The legal layer is what kills AI campaigns that didn't take it seriously. Every state in India has seen 2–3 cases in 2024–25 where a campaign was sanctioned for AI-related compliance issues — undisclosed AI calls, DND violations, voter data misuse, deepfakes of opponents. The sanctions ranged from warnings to FIRs.
This guide is the legal map, written in plain English. Four laws and regulations apply to AI voice campaigns in India, and they overlap in important ways. Get this right at the start; trying to fix it during the campaign is roughly impossible.
The four-layer legal stack
In rough order of operational impact on a campaign:
- ECI 2024 Synthetic Content Advisory — political-specific rules for AI use
- TRAI TCCCPR 2018 — outbound commercial communication rules
- DPDP Act 2023 — personal data processing
- IT Rules 2021 — intermediary and online content rules
Each has its own enforcer, its own remedies and its own time pressure. A campaign that ignores any one of them is exposed to ban-level risk.
Layer 1: ECI 2024 Synthetic Content Advisory
Issued by the Election Commission of India in March 2024 ahead of the General Election. The advisory has three specific requirements that directly govern AI voice agents.
Requirement 1: Disclosure of AI-generated content
Any campaign-generated content that is AI-produced — audio, video, image, text — must be labelled clearly. For voice calls, this means the agent's opening must self-identify as AI.
Compliant opening: "नमस्कार, मैं [Agent Name] हूँ — [Candidate]'s campaign की AI सहायक..."
Non-compliant opening: "नमस्कार, [Candidate] बोल रहा हूँ..."
The line between candidate voice cloning (allowed, with disclosure) and impersonation (banned) is exactly here.
Requirement 2: Prohibition of deepfakes of opponents
AI-generated content depicting an opponent in scenarios they didn't actually appear in — saying things they didn't say, doing things they didn't do — is explicitly banned. Sanctions are immediate: takedown order, fine, and in severe cases referral for disqualification.
This applies to voice as well as video. Synthetic audio of an opponent making a fake statement is a hard violation.
Requirement 3: Takedown obligations
If a candidate's campaign produces or distributes AI-generated content that is found in violation, the ECI can order immediate takedown across all platforms. Failing to comply within a specified time window triggers escalated sanctions.
Operational implications
- Lock the system prompt's AI-disclosure line so the campaign cannot edit it out.
- Maintain an audit log of every AI-generated piece of content the campaign has used.
- Have a 24×7 takedown response capability — usually means a designated compliance officer with authority to pull content within 4 hours.
Layer 2: TRAI TCCCPR 2018
Telecom Commercial Communications Customer Preference Regulations. The main framework for outbound calls and SMS in India.
DLT (Distributed Ledger Technology)
All commercial communications must be sent from DLT-registered sender IDs using pre-approved templates. For AI voice campaigns:
- Sender ID registration: each phone number used as a sender must be registered with the originating telco.
- Template approval: the agent's opening line (and any standardised phrases) must be submitted and approved as templates.
- Turnaround time: typically 5–7 business days for political templates.
DND (Do Not Call) registry
Voters who have registered on the National DND must not be called. The TRAI registry is real-time queryable. Your voter list must be scrubbed against it before every call wave (not just once at the start of the campaign — it updates daily).
- Calling a DND-registered voter is a per-violation offense.
- Repeat violations can result in your sender IDs being blocked at the carrier level.
Time-of-day rules
TRAI restricts commercial communications to specific windows:
- Promotional calls: 9 AM – 9 PM
- Some states have stricter windows during election periods
Election-window restrictions
The ECI's Model Code of Conduct kicks in once election notification is issued. During this period:
- Additional restrictions on bulk outbound communication
- 48-hour silent period before polling — no campaign communication allowed
- Polling-day window: only voter-information communication allowed (no persuasion)
Layer 3: DPDP Act 2023
India's Data Protection Digital Personal Act. Applies to all processing of personal data of natural persons. Political campaigns have no exemption.
Key obligations
1. Lawful basis for processing. The campaign must have a documented basis for processing voter data. For data from the ECI electoral roll, the basis is typically "performance of a public function" — but the campaign must record this rationale.
2. Stated purpose. The campaign must document why the data is being collected and processed. "Political outreach" is too vague — be specific: "Outbound voice contact to inform voters about candidate and capture feedback on local issues."
3. Retention limit. The data cannot be retained indefinitely. The campaign must specify a retention period — typically 24 months for political-data retention with explicit purpose-bound use.
4. Right to erasure. A voter who asks to be removed from the list must be removed across all surfaces (active calls, transcripts, sentiment dashboards) within a reasonable time. The de facto industry standard is 7 days.
5. Cross-border data transfer. DPDP defaults to India-residency unless the destination is on the approved-jurisdictions list. Voter data, call recordings and transcripts should be stored on India-hosted infrastructure.
6. Significant data fiduciary. Large campaigns processing data of >5 million voters may be designated significant data fiduciaries by the Data Protection Board, triggering additional obligations: appointing a Data Protection Officer, conducting impact assessments, undergoing periodic audits.
Operational implications
- Choose a vendor whose infrastructure is in India.
- Document the data flow diagram (voter list → ingestion → call → transcript → analytics) and retain it.
- Build a working right-to-erasure pipeline before launch — not after the first request.
- Hash phone numbers in storage where possible; plaintext only in transit.
Layer 4: IT Rules 2021
Officially the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. Mostly applies to intermediaries (social media platforms, messaging apps) but two parts touch campaigns directly.
Social media political ads
Platforms (Meta, Google, X) must label political ads, maintain transparency reports, and ensure the campaign is registered as a political advertiser. If you're running AI-generated ads on social platforms, the labels must clearly indicate the political nature plus the AI-generation.
Traceability
For messaging apps (especially WhatsApp), originators of significant content can be traced in case of misinformation events. If your campaign's volunteer-run WhatsApp groups distribute AI-generated content, the originator can be identified — which means the campaign is accountable.
Compliance checklist for AI voice campaigns
A simplified to-do for a campaign launching an AI voice agent:
- System prompt audit: AI disclosure in opening; no impersonation; no opponent attacks.
- DLT registration: sender IDs registered with telco; templates approved.
- DND scrub: voter list scrubbed before every call wave.
- DPDP documentation: data flow diagram; retention policy; consent framework; right-to-erasure pipeline.
- India residency: vendor confirms infrastructure is India-hosted.
- Audit log: every system prompt change, every model swap, every release timestamped.
- Voice clone consent: if applicable, candidate consent documented and time-stamped.
- Takedown response: 24×7 compliance officer with takedown authority.
- ECI Model Code awareness: 48-hour silent period respected; polling-day rules respected.
- Insurance / indemnity: legal protection for the campaign in case of vendor fault.
What ECI is likely to update for 2027
Based on the trajectory of the 2024 advisory and the Data Protection Board's recent guidance:
1. Mandatory visual AI labelling. The 2024 advisory mostly focuses on audio/video. Expect a 2027 update that explicitly requires labelling of AI-generated images.
2. Stricter rules on cross-party AI content. Today, deepfakes of opponents are banned. Expect a broader rule covering any AI-generated content that mentions an opponent in a derogatory manner — even if technically real.
3. Permitted-vendor registry. A possible registry of AI vendors approved for political work. Vendors who haven't completed an ECI-defined certification process may not be allowed to operate.
4. Real-time complaint windows. Currently voters can complain about misuse but the resolution timeline is weeks. Expect tighter SLAs — possibly 24-hour takedown for category-A violations.
5. Standardised disclosure language. A specific phrase or template that the AI must use in its opening. Today the language is at the campaign's discretion within rules; the future may have a prescribed format.
What goes wrong in practice
Common compliance failures from the 2024-25 cycle:
1. The "we'll add disclosure later" failure
Campaigns launch without AI disclosure, get an ECI notice, retrofit the disclosure mid-campaign. The notice and corrective action both end up in press coverage. Reputational damage exceeds any time saved.
2. Stale DND lists
Campaign loads the DND list at the start of the cycle and never refreshes it. Voters who registered for DND later still get called. TRAI cumulative complaints add up; sender IDs blocked late in campaign.
3. Cross-border infrastructure
Campaign uses a US-based vendor whose infrastructure is in US datacentres. DPDP violation surfaces during compliance review — by which point millions of records are stored outside India.
4. Voice clone without consent
A campaign clones the candidate's voice from public speeches, no consent paperwork. Candidate later disputes the AI's specific phrasing; the campaign has no consent document to defend itself with.
5. Audit log gaps
Campaign deploys multiple system prompt revisions, doesn't log changes. When a controversy hits ("what was the agent saying on March 14?"), the campaign cannot reproduce the state on that date.
What good compliance looks like
The campaigns that handled this well in 2024 shared a few patterns:
- Compliance officer designated at kickoff. Not added as an afterthought. Has authority to block content, halt waves, escalate to leadership.
- Legal counsel reviews the system prompt. Word by word. Especially the forbidden-behaviours section and the opening disclosure.
- Monthly compliance review during campaign. What changed in the legal landscape? What new state-level guidance was issued?
- Pre-launch dry run with simulated ECI inquiry. "If we got a notice tomorrow asking us to produce all our voice agent activity since launch, could we?". If the answer is no, fix it before launch.
Where AiSewak fits
AiSewak's defaults are aligned to the compliance frame above:
- System prompt template with locked AI-disclosure line
- TRAI-DLT integration with major Indian telcos
- DND scrubbing as a default pre-flight step before every call wave
- India-hosted infrastructure (DPDP residency satisfied)
- Hashed phone storage with audit trail
- Working right-to-erasure pipeline (7-day SLA)
- Audit log of all system prompt and model changes
- Voice clone consent capture workflow
This is what "compliant by default" looks like. Vendors who don't ship these defaults are passing the compliance work to you.
Where to go next
- 10 Must-Have Features — feature checklist
- The 30-Day Deployment Playbook — execution
- AI Agent for Indian Elections: ECI, Bhashini, Bhasha Stack — India deep dive
- Voter Sentiment Analysis — analytics layer
Compliance is not optional. It is the difference between a campaign that ships an AI agent and a campaign that ends up on the front page for the wrong reasons.