By The dialque Team

Call recording compliance in India: DPDP Act + IT Act requirements

India has no two-party consent law for call recording, but the DPDP Act 2023 and IT Act SPDI rules impose data-handling obligations that catch most teams off guard. Here is the actual rule.

Tags: Compliance, India, DPDP

Most contact centres in India record every call. Some teams do it on purpose for QA and dispute resolution. Some do it because the dialer is set to record by default and no one thought to turn it off. Both groups underestimate the regulatory weight.

India does not have a US-style two-party consent law for call recording. But the DPDP Act 2023 and the older IT Act 2000 + SPDI Rules 2011 create real obligations once a call is recorded — and the penalties under the DPDP Act are non-trivial.

This post breaks down the actual requirements for storing, securing, sharing, and disposing of call recordings in India.

The legal framework

Three pieces of law interact:

IT Act 2000 + Section 43A and SPDI Rules 2011

Defines "Sensitive Personal Data or Information" (SPDI) — including financial info, biometric data, health records, sexual orientation, etc. — and mandates "reasonable security practices" for entities holding it. Voice recordings of conversations that contain SPDI are themselves SPDI.

DPDP Act 2023 (Digital Personal Data Protection)

Replaces the older Privacy Rules. Applies to all "personal data" (not just SPDI). Imposes specific obligations on Data Fiduciaries (entities that determine purpose + means of processing) and Data Processors (those processing on the Fiduciary's behalf).

For a contact centre, you are the Data Fiduciary for the personal data of customers you talk to. Your dialer vendor is the Data Processor (when it stores your recordings on its infrastructure).

Indian Telegraph Act + Indian Wireless Telegraphy Act

Restricts interception of telecom traffic by third parties (not by the parties on the call). Recording your own customer-service calls is not interception; recording someone else's calls is.

Is recording legal at all?

Yes. Recording your own commercial calls is permitted in India provided:

  1. The caller is aware that the call may be recorded (the "this call may be recorded for quality and training purposes" disclosure)
  2. The recording is used for stated, lawful purposes (QA, dispute, regulatory compliance)
  3. Storage + access controls meet "reasonable security practices"
  4. Data subject rights under DPDP Act are honoured (access, correction, erasure, grievance)

The one-party-consent doctrine prevails in India. The recipient does not need to explicitly consent; they need to be informed.

The notification requirement

Operationally, this means every recorded inbound or outbound call must:

  • Play a recording disclosure at the start ("Hi, this is dialque calling from [...]. This call may be recorded for quality purposes")
  • Allow the recipient to ask not to be recorded if they object (a "press 9 to opt out" or "let me know if you would like not to be recorded" line)
  • Stop recording if they opt out

Most dialers (including dialque) play the disclosure automatically when the campaign is configured with recording on. The opt-out path is configurable per campaign.

What counts as "reasonable security practices"

The SPDI Rules say "reasonable security practices" means complying with ISO/IEC 27001 or equivalent. The DPDP Act is more flexible but the Data Protection Board has signalled that 27001-level controls are the floor.

In practice, for call recordings:

  • Encryption at rest: AES-256 minimum on the storage backend. S3 + SSE-KMS satisfies this.
  • Encryption in transit: TLS for any audio that leaves the recording server (download, streaming to QA reviewer).
  • Access control: role-based, audit-logged. QA analyst sees recordings; agent does not see colleagues' recordings; finance does not see any.
  • Audit log: every access to a recording is logged with user ID, timestamp, IP. Retained for at least 1 year.
  • Backups: encrypted, geo-redundant, tested quarterly.
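The access-control and audit-log bullets above are easiest to get right when every read of a recording goes through one chokepoint that decides by role and writes an audit entry whether or not access was granted. The following is an added example, not dialque's code: the roles, the in-memory store, the fixed timestamp and the sample recordings are all constructed for illustration, and a real deployment would write the audit entries to durable, append-only storage rather than a Python list.

```python
"""Role-based access to call recordings with an audit trail of every attempt.

Added example (not dialque's code). Roles, recordings and timestamps below are
constructed. Denied attempts are logged as well as granted ones: the audit log
is what tells you who tried to pull a recording they were not entitled to.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Fixed clock so the example is deterministic (constructed value).
FIXED_NOW = datetime(2025, 6, 1, 9, 30, tzinfo=timezone.utc)


@dataclass
class Recording:
    recording_id: str
    agent_id: str          # agent who handled the call


@dataclass
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class AuditEntry:
    user_id: str
    recording_id: str
    timestamp: str         # ISO 8601, UTC
    source_ip: str
    granted: bool
    reason: str


# Assumed role model, mirroring the bullet above: QA analysts may fetch any
# recording, agents only their own calls, every other role (finance, ...) none.
ROLE_RULES: Dict[str, Callable[[User, Recording], bool]] = {
    "qa_analyst": lambda user, rec: True,
    "agent": lambda user, rec: rec.agent_id == user.user_id,
}


@dataclass
class RecordingStore:
    recordings: Dict[str, Recording]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def fetch(self, user: User, recording_id: str, source_ip: str,
              now: Optional[datetime] = None) -> Optional[Recording]:
        """Return the recording if the caller's role allows it; log the attempt either way."""
        now = now or datetime.now(timezone.utc)
        rec = self.recordings.get(recording_id)
        rule = ROLE_RULES.get(user.role)
        if rec is None:
            granted, reason = False, "no such recording"
        elif rule is None:
            granted, reason = False, "role %r has no recording access" % user.role
        elif not rule(user, rec):
            granted, reason = False, "recording belongs to another agent"
        else:
            granted, reason = True, "allowed by role rule"
        self.audit_log.append(AuditEntry(user.user_id, recording_id, now.isoformat(),
                                         source_ip, granted, reason))
        return rec if granted else None

    def denied_attempts(self) -> List[AuditEntry]:
        """Denied accesses are the entries worth alerting on and reviewing annually."""
        return [e for e in self.audit_log if not e.granted]


def build_sample_store() -> RecordingStore:
    """Constructed sample data: two recordings handled by two different agents."""
    return RecordingStore(recordings={
        "rec-1": Recording("rec-1", agent_id="u-agent-1"),
        "rec-2": Recording("rec-2", agent_id="u-agent-2"),
    })


if __name__ == "__main__":
    store = build_sample_store()
    store.fetch(User("u-qa", "qa_analyst"), "rec-1", "10.0.0.5", FIXED_NOW)
    store.fetch(User("u-agent-1", "agent"), "rec-2", "10.0.0.6", FIXED_NOW)
    store.fetch(User("u-fin", "finance"), "rec-1", "10.0.0.7", FIXED_NOW)
    for entry in store.audit_log:
        print(entry)
```

The point of logging the denials is that the audit log becomes a detection source as well as a compliance artefact: a finance user or an agent repeatedly requesting colleagues' recordings shows up immediately, and the same log satisfies the "who accessed what, when, from where" retention requirement.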

Data residency under DPDP Act

The DPDP Act allows cross-border transfer of personal data except to countries the government specifically restricts (the "negative list", which is short and updated rarely). Practically:

  • Storing call recordings on AWS Mumbai or any Indian cloud region — no issue
  • Storing on AWS US-East-1 — allowed unless the destination country is on the government's negative list (rare)
  • For BFSI customers — the RBI's *Storage of Payment System Data* directive requires data to be stored only in India. If you record calls involving payment data, you fall under this; you must store the recordings in an Indian region.
  • Defence, govt, sectoral regulators (IRDAI, SEBI, TRAI) may impose their own residency rules.

The safe default is to store all call recordings in an Indian cloud region or on-prem in India. There is no economic downside (AWS Mumbai pricing is competitive) and you sidestep the regulatory ambiguity.

Retention — how long to keep recordings

DPDP Act says personal data must be erased once the purpose is fulfilled. For call recordings, "purpose fulfilled" is fuzzy. Industry norms:

| Use case | Retention |
|---|---|
| Banking / financial services | 5-7 years (RBI / SEBI guidelines) |
| Insurance | 5 years (IRDAI) |
| Healthcare | 3 years minimum, longer for medical records |
| General B2B SaaS sales | 1-3 years |
| Marketing / OBD broadcasts | 6-12 months |
| Internal team training (anonymised) | indefinite once anonymised |

Pick a retention schedule and apply it programmatically — delete recordings older than the threshold automatically. Manual cleanup never gets done.

dialque applies the configured retention at the campaign level; once a recording crosses the threshold it is deleted from storage and the link in the database is nulled.

Data subject rights under DPDP Act

Recipients (Data Principals) have:

  • Right to access — they can request a copy of their call recording
  • Right to correction — for the metadata around the recording (their phone number, the campaign they were called for)
  • Right to erasure — they can ask you to delete their recording
  • Right to grievance — they can complain to your designated Grievance Officer

You need a Grievance Officer appointed and contactable. Most teams put this on the legal page; dialque's customers do the same. The Grievance Officer must respond to requests within statutory timelines (currently 30 days).

When a customer requests erasure of their recording:

  1. Locate the recording (your dialer's UI should support search by recipient phone number)
  2. Verify identity (do not just delete on someone's email request)
  3. Delete from storage + recording-log entry; retain a tombstone showing it was deleted on request
  4. Confirm in writing to the requester
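The programmatic retention described under "Retention" and the four-step erasure procedure above share the same mechanics: find the recording, delete the audio object, null the link in the database, and leave a tombstone saying why it went. The block below is an added example covering both, not dialque's implementation: the per-campaign retention schedule, the in-memory store, the fixed clock and the sample recordings are constructed, `deleted_blobs` stands in for the object-store delete call, and identity verification is modelled as a boolean the caller has already established.

```python
"""Retention enforcement and request-driven erasure of call recordings, with tombstones.

Added example (not dialque's code). Schedule, store and sample data are constructed;
in production `_delete` would remove the object from S3 (or equivalent) and the
tombstone would be a row in the same database where the recording link is nulled.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed per-campaign retention schedule in days, following the table's bands.
RETENTION_DAYS: Dict[str, int] = {
    "bfsi-collections": 7 * 365,
    "saas-sales": 2 * 365,
    "marketing-obd": 180,
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for the example


@dataclass
class Recording:
    recording_id: str
    campaign: str
    recipient_phone: str
    recorded_at: datetime
    storage_key: Optional[str]    # None once the audio object has been deleted


@dataclass(frozen=True)
class Tombstone:
    recording_id: str
    deleted_at: str               # ISO 8601, UTC
    reason: str                   # "retention_expired" or "erasure_request"


@dataclass
class RecordingStore:
    recordings: Dict[str, Recording]
    tombstones: List[Tombstone] = field(default_factory=list)
    deleted_blobs: List[str] = field(default_factory=list)   # stands in for the S3 delete

    def _delete(self, rec: Recording, reason: str, now: datetime) -> None:
        """Delete the audio, null the link, keep the metadata row plus a tombstone."""
        if rec.storage_key is not None:
            self.deleted_blobs.append(rec.storage_key)
            rec.storage_key = None
        self.tombstones.append(Tombstone(rec.recording_id, now.isoformat(), reason))

    def enforce_retention(self, now: datetime) -> List[str]:
        """Delete audio for every recording older than its campaign's threshold.

        Meant to run on a schedule; returns the ids it expired so the run can be logged.
        A campaign with no configured schedule is skipped and should be surfaced for
        review rather than silently kept forever or deleted by a guessed default.
        """
        expired: List[str] = []
        for rec in self.recordings.values():
            limit = RETENTION_DAYS.get(rec.campaign)
            if limit is None or rec.storage_key is None:
                continue
            if now - rec.recorded_at > timedelta(days=limit):
                self._delete(rec, "retention_expired", now)
                expired.append(rec.recording_id)
        return expired

    def erase_on_request(self, recipient_phone: str, identity_verified: bool,
                         now: datetime) -> List[str]:
        """Steps 1-3 of the erasure procedure: locate by number, check identity, delete.

        Returns the ids erased so step 4 (written confirmation) can list them.
        """
        if not identity_verified:
            raise PermissionError("identity not verified; refusing to erase on request")
        erased: List[str] = []
        for rec in self.recordings.values():
            if rec.recipient_phone == recipient_phone and rec.storage_key is not None:
                self._delete(rec, "erasure_request", now)
                erased.append(rec.recording_id)
        return erased


def build_sample_store() -> RecordingStore:
    """Constructed sample: three recordings of different ages across two campaigns."""
    return RecordingStore(recordings={
        "rec-1": Recording("rec-1", "marketing-obd", "+919800000001",
                           NOW - timedelta(days=200), "recordings/rec-1.wav"),
        "rec-2": Recording("rec-2", "marketing-obd", "+919800000002",
                           NOW - timedelta(days=30), "recordings/rec-2.wav"),
        "rec-3": Recording("rec-3", "saas-sales", "+919800000001",
                           NOW - timedelta(days=400), "recordings/rec-3.wav"),
    })


if __name__ == "__main__":
    store = build_sample_store()
    print("expired by retention:", store.enforce_retention(NOW))
    print("erased on request:", store.erase_on_request("+919800000001", True, NOW))
    for t in store.tombstones:
        print(t)
```

Two design choices matter here. The metadata row survives deletion with its link nulled, so a later access request can be answered with "deleted on <date> because <reason>" instead of silence, which is exactly the evidence the Grievance Officer needs if a complaint escalates. And erasure refuses to run without verified identity, so an unverified email asking to "delete my recording" cannot be used to destroy evidence of someone else's call.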

Penalties under DPDP Act

The Act allows penalties up to ₹250 crore per instance for major violations (security breach, large-scale processing without lawful basis). Routine non-compliance penalties are in the ₹10 lakh to ₹2 crore range. The Data Protection Board has been signalling enforcement is real and is increasingly active.

Practically, most enforcement starts with a complaint from a Data Principal — they ask for their recording, you cannot find it / refuse / take 90 days — and escalates.

Operational checklist

  • Recording disclosure plays at the start of every recorded call
  • Opt-out path works and is logged
  • Encryption at rest (S3 SSE-KMS or equivalent)
  • Encryption in transit (TLS)
  • Access control by role; audit log of every recording access retained 1+ year
  • Retention policy defined per campaign and enforced programmatically
  • Grievance Officer designated, contactable, response SLA defined
  • Annual review of who has access, with revocation of stale access
  • Backup tested quarterly
  • Data residency aligned with customer's regulatory category (BFSI / non-BFSI)

Frequently asked questions

Do I need explicit verbal consent on every call?

No. Notification (disclosure announcement) satisfies the requirement provided you give them a way to opt out.

Can I record calls to agents without their consent?

Same rule applies. The agent must be informed (covered in their employment terms + onboarding) and the same security practices apply to internal recordings.

What if my customer says "do not record me" mid-call?

Stop the recording. Most dialers support pausing recording mid-call via a hotkey or agent-side button.

How does this differ from GDPR?

GDPR has stricter consent requirements (opt-in, not opt-out) and broader scope. If your customer base includes EU residents, follow GDPR for them.

Can I share recordings with my client (we are a BPO)?

Yes if the client has lawful basis to receive them (typically: they are the Data Fiduciary and you are their Data Processor). Document this in your service contract.

India is not a "no rules" jurisdiction for call recordings — the DPDP Act has put a real framework in place that contact centres are still catching up to. The good news: the rules are sensible and mostly already covered if you use a serious dialer + cloud storage with default-on encryption. The work lies in process: notification, opt-out, retention schedule, grievance officer, and audit log.