Building Compliant AI Voice Agents For New Zealand and Australia

Cold calling with AI voice agents is fast, scalable, and cost-effective. But if you don't get compliance right, you're asking for fines, complaints, and brand damage.

Whether you're operating in New Zealand under the Privacy Act 2020 or in Australia under the Privacy Act 1988 and the Do Not Call Register Act 2006, here’s what matters: Your voice agents must be built with structure, transparency, and control.

The Cost of Getting It Wrong

In New Zealand, breaching the Privacy Act 2020 can lead to investigations by the Privacy Commissioner, reputational damage, and financial penalties of up to $10,000 per complaint. But the real risk is often broader: compliance failures can trigger media scrutiny and permanent loss of customer trust.

In Australia, the stakes are even higher. Under the Privacy Act 1988 and the Do Not Call Register Act 2006, serious breaches can attract fines of up to $2.5 million AUD, with escalating penalties for repeat offences.

We have also covered compliant calling in the United States in a separate post.

Here’s how we ensure our AI agents meet those standards and how you can too.

1. Get the Law Right

New Zealand:

  • The governing law is the Privacy Act 2020.

  • It regulates how personal information is collected, stored, used, and disclosed — even by AI.

Australia:

  • Two key laws apply:

    • Privacy Act 1988 – Covers handling of personal information.

    • Do Not Call Register Act 2006 – Requires businesses to check against the national DNC register before making telemarketing calls to private numbers.

Failing to comply in either country can result in:

  • Investigations by privacy regulators

  • Penalties and enforcement action

  • Damaged brand trust and customer complaints

2. Why Prompt Design and Guardrails Matter

AI voice agents follow instructions. If those instructions (prompts) aren’t tight, you risk:

  • Improvisation under pressure

  • Giving incorrect legal answers

  • Ignoring a do-not-call request

  • Making illegal or misleading statements

That’s why prompt engineering is the core compliance layer. Every Retell agent is built with structured multi-step flows that lock in:

  • What the agent says

  • When it says it

  • How it responds to objections, privacy concerns, and legal questions

3. Checklist: What Every AI Voice Agent Needs to Be Compliant

Use this as a non-negotiable list when deploying outbound AI calls:

Clear Identification

  • Always introduce the agent as an AI voice assistant

  • State the business name and purpose of the call

Example: “Hi, I’m an AI voice assistant calling on behalf of [Company Name] to help with [Purpose].”

Visible Caller ID

  • No blocked, hidden, or unknown numbers

  • Number must be traceable back to the business

Time-of-Day Restrictions

  • Agents should only call between allowed hours (typically 9am–6pm business days)

  • Avoid weekends and public holidays unless prior consent exists

Embedded Privacy Law Knowledge

Agents must know how to respond if someone asks any of the following (see our guide below for what the agent can say):

  • “Is this legal?”

  • “Are you recording me?”

  • “Where did you get my number?”

  • “What’s your privacy policy?”

Example Prompt:
“This call complies with the Privacy Act 2020 in New Zealand. If you’d like more information, you can view our full privacy policy at [URL].”

All this should be built into the agent’s knowledge base for real-time access.

Immediate Do Not Call Handling

If the person says:

  • “Don’t call me again”

  • “Remove me from your list”

  • “I didn’t consent to this”

The AI should:

  1. Acknowledge the request

  2. Confirm the number will be removed

  3. Immediately terminate the call

  4. Trigger a Do Not Call flag in your system

Example Prompt:
“Understood. I’ve removed your number from our contact list. You won’t be contacted again.”

This response is logged and actioned without delay.
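The time-of-day rule and the Do Not Call steps above can both be enforced in code outside the prompt. The following is an added example, not Waboom's or Retell's code: `Suppression`, `handle_opt_out`, `may_dial` and `key` are hypothetical names, the store is an in-memory stand-in for a CRM, and the 9am–6pm window is the page's typical figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

CALL_START, CALL_END = time(9, 0), time(18, 0)   # the page's typical window
DNC_REPLY = ("Understood. I've removed your number from our contact list. "
             "You won't be contacted again.")

def key(number: str) -> str:
    """Strip spaces and punctuation so one number cannot evade its own flag."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")

@dataclass
class Suppression:
    """Hypothetical in-memory stand-in for the CRM's Do Not Call flag."""
    flagged: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def handle_opt_out(self, number: str, when: datetime) -> dict:
        # Step 4 runs first: flag and log before speaking, so a dropped
        # call cannot lose the request.
        self.flagged.add(key(number))
        self.audit.append((when.isoformat(), key(number), "do_not_call"))
        # Steps 1-3: acknowledge, confirm removal, end the call.
        return {"say": DNC_REPLY, "end_call": True}

def may_dial(number, local_now, store, holidays=(), consented=False):
    """Pre-dial gate. local_now is the callee's local time, not the server's;
    holidays is a collection of datetime.date objects."""
    if key(number) in store.flagged:
        return False, "do_not_call"        # prior consent never overrides this
    if not (CALL_START <= local_now.time() < CALL_END):
        return False, "outside_hours"
    off_day = local_now.weekday() >= 5 or local_now.date() in holidays
    if off_day and not consented:
        return False, "weekend_or_holiday"
    return True, "ok"
```

Running the gate in the dialer rather than in the prompt means a flagged number is refused even if the agent's script is changed or bypassed.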

Escalation Protocol

Some people want to speak to a human. That’s fair.

Prompt:
“I understand. I’ll ask one of our team members to follow up with you directly.”

Set a task or notification for your team to follow up within 24 hours.

4. How Retell Makes This Work

With Retell, we bake compliance into every voice agent from day one. Here’s how:

  • Prompt guardrails that prevent off-script responses

  • Custom knowledge bases for legal and company-specific FAQs: we upload our FAQ and law guidance for the agent to know.

  • Multi-step flows that adapt to user responses while staying within legal bounds

  • Webhook + API support to update DNC lists, CRM tags, and escalation systems in real time

Compliance Isn't Optional

Every call your AI makes reflects your brand. If it's misleading, unclear, or legally shaky — people notice. Regulators notice too.

Compliance isn’t a blocker. It’s a competitive advantage. When you show you respect privacy, people are more likely to engage — and your team avoids costly fallout.

AI Voice Agent Q&A Primer: Legal, Privacy & Compliance

Each of these should be pre-programmed into your agent’s knowledge base and linked to the flow logic. This ensures your agent responds accurately, respectfully, and in line with legislation.

❓“Is this legal?”
✅ Agent Response:
“Yes, this call complies with the Privacy Act 2020 in New Zealand [or Privacy Act 1988 in Australia] and all relevant communication laws. If you'd like to end the call, I’ll do that now.”

❓“Are you a real person?”
✅ Agent Response:
“I’m an AI voice assistant calling on behalf of [Company Name]. I can help with your query, and you’re welcome to end the call at any time.”

❓“Are you recording this call?”
✅ Agent Response (if not recording):
“No, this call is not being recorded. It’s a live AI interaction, and nothing you say will be stored or reused.”
✅ Agent Response (if recording):
“Yes, this call may be recorded for quality and training purposes. You can choose to end the call at any time.”

❓“Where did you get my number?”
✅ Agent Response:
“This number was sourced through publicly available business listings or provided during a previous interaction with [Company Name]. If you'd like to be removed, I can take care of that now.”

❓“What’s your privacy policy?”
✅ Agent Response:
“You can view our full privacy policy at [privacy_policy_url]. It explains how we handle, store, and protect your information.”

❓“Remove me from your list” / “Don’t call me again”
✅ Agent Response:
“Understood. I’ve removed your number from our contact list. You will not receive any more calls from us. Thank you and goodbye.”

🔁 Behind the scenes:
- Trigger webhook/API call to suppress number in CRM
- Log as “Do Not Call” event
- End call

❓“Who gave you permission to call me?”
✅ Agent Response:
“We are calling business or publicly listed numbers only. If this is a personal line or you did not request contact, I’ll remove you from our list immediately.”

❓“What laws do you comply with?”
✅ Agent Response (NZ):
“We follow the Privacy Act 2020 in New Zealand. This governs how your information is collected and used.”
✅ Agent Response (AU):
“We comply with the Privacy Act 1988 and the Do Not Call Register Act 2006 in Australia.”

❓“Who are you representing?”
✅ Agent Response:
“I’m calling on behalf of [Company Name], a registered business in [Country]. You can verify us at [company_website_url].”

❓“Can I talk to a real person?”
✅ Agent Response:
“Yes, I’ll ask one of our team members to contact you directly. Is there a good time for someone to reach out?”

🔁 Behind the scenes:
- Create task in CRM for manual follow-up
- Log request and tag as “human escalation”

❓“Is this a scam?”
✅ Agent Response:
“No, this is a legitimate call from [Company Name]. You can visit our website at [company_website_url] or call our main number to verify.”

❓“You’re breaking the law calling me.”
✅ Agent Response:
“I understand your concern. This call is intended for business outreach and complies with applicable privacy laws. I’ll remove your number now if you’d prefer not to be contacted.”

🧠 Pro Tip: Link Q&A to Specific Keywords
Trigger responses when the agent hears:
- “Privacy”
- “Legal”
- “Record”
- “Permission”
- “Scam”
- “Remove”
- “Do not call”
- “Real person”
- “Compliant”

Use multi-intent detection or fallback paths to make sure nothing slips through.
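One way to wire the keyword list to multi-intent detection with a fallback path is sketched below. This is an added example, not Waboom's or Retell's code: the `RULES` table, intent names and ranking are assumptions. It shows why normalisation matters: “Don’t call me again” contains none of the listed keywords until the contraction is expanded.

```python
import re

# (rank, intent, pattern, ends_call): patterns cover the page's keyword list.
# Lower rank wins; opt-out outranks everything because it must end the call.
RULES = [
    (0, "opt_out", r"\bremove|\bdo not call\b", True),
    (1, "human_escalation", r"\breal person\b", False),
    (2, "recording", r"\brecord", False),
    (2, "legal", r"\b(?:il)?legal|\bcomplian|\bpermission", False),
    (2, "scam", r"\bscam", False),
    (2, "privacy", r"\bprivacy\b", False),
]

def normalise(utterance: str) -> str:
    """Lower-case, straighten apostrophes and expand "don't" so that
    "Don’t call me again" hits the "do not call" keyword."""
    text = utterance.lower().replace("\u2019", "'")
    text = re.sub(r"\bdon't\b", "do not", text)
    return re.sub(r"\s+", " ", text).strip()

def route(utterance: str) -> dict:
    """Return every matched intent, highest priority first."""
    text = normalise(utterance)
    hits = [(rank, name, ends) for rank, name, pat, ends in RULES
            if re.search(pat, text)]
    if not hits:
        # Fallback path: a scripted clarification, never free improvisation.
        return {"intents": ["fallback"], "end_call": False}
    hits.sort(key=lambda h: h[0])  # stable: table order kept within a rank
    return {"intents": [name for _, name, _ in hits],
            "end_call": any(ends for _, _, ends in hits)}
```

The first intent in the result selects the scripted response; when it is `opt_out`, the remaining intents are logged but the call ends.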

We don’t treat compliance as an afterthought.
We treat it as a promise to your business, your customers, and your reputation.

That’s why every AI agent we deploy is built with compliance baked in, tested against real scenarios, and monitored continuously.
Because one misstep can cost more than money: it can cost trust.

At Waboom.ai, we take that seriously.
And we build accordingly.
