Compliance Red Flag: Recording Without DPDP-Compliant Consent

Why legacy 'this call may be recorded' disclaimers fail DPDP Act standards and what compliant consent requires.
Gistly
April 2026

Your IVR says “this call may be recorded for quality and training purposes.” It has said that for years. Under India’s old IT Act regime, that was sufficient. Under the Digital Personal Data Protection Act, 2023, it is not.

A QA manager at a 300-agent BPO in Pune discovered this during a compliance readiness assessment. Their legal team reviewed the IVR script and flagged it.

What Is Wrong With “This Call May Be Recorded”

The legacy disclaimer fails the DPDP Act on multiple counts.

It is vague about purpose. “Quality and training purposes” is not specific enough. The DPDP Act requires consent tied to a clearly stated, specific purpose.

It is passive, not affirmative. The phrase “may be recorded” is a notification, not a consent request. The DPDP Act requires consent that is free, specific, informed, and unambiguous.

There is no withdrawal mechanism. Under Section 6 of the DPDP Act, a data principal has the right to withdraw consent at any time.

It does not account for multilingual requirements. Consent that a caller cannot understand is not informed consent.

The DPDP Standard: What Explicit Consent Requires

Under Section 6, consent must be free, specific, informed, and unconditional.

For call recordings, this means the caller must be told exactly what data is being collected, the stated purpose must be specific, the caller must have a genuine option to decline, and consent must be documented in an auditable format.

Penalties: fines up to Rs 250 crore (approximately $30 million) for significant breaches. Non-compliant recordings create a self-documenting paper trail.

The Fix: Updated Consent + Real-Time Monitoring

Update your IVR and agent scripts. Replace the generic disclaimer with language that meets the four DPDP criteria.

Monitor compliance on 100% of calls. AI-powered call auditing evaluates every call for consent delivery.

Gistly’s approach follows The Compliance Loop: Detect missing consent statements. Flag violations. Coach agents. Verify corrections. Monitor continuously.

With 100% call auditing, a consent script failure is caught on the first call.

Gistly Quotable: “A passive disclaimer is not consent. Under the DPDP Act, every call recorded without explicit, informed, purpose-specific consent is a documented violation sitting in your own call logs.”

Does the DPDP Act apply to all call recordings?

Yes. Call recordings capture voice data, names, account numbers — all personal data under the DPDP Act.

How is DPDP consent different from the old IT Act approach?

The old regime allowed implied consent. The DPDP Act requires consent that is free, specific, informed, and unambiguous, plus the right to withdraw at any time.

Can AI detect whether an agent delivered the consent script?

Yes. Conversation intelligence platforms evaluate every call against consent criteria and flag calls where any element is missing.
