TRAI can fine your business between ₹1,000 and ₹1,50,000 per violation for non-compliant AI calls, and a single customer complaint can trigger an investigation that shuts down your entire outbound campaign. That is not a hypothetical. Indian edtech and fintech companies have already had their AI call operations suspended for getting this wrong.
So here is the answer you actually came for: yes, AI call center software is legal in India. But the word "legal" is doing a lot of work in that sentence. Compliant AI calling in India means satisfying not one but two distinct regulatory frameworks, specifically TRAI and the Digital Personal Data Protection Act (DPDPA), along with sector-specific rules from bodies like the RBI, IRDAI, and SEBI depending on your industry. Getting only one of these right is not enough.
At OnDial, we work with businesses across India to build voice AI solutions designed for real-world compliance from the ground up. From what I have seen, the most common mistake is not malicious. It is a genuine misunderstanding of which regulator governs what.
In this guide, you will learn exactly what TRAI requires, what DPDPA adds on top of it, what your AI must say in the first 15 seconds of every call, and how to build a compliance posture that actually holds up.
The Two Compliance Layers Most Businesses Confuse
Most compliance articles on this topic treat TRAI compliance and DPDPA compliance as the same thing, or worse, they treat TRAI as the only thing that matters. That framing can get your business into serious trouble.
TRAI governs whether you are permitted to call someone. DPDPA governs what you are permitted to do with the data that call generates. These are two entirely separate legal obligations, and they require two separate, trackable consent records.
What TRAI Actually Governs
The Telecom Regulatory Authority of India (TRAI) is India's telecom regulator. Its mandate is to regulate commercial communications to protect consumers from unsolicited calls and messages. The key regulation for AI call centers is the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, most recently amended in February 2025.
TRAI's scope covers who you can call, when you can call, what number series you must use, whether you must disclose the automated nature of the call, and how to handle the DND and NCPR registry. These are the "before and during the call" rules.
What DPDPA Actually Governs
The Digital Personal Data Protection Act, 2023 (DPDPA), with its Rules notified in November 2025, is India's comprehensive data privacy law. It governs what happens after the call: how you store the voice recording, what you do with the customer's data, how long you keep it, and how you honor a customer's request to delete it.
Under DPDPA, a voice recording is personal data. The transcript your AI generates is personal data. The customer intent signal your CRM logs is personal data. All of it requires purpose-specific, revocable, documented consent, separate from the TRAI consent you obtained to make the call in the first place.
A Delhi-based company was fined ₹50 lakh for non-compliant call recordings, according to ConversAI Labs. That is a reminder that data handling failures carry real financial consequences that TRAI compliance alone cannot protect you from.
TRAI Rules for AI Calling: What You Must Follow
TRAI compliance is the baseline. Every AI call center operating in India must meet these requirements, with no exceptions and no workarounds.
DND and NCPR Registry Compliance
The National Customer Preference Register (NCPR), commonly known as the Do-Not-Disturb (DND) registry, is the single most important list in Indian call center compliance. Before any AI outbound call, your system must check whether the recipient has registered on the NCPR.
Two categories matter here.
DND-Exempt Transactional Calls are calls related to an existing customer relationship, including order confirmations, OTP delivery, appointment reminders, and service alerts. These are generally permitted even to DND-registered numbers.
DND-Restricted Promotional Calls, which include lead generation, new product offers, and marketing campaigns, cannot be made to DND-registered numbers. The penalty for a single violation is ₹1,000, with potential service disconnection after three complaints, according to TRAI's TCCCPR framework. At scale, this adds up fast.
Your AI platform must scrub every number against the updated DND list before every campaign, not once at the start but before every single call attempt. TRAI-approved DND scrubbing vendors are required for this, and records must be maintained for a minimum of six months.
Calling Hours, Number Series, and AI Disclosure
Calling hours: All commercial AI calls in India are restricted to 10:00 AM to 7:00 PM, seven days a week, based on the recipient's local time zone. Targeting 10:30 AM to 6:30 PM is the practical safe window to account for edge cases.
Number series: TRAI mandates the use of specific number series for commercial calls. The 140-series is designated for transactional communications, and the 160-series is for service calls. Using a standard 10-digit mobile number for promotional outreach is now a violation under the February 2025 TCCCPR amendment. Many businesses unknowingly violate this by running marketing messages through service number series.
AI disclosure: This is where I see companies get tripped up most often. Under TRAI's current guidelines, your AI system must clearly identify itself as automated within the first 15 seconds of the call. Passing off an AI voice agent as a live human is not just non-compliant. It constitutes deceptive trade practice. There is no grey area here.
DPDPA and Voice AI: The Data Layer You Cannot Ignore
Think TRAI compliance is enough? It is not. Not anymore.
India's DPDPA Rules 2025 bring approximately 800 million internet users under a comprehensive privacy framework, according to the International Association of Privacy Professionals (IAPP). Full enforcement is expected by May 2027, but the compliance architecture, including consent infrastructure, audit logs, and erasure workflows, must be built now.
Consent Under DPDPA vs TRAI Consent
This distinction matters more than almost anything else in this guide. TRAI consent is about the call. DPDPA consent is about the data.
When a customer agrees to receive a service call, they have given TRAI consent. But the moment your AI records their voice, stores that recording, transcribes the conversation, passes it to a CRM, or uses it to train a model, that action falls under DPDPA data processing territory. For all of that processing, you need a separate, purpose-specific, revocable consent that is documented with a timestamp, the language of consent, and the specific processing purpose.
DPDPA defines valid consent as: free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. Passive compliance approaches, such as "by continuing this call you consent to," do not meet this standard.
Data Retention, Audit Logs, and Penalties
Under DPDPA, personal data including call recordings must be deleted once the purpose for which it was collected is fulfilled. Organizations must maintain one-year tamper-proof audit logs of all consent records and data processing activities.
CERT-In separately mandates log retention for 180 days, and sector-specific regulators like IRDAI require insurance call recordings to be retained for a minimum of six months. Navigating these overlapping timelines requires a documented retention policy that satisfies all three simultaneously.
The stakes are significant. DPDPA non-compliance penalties can reach up to ₹250 crore for serious violations including breach reporting failures and inadequate security safeguards, according to DPDPA.com. That number should be on every compliance team's radar.
What Your AI Must Say in the First 15 Seconds
Let me be direct here, because this is where theory becomes practice. Most compliance guides tell you what the rules are. Very few tell you what your AI agent must actually say. This section does exactly that.
The Mandatory Disclosure Script
Every TRAI-compliant AI call in India must include the following information at the very start of the call, within the first 15 seconds:
- Identity: The company name making the call
- Nature: A clear statement that this is an automated call
- Purpose: The specific reason for this call
- Recording notice: If the call will be recorded, this must be stated upfront with the specific purpose
A compliant opening sounds like this: "Hello, this is an automated call from [Company Name]. This conversation may be recorded for [specific stated purpose]. The reason for this call is [specific purpose]."
The word "automated," or its equivalent in the language of the call, is non-negotiable. I have personally reviewed AI voice scripts where companies try to soften this with phrasing like "This is a call on behalf of..." in ways that obscure the automated disclosure. That approach creates compliance exposure that is simply not worth taking.
Opt-Out Requirements
Within the first 30 seconds of every promotional AI call, you must offer a clear opt-out mechanism. The standard instruction is: "Press 9 to stop receiving calls from us." Opt-out requests must be processed within 24 to 48 hours and synced with your DND preferences. Failing to honor an opt-out is a direct TRAI violation, and it is one of the most common causes of complaints that trigger investigations.
Sector-Specific Rules: Finance, Insurance, and Healthcare
Being TRAI and DPDPA compliant is the floor. If your business operates in a regulated sector, additional frameworks apply on top of these two.
Financial services: The RBI Fair Practices Code governs call windows, mandatory disclosures, recording requirements, and grievance handling for any AI call involving credit, collections, or financial product communication. Any voice AI script involving loan terms, EMI reminders, or account information must be reviewed by a qualified lawyer before it goes live.
Insurance: IRDAI requires that sales call recordings be retained for a minimum of six months. This creates a direct tension with DPDPA's right-to-erasure provisions. If a customer requests data deletion under DPDPA, and that data includes a regulated insurance sales recording, you cannot simply delete it. Your AI platform must be configured to retain what is legally required while restricting further processing and documenting explicitly why the data cannot be deleted when a customer requests erasure.
Healthcare: While India lacks a central healthcare data law equivalent to HIPAA, medical ethics guidelines apply strongly. AI voice agents deployed for healthcare communications should be limited to appointment scheduling and billing inquiries. Recording sensitive health conversations, including diagnoses and treatment histories, should be avoided unless explicit, purpose-specific consent is obtained.
As one compliance framework puts it plainly: India has more compliance surface area on a phone call than almost any other market in the world, according to Caller Digital's 2026 Voice AI Guide. That is not a reason to avoid AI calling. It is a reason to build your platform properly from the start.
Conclusion
AI call center software is legal in India, and when done correctly, it is one of the most powerful communication tools available to growing businesses. The key is understanding that legal operation requires satisfying two parallel frameworks: TRAI, which governs the call itself, and DPDPA, which governs the data the call generates. Businesses in finance, insurance, or healthcare must stack sector-specific rules from RBI, IRDAI, and other regulators on top of those two.
The businesses that treat this compliance work as a foundation, not an afterthought, are the ones that scale with confidence. I have seen firsthand how a well-structured voice AI deployment, built on transparent consent and clean data handling, creates better customer experiences and measurable trust. Companies cutting corners on this are creating liability, not growth.
At OnDial, we build voice AI platforms designed specifically for India's regulatory environment, because localized compliance is not a checkbox but the architecture itself. If you are evaluating whether your current AI call center setup would hold up to a TRAI audit or a DPDPA data principal request, the OnDial team is ready to walk through it with you. Visit ondial.ai to book a compliance-first voice AI consultation tailored to your business.
