:

• PAN Card: Business PAN card (mandatory — primary KYC document)
• GST Certificate: GSTIN (GST Identification Number) certificate
• Business Registration: Certificate of Incorporation (for companies) / Partnership Deed / Shop & Establishment Certificate / any valid business licence
• Authorized Signatory PAN & Aadhaar: KYC documents of the person signing on behalf of the entity
• Letter of Authorization: On company letterhead, authorising the signatory to register on behalf of the company
• Valid Business Email ID and Mobile Number: Used for OTP verification and communication
• 2025 Amendment — Biometric Authentication: The February 2025 TCCCPR amendments mandate physical verification and biometric authentication (Aadhaar-based OTP or biometric) for all new registrations. This applies to both PE and Telemarketer registrations

Registration Fee:

• PE Registration: ₹5,900 (inclusive of GST) — one-time fee. This is the standard fee across Airtel, Jio, Vodafone Idea, and most other operators.
• BSNL: ₹3,300 (inclusive of GST) — slightly lower
• Business Registration: Certificate of Incorporation (for companies) / Partnership Deed / Shop & Establishment Certificate / any valid business licence

Approval Timeline:

Entity approval typically takes 24–72 working hours if all documents are correct and complete. Common reasons for delay include mismatches between company name and PAN card, unclear document scans, or missing authorisation letters.

4.3  Stage 2: Header (Sender ID) Registration

A Header (formerly called Sender ID, now officially termed 'Header' in TRAI regulations) is the unique 6-character alphanumeric identifier that appears as the 'from' name on the recipient's phone. It must represent your brand name or service.

Header Format Rules:

• Length: Exactly 6 characters for transactional/service headers
• Case: Uppercase alphabetic (A–Z) only — no numbers in the 6-char header itself (numbers appear in the operator prefix)
• Brand Relevance: The header must be clearly identifiable as your brand or service. Generic headers (e.g., ALERTS, NOTICE, UPDATE) are rejected
• Uniqueness: A uniqueness check is enforced — if another entity already has your desired header, you must choose a different one
• Supporting Document: If the header doesn't obviously correlate with your company name, upload a document proving the relationship (trademark certificate, brand guidelines, etc.)

Header Types (Pre-2025 Amendment Classification):

May 2025 Update — Header Suffix System:

From May 6, 2025 (per TCCCPR 2025 Amendment), all SMS headers automatically carry a suffix appended by the telecom operator during DLT scrubbing, indicating the message category. Businesses do NOT need to change anything — this is applied automatically by the TSP.

Header Fee:

• Sender ID/Header Registration: ₹590 per header per year — annual renewal required.

• Additional headers for the same entity cost the same annual rate.

Header Approval Timeline: ‍

Header approval typically takes 1–3 working days. Unused headers (no traffic for 90 days) are automatically deactivated by operators and must be re-registered.

4.4  Stage 3: Content Template Registration

Every single SMS you intend to send must match a pre-approved Content Template registered on the DLT platform. This is non-negotiable. A message that doesn't match an approved template is silently blocked at the network level. There is no error message; the SMS simply disappears.

Template Categories:

Template Formatting Rules:

• Brand Name Required: Every template must include your brand name (complete business name, brand name, or trademark) in the content field. This is mandatory.

• Variables (Placeholders): Dynamic content (OTP codes, names, amounts, order IDs, dates, tracking numbers) is represented by the placeholder {#var#} in templates. A maximum of 5–6 variables is allowed per template. Variables must be pre-tagged by purpose (since October 1, 2024).

• Variable Tagging (October 1, 2024 Mandate): Each variable must be tagged according to its type — e.g., OTP, amount, account number, date. This prevents misuse of open-ended variables to inject spam content. Variables can only carry the specific data type for which they're tagged.

• Template ID: Each approved template gets a unique Template ID that must be passed in the message payload alongside the PE ID.

• Template Ownership: Once approved, the entity retains ownership of that template across all DLT platforms.

• Template Registration Cost: Free — there is no charge for registering content templates.

• Template Approval Time: 1–3 working days.

Template Example:

4.5 Stage 4: CTA Whitelisting (Mandatory Since October 1, 2024)

Effective October 1, 2024, all Call-to-Action (CTA) elements in SMS templates — including URLs, app download links (APKs), OTT platform links, and any clickable content — must be pre-whitelisted on the DLT platform before they can be included in messages. Any message containing a non-whitelisted URL is automatically scrubbed (blocked) during delivery.

CTA Whitelisting Rules:

• Mandatory Pre-Approval: Every URL, app link, or OTT link intended for use in SMS must be submitted and approved via the DLT platform before use.

• No Public URL Shorteners: Shortened URLs (bit.ly, tinyurl, etc.) are blocked. Use full branded URLs or dedicated branded short domains.

• Domain Ownership Proof: You must demonstrate ownership or authorised use of the URL/domain you wish to whitelist.

• Scope: Covers all URLs, APK download links, OTT links (WhatsApp, Telegram, etc.) — any clickable or callable element.

• Existing Templates: All previously approved templates containing URLs must be updated and the URLs whitelisted — retroactively applied.

4.6 Stage 5: PE-TM Binding (Linking Your Provider)

The final step before you can send via a Telemarketer (your SMS provider/CPaaS platform) is the PE-TM (Principal Entity – Telemarketer) Binding. This creates a formal, DLT-recorded relationship between your entity and your chosen provider, authorising them to send messages on your behalf.

• Log in to your DLT account after PE registration is complete.

• Navigate to 'Telemarketer Request' or equivalent section.

• Search for your SMS provider/CPaaS by their registered Telemarketer ID (your provider will give you this ID). Add them and submit the binding request.

• The Telemarketer must accept the binding request from their side.

• Once bound, your provider can transmit messages using your registered headers and templates.

• TCCCPR 2025 Restriction: The maximum number of intermediaries between the Principal Entity and the end Telemarketer is now limited (typically one aggregator between PE and final TSP), to ensure full traceability of messages.

4.7  DLT Registration Costs Summary

4.8  Typical DLT Registration Timeline

5. Message Categories, DND, and Time Restrictions

5.1  The Four Message Categories (Post-May 2025)

Every commercial SMS in India must be classified into one of four categories. This classification determines: whether the message bypasses DND, when it can be sent, and what consent is required.

5.2  DND — Do Not Disturb Registry

The National Do Not Disturb (DND) Registry (also called the National Customer Preference Register / NCPR) is managed by TRAI and maintained by all telecom operators. Subscribers can register to block all commercial communications or selectively block by category (financial, real estate, education, health, etc.).

DND has several levels:

• Fully Blocked: All commercial communications blocked, except Transactional, Service Implicit, and Government messages.

• Partially Blocked: Subscriber allows certain promotional categories. E.g., 'Receive only banking and healthcare promotions.' The DLT scrubbing system checks the promotional category tag in your template against the subscriber's allowed preferences.

• Not on DND: All commercial communications permitted, subject to time window restrictions for promotional messages.

DLT scrubbing runs in real-time against the DND registry for every outgoing message. Promotional messages to fully blocked numbers are silently dropped. There is no error — the message is simply not delivered.

5.3 Promotional SMS — Time Restriction

5.4  Digital Consent Acquisition (DCA)

The DCA facility, mandated by TRAI (Direction issued June 2, 2023), enables businesses to digitally register customer consent for receiving promotional communications. The process:

1. Business creates and submits a Consent Template on the DLT platform (distinct from Content Templates).

2. Customer is presented with the consent request (web, app, IVR, or in-person).

3. Customer verifies consent via OTP (triggered through the telecom operator).

4. Consent is recorded on the DLT Consent Register, linked to the subscriber's mobile number.

5. Business can then send promotional messages to that subscriber regardless of DND status.

Note: Consent via DCA is valid for 12 months from approval date and must be renewed. TRAI acknowledged in 2025 that many businesses find the DCA process restrictive and alternatives are being explored.

6. How SMS Headers Appear to Recipients

Understanding the full structure of an SMS header as it appears on a recipient's phone is important for managing customer expectations and for correctly structuring your Sender ID registration.

The two-letter operator+circle code (e.g., VM = Vodafone Mumbai, JB = Jio Bangalore, AD = Airtel Delhi) is automatically prepended by the carrier. Businesses do not control this prefix. If a subscriber moves from one circle or operator to another (using MNP), the prefix changes accordingly.

7. Consent Requirements

Consent requirements in India differ by message category. The most restrictive rules apply to promotional messages; transactional messages require the least formality.

7.1  Opt-Out Requirements

• STOP / UNSUBSCRIBE: All promotional SMS campaigns must offer and honour opt-out. Standard opt-out keyword is STOP (or START to re-subscribe).

• Mandatory Opt-Out Mechanism (2025 Amendment): Telecom operators are now required to include a mandatory opt-out option in promotional messages (e.g., 'Reply STOP to opt out'). This is becoming a required element of all promotional templates.

• 90-Day Re-Contact Rule: After a subscriber opts out, you may NOT send them a consent acquisition request for 90 days from the opt-out date.

• 1909 Short Code: Subscribers can report spam to their operator by SMSing to 1909 or calling 1909. Complaints can be filed within 7 days of receiving the spam message (extended from 3 days in 2025 amendment).

• TRAI DND App: Subscribers can also report spam via the TRAI DND mobile app.

8. Content Restrictions

8.1  Absolutely Prohibited Content

• Firearms — promotion, sale, or instruction related to weapons

• Gambling — any form, including online casinos, lottery, fantasy sports with financial stakes

• Adult / sexually explicit content

• Money / loan schemes — payday loans, unregulated lending, debt collection with threats

• Political content or election campaign messaging

• Religious content — proselytising or faith-based solicitation

• Controlled substances — narcotics, cannabis, vaping

• Alcohol — promotion of alcoholic beverages to the general public

• Phishing and fraud — impersonation, false Sender IDs, misleading content

• Spam — bulk unsolicited messages with no registered consent or DLT approval

• P2P traffic via A2P paths — routing personal communications through commercial channels to evade DLT

• Grey route / unauthorised routing — using SIM boxes or unregistered telemarketers to bypass DLT

• OTPs or bank-branded messages sent by non-bank entities impersonating financial institutions

8.2  URL and Link Restrictions

8.3  OTP-Specific Rules

• OTP messages must be sent via the Transactional (-T) category

• OTP messages must match a registered Transactional template

• OTP template must include the brand name

• OTP codes must be in a tagged {#var#} variable of type 'OTP'

• OTP validity and instruction ('Do not share') strongly recommended

• No promotional content may be mixed into OTP messages — this reclassifies the message as Promotional and subjects it to DND/time restrictions

• For banking OTPs: RBI mandates additional security standards (no clickable links in OTP messages per RBI advisory)

8.4  Financial Sector (BFSI) — Additional Rules

• RBI Guidelines: OTP messages for banking and payment authentication must comply with RBI's Digital Payment Security Controls. No URLs in banking OTP messages.

• SEBI: Capital market communications (trade alerts, portfolio updates) must comply with SEBI circular requirements on investor communication.

• IRDAI: Insurance-related SMS must comply with IRDAI communication guidelines.

• No Fake Bank Headers: Impersonating a bank's Sender ID is a criminal offence under the IT Act and IPC in addition to TCCCPR violations.

9. Message Encoding & Character Limits

10. Carrier Landscape

India has five major telecom operators (TSPs) serving over 1.18 billion mobile subscribers. Number Portability (MNP) is fully operational — subscribers can move between operators while retaining their number. The DLT platform automatically routes messages to the correct operator after portability.

11. Sending Best Practices

• Always Include PE ID and Template ID in Message Payload: Both must be passed as parameters in your SMS API request for every message. Without them, messages fail DLT scrubbing.

• Respect the Promotional Window: 10:00 AM – 9:00 PM IST strictly. Schedule campaigns to ensure even if API submission is at 8:55 PM, delivery completes before 9:00 PM.

• Never Mix Promotional and Transactional Content: A single promotional sentence in a service/transactional message reclassifies the entire message as Promotional — triggering DND checks and time restrictions.

• Use Full URLs Only: All URLs must be CTA-whitelisted and full-length. No public shorteners. This is now a hard network-level block.

• Maintain Header Activity: Headers unused for 90 days are automatically deactivated. Ensure at least minimal traffic to preserve active headers, or proactively renew before dormancy.

• Double Opt-In for Marketing Lists: Implement a confirmation step after initial opt-in. Send a confirmation SMS and activate the subscriber only when they respond affirmatively.

• Store Consent Records: Maintain records of how and when each subscriber opted in, including channel, timestamp, opt-in wording, and any supporting evidence. Under the DPDP Act (when enforced), you will need to prove consent.

• Include Opt-Out in Every Promotional Message: 'Reply STOP to opt out' or similar. Honour opt-outs immediately.

• Test Templates Before Mass Campaigns: Send test messages to your own numbers before launching a large campaign to verify correct template matching and formatting.

• Do Not Use Grey Routes: SIM-box routing and unregistered telemarketers are actively detected by TRAI's AI/ML systems and honeypots. Penalties include immediate disconnection and blacklisting.

• Indian Language Messages: Use UCS-2 encoding for regional language content. Templates containing Indian script must be registered in the correct encoding.

• Review Templates After Regulatory Updates: TRAI updates regulations frequently. Template categories, variable rules, and CTA requirements have all changed since 2021. Audit your template library after every major TRAI announcement.

12. Penalties for Non-Compliance

13. Pre-Launch India SMS Compliance Checklist

DLT Registration — Domestic Route

• [ ] Determined which delivery route to use: Domestic (DLT) or International (ILDO)

• [ ] Selected DLT platform (Airtel, Jio, Vi, BSNL, Tata, or SmartPing)

• [ ] Completed Principal Entity (PE) registration with all KYC documents

• [ ] Received and recorded unique PE ID (Principal Entity ID)

• [ ] Biometric/Aadhaar OTP verification completed (per 2025 amendment)

• [ ] All SMS Headers (Sender IDs) registered — 6-char brand-relevant headers for transactional/service, numeric for promotional

• [ ] All Content Templates registered — correct category (Transactional / Service / Promotional / Government)

• [ ] Brand name included in every content template

• [ ] All variables in templates pre-tagged by type (OTP, amount, name, date, etc.) per Oct 1, 2024 mandate

• [ ] All URLs in templates CTA-whitelisted on DLT platform (Oct 1, 2024 mandate)

• [ ] No public URL shorteners used in any template

• [ ] PE ID and Template ID integration confirmed with SMS provider API

• [ ] PE-TM Binding completed with your SMS provider / CPaaS platform

Message Categories & DND

• [ ] Every message type correctly categorised: Transactional (-T) / Service (-S) / Promotional (-P) / Government (-G)

• [ ] Promotional messages scheduled to send only between 10:00 AM – 9:00 PM IST

• [ ] No promotional content mixed into Transactional or Service templates

• [ ] DND scrubbing confirmed active for promotional campaigns

• [ ] Explicit Digital Consent (DCA) process set up if sending promotional to DND subscribers

Consent & Opt-Out

• [ ] Opt-in consent mechanism in place for all marketing recipients

• [ ] Consent records stored with timestamp, channel, wording, and phone number

• [ ] STOP / opt-out keyword response configured

• [ ] Opt-out instruction included in every promotional message

• [ ] 90-day re-contact restriction programmed for opted-out numbers

Content & Legal

• [ ] Prohibited content review completed: no gambling, adult, political, religious, firearms, alcohol, cannabis content

• [ ] OTP messages contain only OTP code, brand name, and validity — no promotional content

• [ ] Banking/fintech OTP messages comply with RBI Digital Payment Security Controls

• [ ] DPDP Act compliance plan in place — ready for enforcement

• [ ] Legal counsel with India telecom/privacy expertise has reviewed the programme

14. Authoritative Sources & References

14.1 TRAI — Official Regulatory Sources

• TRAI Official Website

• TRAI — TCCCPR Regulation Page

• TCCCPR 2018 — Original Regulation Text (PDF)

• TCCCPR 2025 Amendment — Official Regulation (PDF)

• TRAI Press Release — 2025 TCCCPR Amendment (PIB)

• TRAI Press Release — DLT Implementation Status

• TRAI TCCCPR 2025 Latest Update (PIB)

14.2 DLT Platform Links

• Airtel DLT Connect

• Jio TrueConnect DLT

• Vodafone Idea VILPOWER

• BSNL DLT Platform

• MTNL DLT Platform

• Tata Teleservices DLT

• Videocon / SmartPing DLT

14.3 Primary Legislation

• Digital Personal Data Protection Act, 2023 — Full Text (MeitY)

• DPDP Act — PRS India Legislative Summary

• Telecommunications Act, 2023 (DoT)

• IT Act 2000 (MeitY)

14.4 Spam Reporting

• Sanchar Saathi — Fraud Reporting (DoT Chakshu Platform)

• TRAI DND App / 1909 Short Code — UCC Complaint Portal

14.5 Legal & Regulatory Analysis

• ICLG — Data Protection Laws India 2025–2026 (AZB & Partners)

• Sigma Chambers — 2025 TCCCPR Amendment Analysis

• Talk-Q — India SMS Messaging Regulations 2025 Complete Guide

• DPDP Act and Telemarketing — Impact Analysis