Meet us · 9 Jul:Ravan.ai at NBFC100 Tech Summit, Hilton Chennai — see Agni run live collections calls at our booth →
Compliance

DPDP Act 2023 & Voice AI: What Indian Businesses Need to Know Before Deploying

The Digital Personal Data Protection Act 2023 applies directly to AI phone calls. Here's your compliance checklist: consent, data minimisation, retention, and what a Data Fiduciary must do.

AP
Agni Product TeamRavan.ai
27 June 2025  ·  9 min read
DPDP Act 2023 & Voice AI: What Indian Businesses Need to Know Before Deploying

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection law, and it applies directly to businesses using voice AI for customer communication. If you're deploying AI agents to call customers, collect information, or process personal data, you are a Data Fiduciary under the Act — and you have specific obligations.

This guide covers what those obligations are, how they apply specifically to voice AI deployments, and what Agni provides to help you stay compliant.

Who Is a Data Fiduciary?

Under the DPDP Act, a Data Fiduciary is any entity that determines the purpose and means of processing personal data. If you use Agni to call your customers — even through an AI agent — you determine why the call is happening and what data is collected. That makes you the Data Fiduciary. Agni acts as your Data Processor, processing data only to deliver the service you've contracted for.

The Five Core Obligations for Voice AI

1. Lawful Purpose

Every AI call must have a specific, lawful purpose. "Improving our operations" is not sufficient. "Collecting outstanding EMI for loan account #X" or "Confirming appointment booking reference #Y" are sufficient. Your agent's script must correspond to the stated purpose — an agent authorised for appointment reminders cannot pivot to upselling insurance.

2. Explicit Consent

For most commercial communications, you need consent before calling. TRAI's TCCCPR regulations (DLT registration) cover some of this for transactional communications. For AI-assisted calls, best practice is to obtain explicit consent during the customer onboarding process: "I consent to receive automated voice calls regarding my account at the number provided."

Note: Consent for phone calls and consent for data processing are related but distinct. Your privacy policy should clearly explain that call audio and transcripts are processed to provide service and stored for the stated retention period.

3. Data Minimisation

Your AI agent should collect only the data necessary for the stated purpose. An EMI collection agent does not need to ask about household income. An appointment confirmation agent does not need to collect the patient's diagnosis. Configure your agent's script to stay strictly within the scope of what's needed for the task.

4. Data Retention Limits

Personal data cannot be retained longer than necessary for the purpose. For call recordings and transcripts, define a retention period and enforce it. Typical retention periods:

  • Routine customer service calls: 30–90 days
  • Regulated financial communications (NBFC, bank): 2 years (RBI requirement)
  • Healthcare: As per applicable HIPAA equivalent / NHA guidance

Agni allows you to configure per-account retention periods. Data is purged automatically after the retention window.

5. Data Principal Rights

Data Principals (your customers) have rights under the DPDP Act including:

  • Right to access information about their data
  • Right to correction of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to grievance redressal

You must have a mechanism to handle these requests. For Agni-processed data, contact our Data Protection team — we will support you in fulfilling valid requests within the statutory timeframe.

What Agni Provides

  • Data Processing Agreement (DPA): Available on request — establishes Agni's role as a Data Processor and your obligations as Data Fiduciary
  • India-hosted infrastructure: All call audio, transcripts, and derived data stored on servers in India (data localisation)
  • Configurable retention policies: Set per-account retention periods enforced automatically
  • Access controls: Role-based access to call recordings and transcripts
  • Audit logs: Full audit trail of data access for compliance evidence

DPDP Act compliance for voice AI is achievable — it requires intentional configuration of your agent scripts, privacy notices, and data handling. Talk to our team about setting up a compliant deployment for your use case.

Frequently asked questions

Does the DPDP Act 2023 apply to AI phone calls in India?
Yes. The Digital Personal Data Protection Act 2023 applies directly to AI phone calls because a caller's voice, phone number, and any personal details shared are personal data. Any business making automated calls is a Data Fiduciary and must obtain explicit consent, minimise data collected, and honour deletion and withdrawal requests. Non-compliance can attract penalties of up to ₹250 crore.
What consent do I need before making AI voice calls under the DPDP Act?
You need free, specific, informed, and unambiguous consent stating the exact purpose before processing any personal data on an AI call. In practice this means a clear opt-in and an audible disclosure at the start of the call, plus an easy way to withdraw consent at any time. Agni captures and timestamps this consent automatically on every call, with a 60-day consent window and do-not-call enforcement built in.
What is a Data Fiduciary under the DPDP Act for voice AI?
A Data Fiduciary is the entity that decides why and how personal data is processed, which for voice AI is the business running the calling campaign, not the platform vendor. Duties include obtaining valid consent, implementing security safeguards, notifying breaches, and deleting data once its purpose is served. Choosing a platform with India-only data residency, like Agni, materially reduces your compliance exposure.
How long can I store voice call recordings under the DPDP Act?
The DPDP Act requires data minimisation, meaning recordings must be deleted once the purpose they were collected for is fulfilled, unless a specific law such as RBI collections rules mandates a longer retention period. There is no single fixed number; retention must be justified by purpose. Agni lets you configure automated retention and deletion policies so recordings expire in line with your stated purpose.
What is a DPDP compliance checklist for deploying voice AI in India?
The core checklist is: obtain explicit purpose-specific consent, disclose that the call is AI-driven, minimise the data you collect, store it on India-based servers, set a retention-and-deletion policy, and provide a working consent-withdrawal and grievance channel. You must also honour do-not-call and TRAI DLT rules. Agni ships with consent capture, India-only servers, and automated retention so most of this checklist is handled at the platform level.
DPDP ActComplianceData ProtectionVoice AILegal

Ready to deploy voice AI that speaks India?

Agni handles Hinglish, regional dialects, RBI-compliant call flows, and sub-300ms latencybuilt specifically for Indian enterprises.