8 June 2026 · 5 min read · Spectrity Team

DPDP Act 2023: What It Means for Voice AI in India

The Digital Personal Data Protection Act 2023 (DPDP Act) imposes specific obligations on any organization that processes personal data of Indian residents — and voice AI deployments are squarely within scope. Voice calls collect personal data by definition: caller identity, voice biometrics, conversation content, and inferred intent are all personal data under the Act's definition. Organizations running voice AI programs in India need to understand four specific obligations: lawful basis for processing, consent mechanics, data localization, and breach notification timelines.

What Personal Data Does Voice AI Collect Under the DPDP Act?

Under Section 2(t) of the DPDP Act, personal data means "any data about an individual who is identifiable by or in relation to such data." Voice AI systems routinely collect data that meets this definition: the caller's phone number (directly identifying), their recorded voice (potentially biometric), the content of their conversation (may include financial, health, or professional information), and metadata like call time, duration, and geographic location.

Voice recordings are particularly sensitive because voiceprints qualify as biometric data under the Act, a category grouped alongside health data and financial data as requiring heightened protection. The government has signaled through draft rules (as of March 2026) that biometric data processing will require explicit opt-in consent rather than deemed consent.

Organizations must map which data categories their voice AI system collects before they can determine the correct compliance posture. A voice agent that only collects name and contact preference has a lighter compliance burden than one that collects income, health conditions, or payment information during the conversation.

What Consent Mechanisms Are Required for Voice AI Calls?

The DPDP Act requires "free, specific, informed, unconditional, and unambiguous" consent for processing personal data where consent is the chosen lawful basis. For voice AI, this creates a practical design question: how do you obtain valid consent from a caller before the AI begins processing their data?

The most defensible approach is a pre-call consent disclosure — a brief recorded message at the start of the call that explains the data being collected, the purpose, and gives the caller the option to opt out before the conversation proceeds. This must be in a language the caller understands, which for pan-India deployments means the disclosure should be available in the caller's preferred language.

Consent records must be maintained and must be withdrawable. A caller who provides consent on one call cannot be assumed to have consented indefinitely — organizations need a mechanism to honor withdrawal requests. Under Section 6(4), withdrawal must be as easy as giving consent. Practically, this means a toll-free opt-out number or a simple SMS keyword, not a 5-step online form.

Does the DPDP Act Require Data Localization for Voice AI?

Section 16 of the DPDP Act authorizes the Central Government to notify categories of personal data that must be stored only within India. As of June 2026, the government has not yet published a final notification specifying localization requirements; the rules are in the consultation phase. However, the draft rules released in January 2026 included voice recordings and biometric data in the proposed restricted categories.

Enterprises making infrastructure decisions now should assume localization requirements for voice data will apply. Deploying on infrastructure with data residency in Indian data centers (Mumbai or Hyderabad AWS/Azure/GCP regions, or on-premise) is the architecturally conservative choice. Platforms that store call recordings, transcripts, or voice embeddings in US or European data centers will require data transfer mechanisms that may not survive the final regulations.

The cost of retrofitting a cloud deployment for data residency after the rules are finalized significantly exceeds the cost of choosing India-resident infrastructure from the start.

What Are the Breach Notification Requirements for Voice AI Systems?

Section 8(6) of the DPDP Act requires data fiduciaries to notify the Data Protection Board "in such form and manner as may be prescribed" upon becoming aware of a personal data breach. Draft rules propose a 72-hour notification window, consistent with GDPR standards. Affected data principals (the individuals whose data was breached) must also be notified.

For voice AI systems, a breach scenario could include unauthorized access to call recordings, exposure of transcripts, or compromise of voice biometric embeddings. Organizations need an incident response plan that covers voice data specifically — including the ability to identify which callers' data was exposed, generate the required notifications, and preserve evidence for the Board.

Penalties under the DPDP Act reach up to ₹250 crore per instance of non-compliance, with separate penalties for breaches, failure to notify, and processing children's data without verifiable parental consent.

Conclusion

DPDP compliance for voice AI is not a checkbox exercise — it requires deliberate architectural choices about data collection scope, consent UX, storage location, and incident response. Organizations that treat compliance as an afterthought will face expensive retrofits when the final rules are published. The practical path is to build consent mechanics, data minimization, and India-based data residency into the voice AI deployment from day one.