TRAI Compliance for AI Calling: The 7 Rules Every Indian SMB Founder Must Know

In 2026, TRAI has escalated penalties on outbound commercial calls three times in 18 months. The first-violation fine is now ₹2 lakh plus a 15-day operator suspension. Repeat violations climb to ₹10 lakh plus blacklisting. Severe non-compliance can result in complete telecom-resource disconnection. And TRAI's automated AI monitoring system is now flagging suspected spam callers BEFORE any formal customer complaint is filed.

If you're running an Indian business that calls leads — whether through human telecallers, automated dialers, or AI calling agents — you're operating in one of the most regulated outbound-calling jurisdictions in the world. The typical SMB founder I talk to has never heard of half the rules.

I run QuotaHit, an AI sales department for Indian SMBs. Compliance is a feature, not a bureaucratic afterthought — and I've spent the last month deep in the regulation books, talking to telecom lawyers, and registering with DLT platforms. Here's what every founder making outbound calls in India needs to know in 2026.

1. Every outbound business call needs DLT-registered headers

DLT — Distributed Ledger Technology — is the blockchain-style system the four major Indian telecom operators (Jio, Airtel, Vi, BSNL) use to track who's allowed to send commercial communications. SMS got DLT-locked in 2020. Voice calls followed.

If you're calling customers from a number that isn't registered in DLT under your company's entity name, three things happen:

• Your caller ID may not display properly on Truecaller (which has 250M+ Indian users)
• Indian operators flag your number as suspected spam within 50-100 outbound calls
• A customer complaint triggers TRAI's automated compliance system — first violation, ₹2 lakh fine; severe violations, complete telecom-resource disconnection

Registration is per-operator, costs about ₹5,900 + GST per entity per operator (so ₹26,000 total for full coverage), and takes 3-7 business days each. You register your business entity (using GSTIN + PAN), then attach approved caller-ID headers (e.g., "QuotaHit" or "QHQH" — alphanumeric strings under 6 characters for transactional, longer for promotional).

If you're using a calling platform like Twilio that doesn't sell Indian DIDs anymore (Twilio dropped India outbound DIDs in August 2024, by the way — that's a separate issue most foreign SaaS users haven't caught up to), you'll need to switch to Plivo, Exotel, Vobiz, or another India-native provider that can issue 140-series numbers tied to your DLT registration.

2. The 140-series isn't optional anymore

In 2024, TRAI mandated that all promotional and transactional voice traffic in India route through the 140-series number range — a specifically-allocated block (140, 141, …, 149) for legitimate commercial calling.

If your business is calling customers from a regular 10-digit Indian mobile number, or worse, from an international caller ID (which is what happens by default with Twilio and most foreign telephony APIs), you're not just non-compliant — you're guaranteed to hit operator-side spam classification within days.

The 140-series tells the operator: "this is a registered commercial call, route it through with the header I've assigned, deliver it without spam-filtering." It's expensive enough (typically ₹1,500-5,000/month per number depending on provider) that fly-by-night scammers can't afford it, which is exactly the point.

3. NDNC scrubbing is required before every campaign

The National Do Not Call (NDNC) registry — also called the National Customer Preference Register — is the Indian equivalent of America's Do-Not-Call list. Any consumer can register their number; commercial callers are legally required to scrub every outbound list against the registry before dialing.

Here's the part most SMB founders miss: it's not a one-time check. The registry updates daily. A number that wasn't on the list yesterday may be on it today. You need to scrub before every campaign, not just before you import the contact list.

Third-party APIs like 2Factor.in and the operator-side DLT portals offer real-time NDNC checks. Expect to pay ₹3,000-5,000/month for an API subscription that handles the scrub at the volume an SMB-tier customer would need.

Penalty for calling an NDNC-listed number: ₹2 lakh first violation, climbing to ₹10 lakh for repeats, plus operator-side disconnection at the severe end.

4. The 10 AM to 7 PM rule (recipient local time)

TCCCPR 2018 (Telecom Commercial Communications Customer Preference Regulations) explicitly prohibits commercial voice calls before 10 AM or after 7 PM in the recipient's local time zone. No exceptions for "they submitted a form" or "they're an existing customer."

If you're running an outbound sales operation that lets enthusiastic BDEs dial at 9 PM because that's when the founder is most likely to pick up, you're committing a violation per call. With AI calling specifically — where the "call instantly on form submission" promise is the whole product — you need explicit time-window enforcement.

At QuotaHit, this is a cron-scheduled check before every dial. If the form is submitted at 9:47 PM IST, the call queues until 10:00 AM the next morning. This is non-negotiable. The 5-second response time advantage I wrote about in last week's post comes with an asterisk: 5 seconds during operating hours, queued otherwise.

5. The mandatory AI disclosure script

If you're using an AI voice agent — which an increasing percentage of Indian SMBs are, since ChatGPT made voice cloning consumer-grade in 2024 — you must disclose this in the first few seconds of the call.

TRAI's guidance, as of the second amendment to TCCCPR in February 2025, requires the following elements in any AI-generated commercial voice call:

1. Company name ("Hi, this is [Agent Name] from [Company Name]")
2. AI disclosure ("This is an AI-assisted call")
3. Recording disclosure if you're recording ("This call is being recorded for quality")
4. Opt-out availability (caller can opt out by saying "remove me" or pressing a key)

The current QuotaHit script does this in 12 words: "Hi [name], this is Angelina from QuotaHit calling about your demo request. Quick heads-up — this is an AI sales call and it's being recorded for quality. Got a quick minute?"

Skip any of these four elements and a single complaint can trigger investigation. The script can sound natural and warm — TRAI doesn't mandate it sound robotic, just that it be clear.

6. DPDPA changes the data-handling game

The Digital Personal Data Protection Act 2023 went into force in stages through 2025. By Q2 2026, all stages are active. For AI calling, two clauses matter most:

Consent for data collection. When you record a call and store the caller's name, phone number, and transcript, you're processing personal data. The caller must have given consent — either explicitly (a checkbox on the form they submitted) or by continuing the call after the disclosure ("call is being recorded — got a quick minute?" + their continued participation counts as implied consent in the current guidance, but explicit checkbox is safer).

Data retention policy. You can't keep call recordings forever. You need a documented retention period (typically 12 months for audit purposes), an automated deletion workflow, and a way for a data principal to request their data be erased ("right to be forgotten").

DPDPA penalties for non-compliance are dramatic — up to ₹250 crore for severe violations affecting many users. For SMB-scale operations, the practical risk is being audited after a single complaint and being asked to produce your retention policy and consent flow. If you can't, the fine is whatever the Data Protection Board decides feels appropriate.

7. The opt-out workflow (process within 48 hours)

When a caller says "remove me from your list" — or sends a written request, or asks the AI to stop — you have 24 to 48 hours to process the removal across every list, every CRM, every automation. After that, calling them again is a separate violation.

In practice this means:

• Your AI bot needs to detect opt-out intent and flag the contact immediately (most AI agents I've audited from Indian SMB SaaS vendors do NOT have this wired)
• Your CRM needs to honor a do_not_call: true flag on every outbound call attempt
• Your outbound queue/cron needs to re-check the flag before dialing, not just at import time
• You need an audit trail showing when the opt-out was received and when the contact was suppressed

A well-configured AI calling product handles this automatically. A poorly-configured one accidentally calls the same opt-out customer two more times because the campaign was already queued. TRAI considers each of those a separate violation.

What this looks like as a budget

For an Indian SMB shipping the compliance stack properly in 2026:

Most SMB founders I've talked to are surprised by this number — they assumed AI calling was just "plug in OpenAI and go." The infrastructure cost of legitimate compliance is real, and it's why we're seeing a wave of fly-by-night AI calling tools getting de-platformed every quarter while compliant operators stick around.

The strategic angle

Compliance isn't just a cost center. It's a moat.

When I demo QuotaHit to a sophisticated founder — somebody who's already burned money on an unverified AI calling vendor that got their number blacklisted — the conversation goes differently the moment I show them the DLT registration certificate and the NDNC integration. They've seen what happens to vendors who skip this. They want to rent the compliance layer, not build it themselves.

The competitive map looks like this in mid-2026:

• Global AI SDR products (11x, Artisan, Regie): priced in USD, no India compliance stack at all. Cannot legally operate at scale in India.
• Indian voice infrastructure (Bolna, Sarvam): deep compliance support, but no SDR product on top. You buy them to build with.
• Old-guard Indian dialers (Knowlarity, MyOperator, Exotel): compliance-ready but not AI-agent-native. They route human-driven calls, not autonomous conversations.

The opening is a fully-compliant, AI-native, India-priced SDR product. That's what we're building.

If you're a founder running outbound calls in India and you've been operating in the "we'll worry about compliance later" mode, the math has changed. The fines are now real, the operator-side detection is now automated, and the first violation is no longer just a slap on the wrist. Move now or pay later.

I'll write about the GST + Stripe India billing setup for SMB SaaS in the next post — another regulatory layer most founders learn about painfully on the way to their first paying customer.