India received 4,168 crore spam calls in a single year, according to the 2025 India Insights Report. That is not a typo. That number - staggering enough on its own - is exactly why regulators are watching AI voice calling more closely than ever before, and exactly why businesses deploying AI calls in India need a clear-eyed understanding of what is actually legal.
So, is AI calling legal in India? Yes. But only under specific conditions. AI-powered outbound calls are permitted in India when you have prior explicit consent from the recipient, when you have scrubbed your lists against the DND registry, when you call within permitted hours, and when your AI identifies itself as automated. Miss any one of those four conditions, and you are not running a compliant campaign - you are running a liability.
I've worked alongside businesses that assumed AI calling was a grey area, a kind of "we'll deal with the rules later" situation. What I consistently see is that the grey area closes very fast once a TRAI complaint is filed. One complaint can get a campaign suspended. Three can get your number blacklisted. This guide maps out the entire compliance picture, including the parts that most AI calling guides skip entirely.
Here is what you will learn: exactly which TRAI regulations apply to AI calls, how consent must be captured and stored, what the 2025 amendment changed, why TRAI compliance alone is not enough, and what a properly built AI calling system should look like in practice.
What TRAI Actually Regulates: The TCCCPR Framework Explained
The Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018 is the primary legal framework governing all commercial voice communication in India. It covers outbound calls made for promotional, transactional, or service purposes - and AI-generated voice calls fall squarely within its scope.
The TCCCPR introduced distributed ledger technology (DLT) - a blockchain-based platform - as the infrastructure for tracking telemarketers, managing consent, and monitoring commercial communications. Every registered telemarketer in India must operate through this DLT system. Think of it as the backbone of India's anti-spam architecture.
The February 2025 Amendment: What Changed and Why It Matters
TRAI's Second Amendment to the TCCCPR, released in February 2025, tightened several rules that directly affect AI calling operations. Understanding these changes is not optional. It is the difference between running legally and running blind.
The amendment introduced four key shifts. First, the consumer complaint window was extended from 3 days to 7 days - meaning recipients now have a longer window to report your AI call as spam. Second, inferred consent (consent assumed from a general business relationship) is now valid only for the duration of the contractual relationship. Third, explicit consent for fulfilling a commercial transaction is valid for just 7 days from acquisition. Fourth, auto-dialers and robocalls must now be formally notified to the originating access provider in advance.
That last point is one most businesses have not operationalized yet. If you are running AI voice campaigns without pre-notifying your telecom provider about auto-dialing, you are already out of step with the updated TCCCPR.
Transactional vs. Promotional Calls: A Line You Cannot Afford to Blur
This distinction is where many businesses quietly break the law without realizing it.
Transactional calls are those tied to an existing customer relationship - OTP confirmations, order updates, appointment reminders, service notifications. These are generally permitted even to numbers registered on the DND list, provided the call is genuinely transactional. Promotional calls are outbound marketing, lead generation, new product offers, or sales pitches. These are heavily restricted and cannot be made to DND-registered numbers without prior explicit consent.
Here is the trap: an AI voice agent that starts with a service-like message and then mentions a promotional offer mid-call is classified as a promotional call under the TCCCPR. The opening framing does not change the category. TRAI classifies the intent of the entire call, not just its opening seconds.
The Three Pillars of TRAI Compliance for AI Calling
Compliance under TRAI is not a single checkbox. It is a three-part operational system that must be functioning continuously, not just at campaign launch.
Pillar 1: DND Registry Compliance
The DND (Do Not Disturb) registry - formally called the National Customer Preference Register (NCPR) - is a database of numbers that have opted out of receiving promotional communications. Before any promotional AI call is made, every number on your campaign list must be checked against this registry.
This is not a one-time scrub. DND registration status can change daily. Your system needs real-time verification protocols before every campaign. Penalties for calling a DND-registered number start at Rs. 1,000 per violation, with service disconnection possible after just three complaints. Maintain DND scrubbing records for a minimum of six months for audit readiness.
Transactional calls - OTP, order confirmation, delivery alerts - are generally exempt from DND restrictions, but that exemption disappears the moment the call includes promotional content.
Pillar 2: Calling Hours and Number Series Rules
All commercial AI calls in India must occur between 10:00 AM and 7:00 PM, seven days a week, in the recipient's local time zone. This is not your business's time zone - it is theirs. An AI campaign scheduled against a single national time slot is already structurally non-compliant for recipients in different regions.
Experienced practitioners actually target a safer buffer of 10:30 AM to 6:30 PM to avoid edge-of-window violations during system delays or queue overruns.
The number series mandate is equally non-negotiable. Promotional calls must originate from numbers in the 140 series. Transactional and service calls must use the 160 series. Using a regular 10-digit mobile number for commercial calling is a violation - one of the most common infractions I see from businesses that launched AI calling without proper telecom infrastructure. Calls from non-designated numbers are automatically flagged by TRAI's DLT monitoring systems.
Pillar 3: Consent - Explicit, Documented, and Revocable
This is where AI calling most often collapses legally. Consent under TRAI - and under the broader Indian legal framework - must meet four criteria: it must be informed, specific, unambiguous, and revocable.
Informed means the recipient knows they are being contacted by an AI voice system for a specific purpose. Specific means consent is tied to a defined category of communication, not a blanket future permission. Unambiguous means a clear verbal "yes" or DTMF keypress confirmation - not silence, not continued listening. Revocable means the recipient can opt out at any time, and your system must process that opt-out within 24 to 48 hours.
A compliant AI call opening sounds like this: "Hello, this is an automated call from [Company Name]. This is an AI voice assistant. Do you consent to continue?" The call must terminate immediately if the answer is no. Consent records - including timestamps and opt-out logs - must be stored in an auditable system.
(And yes, that disclosure matters even when your AI sounds indistinguishable from a human. Attempting to pass off AI as a live human agent is not just non-compliant - it potentially qualifies as a deceptive trade practice under Indian consumer law.)
The TRAI-Only Trap: Why Telecom Compliance Is Not Enough
Here is the part of this conversation that almost nobody is having openly. And it is the part that can still get a "TRAI-compliant" business into serious legal trouble.
A vendor telling you "we are TRAI-compliant" is giving you a technically accurate but strategically incomplete answer. TRAI governs how your AI call is placed. It does not govern what your AI does with the data it captures during that call.
The moment your voice AI processes, stores, transcribes, or acts on what a customer says, other regulators step in.
DPDPA 2023: The Data Protection Layer You're Probably Missing
The Digital Personal Data Protection Act (DPDPA), 2023 - with Rules notified in November 2025 - introduces a comprehensive horizontal data protection framework that applies directly to AI voice interactions. Full enforcement begins in May 2027, but organizations should be building compliant infrastructure now.
Under DPDPA, consent for data processing must be free, specific, informed, unconditional, and unambiguous. This is separate from TRAI's consent requirement for placing the call. You can have valid TRAI consent to make a call and still violate DPDPA if you process the call's voice data without a separate, purpose-specific consent.
Data localization requirements mean that customer data generated by your AI calls must reside within India. The Act also grants customers the right to erasure - you must be able to delete a customer's call recordings, transcripts, and associated analytics within 30 days of a valid request. CERT-In mandates audit log retention for 180 days; DPDPA requires one year of tamper-proof records. Both requirements apply simultaneously.
Industry-Specific Regulators: RBI, IRDAI, and SEBI
If your business operates in financial services, insurance, or securities, your AI calling compliance map has additional layers.
RBI mandates that call recordings related to customer complaints must be retained for a minimum of two years, with secure access logging. IRDAI requires that insurance sales calls be recorded, retained for at least six months, and include mandatory consent notification - that consent must be captured and logged, not simply disclosed. SEBI has its own communication compliance requirements for securities-related outreach.
The practical implication: your AI calling compliance infrastructure cannot be a single TRAI-focused system. It needs to accommodate sector-specific retention timelines, consent categories, and audit requirements that may conflict with each other. Documented retention hierarchies - stating which regulation takes precedence when retention periods differ - are essential.
What Happens When You Get It Wrong: Real Penalties, Real Consequences
The consequences of non-compliant AI calling in India are immediate and operational, not just financial.
Under TRAI's updated TCCCPR framework, penalties range from Rs. 1,000 to Rs. 1,50,000 per violation. Three complaints against a number trigger service disconnection. A single UCC complaint must now be resolved within 5 days - down from the previous 30-day window. TRAI's enforcement posture has shifted from reactive to proactive: as of early 2026, TRAI is evaluating whether to allow disconnection of numbers flagged as suspected spam by AI monitoring systems - even before any formal consumer complaint is filed.
One concrete pattern I've seen unfold repeatedly in India: a fintech or edtech business launches an AI outbound campaign on short timelines, skips DND scrubbing, uses a standard 10-digit number, and within weeks receives enough complaints to trigger telecom operator action. Their campaign shuts down. Their number is flagged across DLT systems. Rebuilding telecom trust after that flags takes significant time and cost.
The DPDPA adds a separate penalty stack for data handling violations - up to Rs. 250 crore for significant data breaches. These are not theoretical risks. They are the business outcomes of treating compliance as an afterthought.
What Compliant AI Calling Actually Looks Like in Practice
Compliance is not a restriction on AI calling. It is the architecture that makes AI calling sustainable.
Building a Compliance-First AI Voice System
At OnDial, when we help businesses deploy AI voice assistants, we treat the compliance infrastructure as foundational - not a feature added at the end. Here is what a properly built system actually requires.
Pre-call verification layer: Every number is automatically scrubbed against the current DND/NCPR list before being queued for dialing. This is not a batch process - it is real-time. DND status can change daily, and yesterday's verified list is not today's compliant list.
Registered number infrastructure: Campaigns use 140-series numbers for promotional calls and 160-series for transactional calls. This is telecom registration that must be completed with your telecom service provider before campaigns go live - not something you configure in the AI platform itself.
Opening disclosure protocol: Every AI call begins with clear identification. The system announces the company name and that the call is automated. A consent prompt follows before any substantive conversation occurs. The call terminates if consent is declined. The entire exchange is logged with timestamps.
Consent and opt-out management: Consent records are stored with timestamps in an auditable system. Opt-out requests are processed within 24 hours and synced with DND preferences. Customers receive confirmation of removal. Records are retained for a minimum of six months.
Call scheduling controls: Campaigns run only between 10:00 AM and 7:00 PM in the recipient's time zone. Queue management prevents calls from being initiated near the boundary windows. Timezone detection is automatic.
Data handling compliance: Call recordings and transcripts are stored with data localization requirements in mind. Retention timelines align with the strictest applicable regulation - TRAI, DPDPA, or sector-specific rules (RBI, IRDAI). Deletion workflows are documented and testable.
Building this correctly from the start is significantly less costly than rebuilding it after a compliance incident. I've seen teams spend more on remediation in a single quarter than they would have spent on compliant infrastructure over a full year.
Conclusion
Understanding whether AI calling is legal in India comes down to three non-negotiables: TRAI-compliant consent, real-time DND verification, and AI disclosure on every call. Get those right, and AI voice becomes one of the most effective customer communication tools available to Indian businesses. Miss them, and a single complaint can halt your entire operation.
Here is what matters most to take away. TRAI is the baseline - DPDPA and sector-specific regulators govern what happens to the data your calls generate. Compliance is not a constraint on scale; it is the infrastructure that makes scale legally durable. And the penalty window is getting shorter, not longer, as TRAI's enforcement posture continues to tighten.
At OnDial, we build AI voice assistants for Indian businesses that need to scale their customer communication without the legal exposure that comes from cutting corners on compliance. If you are evaluating AI calling for your business - or auditing what you already have - the right first step is a clear view of your current compliance posture.
Talk to the OnDial team about building a compliant, human-centric AI voice system that is designed for India's regulatory environment from the ground up.
