Calls grow for tougher regulations on WhatsApp, Telegram as spam threatens brand safety
From a consumer protection and brand liability standpoint, OTT communication apps including WhatsApp and Telegram have transformed into an unpredictable and high-risk communication space.
ADVERTISEMENT
While telecommunications companies, including Reliance Jio, Airtel, and Vodafone Idea, continue to call for stricter oversight on OTT communication platforms like WhatsApp and Telegram to curb fraud and unsolicited communication, the advertising industry too has sounded the alarm due to the risk to the brand safety.
The Consumer Protection (E-Commerce) Rules, 2020, require fair business practices, yet WhatsApp Business API users overwhelm users with marketing messages, often with minimal opt-in controls. As more users block businesses on WhatsApp and Telegram, eroding trust in these platforms as communication channels, brand reputations are also said to be equally at risk.
The increase in spam-related activities on OTT communication apps like WhatsApp and Telegram presents a major regulatory loophole. Unlike traditional telecom services that are governed by the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, these OTT platforms operate in a gray area.
"While they provide communication services similar to telecom operators, they are not classified as telecom service providers (TSPs) under the Indian Telegraph Act, 1885 and hence evade the stringent anti-spam obligations imposed on telcos," points out Sonam Chandwani, Managing Partner KS Legal & Associates.
This legal vacuum allows businesses and bad actors alike to exploit WhatsApp and Telegram for mass messaging, fraud, phishing, and unsolicited marketing—without fear of regulatory consequences. This is especially alarming given that these platforms handle personally identifiable information, yet are not subject to sector-specific telecom compliance requirements.
With the Digital Personal Data Protection Act, 2023 (DPDP Act) in force, the question arises that should OTT apps also be held accountable for data misuse, given their involvement in mass communication and spam proliferation?
According to Chandwani, from a consumer protection and brand liability standpoint, WhatsApp has transformed into an unpredictable and high-risk communication space.
"Users are blocking businesses not because of the brand itself, but because they have lost trust in WhatsApp as a communication channel. This damages the reliability of direct consumer engagement, making it harder for brands to operate within legitimate parameters."
From a contractual liability perspective, the absence of adequate safeguards by WhatsApp exposes businesses using its API to risks such as data breaches, fraud allegations, and potential violations of consumer rights.
"If WhatsApp does not implement a more rigorous spam-prevention mechanism, brands will continue to face diminishing ROI on their marketing investments and regulatory scrutiny under the DPDP Act," she remarks.
In the current business landscape, Unsolicited Commercial Communications (UCC) from companies have proliferated significantly. These spam communications yield minimal or no benefits for both the sending organisations and recipients. The public interest is expected to be served better with the advent of the Telecom Commercial Communications Customer Preference (2nd amendment), Regulations, 2025 (TCCCPR) in order to protect citizens’ right to privacy, according to Ruby Singh Ahuja, Senior Partner at Karanjawala & Co.
She believes that the telcos should focus on developing innovative marketing and advertising strategies that respect consumer preferences and privacy, rather than burdening the consumers with UCC.
The Loophole In Regulations
The Competition Commission of India (CCI), in Vinod Kumar Gupta vs. WhatsApp Inc. noted that instant messaging apps operate in a different market from traditional telecom services due to fundamental differences in technology and functionalities. Furthermore, TRAI’s own approach suggests that it does not consider OTT communication apps to fall within its direct regulatory ambit.
"Given this, the question of TRAI implementing a regulatory framework for OTT apps does not naturally arise. Any regulation of OTT communication services would likely fall under the purview of the Ministry of Electronics and Information Technology (MeitY), not TRAI," points out Sumeysh Srivastava, Associate Director, The Quantum Hub (TQH) - a public policy firm.
Currently, there is no dedicated legal framework in India that specifically addresses unsolicited messages or spam on OTT communication apps. The IT Act, 2000, and the IT Rules, 2021, govern intermediaries like WhatsApp and Telegram, requiring them to set up grievance redressal mechanisms, but these are primarily for addressing violations related to harmful content, not generic spam.
Private telecom operators have rightly opposed TRAI’s recent spam-control regulations, arguing that OTT apps like WhatsApp and Telegram continue to evade regulatory accountability. The same has also led to an anti-competitive scenario, where telecos are overburdened with compliance costs, while OTT apps operate unchecked.
Telecom operators argue that while TSPs are subject to strict UCC regulations under the TCCCPR, no equivalent framework applies to OTT communication service providers.
One of the reasons, according to Chandwani, why TRAI must regulate OTT communication apps, is due to regulatory arbitrage and unfair burden on telcos. Under the current regulatory framework, telcos are forced to filter and verify bulk messages under TRAI’s regulations, while WhatsApp and Telegram allow mass messaging with zero compliance requirements. This creates an uneven regulatory playing field.
While telecos require Aadhaar-based KYC for new connections, WhatsApp allows anyone with a phone number to send bulk messages, making it an attractive tool for spam operations.
Additionally, she notes that the DPDP Act mandates data minimisation and user consent, yet WhatsApp and Telegram fail to enforce these principles in bulk messaging. This makes them a breeding ground for financial fraud and phishing scams. Also, OTT messaging apps have no real-time fraud detection systems, allowing scam operators to masquerade as legitimate businesses.
As smartphone adoption and internet penetration increase, more people rely on OTT apps for communication, naturally leading to a rise in spam-related activities on these platforms. Addressing spam effectively requires collaboration among all stakeholders, including regulators, platforms, telecom providers, and users, point out experts.
"Given how OTT communication plays a crucial role in facilitating personal and professional communication, enabling access to services and opportunities, OTT communication platforms must recognise the evolving threat landscape and proactively implement measures to curb misuse.
"This includes equipping users with effective tools to manage unwanted communication, strengthening spam detection mechanisms, and ensuring greater transparency in how accounts engage in mass messaging," points out Srivastava.
What Can Brands Do
Under existing regulations such as TRAI’s UCC framework, bulk promotional SMS providers must comply with strict guidelines, including sender ID registration and customer consent management. However, OTT messaging apps have no such mandatory opt-in and tracking mechanism.
To prevent being flagged as spam, as per Chandwani, brands must incorporate legally sound communication strategies, such as:
Explicit User Consent: Mirroring the opt-in process under GDPR and DPDP Act, brands should ensure messages are sent only to those who have provided prior explicit consent.
Pre-approved Templates: WhatsApp Business API users should rely on pre-verified message templates, avoiding aggressive promotional content that violates Section 43A of the IT Act, 2000 regarding the protection of sensitive personal data.
Transactional vs. Promotional Messaging: WhatsApp should mandate a clear differentiation between transactional and promotional communication, akin to TRAI’s SMS regulation where promotional messages are restricted to specific time slots.
Brands must also be mindful of data retention policies, as excessive or prolonged user engagement could be flagged as a violation of privacy rights under the DPDP Act, experts conclude.
