India's Digital Personal Data Protection Act 2023 (DPDP Act) came into force with significant implications for any business that collects personal data — and voice interactions are squarely in scope. If you're using voice AI to call customers, collect consent, or record interactions, DPDP compliance is not optional.
What Data Does a Voice AI System Collect?
A typical voice AI deployment processes at minimum:
- Voice recordings — biometric data under DPDP
- Transcripts — personal data
- Phone numbers — personal data
- Call metadata — timestamps, duration, outcome — personal data
- Consent records — required to be stored
Under the DPDP Act, all of this constitutes "personal data" for which explicit consent is required before collection and processing.
The Consent Requirement
The DPDP Act requires free, specific, informed, and unambiguous consent before personal data can be processed. For a voice AI making outbound calls, this means the call itself must begin with a consent disclosure — before any data about the interaction is recorded or processed.
Practically, every Agni call opens with a language-matched disclosure: who is calling, what data will be collected, how it will be used, and how the customer can withdraw consent. The customer's acknowledgment is recorded as the consent event.
Key requirement: Consent must be documented. "The customer didn't object" is not sufficient. There must be a positive consent signal — either verbal acknowledgment or a DTMF press — that is recorded and timestamped.
Data Residency: India Only
The DPDP Act requires that personal data of Indian citizens be stored within India. For voice AI deployments, this means:
- Voice recordings must be stored on India-based servers
- LLM inference cannot send customer voice data to servers outside India
- Transcripts cannot be processed on foreign infrastructure
Global voice AI platforms — Vapi, Retell, Bland — route audio through US or EU servers. This creates a structural DPDP violation for Indian deployments. Agni processes everything on India-hosted infrastructure; no data leaves Indian jurisdiction.
Retention and Deletion Rights
Under DPDP, individuals have the right to request deletion of their personal data ("right to be forgotten"). Your voice AI system must be able to:
- Identify all data associated with a given phone number or customer ID
- Delete it within a reasonable timeframe upon request
- Confirm deletion to the customer
This creates a tension with RBI's 2-year recording retention requirement for BFSI companies — which takes precedence. The practical resolution: recordings required for regulatory compliance are retained under the regulatory exemption; all other data is subject to DPDP deletion rights.
Penalties for Non-Compliance
The DPDP Act provides for penalties up to ₹250 crore per violation for significant data breaches. For smaller violations — inadequate consent capture, improper retention — penalties can reach ₹10–50 crore. For BFSI and healthcare companies, where voice data is sensitive by definition, the risk is material.
What Compliant Looks Like
A DPDP-compliant voice AI deployment in India:
- Opens every call with a consent disclosure in the customer's language
- Records the consent acknowledgment with a timestamp
- Stores all data on India-based, ISO 27001-certified infrastructure
- Retains data per the applicable regulatory schedule
- Can respond to a deletion request within 30 days
- Has a documented data processing agreement with the AI provider
Agni is designed to meet all six requirements out of the box. For most Indian businesses, deploying Agni means their voice AI is DPDP-compliant from the first call.
