Regulators on both sides of the Tasman treat AI-driven calls exactly the same as human telemarketing. New Zealand’s Privacy Commissioner and Australia’s ACMA have issued six-figure fines in the past two years, and enforcement activity is rising. A non-compliant campaign can cost more than it earns—so building compliance into your process from day one is essential.

‍

The legal framework in New Zealand

New Zealand has no single “Telemarketing Act,” but you still have to meet several overlapping requirements:

• Privacy Act 2020 and the Telecommunications Information Privacy Code govern how you collect, store, and use personal data.
• Marketing Association Telemarketing Code of Practice (voluntary, but widely adopted) sets calling hours, disclosure rules, and opt-out obligations.
• TCF Scam Prevention Code requires you to display a valid caller ID and avoid spoofing.

In practice this means you must have consent before calling, identify yourself and your purpose at the start of the call, let people opt out immediately, and honour the Marketing Association’s Do-Not-Call list if you subscribe to it.

‍

The legal framework in Australia

Australia’s rules are more prescriptive:

• Do Not Call Register Act 2006—you must wash every list against the Register unless you hold express or inferred consent.
• Telecommunications (Telemarketing & Research Calls) Industry Standard 2017—sets strict calling hours and disclosure wording.
  • Permitted hours: 9 am–8 pm (Mon–Fri) and 9 am–5 pm (Sat). Sunday and public-holiday calls are prohibited.
• Spam Act 2003—covers SMS and email marketing; relevant if your campaign uses multiple channels.
• Privacy Act 1988 (plus 2025–26 reforms) requires privacy-by-design and transparency for automated decision-making.

Failing to filter numbers, calling outside the allowed window, or forgetting a mandatory disclosure can trigger ACMA infringement notices or Federal Court action.

‍

Getting consent right

• Express consent is the gold standard. Capture it in writing (a tick-box, SMS opt-in, or recorded verbal “yes”).
• Inferred consent is only valid when you have an existing business relationship and the customer could reasonably expect marketing calls about similar products or services.
• Deemed consent (sometimes claimed under NZ law) is risky for outbound sales—stick to express or inferred consent.
• Record consent details in your CRM and check them before every call. If you can’t prove consent, you don’t have it.

‍

Minimum disclosures every AI call must include

At the very start of the call you should state, in clear language:

• Who you are (“This is EnvokeAI calling on behalf of …”).
• Why you’re calling (“We’re letting you know about our new …”).
• That you’re an AI system and that a human is available on request.
• Whether you’re recording the call.
• How to opt out (“Press 9 or tell me to stop calling”).
• Your contact details (a phone number or email they can reach).

Putting these points in the same order every time helps agents—and regulators—verify compliance quickly.

‍

Time-of-day and frequency rules

• NZ Marketing Code: 8 am–9 pm Monday–Saturday. Avoid Sundays and public holidays unless the customer expressly asks for a Sunday call.
• AU Industry Standard: 9 am–8 pm Monday–Friday, 9 am–5 pm Saturday. No calls on Sunday or national public holidays.
• Best practice for trans-Tasman campaigns: program your dialler to use the stricter Australian window for all numbers.
• Limit call attempts to a single number to a reasonable frequency (for example, no more than three outbound calls in 30 days unless the customer re-engages).

‍

Privacy and data handling basics

• Collect only the data you genuinely need for the stated purpose.
• Encrypt recordings and personal data at rest and in transit.
• Purge or anonymise data as soon as it is no longer required.
• Publish an AI disclosure and privacy statement on your website that explains how your voice technology works.

Australia’s upcoming privacy reforms will make an explicit AI impact statement mandatory for most businesses by late 2026—getting ahead now saves re-work later.

‍

Eleven-point compliance checklist

• Screen every list against the NZ Marketing Association DNC (if you’re a subscriber) and the Australian Do Not Call Register.
• Confirm express or inferred consent is recorded for each number.
• Configure your dialler’s timezone and calling-hour limits for both countries.
• Play the required opening disclosure on every call.
• Provide a live-agent transfer option and complete it within 30 seconds when requested.
• Provide an immediate opt-out method and remove numbers within five business days.
• Encrypt call recordings and limit access to authorised staff.
• Delete or anonymise recordings after your defined retention period (e.g., 90 days).
• Keep an audit trail of call date, time, script version, and consent status.
• Review scripts and processes quarterly against updated ACMA and NZ Privacy guidance.
• Document a breach-response plan, including notification obligations and timelines.

‍

Copy-and-paste disclosure script

“Kia ora, you’re speaking with EnvokeAI, an automated voice assistant calling on behalf of [Client Name].We may record this call for quality and training.The purpose of today’s call is to [state purpose].If you’d like to speak to a human agent, just say ‘human’ at any time.To stop calls like this, press 9 or tell me to opt out.May I continue?”

Swap in your client name and call purpose, and you have a compliant opener for both New Zealand and Australia.

‍

Baking compliance into your AI dialler

• Pre-dial consent check: query your CRM or consent database before each call.
• Dynamic script variables: insert client name, purpose, and opt-out instructions at runtime so the wording always matches the campaign.
• Real-time monitoring: log each prompt and customer response; trigger alerts if the customer requests a human but no transfer happens.
• Automated retention rules: run a nightly job that encrypts new recordings and deletes any that exceed your retention period.
• Quarterly audits: sample at least one percent of calls and confirm every disclosure requirement is met.

‍

AI doesn’t get a free pass, regulators expect more, not less, from automated callers. If you embed consent checks, transparent scripting, sensible call windows, and strong data hygiene into your outbound workflow now, you’ll stay on the right side of both New Zealand and Australian law, protect your brand, and keep your AI working for you instead of against you.