All posts
ProductJanuary 2026

DPDP Act 2023: What every BPO needs to know about voice AI

A legal + technical guide to DPDP compliance for automated voice calls — consent management, PII redaction, and audit trails.

Verbalyze Compliance Team7 min readProduct

The Digital Personal Data Protection Act, 2023

The DPDP Act 2023 came into force in India in 2024, establishing obligations for organizations that collect, process, or store personal data of Indian residents.

For BPOs running automated voice calls, the obligations are significant.

Key Requirements for Voice AI

1. Informed Consent

Every automated call must obtain explicit informed consent before any data processing begins. This means:

  • Playing a consent notice in the caller's language
  • Recording the caller's verbal consent
  • Storing a time-stamped consent record

    • Verbalyze provides a built-in Consent Management Module that handles notice delivery, consent capture, and audit-trail storage.

    2. PII Redaction

    Voice recordings containing Aadhaar numbers, PAN cards, bank account numbers, or OTPs must be redacted before storage. Verbalyze performs real-time PII redaction at the transcript level — the raw audio is not stored post-call.

    3. Purpose Limitation

    Data collected during a voice call can only be used for the declared purpose. Call recordings used for "quality monitoring" cannot be repurposed for model training without fresh consent.

    4. Audit Trails

    Every data processing event must be logged with a timestamp, processing purpose, and operator identity. Verbalyze generates SOC-2 compatible audit logs for every call.

    Compliance Checklist

    Consent notice recorded in caller's primary language
    Verbal consent stored with timestamp
    Real-time PII redaction active
    Call recordings encrypted at rest (AES-256)
    Data retention policy configured (max 90 days default)
    Audit logs exported to SIEM

    Explore more insights from the Verbalyze team

    Back to Blog