

Ask most people at leading tech firms about data rules and you get a slight nod, a mention of the privacy policy they updated 7 months ago, maybe a reference to the Data Protection Officer they're planning to appoint "very soon", and then they move on.
Turns out, many Indian AI firms aren't skipping the Digital Personal Data Protection (DPDP) Act by accident. It's more like they're convinced they've already dealt with it. Truth is, they haven't. The gap between their idea of following the rules and what the law really wants can be massive - sometimes shockingly wide.
This isn’t meant to scare anyone. Truth is, the talk about India’s DPDP Act feels heavy on legal jargon. Maybe it’s lost in theory, more concerned with wording than real impact. What happens when you’re just trying to build actual AI tools out there? That part gets ignored. Imagine explaining it over coffee, not in a boardroom. Someone sharp but not obsessed with laws. That’s the version I’m going for here. Clarity over complexity. Reality before rhetoric. Not what the statute declares - what it does.
Most businesses picture a little square when someone mentions permission. That box appears during registration. It comes with words like “I accept the rules and how my data is handled.” People usually skip reading them. Once checked, firms believe they have approval. Their duty feels complete. The law views things differently.
Consent has to point directly at one thing. It cannot float around vaguely inside 40 pages of legal talk. People need a clear view of exactly what they are accepting, why it matters, and that they have a real option to say no. Walking away has to be just as simple as agreeing; that is what the rules demand, and a permission slip that fails this test loses its force.
Now picture this: most AI tools operate behind the scenes in ways people rarely notice. Someone joins a money-tracking app, aiming to understand where cash goes each month. Information on every purchase begins piling up quietly. Years pass and, without clear notice, the business shifts gears. That stored history now feeds algorithms designed to judge financial trust. It might be a fraud detection setup. It might be a system that spots suspicious activity. It might be software that suggests products based on user behaviour.
Was there clear agreement from the person at sign-up? Unlikely. Not by today’s DPDP standards, anyway.
It's not just some minor issue. What we're dealing with runs deep into the system's design, because solving it means starting over: rethinking how information gets gathered, what people are told when their data is taken, and how permission is tracked over time. A lot of businesses have yet to begin this work.
What really catches my attention lately? The way Indian startups handle data. Not locked up. Not stuck in silos. Flowing - between departments, across tools, through workflows. To be fair, it gives them speed, a kind of agility others chase but rarely catch. It is also exactly where the DPDP Act trips them up.
One rule stops firms from reusing personal information for new goals unless they ask people again. Known as purpose limitation, this idea may surprise more businesses than any other part of the law, and it is striking how often it gets overlooked.
If your support staff gather details to fix a customer's issue, those details stay out of ad systems unless people say yes again. If your app grabs location to give directions, that information stays away from ads unless users are told and agree. Only with clear permission does any of it move elsewhere.
Here’s the bright side: there’s a way through. Firms pulling ahead create something known as a data governance framework - a kind of blueprint tracking where each bit of personal information travels, its purpose, along with clear permission checks for every step. True, it might seem overwhelming at first glance. When handled right, though, it boils down to solid day-to-day management habits.
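One way to make that blueprint concrete, as an added example that is not from the article or from any product it mentions: a small consent ledger that records consent per user, data category and purpose, keeps the history so a decision can be checked as of any date (the permission tracking over time discussed earlier), and refuses reuse of the same data for a new purpose such as credit scoring or advertising. All user ids, categories and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentEvent:
    # One consent decision: a purpose, when it was granted, and when (if) it was withdrawn.
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Purpose-bound consent with full history, keyed by (user, data category)."""
    def __init__(self) -> None:
        self._events: Dict[Tuple[str, str], List[ConsentEvent]] = {}

    def grant(self, user: str, category: str, purpose: str, at: datetime) -> None:
        self._events.setdefault((user, category), []).append(ConsentEvent(purpose, at))

    def withdraw(self, user: str, category: str, purpose: str, at: datetime) -> None:
        # Walking away must be as simple as consenting: one call closes every open grant.
        for ev in self._events.get((user, category), []):
            if ev.purpose == purpose and ev.withdrawn_at is None:
                ev.withdrawn_at = at

    def is_permitted(self, user: str, category: str, purpose: str, at: datetime) -> bool:
        # Purpose limitation: only a grant for this exact purpose that was open at `at` counts.
        return any(
            ev.purpose == purpose and ev.granted_at <= at
            and (ev.withdrawn_at is None or at < ev.withdrawn_at)
            for ev in self._events.get((user, category), [])
        )


def demo() -> Dict[str, bool]:
    """Constructed scenario: a spend-tracking app later wants its data for credit scoring."""
    ledger = ConsentLedger()
    ledger.grant("u42", "transactions", "spend_tracking", datetime(2023, 1, 10))    # signup
    ledger.grant("u42", "support_notes", "customer_support", datetime(2023, 3, 2))  # ticket
    ledger.withdraw("u42", "transactions", "spend_tracking", datetime(2025, 6, 1))
    now = datetime(2025, 9, 1)
    return {
        "tracking_in_2024": ledger.is_permitted("u42", "transactions", "spend_tracking", datetime(2024, 5, 5)),
        "tracking_now": ledger.is_permitted("u42", "transactions", "spend_tracking", now),
        "credit_scoring_now": ledger.is_permitted("u42", "transactions", "credit_scoring", now),
        "support_notes_for_ads": ledger.is_permitted("u42", "support_notes", "advertising", now),
    }
```

Every pipeline step that touches personal data calls `is_permitted` with its own purpose before reading it, so a new model trained on old data fails its check instead of silently reusing consent given for something else.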
This next part tends to catch people off guard more than anything else once they hear about it. When your business decides how personal information gets used, the DPDP Act treats you as a data fiduciary. Being one means accountability stays with you, no matter who actually works with the data.
So what happens in real life? Picture this: hand off user data to some outside AI firm, a storage platform, or a labelling outfit. Should they mess up, the blame lands on you anyway. A deal stating “they’re responsible” won’t shield you under the DPDP law. Paper promises fade when regulators step in.
One moment you're reviewing contracts, the next you notice zero mention of data safeguards. Offshore AI partners get hired while nobody checks where Indian user information actually lands. A quiet risk builds, and legal departments overlook it, since vetting third parties for privacy never mattered much until the new rules arrived.
Wrong moves here carry fines as high as ₹250 crore per major breach. That sum hits hard even for well-backed startups. A young firm might never recover.
Realistically, not all Indian AI firms are out to deceive. Many truly aim to create solid tools while respecting the people who use them. Yet wanting it isn't enough when the rules demand proof: what counts is paper trails, not promises.
One thing stands out about those firms doing this right - they approached data governance like building a feature, not drafting policy. Their engineers joined meetings usually saved for lawyers. Product leads stepped in early instead of being looped in later. Inside their codebases, permission controls arrived on day one, not year two. Tough vendor checks happened upfront, long before paperwork got signed.
Right now, Indian AI firms can still shape how they handle data, simply because the rules are arriving early enough. Not later, under pressure. Not after things spiral past control. A chance slips in here: fix habits while small. Before growth locks bad patterns in place. Before penalties demand changes nobody planned for. Planned, well-researched due diligence against this unprecedented wave of change will give companies plenty of room to steer around the new obstacles that will naturally form over time.
So it's a race against a silent yet visible clock, and time runs out on chances like these. Starting today makes sense.
Faraz M Siddiqui is a Delhi-based legal professional.