Call Recording Compliance in India: 2026 Retention Rules

Complete guide to call recording compliance in India — RBI 5-year rule, DPDP consent, encryption, residency and retention by industry.

15 May 2026 · 9 min read

Every Indian call center records its calls. Far fewer record them legally. Recording compliance has tightened sharply with the DPDP Act 2023, and BFSI has had to follow RBI guidelines for years. Here's the complete 2026 picture: what's required, what's recommended and what gets you in trouble.

Three frameworks govern call recording in India:

  1. Indian Telegraph Act 1885 — recording is legal with at least one party's consent. The business is the consenting party; the customer is informed.
  2. DPDP Act 2023 — recordings contain personal data, so consent records, retention windows, encryption and India residency apply.
  3. Sectoral regulations — RBI for BFSI, IRDAI for insurance, sectoral guidance for healthcare.

Retention windows by industry

| Industry | Minimum retention | Source |
|---|---|---|
| BFSI (banks, NBFCs, fintech) | 5 years from call date | RBI guidance |
| Insurance tele-verification | 5 years | IRDAI |
| Healthcare (general) | 1-3 years | State medical councils |
| E-commerce / general | 1 year | DPDP best practice |
| Collections (BFSI) | 5+ years; longer if disputed | RBI |

Longer is fine; shorter is risky. If a customer complaint or regulatory query lands, your recording is your evidence.

Encryption + residency requirements

[Figure: Call recording encryption flow: TLS 1.3 in transit, AES-256 at rest. End-to-end encryption from agent headset to long-term storage.]

  • In transit: TLS 1.3 between handset and server, no exceptions
  • At rest: AES-256 with rotating keys, encrypted file system
  • Residency: Indian data center (AWS Mumbai / Hyderabad, Azure India, GCP Mumbai). Global regions are not DPDP-compliant for Indian personal data
  • Backups: encrypted, geo-redundant within India only

DPDP requires explicit consent for processing personal data. For call recording, this means:

  1. Recorded audio notice at call start: "This call may be recorded for quality and compliance."
  2. Logged consent record per call — timestamp + recipient + notice played confirmation
  3. Configurable per state if local regulations are stricter
  4. Customer can request a copy of their recording (DPDP data subject right)
  5. Customer can request deletion after retention window expires

Access controls — who can play recordings

[Figure: Role-based access control for call recordings. Five access roles every compliant CCaaS supports.]

  • Agent — can NOT play their own recordings (prevents tampering)
  • Supervisor — can play recent recordings of their team for QA
  • Compliance officer — full historical access for audits
  • Customer (DPDP data subject) — can request a copy of their own call
  • Auditor (external) — read-only with watermark, time-bounded access

Every play action should be logged with who, when and why, and the logs should be retained as long as the recordings themselves. Kedeyo's cloud contact center ships these access controls and audit logs by default.
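A sketch of the five roles and the who/when/why log as a single authorization check. This is an added example, not Kedeyo's code; the 30-day supervisor window, the field names and the in-memory log are assumptions, and agents are denied all playback rather than only their own calls.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the page does not define "recent"; 30 days is a placeholder.
SUPERVISOR_WINDOW = timedelta(days=30)
AUDIT_LOG = []  # stand-in for an append-only store kept as long as the recordings

@dataclass
class Recording:
    rec_id: str
    agent_id: str
    team: str
    customer_id: str
    recorded_at: datetime

@dataclass
class Principal:
    user_id: str
    role: str  # agent | supervisor | compliance | customer | auditor
    team: Optional[str] = None
    access_expires: Optional[datetime] = None  # set for external auditors

def authorize_play(p, rec, reason, now):
    """Decide one play request and log who/when/why, whether allowed or denied."""
    if not reason.strip():
        allowed, detail = False, "no reason supplied"
    elif p.role == "compliance":
        allowed, detail = True, "full historical access"
    elif p.role == "supervisor":
        allowed = p.team == rec.team and now - rec.recorded_at <= SUPERVISOR_WINDOW
        detail = "recent recording of own team" if allowed else "other team or too old"
    elif p.role == "customer":
        allowed = p.user_id == rec.customer_id
        detail = "copy of own call" if allowed else "not the data subject"
    elif p.role == "auditor":
        allowed = p.access_expires is not None and now < p.access_expires
        detail = "read-only, watermarked" if allowed else "access window closed"
    else:  # agents and unknown roles are denied by default
        allowed, detail = False, "role may not play recordings"
    AUDIT_LOG.append({"who": p.user_id, "role": p.role, "when": now.isoformat(),
                      "why": reason, "recording": rec.rec_id,
                      "allowed": allowed, "detail": detail})
    return allowed

# Constructed sample data
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)
REC = Recording("rec-001", "agent-7", "collections", "cust-42", NOW - timedelta(days=3))
```

Denied attempts are logged as well, which is what lets a reviewer spot a pattern of unauthorised access in the log.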

What auditors actually look for

  1. Random sample of 10 recordings — are they playable, encrypted, retained?
  2. Consent record for each — was the recorded notice played at call start?
  3. Access log — who's been pulling recordings recently? Pattern of unauthorised access?
  4. Retention policy alignment — does the data deletion match your stated retention windows?
  5. Disposal log — when recordings ARE deleted, is the deletion verified and logged?

Common gotchas

  • Recordings stored in Singapore / EU regions — DPDP non-compliant for Indian customer data
  • Agents able to download recordings — fraud risk, audit fail
  • No consent notice — silent recording is a DPDP violation
  • Inconsistent retention — same data type with different deletion dates across systems
  • No disposal proof — when retention expires, deletion needs a verifiable record
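The auditor checks and gotchas above can be run as a self-audit over recording metadata before an auditor does it for you. This is an added example, not a vendor tool; the field names and sample records are constructed, the region codes are AWS's for Mumbai and Hyderabad, and healthcare uses the upper end of the 1-3 year range as an assumption.

```python
from datetime import date

# Minimum retention in years, from the table above. Healthcare is listed as
# 1-3 years; the upper bound is used here (assumption: longer is the safe side).
MIN_RETENTION_YEARS = {"bfsi": 5, "insurance": 5, "healthcare": 3, "general": 1}
# AWS region codes for Mumbai and Hyderabad; other providers need their own entries.
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}

def retention_end(call_date, industry):
    """Earliest date a recording may be deleted."""
    year = call_date.year + MIN_RETENTION_YEARS[industry]
    try:
        return call_date.replace(year=year)
    except ValueError:  # call on 29 Feb, target year not a leap year
        return date(year, 3, 1)  # round up, never down

def audit_recording(rec):
    """Return the list of findings for one recording's metadata."""
    findings = []
    if rec["region"] not in INDIA_REGIONS:
        findings.append("residency")
    if rec.get("cipher_at_rest") != "AES-256":
        findings.append("encryption")
    consent = rec.get("consent") or {}
    if not (consent.get("notice_played") and consent.get("timestamp")):
        findings.append("consent")
    deleted_on = rec.get("deleted_on")
    if deleted_on is not None:
        if deleted_on < retention_end(rec["call_date"], rec["industry"]):
            findings.append("deleted-early")
        if not rec.get("disposal_log_id"):
            findings.append("no-disposal-proof")
    return findings

# Constructed sample metadata (field names are hypothetical, not a vendor schema)
OK_CONSENT = {"notice_played": True, "timestamp": "2021-03-10T09:00:02+05:30"}
SAMPLE = [
    {"id": "r1", "industry": "bfsi", "call_date": date(2021, 3, 10),
     "region": "ap-south-1", "cipher_at_rest": "AES-256", "consent": OK_CONSENT,
     "deleted_on": date(2026, 4, 1), "disposal_log_id": "d-881"},
    {"id": "r2", "industry": "bfsi", "call_date": date(2022, 6, 1),
     "region": "ap-southeast-1", "cipher_at_rest": "AES-256", "consent": None,
     "deleted_on": date(2025, 6, 1)},
    {"id": "r3", "industry": "general", "call_date": date(2024, 2, 29),
     "region": "ap-south-2", "consent": OK_CONSENT},
]

def audit_sample(records):
    return {r["id"]: audit_recording(r) for r in records}
```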

Bottom line

Call recording compliance in India isn't optional. The fix is structural — pick a CCaaS that defaults to AES-256, India residency, role-based access and audit logs, then layer your industry's retention window on top. Read our TRAI DND compliance guide for the related outbound-calling rules. Reference: RBI's official site for the BFSI retention guidance.

Frequently asked questions

Is call recording legal in India?
Yes, with consent. The Indian Telegraph Act and DPDP Act 2023 require at least one party to consent — typically the business, with a recorded notice to the customer at call start.

How long must I retain call recordings?
BFSI: 5+ years (RBI). Healthcare: 1-3 years per state. General business: 1 year minimum. Longer if a complaint is filed.

Where can I store the recordings?
Indian data centers under DPDP. Global cloud regions (Ireland, US, Singapore) are non-compliant for Indian personal data.

Do I need to inform customers their call is being recorded?
Yes — best practice and DPDP-aligned. A short recorded notice at the start of the call ("This call may be recorded for quality and compliance") satisfies the consent requirement.

What about the encryption requirement?
AES-256 at rest, TLS 1.3 in transit. Plus role-based access — only authorised compliance / QA staff should be able to play recordings.

Kedeyo Editorial

Reviewed by the Kedeyo product team

Last updated: 15 May 2026