The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection law, and it applies directly to businesses using voice AI for customer communication. If you're deploying AI agents to call customers, collect information, or process personal data, you are a Data Fiduciary under the Act — and you have specific obligations.
This guide covers what those obligations are, how they apply specifically to voice AI deployments, and what Agni provides to help you stay compliant.
Who Is a Data Fiduciary?
Under the DPDP Act, a Data Fiduciary is any entity that determines the purpose and means of processing personal data. If you use Agni to call your customers — even through an AI agent — you determine why the call is happening and what data is collected. That makes you the Data Fiduciary. Agni acts as your Data Processor, processing data only to deliver the service you've contracted for.
The Five Core Obligations for Voice AI
1. Lawful Purpose
Every AI call must have a specific, lawful purpose. "Improving our operations" is not sufficient. "Collecting outstanding EMI for loan account #X" or "Confirming appointment booking reference #Y" are sufficient. Your agent's script must correspond to the stated purpose — an agent authorised for appointment reminders cannot pivot to upselling insurance.
2. Explicit Consent
For most commercial communications, you need consent before calling. TRAI's TCCCPR regulations (DLT registration) cover some of this for transactional communications. For AI-assisted calls, best practice is to obtain explicit consent during the customer onboarding process: "I consent to receive automated voice calls regarding my account at the number provided."
Note: Consent for phone calls and consent for data processing are related but distinct. Your privacy policy should clearly explain that call audio and transcripts are processed to provide service and stored for the stated retention period.
3. Data Minimisation
Your AI agent should collect only the data necessary for the stated purpose. An EMI collection agent does not need to ask about household income. An appointment confirmation agent does not need to collect the patient's diagnosis. Configure your agent's script to stay strictly within the scope of what's needed for the task.
4. Data Retention Limits
Personal data cannot be retained longer than necessary for the purpose. For call recordings and transcripts, define a retention period and enforce it. Typical retention periods:
- Routine customer service calls: 30–90 days
- Regulated financial communications (NBFC, bank): 2 years (RBI requirement)
- Healthcare: As per applicable HIPAA equivalent / NHA guidance
Agni allows you to configure per-account retention periods. Data is purged automatically after the retention window.
5. Data Principal Rights
Data Principals (your customers) have rights under the DPDP Act including:
- Right to access information about their data
- Right to correction of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to grievance redressal
You must have a mechanism to handle these requests. For Agni-processed data, contact our Data Protection team — we will support you in fulfilling valid requests within the statutory timeframe.
What Agni Provides
- Data Processing Agreement (DPA): Available on request — establishes Agni's role as a Data Processor and your obligations as Data Fiduciary
- India-hosted infrastructure: All call audio, transcripts, and derived data stored on servers in India (data localisation)
- Configurable retention policies: Set per-account retention periods enforced automatically
- Access controls: Role-based access to call recordings and transcripts
- Audit logs: Full audit trail of data access for compliance evidence
DPDP Act compliance for voice AI is achievable — it requires intentional configuration of your agent scripts, privacy notices, and data handling. Talk to our team about setting up a compliant deployment for your use case.
