If you are a Canadian business owner thinking about deploying an AI voice agent — to handle after-hours calls, recover missed leads, book appointments, or screen tire-kickers — you are not alone. Adoption has moved from "interesting experiment" to "running quietly in production at the dental office down the street" in the last twelve months.
The question we get most often is not "does this work?" — it does — but "what am I actually allowed to do, and what do I have to disclose?"
The answer in Canada is split across a few different laws and regulators. None of them mention "AI voice agent" by name yet. But each of them already covers the things your agent does. Here is the working compliance checklist we use with our clients in 2026, in plain English.
The Four Frameworks That Apply
Before any specific rule, it helps to know which laws and regulators actually have something to say about an AI agent answering your phone.
1. The CRTC's Unsolicited Telecommunications Rules (UTRs) and the National Do Not Call List (DNCL). These govern outbound telemarketing calls. If your AI agent is making outbound sales calls, you fall under the CRTC's UTRs and need to scrub against the National DNCL.
2. Canada's Anti-Spam Legislation (CASL). CASL governs commercial electronic messages — and "electronic messages" is broader than email. If your voice agent sends an SMS confirmation, books an appointment via email, or follows up after a call with a text, those messages need consent and an unsubscribe path.
3. PIPEDA (federal privacy law) and provincial equivalents like BC PIPA, Alberta PIPA, and Quebec's Law 25. Voice calls are personal information. Recordings, transcripts, and any data you extract from the conversation are all governed by Canadian privacy law.
4. Canada's Artificial Intelligence and Data Act (AIDA), still working its way through the legislative process. Once in force, AIDA will impose additional disclosure and risk-management duties for "high-impact" AI systems. Most small-business voice agents will not hit the high-impact threshold, but the direction of travel matters: more transparency, not less.
What You Actually Have to Disclose to Callers
Here is where most of the confusion sits. The honest answer in 2026: there is no Canadian law that requires you to start every AI call with "this is an artificial intelligence." But the practical answer is: you should anyway.
Here is why, and what to actually say.
For inbound calls (the customer calls you): The CRTC has not mandated a specific disclosure script. PIPEDA does require that you tell callers if you are recording them, and that you have a clear purpose for the recording. The recording disclosure is the legal floor.
For outbound calls (the agent calls the customer): UTRs require identification of who is calling and on whose behalf. If the agent is calling for "Westside Dental Clinic," it must say so.
The script that satisfies both, plus the trust-building common-sense version we recommend:
"Hi, this is Sarah from Westside Dental. I'm an AI assistant, and this call may be recorded for quality and scheduling purposes. How can I help you today?"
That single sentence covers identification (UTRs), recording disclosure (PIPEDA), and AI transparency (best practice and likely required under AIDA in the future). Twenty-eight words. We have not had a single client report that this scripting hurts their booking rate. In fact, our data suggests it helps — callers relax once they know they are not being tricked.
What You Have to Do With the Recordings and Transcripts
This is where most small businesses get exposed. The voice agent platforms (VAPI, Retell, ElevenLabs) store call recordings and AI-generated transcripts by default. Under PIPEDA you are responsible for that data — even if a US-based platform is the one storing it.
The four things you actually need:
A privacy policy that names the practice. Your website privacy policy must disclose that calls may be recorded and transcribed, that AI providers are used to process the call, and where the data may be processed (often outside Canada). If your policy still says "we do not record calls," it is now wrong.
A retention schedule. Decide how long recordings and transcripts are kept, and configure the platform to delete them on that schedule. Common defaults: 30 days for general inquiries, 90 days for booked appointments, longer for complaints or disputes.
A data processing agreement (DPA) with each platform. VAPI, Retell, and the underlying LLM providers (Anthropic, OpenAI) all offer DPAs. Sign them. If you ever face a privacy complaint, the first thing the Office of the Privacy Commissioner of Canada will ask is whether you had a contract in place with your processor.
A way to handle access requests. If a caller asks for a copy of their recording — they have that right under PIPEDA — you need to be able to retrieve it within 30 days.
What You Are Not Allowed to Do
Three lines that get drawn pretty firmly:
You cannot pretend the AI is human if a caller asks. This is consumer-protection territory. If a caller says "are you a real person?" the agent must say no. Configuring the agent to dodge or lie is a deceptive trade practice and a CASL exposure if the call leads to a commercial message.
You cannot make outbound sales calls without consent and a DNCL scrub. This is the same rule that applied before AI agents existed. The platform doing the dialing does not change who is responsible for compliance — you are.
You cannot use AI voice agents in regulated spaces without sector-specific approvals. Healthcare in Ontario (PHIPA), financial services, anything dealing with minors — these have additional rules layered on top. If you are in one of these sectors, get specific advice before deploying.
The Practical Checklist Before You Launch
If you are about to put an AI voice agent live this month, these are the boxes we make sure are checked for every Lifesaver client:
- Disclosure script in place — caller knows they are talking to an AI within the first sentence
- Recording disclosure built into the same opening line
- Privacy policy updated to reflect AI processing and any cross-border transfers
- Retention schedule set on the platform (30 / 90 / 365 days as appropriate)
- DPAs signed with the voice platform and any LLM provider involved
- Process for handling caller access and deletion requests under PIPEDA
- For outbound: DNCL scrub configured, identification line in script, consent records kept
This is not theoretical. The Canadian privacy regulators have been increasing enforcement, and the first round of AIDA-related guidance is expected later this year. The businesses that get ahead of this now are the ones that will not have to scramble when the rules harden.
If you want help putting this in place — or you already have an AI voice agent live and want to make sure you are covered — book a 15-minute call. We will walk through your specific setup and tell you what to fix, no obligation.