
    AI and India's DPDP Act: What Every Business Must Know in 2026

    by Deep Parmar

    CTO, Sunbots & Xwits


    If your business uses AI tools that process your customers' personal data, India's DPDP Act 2023 gives you concrete legal obligations. Consent, purpose limitation, security safeguards, and breach reporting are now the law. AI makes each of these harder, not easier.

    That is the direct answer. Here is the detail you need.

    What the DPDP Act Is, in Plain Terms

    The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent in August 2023. The DPDP Rules, 2025 were notified on November 13, 2025 and bring the Act's provisions into force in phases over 18 months (per the Press Information Bureau release, Nov 2025, and the Shardul Amarchand Mangaldas analysis, 2025).

    The structure is straightforward:

    • Data Principal: the individual whose personal data is being processed (your customer, user, or employee)
    • Data Fiduciary: any entity that decides why and how personal data is processed — that is almost certainly your business
    • Significant Data Fiduciary (SDF): a higher-risk category the government will designate based on volume, sensitivity, and risk. SDFs face additional obligations including appointing a Data Protection Officer resident in India, independent data audits, and Data Protection Impact Assessments. As of June 2026, the government has not yet published the official SDF list.

    The enforcement phases matter:

    • Phase 1 (November 13, 2025): The Data Protection Board of India (DPBI) was established.
    • Phase 2 (November 2026): Consent Manager framework becomes operational. Third-party consent managers must register with the DPBI. Organisations should be actively preparing now.
    • Phase 3 (May 14, 2027): Substantive obligations on Data Fiduciaries — consent, purpose limitation, data minimisation, security, breach notification — come into full force.

    You have roughly a year to get your house in order before full enforcement. That is not a comfortable margin if you are running AI tools in production today.

    Penalties are serious. Failure to maintain reasonable security safeguards: up to ₹250 crore. Failure to notify the DPBI or affected individuals of a breach: up to ₹200 crore. Other violations: up to ₹50 crore (per the DPDP Act 2023 and DPDP Rules 2025 as published by PIB).

    How AI Specifically Intersects with the DPDP Act

    This is where I see founders go wrong. They treat data privacy as an HR or legal problem. When you run AI in your product, it becomes an engineering and product problem.

    Several specific friction points:

    Training data and historical personal data. If you used customer data to fine-tune a model, you need a lawful basis for that use. Consent given for one purpose — say, customer support — does not automatically extend to model training. This is a retroactive problem for many businesses.

    Prompts containing personal data. When a user types their name, medical history, or financial detail into your AI product, that prompt is personal data. If that prompt is sent to a third-party LLM API (OpenAI, Gemini, etc.), you are transferring personal data to a data processor. You need a Data Processing Agreement with that provider, and you need to be honest with users about it in your consent notice.
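As an added example (not code from the article, and not any provider's SDK), here is a Python pseudonymisation gate that sits between your application and a third-party LLM API. It swaps detected personal data for opaque tokens before the prompt leaves your boundary, keeps the token-to-value mapping on your own server, and re-inserts the originals into the model's reply. The detectors (PAN format, 12-digit Aadhaar-shaped numbers, Indian mobile numbers, email addresses) are illustrative regex assumptions and will miss free-text identifiers such as names; the gate shrinks what the processor sees, it does not replace the Data Processing Agreement or the consent notice.

```python
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumptions for this example, not a complete PII
# classifier): Indian PAN (five letters, four digits, one letter), a 12-digit
# Aadhaar-shaped number, a 10-digit Indian mobile number, and an email address.
# Order matters: the 12-digit pattern runs before the 10-digit one so the phone
# regex never fires on the inside of an Aadhaar-shaped number.
DETECTORS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "AADHAAR": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),
}


def personal_data_kinds(text):
    """Sorted list of identifier kinds found in text; empty means nothing detected."""
    return sorted(kind for kind, pattern in DETECTORS.items() if pattern.search(text))


@dataclass
class PromptGate:
    """Pseudonymise a prompt before it crosses to a third-party processor.

    Tokens are stable within one gate instance, so the same email address
    always maps to the same token and the model can still reason about
    'the same customer'. The mapping never leaves the fiduciary's server.
    """
    mapping: dict = field(default_factory=dict)    # token -> original value
    _reverse: dict = field(default_factory=dict)   # original value -> token
    _counts: dict = field(default_factory=dict)    # kind -> tokens issued so far

    def _token_for(self, kind, value):
        if value not in self._reverse:
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            token = f"<{kind}_{n}>"
            self.mapping[token] = value
            self._reverse[value] = token
        return self._reverse[value]

    def redact(self, prompt):
        """Replace every detected identifier with an opaque token."""
        out = prompt
        for kind, pattern in DETECTORS.items():
            out = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), out)
        return out

    def restore(self, reply):
        """Re-insert the originals into the model's reply, on your own infrastructure."""
        for token, value in self.mapping.items():
            reply = reply.replace(token, value)
        return reply


if __name__ == "__main__":
    # Constructed sample prompt; every identifier in it is made up.
    gate = PromptGate()
    prompt = ("Customer Rahul (PAN ABCDE1234F, mobile 9876543210, "
              "rahul@example.com) asks why his refund is delayed.")
    # The name 'Rahul' survives: regexes are not a PII classifier.
    print(gate.redact(prompt))     # what the third-party API actually receives
    print(gate.restore("Tell <EMAIL_1> the refund for <PAN_1> is queued."))
```

Use `personal_data_kinds()` as the routing decision: a prompt that returns an empty list can go to the cloud API as-is, anything else passes through `redact()` first, and the `PromptGate` instance lives only for the duration of that request so the mapping is not itself a retention problem.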

    Retention and the right to erasure. A model fine-tuned on personal data cannot "forget" one individual's records the way a database row can be deleted. The DPDP Act gives Data Principals a right to correction and erasure. If you cannot honour that right because personal data is embedded in model weights, you have a technical debt problem that is also a legal problem. The practical mitigation is to keep personal data out of training sets wherever the purpose does not require it, and to version the training set and pipeline so that you can retrain without the erased records when it does.

    Automated decision-making. If your AI makes or significantly influences decisions about individuals — credit, employment, healthcare triage — and you are classified as an SDF, algorithmic accountability becomes a formal obligation, not just good practice.

    A Practical Compliance Checklist for Indian Businesses Using AI

    Work through this before Phase 3 enforcement lands in May 2027.

    • Audit your data flows. Map every place personal data enters your AI system: intake forms, chat interfaces, uploaded documents, API calls. You cannot protect what you have not mapped.
    • Review your consent notices. The DPDP Rules require a clear, separate notice explaining what data you collect, why, and with whom you share it. Vague "we may use your data to improve our services" language will not pass.
    • Check your third-party LLM contracts. If you call a cloud LLM API with personal data in the prompt, confirm you have a Data Processing Agreement and understand where that data is stored and retained.
    • Set a data retention policy and enforce it. The Rules require you to retain processing logs for at least one year, so you need a floor. You also need a ceiling: personal data that is no longer necessary for its stated purpose must be deleted. Build both into your product's data layer, not just your privacy policy.
    • Establish a breach response process. The Rules require you to notify affected Data Principals and the DPBI without delay on becoming aware of a breach, and to follow up to the DPBI with the detailed report within 72 hours unless the Board allows longer. Rehearse the detection-to-notification path so that 72 hours is achievable in practice, not aspirational.
    • Prepare for the Consent Manager framework. If you process high volumes of personal data, registering as or integrating with a consent manager will become relevant from November 2026.
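As an added example (not code from the article or from any product the author describes), here is a Python retention planner that encodes the two-sided policy the checklist calls for: a floor on processing logs, a ceiling on personal data, an erasure request that must be honoured promptly, and a legal hold that overrides the ceiling. The 365-day log floor follows the article's reading of the Rules; the log ceiling, the three-year inactivity ceiling, the record layout and the sample records are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionPolicy:
    # The one-year floor on processing logs is the article's reading of the
    # Rules. The log ceiling and the inactivity ceiling for personal data are
    # assumed values for this example; derive yours from your purpose analysis.
    log_min: timedelta = timedelta(days=365)
    log_max: timedelta = timedelta(days=548)
    personal_data_max_inactive: timedelta = timedelta(days=3 * 365)


@dataclass
class Record:
    record_id: str
    kind: str                  # "personal_data" or "processing_log"
    principal_id: str
    created: datetime
    last_used: datetime
    erasure_requested: bool = False
    legal_hold: bool = False   # retention required by some other law


def retention_decision(rec, now, policy):
    """Return "keep" or "delete" for one record under the two-sided policy."""
    if rec.legal_hold:
        return "keep"
    if rec.kind == "processing_log":
        age = now - rec.created
        if age < policy.log_min:
            return "keep"      # floor: an erasure request does not shorten this
        return "delete" if age >= policy.log_max else "keep"
    if rec.kind == "personal_data":
        if rec.erasure_requested:
            return "delete"    # honour the Data Principal's request promptly
        if now - rec.last_used >= policy.personal_data_max_inactive:
            return "delete"    # ceiling: the purpose is no longer served
        return "keep"
    raise ValueError(f"unknown record kind: {rec.kind!r}")


def plan_purge(records, now, policy=RetentionPolicy()):
    """Map record_id -> decision without touching any data (dry run)."""
    return {r.record_id: retention_decision(r, now, policy) for r in records}


def execute_purge(records, now, policy=RetentionPolicy()):
    """Drop records marked delete and write a processing-log entry for each
    personal-data deletion. That entry is itself under the one-year floor,
    which is how an erasure stays demonstrable after the data is gone."""
    decisions = plan_purge(records, now, policy)
    kept, new_logs = [], []
    for rec in records:
        if decisions[rec.record_id] == "keep":
            kept.append(rec)
        elif rec.kind == "personal_data":
            new_logs.append(Record(
                record_id=f"log-erase-{rec.record_id}", kind="processing_log",
                principal_id=rec.principal_id, created=now, last_used=now))
    return kept + new_logs, new_logs


# Assumed run date for the demonstration.
AS_OF = datetime(2027, 6, 1, tzinfo=timezone.utc)


def sample_records():
    """Constructed sample data (not real records)."""
    utc = timezone.utc
    return [
        Record("pd-1", "personal_data", "u1", datetime(2024, 1, 1, tzinfo=utc),
               datetime(2027, 5, 1, tzinfo=utc), erasure_requested=True),
        Record("log-1", "processing_log", "u1", datetime(2027, 1, 1, tzinfo=utc),
               datetime(2027, 1, 1, tzinfo=utc)),
        Record("pd-2", "personal_data", "u2", datetime(2023, 1, 1, tzinfo=utc),
               datetime(2023, 6, 1, tzinfo=utc)),
        Record("log-2", "processing_log", "u2", datetime(2025, 1, 1, tzinfo=utc),
               datetime(2025, 1, 1, tzinfo=utc)),
        Record("pd-3", "personal_data", "u3", datetime(2026, 1, 1, tzinfo=utc),
               datetime(2027, 5, 30, tzinfo=utc), legal_hold=True),
    ]


if __name__ == "__main__":
    for rid, action in plan_purge(sample_records(), AS_OF).items():
        print(rid, action)
```

Run `plan_purge()` on a schedule as a dry run that feeds a review queue, and `execute_purge()` only once the queue has been signed off; the point of separating them is that the decision is auditable before anything is destroyed.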

    Why Privacy-First and On-Device AI Reduces Your Exposure

    I built Dhiya NPM — a library that runs retrieval-augmented generation entirely in the browser using WebGPU and IndexedDB, with no API key and no server call. The personal data never leaves the user's device.

    This is not only a technical design choice. It is a compliance posture.

    When processing happens on-device, you eliminate a category of DPDP obligations almost entirely: no third-party data processor, no cross-border data transfer risk, no server-side retention problem. The consent surface shrinks to what is strictly necessary.

    The same logic applies to any edge-AI architecture. More computation at the edge means fewer data flows to audit, fewer breach vectors to protect, and simpler consent notices to write. Privacy-first AI design and DPDP compliance are not in tension — they point in the same direction.

    Common Mistakes Founders Make

    I see these patterns repeatedly with Indian startups and SMBs building AI products.

    • Treating consent as a checkbox. A buried, pre-ticked checkbox at sign-up is not valid consent under the DPDP Act. Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action.
    • Assuming a privacy policy is enough. The DPDP Rules require a separate, itemised consent notice — not just a generic policy page.
    • Ignoring third-party API data exposure. Sending customer PII in prompts to a US-based LLM API without a Data Processing Agreement is a violation waiting to happen.
    • Not auditing data retention. Old customer data sitting in S3 buckets or database tables because "we might need it later" is exactly the kind of unnecessary retention the DPDP Act is designed to eliminate.
    • Waiting for enforcement to begin. The May 2027 enforcement date sounds distant. It is not. Building compliant data flows into an existing product takes longer than building them in from the start.

    You can see a related application of these principles in how we approached XwFin for GST compliance — designing for Indian regulatory requirements from day one, rather than retrofitting compliance after the fact.
