You've built a pipeline. Your CRM is loaded with mobile numbers. You spin up an AI voice agent, point it at the list, and queue a thousand outbound dials. Three weeks later, ACMA sends a letter. Your client gets a complaint. The campaign stops dead.

Australian Do Not Call Register compliance isn't optional, and AI doesn't create a loophole. The Do Not Call Register Act 2006 applies to any unsolicited marketing call to an Australian number, whether a human or a bot is speaking. Most lead-gen agencies assume they're covered because they bought "opt-in" data or because the agent hangs up politely. They're not. Here are the five mistakes we see most often.

1. Thinking B2B exemptions apply to sole traders

The DNCR exempts calls to a business or government body. That sounds simple until you realise most small businesses in Australia operate as sole traders. A plumber trading under an ABN, a consultant with a mobile in their own name, a freelance designer - all individuals, all protected by the DNCR if they've registered their number.

You can't tell from the phone number whether it belongs to a company or an individual. The onus is on you to check the register before dialling. ACMA offers a free wash service at donotcall.gov.au. Upload your list, get back the numbers you must not call. Most agencies skip this step because it takes an hour. That hour costs less than one complaint fine.

If the business uses a landline published in a directory under a company name, you're safer. If it's a mobile, assume DNCR applies unless you have explicit consent or an existing business relationship.

2. Ignoring state-based dial-hour rules

The Spam Act 2003 sets acceptable calling hours: weekdays 9am to 8pm, Saturday 9am to 5pm, no Sundays or public holidays. Those hours are in the recipient's local time zone. If you dial from Sydney at 4pm AEDT and the prospect is in Perth, you've just cold-called them at 1pm AWST - legal, but if you dial at 6pm AEDT, it's 3pm in WA and still fine. Dial at 9pm AEDT and you've broken the rule in every state west of you.

AI platforms that auto-dial across time zones need geographic number assignment or manual timezone gating. We've seen agencies run national campaigns from a single queue with no time filtering. The agent politely introduces itself at 8:15pm in Adelaide. The recipient reports it. One complaint triggers an audit of your entire operation.

Set your dialler to pause campaigns outside valid hours per prefix. VoxReach gates AU dial windows by state automatically, but if you're using another platform or a generic SIP trunk, you must configure this yourself.

3. Not offering or honouring in-call opt-out

Section 11 of the DNCR Act requires you to provide a free, simple way for the recipient to opt out during the call. "Press 9 to stop future calls" satisfies this if you suppress the number immediately. Saying "you can unsubscribe by emailing us" does not - ACMA expects instant opt-out with no further action from the recipient.

AI agents must recognise natural opt-out phrases: "take me off your list", "don't call again", "remove my number". If the agent keeps talking or asks why they want to opt out, you've failed the test. The call we listened to last Tuesday had the agent respond to "stop calling me" with "I understand you're busy - can I call back next week?" The prospect hung up and lodged a complaint the same day.

Your voice agent script needs an explicit opt-out listener, immediate suppression in your CRM, and a log entry timestamped to the second. ACMA audits require proof you honoured the request.

4. Failing to keep audit logs for five years

ACMA can demand records of every outbound marketing call: number dialled, date, time, duration, opt-out requests, consent evidence. You must retain these for five years. Most agencies keep logs for 90 days or rely on telco CDRs that don't capture consent metadata.

If you can't prove a number gave prior consent or wasn't on the DNCR at the time of the call, ACMA assumes you broke the law. The penalty per breach can reach $2.5 million for a body corporate under current settings. Even a small volume of complaints triggers an infringement notice in the tens of thousands.

Store call disposition, consent source, DNCR wash date, and opt-out timestamp in a read-only audit table. Export monthly to offline backup. Make sure your AI platform or SIP provider logs are linked to your CRM records so you can reconstruct every conversation if asked.

5. Assuming AI changes the compliance burden

An AI voice agent is a telemarketing tool. It doesn't matter that the voice is synthetic or that no human monitored the call in real time. If the purpose is unsolicited marketing, DNCR and Spam Act rules apply in full. ACMA has published guidance making this explicit: automated systems must meet the same standards as human callers.

Some agencies hope AI gives them cover because the technology is new. It doesn't. The law regulates the activity, not the speaker. You still need consent, you still check the register, you still honour opt-outs, you still respect dial hours.

What to do before your next campaign

Wash your list against the DNCR every 30 days. Configure timezone-aware dial windows. Script a clear, immediate opt-out flow into your AI agent. Store call logs in a durable format linked to consent records. If you're running outbound for clients, make DNCR compliance an explicit line item in your proposal so the liability is shared and documented.

VoxReach enforces AU dial-hour gating by state, logs every opt-out with a timestamp, and integrates suppression directly into HubSpot, Pipedrive, and thirty other CRMs so the record updates in real time. You still need to wash your lists and manage consent, but the platform won't let you dial outside legal hours or ignore an opt-out. Sign up free at app.voxreach.com.au/signup - 30 minutes of calls, no card, and you can test compliance guardrails with your own scripts before you go live.