Outbound Call Regulations in India

Telemarketing Number Series: Telemarketers are mandated to use only designated phone number series (the 140 series) for outbound commercial calls, so that such calls are identifiable and traceable. Using ordinary 10-digit numbers for marketing calls is prohibited – if a company or its agents use normal personal numbers to make spam calls, telecom providers will disconnect those numbers on the first complaint and blacklist the caller for two years. In fact, TRAI's rules explicitly forbid any subscriber (individual or business) from engaging in telemarketing via a regular number; telemarketing must be done through registered routes only.

Penalties for Violations: Violating DND rules can lead to escalating penalties and eventual blacklisting as laid out by TRAI's regulations (e.g. fines that increase with each offense and permanent disconnection after repeated violations).

Enforcement of DNC: Consumers who have registered for DND should not receive commercial calls. If they do (after 7 days of registration), they can lodge a complaint via a toll-free short code 1909 (phone or SMS) or the DND complaint app. TRAI requires mobile operators to investigate and take action on such complaints. TRAI has also set time-of-day restrictions on telemarketing: promotional calls or texts are not allowed between 9:00 PM and 9:00 AM to prevent nuisance during off hours. Even for numbers not on the DND list, marketers must observe this quiet period. Together, these rules form a strict Do Not Call regime that outbound call centers in India must build into their processes (e.g. scrubbing calling lists daily against the updated DND registry, honoring consumer opt-out requests, and limiting call times).

Official Databases (DND Lists): The official DND registry (NCPR) is maintained under TRAI's oversight. Telemarketers get access to NCPR data – typically via an online portal or through their telecom service provider – once they register and obtain a telemarketer ID. The National Consumer Preference Portal (NCPR website) lists all registered telemarketers and provides tools to check a phone number's DND status. Companies operating call centers must regularly download or query the NCPR to filter out numbers that have opted out before initiating any campaign. This is usually a built-in compliance step for outbound dialer systems in India.

"Do Not Originate" (DNO) concept: In addition to "Do Not Call," regulators worldwide have introduced the idea of Do Not Originate lists, which block certain numbers from ever being used as caller ID. These are typically numbers that should only receive inbound calls (e.g. emergency numbers, banking hotlines) and would never legitimately make outbound calls. If such a number appears as the caller ID, it's certainly spoofed by a scammer. In India, the focus to date has been on DND, but the DNO concept is recognized. A DNO list is essentially a blacklist of numbers that carriers must never allow to originate calls, including invalid or unassigned numbers and inbound-only numbers. TRAI has discussed measures like DNO in the context of combating spoofed robocalls (for example, preventing scammers from impersonating official helpline numbers). While as of 2025 India has not rolled out a nationwide DNO registry, regulators are working on caller-ID authentication frameworks and may implement DNO policies in the future as an anti-spoofing tool. In practice, Indian telecom providers do take ad-hoc action to block calls purporting to originate from known inbound-only numbers (like 1800 helplines or 112 emergency line) even without a formal DNO list. Outbound call centers should be aware that spoofing numbers (especially government or bank numbers that aren't meant for outgoing calls) is illegal and such traffic will be filtered or blocked if detected.

Consent Requirements: For a call center, this means that using a person's contact number for an outbound call must have a lawful basis – typically the person's informed consent for that specific purpose, unless another legitimate ground applies. The DPDPA requires consent to be "free, specific, informed, and unambiguous" with a clear affirmative action by the individual. In practical terms, if a company is cold-calling prospects, it needs to have obtained their number legitimately and not in violation of privacy choices (for example, calling people on the DND list without explicit consent could violate both TRAI regulations and the DPDPA's consent requirements).

Obligations under DPDPA: The law imposes duties on organizations to protect personal data and respect user rights. Data Fiduciaries must publish a privacy policy and give individuals notice of how their data will be used. Any personal data collected during calls (e.g. call recordings, lead information, phone numbers) can only be used for the purpose stated at collection and must not be retained longer than necessary. They also must secure it with reasonable safeguards to prevent leaks or unauthorized access. Individuals have new data subject rights, including the right to access information on what data a company has about them, to correct or erase their data, and to grievance redressal in case of issues. For example, if a consumer who was contacted by a telemarketer later asks, "What information of mine do you have on file?", the company is obliged to answer and comply with any legitimate request to delete or correct that data. Outbound call centers should build procedures to handle such requests (similar to GDPR's data subject access requests).

Call Recording Considerations: Notably, if a call is recorded (which itself is personal data, as it contains the person's voice and possibly sensitive information they share), the individual should be informed and the recording should only be used for the stated purposes (say, "quality and training") unless further consent is obtained. Under DPDPA's transparency and consent principles, it's good practice to play a message like "This call may be recorded for quality purposes" at the start of a call, thereby informing the person and implicitly obtaining consent by them continuing. Companies will also need to ensure secure storage and limited retention of call recordings, since the law mandates protecting personal data and not keeping it longer than needed.

Compliance for Domestic vs Foreign Entities: Importantly, India's data protection requirements have extraterritorial reach. The DPDPA applies to any processing of digital personal data within India, and also to processing outside India if it is in connection with offering goods or services to people in India. In other words, a foreign call center or company calling Indian consumers falls under the law's scope. Both Indian companies and foreign companies dealing with Indian user data must comply with the DPDPA (with a few exceptions for personal/domestic use, and for small offline businesses, etc.). There is no blanket exemption just because the entity is not physically in India.

Enforcement and Penalties: The law establishes a Data Protection Board of India (DPB) as the enforcement authority. Individuals (data principals) can lodge complaints with the DPB if their data rights are violated, for the Board to investigate and adjudicate. The DPB has powers to order remedies and impose substantial financial penalties for non-compliance. For example, a company that makes unauthorized calls using personal data without consent, or suffers a data breach of call recordings, could be fined. The DPDPA allows penalties that can go up to hundreds of crores of rupees (several million USD) for large-scale violations. The Board can even direct that a company's access to certain data be blocked or suspend its operations (e.g. block a website or app) if it repeatedly flouts the law.

Comparison to GDPR: The Indian DPDPA is somewhat simpler and more "business-friendly" than GDPR, but it embodies similar principles of user consent, data minimization, and accountability. Like GDPR, it defines personal data broadly and gives data principals rights over their information. One difference is that DPDPA does not categorize data into special sensitive classes with bespoke rules – it uses a more uniform approach. Also, cross-border data transfer rules under DPDPA are more relaxed: the Act allows personal data to be transferred outside India by default, except to countries that the government may notify as restricted for data transfers (a "negative list"). This means an outbound call center can store or process data outside India, provided it ensures compliance and the destination is not on a banned list. By contrast, earlier drafts had stricter localization requirements, which were dropped to facilitate business. That said, large enterprises may have extra duties. If a company is designated as a Significant Data Fiduciary (based on criteria like volume of data, risk to users, etc., to be determined by the government), it will have additional compliance burdens. These can include appointing an in-country Data Protection Officer and an independent data auditor, and submitting to periodic Data Protection Impact Assessments. A foreign firm that targets millions of Indian users might fall in this category and thus need to, for example, hire a local DPO based in India.

In summary, outbound call centers should treat personal data of Indian consumers with the same care as they would under GDPR – obtain proper consent (especially for marketing calls), provide opt-out and disclosure mechanisms, and protect any data collected during calls. Non-compliance can trigger both telecom penalties (under TRAI's rules) and data privacy penalties under the DPDPA.

India historically regulated call center operations through specialized telecom rules, although these have been liberalized recently to ease business. Key regulations specific to running call centers include telecom licensing rules (OSP guidelines), rules on call recording and customer consent, caller identification requirements, and various dialing practice restrictions:

Telecom Licensing and OSP Guidelines: Call centers in India are typically classified as "Other Service Providers" (OSPs) by the Department of Telecommunications. OSPs are essentially business process outsourcing centers that use telecom resources to provide services like telemarketing, customer support, etc. Until 2020, OSPs had to register with DoT and comply with numerous restrictions (such as no interconnection between domestic and international centers, mandatory security deposits, etc.). However, in a major reform, DoT issued new guidelines in November 2020 eliminating the registration requirement and loosening many rules to encourage the industry. No license or registration certificate is now required for OSP call centers in India. Operators are free to use telecom resources from authorized carriers as needed. The updated OSP regime permits interconnecting multiple call center locations via VPN, using centralized or cloud-based PBX systems, and even allows agents to work from home with secure connections.

In effect, running a call center does not require a special telecom license as long as the center is not providing telecom services itself but merely using licensed telecom operators' facilities. That said, OSPs must still follow the general telecom law: they cannot, for instance, route calls in a way that bypasses authorized networks or tariffs (a practice known as "toll bypass"). If an outbound call center in India needs to call international numbers or receive international calls, it must do so through duly licensed International Long Distance (ILD) operators or permitted VoIP gateways. The OSP guidelines now allow carrying voice traffic over VPNs or private leased circuits for flexibility, but any termination of international calls onto the Indian PSTN (public phone network) must go through an ILD license holder. In summary, the regulatory burden on the infrastructure/setup of call centers is much lighter now – no upfront permission needed – but call centers are expected to use only authorized telecom resources (e.g. phone lines, SIP trunks from telecom companies) and to keep call detail records as required. DoT can audit or take action if a call center is found engaging in illegal telecom routing or not cooperating with lawful interception orders, etc.

Caller ID and Number Presentation: Outbound calling operations must adhere to India's rules on caller identification. Spoofing or misrepresenting the caller ID is illegal. TRAI's Telecom Commercial Communication Customer Preference Regulations (TCCCPR) require that telemarketers use numbers specifically allocated for telemarketing, ensuring the nature of the call is apparent to the recipient. Telemarketing voice calls are required to originate from numbers in the 140 series – a special prefix range designated nationally for promotional calls. This way, when a customer sees a number beginning with 140x… on their caller ID, they can recognize it as a marketing or business call. Normal 10-digit mobile numbers should not be used for bulk outbound campaigns. In mid-2024, to further refine this system, DoT introduced an additional series: numbers beginning with 160 have been allotted exclusively for service or transactional calls (as opposed to pure promotions). For example, one-time password calls or important account-related alerts from a bank would come from a 160xxxxx number, whereas telemarketing or sales calls might come from 140xxxxx numbers. This differentiation helps consumers trust genuine service calls and ignore likely spam.

By September 2024, TRAI has directed all telecom operators to integrate these 140/160 series calls into a blockchain-based platform for monitoring. For a call center, this means when you get your outgoing lines from a carrier, you will be assigned an approved number (or numbers) in those series as your caller IDs. Presenting any caller ID that you have not been allocated, or masking your identity, is prohibited. Indian telecom networks deploy filters to block calls that show unauthorized or impossible caller IDs (for instance, a call originating from abroad that displays an Indian 10-digit number is likely to be flagged and blocked as spoofed). Outbound call centers should ensure the number displayed to call recipients is valid and traceable to them. They should also display a telephone number that a consumer can call back or message (for opt-out) wherever feasible.

Consent and Call Recording: In India, it is legal for a party to a phone call to record the conversation without separately informing the other party, as there's no explicit two-party consent law for call recording in private conversations. A call center (being one party on the call) can therefore record calls with customers for legitimate purposes like training or quality assurance. However, from a privacy and consumer rights standpoint, it is strongly advised to obtain the customer's consent or at least give a prior notification. Most reputable call centers play a pre-recorded message at the call start ("This call may be recorded for quality purposes") – this serves as notice, and the customer's decision to continue the call can be taken as implied consent. Under the new DPDPA, recording someone's call would count as processing their personal data, so you should have a basis for it (consent or another lawful purpose) and you must handle that recording securely.

Customer consent is also crucial for the call content itself. If the call is telemarketing, the customer's number should not be called at all unless they have either not registered on DND or have otherwise consented to that category of call. Additionally, some types of calls require explicit consent – for example, auto-dialed pre-recorded marketing messages (robocalls) are generally not allowed without the called party's prior consent. In practice, live agent calls for telemarketing rely on the consumer not having opted out (DND) or having opted in via some signup. If during a call a consumer says "I do not want to continue" or asks not to be called again, that withdrawal of consent must be honored. The DPDPA gives individuals the right to withdraw consent at any time, and once that happens, the organization should stop processing their data for that purpose – meaning no more marketing calls to that person.

Operational Rules (Call Timing, Frequency, etc.): Outbound call centers must be mindful of rules intended to prevent harassment. As noted, TRAI's UCC regulations prohibit marketing calls during certain hours (no calls before 9 AM or after 9 PM local time). They also limit the frequency of contact – while there isn't a hard numeric cap in the law on how many times you can call a person, placing too many unsolicited calls to the same number could be deemed an "unfair trade practice" or harassment. The Consumer Protection Act, 2019 in India includes provisions against unfair commercial practices, and persistently bothering consumers who have declined offers could fall afoul of that. In regulated sectors, there are specific rules too: for instance, the Reserve Bank of India (RBI) has a code of conduct for debt recovery agents that restricts when they can call borrowers and mandates they respect borrower privacy. Similar guidance exists for insurance telemarketing via IRDAI. So, call centers should implement policies like "no more than X call attempts to the same person in Y days" and only call within approved times, to stay within the spirit of consumer protection laws.

International Calling and CLI Masking: If an outbound call center in India is dialing international numbers (customers abroad) or receiving calls from abroad to connect to local agents, certain telecom rules apply. India does not allow completely free VoIP-to-PSTN interconnection without regulation – any international outgoing voice traffic generally should go out through an ILD operator or an IP telephony service permitted under telecom licenses. The OSP guidelines now permit use of VPN for carrying voice, which means an Indian call center can route calls from a foreign client's network into India over a private data link. However, once those calls need to terminate to an Indian phone, they must patch into the PSTN via a local telecom operator.

"Masking" in a benign sense (using a centralized number to connect two parties) is allowed – for example, some services mask the agent's personal number by using a central trunk number to connect to customers. This is fine as long as the number used is one assigned for that service. What is not allowed is masking the true origin of an international call by making it appear as local. Telecom operators in India have systems to detect anomalous caller IDs – e.g. if a call from an overseas network comes in with an Indian mobile number as caller ID, the networks will likely block it since an Indian mobile number should originate within India. Similarly, if a call center in India is calling customers abroad, they should comply with the numbering regulations of the destination country (and possibly present a valid caller ID for callback). Indian authorities cooperate internationally to combat spoofed calls and have been exploring frameworks like STIR/SHAKEN (caller ID authentication) to further ensure authenticity of call origin.

In summary, running an outbound call center in India requires compliance with both telecom regulations (using only authorized lines, presenting proper caller ID, respecting DND preferences, timing rules) and data/privacy regulations (consent for marketing, proper handling of personal data, not recording or sharing information without authorization). Many of these requirements are operationalized through technology – for example, dialer systems that automatically filter DND numbers and enforce calling hour limits – and through training agents on compliance (such as reading consent scripts). Non-compliance can lead to phone lines being cut off by telcos, monetary fines, or other legal action from regulators.

Multiple authorities in India oversee various aspects of outbound calling, from telecom compliance to consumer protection to data privacy. Key regulatory bodies include:

Consumer Protection and Sector-Specific Authorities

Unwanted calls can be seen as a consumer rights issue, so consumer protection bodies also have a role. The Central Consumer Protection Authority (CCPA), under the Consumer Affairs Ministry, can act against companies for unfair trade practices. If an outbound calling campaign constitutes harassment or mis-selling (for example, persistent deceptive marketing calls even after opt-out), the CCPA could potentially intervene under the Consumer Protection Act.

There are also sector-specific regulators that watch over how their industry contacts consumers. For instance, the Insurance Regulatory and Development Authority of India (IRDAI) issued directives to insurance companies telling them to strictly follow TRAI's telemarketing rules – not to engage unregistered telemarketers or call DND customers. The Reserve Bank of India (RBI) has guidelines for banks and loan recovery agents on fair calling practices (time limits, no intimidation, etc.). Such regulators coordinate with TRAI; in fact, TRAI formed a Joint Committee of Regulators (JCoR) including RBI, SEBI, IRDAI, etc., to address unsolicited communications across sectors. So, depending on the context of the calls (telemarketing, debt collection, service calls), a call center might be answerable to one of these agencies as well.

Enforcement Agencies

While not regulators per se, it's worth noting that law enforcement can come into play for certain abusive call scenarios. Scam or fraudulent calls (like phishing attempts or impersonation calls) are dealt with by cybercrime cells and the police, under laws such as the Indian Penal Code and IT Act. DoT and TRAI share spam call reports with law enforcement when the calls involve fraud. So, a compliant outbound call center should ensure it doesn't stray into any activity that could be seen as an unlawful nuisance or fraud, lest it attract police action.

Online Resources

Each of these authorities has online portals or resources:

• TRAI – provides regulations, consumer DND registration, and complaint facilities.
• DoT and Sanchar Saathi portal – provides telecom guidelines and tools like SIM check and spam report (Chakshu).
• MeitY – publishes the text of laws like DPDPA and will host Data Protection Board information.
• CCPA – issues notices on unfair practices.
• IRDAI – issues circulars to insurers to comply with telemarketing norms.

Outbound call organizations need to be cognizant of all these regulators: TRAI and DoT for telecom compliance, MeitY/DPB for data handling, and consumer protection or sector regulators for industry-specific conduct rules.

Organizations operating outbound calling services in India must interact with several official registries and compliance portals:

National Customer Preference Register (NCPR) – DND List: This is the official "Do Not Call" database in India, managed under TRAI's direction. Every company that wants to make marketing calls or send marketing SMS in India must consult the NCPR. To do so, the company (or its outsourced call center) first registers as a telemarketer. Upon registration, they receive credentials to access the NCPR data (either by downloading lists of DND numbers or via an API/query). The NCPR portal (formerly at nccptrai.gov.in) allows filtering of numbers by preference. Companies are expected to scrub their calling lists against the NCPR on a regular (often weekly) basis so that they do not contact any number on the Do Not Disturb list. The NCPR/DND list is continuously updated as consumers register or change preferences, and telemarketers must keep up-to-date. There is also a facility for companies to check a specific number's DND registration status on the portal. In essence, accessing the NCPR is not just a one-time event but an ongoing compliance process. Telemarketing firms typically integrate this with their dialer software – before a call is placed, the number is checked against the DND database. Non-compliance (calling DND-listed numbers without explicit consent) can lead to complaints and penalties.

Telemarketer Registration (TRAI & Access Providers): As noted, any entity making outbound commercial calls must register as a telemarketer. This is usually done through one of the telephone service providers (TSPs). For example, if you get bulk calling lines from Airtel or Jio, they will require you to complete a telemarketer registration per TRAI rules. Registration involves providing your business details and agreeing to follow the anti-spam guidelines. TRAI maintains a central registry of telemarketers — the list of registered telemarketers (with their IDs, company name, address, etc.) is publicly available. Companies can verify if a vendor is a properly registered telemarketer via this list.

To streamline operations, TRAI introduced a Distributed Ledger Technology (DLT) platform in recent years. All principal entities (the companies initiating communication) and telemarketers must register on a DLT portal operated by telecom operators, as part of TCCCPR 2018 compliance. Through the DLT system, telemarketers register their sender IDs (headers) and even templates of messages or call scripts. Initially this was focused on SMS content, but it's being extended to voice calls as well. By September 2024, voice call workflows on the 140/160 series are mandated to be on the DLT platform, meaning every promotional call can be logged and tracked on the ledger. For an outbound call center, this means an upfront step is to sign up on the relevant DLT portal (each major mobile operator has one, interconnected with others) and register your entity and consent templates. The registration portals are online – typically, after submitting KYC documents and a letter of authorization, the telemarketer is issued a unique Registration ID (e.g., ERMS** digits) which is used in all communications. Without this registration, telecom operators are instructed to block outgoing traffic – TRAI has directed telcos to disconnect any lines being used for unregistered telemarketing. Thus, legitimate outbound call operations must complete this registration before launching campaigns.

Sanchar Saathi (TAFCOP/Chakshu): The DoT's Sanchar Saathi portal is primarily aimed at consumers for managing mobile connections and reporting fraudulent communications. Within this, the Chakshu tool is a newer analytics platform where suspicious call patterns can be reported and analyzed. While not a registration for companies, it's a database relevant to outbound calls because companies could end up being flagged there if their call patterns trigger too many complaints. It's advisable for call centers to monitor feedback and complaints (through 1909 or other channels) to avoid appearing in such spam/fraud reports.

Digital Personal Data Protection Compliance: Under the DPDPA, there isn't a requirement for general data controllers to register with the government (unlike some earlier data protection bill drafts). However, certain classifications bring added obligations. If a company is notified as a Significant Data Fiduciary (SDF), it will have to register a Data Protection Officer (DPO) and perhaps a representative in India. The DPO's name and contact information would need to be provided to the Data Protection Board for official records. Additionally, SDFs must undergo periodic data audits by independent auditors. These are internal compliance measures but involve interaction with the Data Protection Board (for filing audit reports, etc.).

There is also likely to be a requirement to report certain types of data breaches to the Data Protection Board and perhaps inform affected individuals, once the rules are notified. So in terms of "portals": once the DPB is operational, expect an online interface for organizations to notify breaches and for individuals to file complaints. Companies might also have to engage with a government-designated consent manager system (the DPDP Act mentions that individuals may give or manage consent through consent manager platforms, which would then liaise with businesses). While details are emerging, outbound call centers that deal with personal data at scale should prepare to register or nominate compliance personnel (such as a DPO) when required and to possibly register with any official grievance or consent platforms under the new law.

Other Industry Databases: Depending on the domain of calling, there may be other registration requirements. For example, a call center making outbound collections calls on behalf of banks might need to be registered as a debt recovery agent with the RBI or the bank itself. Those making insurance sales calls may need to be registered with IRDAI as a telemarketer or insurance intermediary. These are not national databases like DND, but industry-specific accreditation. The main ones to highlight remain the TRAI/DoT mechanisms for telecom and the MeitY/DPB mechanisms for data protection.

How and Where to Register

In summary, companies should take the following steps:

1. Telemarketer Registration: Register with an access provider (telecom operator) or via the TRAI distributed ledger system to get a Telemarketer ID. This usually involves online submission of documents on portals provided by operators (e.g., Vodafone Idea's DLT portal, Jio's DLT portal, etc.). Once approved, the entity can register headers and templates as needed.
2. NDNC/NCPR Subscription: Using the telemarketer credentials, subscribe to NCPR data. TRAI provides a way for registered telemarketers to download the DND lists or query numbers. This might be through the Telecom Commercial Communication Preference portal (which is the interface to NCPR). Ensure technical integration so that your dialing lists are cleaned against it.
3. Data Protection Preparations: Appoint a data protection lead. If likely to be classified as significant, be ready to appoint a DPO in India and perhaps register them once the Board starts such registrations. Keep an eye on MeitY's announcements for any Data Protection compliance portal launch (for filing compliance reports or breach notices).
4. Company Identifiers: If you are a foreign entity, consider setting up a local presence or at least an Indian point-of-contact to handle regulatory interactions. While not strictly a "registration," having an address in India for serving notices (or an agent to respond to authorities) is practical, especially under the DPDPA which will expect an address for communication from every data fiduciary (even if abroad).

By fulfilling these registration requirements and using the official databases (like DND lists), outbound call centers can lawfully operate and avoid heavy disruptions (such as having their phone lines blocked by carriers or facing legal sanctions).

Extraterritorial Application of Rules: India's outbound call regulations are not limited to domestically incorporated companies. If a foreign company – say a call center or an overseas firm – makes outbound calls to people in India, it is largely expected to follow the same rules as an Indian entity would. There are a few aspects to this:

Do Not Call compliance: The fact that a call originates outside India does not exempt it from DND requirements. Legally, any unsolicited commercial communication directed at an Indian number falls under TRAI's UCC regulations. In practice, a foreign call center won't have a direct interface with TRAI (since they might not be registered telemarketers in India), but the Indian carriers that carry international calls do implement spam filtering. For example, if an overseas operation repeatedly calls numbers on India's DND list, those calls will likely result in recipients complaining via 1909. Indian telecom operators trace unsolicited calls and have been directed by TRAI to cut off resources to offending telemarketers. While disconnecting a foreign caller is not straightforward, what happens is Indian operators can block the incoming routes or patterns associated with that caller. Many foreign scam call operations find their calls being blocked at Indian gateways when abuse is detected. Thus, foreign companies are indirectly forced to honor the DND list if they want their calls to successfully connect.

The recommended approach for a foreign entity is to partner with an India-registered telemarketer or telecom provider. For instance, a UK call center calling Indian customers may contract with an Indian telecom carrier to terminate those calls; that carrier will require DND scrubbing and will provide a 140/160 series number for use. If the foreign company tries to route calls into India through illegitimate means (e.g. "grey route" VoIP gateways that make the call look local), they run afoul of DoT's telecom laws and the calls are likely to be blocked as spam/fraud.

Data Protection Law: The DPDPA explicitly covers processing of Indian personal data by entities even if they are located abroad. So a foreign company calling Indian consumers is a "Data Fiduciary" under Indian law with respect to those consumers' data. This means they should abide by consent requirements, purpose limitation, etc., just as an Indian company would. If a UK or US company, for example, is cold-calling Indian individuals without consent and misusing their data, in theory the Data Protection Board of India could take action against that company. Enforcement internationally can be challenging, but the law arms the government with tools like blocking the company's services in India or prohibiting transfers of data to it. Also, if the foreign company has any presence or assets in India, penalties can be pursued.

Practically, any serious enterprise engaging with Indian customers will want to voluntarily comply with DPDPA to maintain goodwill and avoid sanctions. This might involve, for instance, providing Indian data principals with a privacy notice, honoring opt-out requests, and appointing an India-based representative or DPO if required. Notably, if a foreign company is large-scale in India's market, it could be tagged as a Significant Data Fiduciary, which would compel it to appoint a local DPO and undergo audits – effectively drawing it further into the Indian regulatory net.

Cross-Border Telemarketing Operations: Many foreign firms outsource their calling to Indian BPOs, and conversely some Indian companies outsource to foreign call centers. If a foreign call center is directly calling Indian customers, it's wise for them to register as a telemarketer in India via a local partner. While not strictly mandated by law (since registration is tied to having an Indian telecom connection), doing so gives them a sanctioned identity (Telemarketer ID) and access to the DND registry. Without that, they rely on guesswork and risk regulatory action. We see some foreign businesses choosing to incorporate a subsidiary in India to handle local calling compliance. Another route is using cloud telephony providers in India – for example, a foreign company can use an Indian cloud call service which will ensure all TRAI rules are followed (calls come from 140-series numbers, etc.). In short, foreign entities are expected to "play by the rules" if they enter Indian telecom space, typically by working through Indian licensed operators who enforce those rules.

Consequences of Non-Compliance for Foreign Players: If a company abroad ignores Indian DNC or privacy rules, they may initially still get some calls through, but over time they can face increasing call failure rates (due to blocking) and even legal designation as a spam source. Indian authorities have at times taken up the issue of cross-border scam calls with foreign governments (for example, many spam/extortion calls come from abroad; DoT and MEA coordinate to tackle those). For a bona fide business, the damage to reputation and customer trust by not following regulations would be significant. Additionally, under consumer protection laws, if an overseas company indulges in abusive calling, Indian consumers could file complaints in Indian courts or consumer forums, which could lead to banning orders or financial judgments enforceable if the company has any Indian presence.

To summarize, foreign companies targeting Indian users via phone calls are subject to Indian outbound call regulations in practice and principle. Such companies should:

• Use Indian-assigned telemarketing numbers (rather than random international numbers) so that calls appear with the proper 140/160 prefix and pass through spam filters.
• Honor the National DND registry – i.e., do not call numbers fetched from India without verifying they haven't opted out. Ideally, use an Indian data vendor or partner who can scrub contact lists against the NCPR.
• Obtain clear consent for any marketing calls (the combination of DND rules and data protection law essentially makes unsolicited calls to fully opted-out consumers unlawful).
• Comply with data protection obligations: if collecting any personal data from calls (even just the fact someone answered or responded), treat that data under DPDPA requirements. This includes providing a way for an Indian consumer to exercise their rights (for example, an email or India address to request "do not call me" or deletion of their data).
• Be prepared to appoint an India-based representative or officer if the scale of activity demands. While not every foreign company will need a presence, having a local point of contact for regulators (and even customers) is beneficial.

In essence, Indian regulations have a long arm. The telecom network and data protection frameworks are designed such that even foreign-to-India calls must respect Indian consumer choices and privacy. Companies abroad cannot hide behind their jurisdiction when calling Indian phones – if they want reliable connectivity and to build customer relationships in India, they must follow the Indian "do not call" and data privacy rules just as any domestic call center would.