9278.io
FeaturesIndustriesPricingBlogFAQ
Sign inGet Started
Back to blog
Compliance8 June 2026 · 8 min read

AI Voice Agent Compliance in India: TRAI & DPDP

Putting an AI voice agent on your phones doesn't exempt you from India's telecom and data rules. TRAI compliant AI cold calling means getting DLT registration, DND scrubbing, consent and the DPDP Act right, because get them wrong and your lines can be cut off. Here is what's required in 2026, in plain English.

AI Voice Agent Compliance in India: TRAI & DPDP

Introduction

An AI voice agent can carry a large share of your call volume, but India's telecom and data rules are strict and the penalties bite. This guide sets out what you need to stay compliant, whether your agent only answers inbound calls or your business also sends commercial communication of any kind.

The phrase "TRAI compliant AI cold calling" tends to get treated as a marketing badge, but in practice it is a checklist of concrete obligations that span two separate regimes: the telecom side, governed by TRAI through the TCCCPR, and the data-protection side, governed by the DPDP Act 2023. The two overlap but are enforced by different bodies, so satisfying one does not satisfy the other. A useful mental model is to think of every campaign as needing a "telecom clearance" (am I allowed to place this call, on this number, to this person, at this time?) and a "data clearance" (am I allowed to hold and use the personal data that makes this call possible?). The rest of this article walks through both, in the order you would tackle them when setting up AI voice compliance in India.

The core rulebook: TCCCPR 2018

AI-powered calling is legal in India, provided you follow the rules, and in 2026 those rules have teeth. All commercial calling sits under the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, which TRAI enforces. The 2025 update that matters most: AI-generated voices are now formally classified as "artificial" voices. Your agent is therefore held to the same robocall rules as any automated dialling system. The fact that it runs on AI buys you no exemption. Treat what follows as a plain-English guide, not legal advice.

It helps to be precise about what the TCCCPR actually covers. It regulates commercial communication, which TRAI defines broadly to include any voice call or message that promotes, advertises or solicits business. That sweep is why genuine inbound service calls, where the customer rang you, sit far more comfortably than outbound cold calls, where you initiated contact. The distinction between promotional and transactional or service communication runs through every rule that follows, so getting your classification right at the start saves a great deal of trouble later. If your AI agent only ever picks up calls that customers place to you, much of the heavy outbound machinery, DLT scrubbing of dialling lists and the promotional calling window in particular, applies with a far lighter touch, though consent and data-handling duties still apply to whatever you record and store.

Register on DLT (this is non-negotiable)

Before any commercial call goes out, you must be registered on a telecom operator's DLT (Distributed Ledger Technology) platform. Your business registers as a Principal Entity (PE), your calling provider registers as a telemarketer (RTM), and a PE-TM binding links the two so that every call is legally attributable. Skip this and telcos are directed to block your commercial traffic. Since the February 2025 amendments, new registrations also require physical verification and Aadhaar-based biometric or OTP authentication.

DLT registration is not a one-time form you forget about. Once you are a registered Principal Entity you must also keep your PE-TM bindings current whenever you change calling providers. For AI cold calling specifically, the important point is that the artificial voice your agent uses places its calls through that registered chain, so the call is always traceable back to a named, verified business. That traceability is the whole point of the framework, and it is what lets TRAI act quickly against bad actors. Practically, keep your registration details, KYC documents and binding records in order before you scale, because carriers can and do suspend traffic from entities whose paperwork has lapsed. If you are weighing up doing this yourself versus using a managed platform, factor the ongoing administration in, not just the initial sign-up; you can compare what each plan handles for you on our pricing page.

Register on DLT
Without this, telcos are directed to block your commercial traffic.

Scrub against DND, and get consent right

Scrub every list against the National Customer Preference Register, the DND registry, before you dial. Do it for each campaign, not once. The 2025 amendments also tightened the consent rules. Inferred consent, drawn from an existing relationship, lasts only as long as that relationship does. Explicit consent to complete a specific transaction is valid for just 7 days. And a call counts as transactional only if it is triggered within 30 minutes of a customer action; outside that window it is promotional and needs promotional consent. Keep consent records and a clear audit trail.

DND scrubbing is where many otherwise careful businesses slip up, because customer preferences change between campaigns. A number that was reachable last month may have registered on the National Customer Preference Register (the renamed DND registry) since, so scrubbing has to happen against a fresh copy of the register immediately before each dial-out, not against a stale snapshot. When you build campaigns with an AI agent, the safest pattern is to make scrubbing an automated step in the pipeline rather than a manual checkbox someone can forget. A few practices that keep consent and DND clean in day-to-day operation:

  • Record the source of every consent, where, when and for what purpose it was given, so you can demonstrate it if challenged.
  • Time-stamp transactional triggers so you can prove a call fell inside the 30-minute transactional window.
  • Re-scrub before every campaign against the latest NCPR data, and exclude any number that has opted out.
  • Honour opt-outs instantly and propagate them across every list and channel, not just the one the customer used.
Scrub against DND and get consent right
The Feb-2025 amendments tightened consent significantly.

Use the right number series and window

Route each kind of traffic on the correct series. 140-series numbers carry promotional and marketing calls; 160-series numbers carry transactional and service calls. Promotional calls are confined to the 9am-9pm window, and mixing the two series is a violation. Tell callers the conversation is recorded, store those recordings securely, and act on opt-out requests at once. Customers can now report spam within 7 days, so a clean opt-out process is your protection.

Number-series discipline matters more than it first appears, because it is one of the easiest things for a carrier or regulator to check automatically. Slipping a marketing pitch into what was meant to be a service call is exactly the kind of misuse the series separation exists to prevent. For an AI voice agent, route outbound promotional campaigns through the correct 140-series identity, keep genuine service and transactional interactions on the 160-series, and make sure the agent's script does not drift from a service confirmation into an upsell that turns the whole call promotional. The 9am-9pm window applies to promotional traffic specifically; when in doubt, the conservative reading is to respect it. For sector guidance on where service and promotional calls blur, our note on AI voice agents for BFSI works through several real examples.

Use the right number series and window
Mixing promotional and service traffic is a violation.

Penalties, and the DPDP Act

The penalties are not trivial. A first-time offender can face a 15-day suspension of outgoing telecom services; a repeat offender can be disconnected from all telecom resources for a year and blacklisted. Sitting on top of TRAI's telecom rules is the Digital Personal Data Protection (DPDP) Act 2023, with Rules notified in November 2025, which governs the personal data behind your calls. It calls for lawful consent, security safeguards, a grievance officer, breach reporting, and data localisation for sensitive data. Full compliance is due by May 2027, but the work to get there starts now.

Under the DPDP Act 2023, the people you call are data principals and your business is a data fiduciary with defined duties towards them. In the context of AI cold calling, the personal data in question is not just phone numbers but everything your agent captures: call recordings, transcripts, intent and outcome tags, and any details the customer shares during the conversation. Treating that data lawfully means collecting it for a stated purpose, keeping it only as long as you need it, securing it with reasonable safeguards, and being able to act on a data principal's requests to access or erase their information. Because the DPDP Rules were notified in November 2025 with a phased runway to May 2027, the sensible approach is to design these duties into your AI voice compliance setup from the outset rather than retrofitting them under deadline pressure. The two regimes reinforce each other here: the consent you gather for TRAI purposes and the consent you need under the DPDP Act should be captured once, cleanly, and stored where you can prove it.

Penalties and the DPDP Act
This is why compliance can't be an afterthought.

A practical compliance workflow for AI voice agents

Pulling the pieces together, here is the order most teams find easiest to follow when standing up TRAI compliant AI cold calling. First, classify your use case honestly: inbound service, outbound transactional, or outbound promotional, because that decides how much of the framework applies. Second, complete DLT registration as a Principal Entity and bind your calling provider before a single commercial call goes out. Third, build DND scrubbing and consent checks into the dialling pipeline so they run automatically on every campaign. Fourth, separate your number series and enforce the promotional calling window in the dialler itself. Fifth, layer DPDP-aware data handling over the top: secure storage, retention limits, recording disclosure and a route for data-principal requests.

The reason to automate each step rather than rely on process discipline is that the penalties fall on the business, not on the individual who forgot. A platform that ships these controls as defaults turns a recurring compliance risk into a configuration you set once.

Conclusion

AI voice agents are legal and effective in India, but the freedom to run them rests on getting the basics in place: the right registrations, DND scrubbing on every list, valid consent, and DPDP-ready data handling.

You can manage all of this by hand, or pick a platform where it ships as standard. 9278.io focuses on inbound voice agents and pre-configures TRAI calling-window enforcement, DND scrubbing, promotional-versus-transactional routing, consent capture and audit trails, and DPDP data localisation on every plan, with recordings kept in your own environment. Compliance stops being a project and becomes the default. Build your first agent or explore the industries we serve. This article is general information, not legal advice; Indian telecom and data rules change frequently, so consult a qualified telecom/data lawyer before you launch.

Ready to put a voice agent on your phones?

Native-audio AI agents in 15+ Indian languages, on Jio/Airtel/BSNL/Vi, live in hours.

Build your first agent

Frequently asked questions

Is AI calling legal in India in 2026?

Yes, but only if you comply with TRAI's TCCCPR rules. AI voices are classified as artificial voices, so commercial calling needs DLT/telemarketer registration, DND scrubbing, valid consent, correct number series, the 9am-9pm promotional window, and recording disclosure. Genuine inbound service calls carry a lighter burden.

What is DLT registration and do I need it for AI calling?

DLT registration is mandatory registration on a telecom operator's platform before making commercial calls. Your business registers as a Principal Entity, your provider as a telemarketer, and you complete a PE-TM binding. Without it, carriers block your commercial traffic.

How long is consent valid under the 2025 TRAI rules?

Inferred consent lasts only for the duration of the customer relationship, and explicit consent to fulfil a transaction is valid for just 7 days. A call is only transactional if triggered within 30 minutes of a customer action; otherwise it needs promotional consent.

What are the penalties for non-compliant AI calling in India?

First-time offenders can face a 15-day suspension of outgoing telecom services; repeat offenders can be disconnected from all telecom resources for up to a year and blacklisted. DPDP breaches carry separate, much larger financial penalties.

Does the DPDP Act apply to AI calling?

Yes. The DPDP Act 2023, with Rules notified in November 2025, governs the personal data behind your calls, requiring lawful consent, security safeguards, a grievance officer, breach reporting, and data localisation. Full compliance is required by May 2027.

Do I need DLT registration if my AI agent only answers inbound calls?

The heavy outbound machinery, scrubbing dialling lists against DND and enforcing the promotional calling window, is built for outbound commercial calls, so it applies far more lightly to genuine inbound service calls a customer places to you. However, you still have data-handling duties under the DPDP Act for anything you record or store, and if your inbound flow ever triggers outbound commercial follow-up, that follow-up falls back under the full TCCCPR framework including DLT registration.

What is the difference between promotional and transactional calls under TRAI?

Promotional calls advertise or solicit business and must run on the 140-series within the 9am-9pm window with promotional consent. Transactional or service calls relate to an existing transaction or relationship and run on the 160-series. A call only counts as transactional if it is triggered within 30 minutes of a customer action; outside that window it is treated as promotional and needs promotional consent. Mixing the two series is a violation.

How often do I need to scrub my list against DND?

Before every campaign, against a fresh copy of the National Customer Preference Register. Customer preferences change between campaigns, so a number that was reachable last month may have opted out since. Scrubbing once and reusing the result is one of the most common ways businesses end up sending non-compliant calls, which is why the safest approach is to make scrubbing an automated step in your dialling pipeline.

All articlesBuild your first agent
9278.io

Native-audio voice agents for Indian businesses. Sub-second latency, self-hosted dashboard, Indian carrier connectivity — without the enterprise vendor markup.

Customer dashboard↗

Platform

  • Features
  • Pricing
  • FAQ
  • Dashboard

Industries

  • Real Estate
  • Legal Services
  • E-Commerce
  • Restaurants
  • Automotive
  • Home Services

Company

  • About
  • Blog
  • Contact

Legal

  • Terms of Service
  • Privacy Policy
  • Refund & Cancellation
  • Grievance Redressal
  • All policies →

© 2026 9278.io · All rights reserved.