A Project by Meridian Bridge Strategy
Book Consultation
Compliance Guide

AI and Machine Learning Under DPDP

AI and ML models are built on data. DPDP impacts how Indian companies can collect training data, build models, and deploy automated decision-making systems.

Hey there! Grab a chai, because we’re about to talk about something crucial for almost every modern business: how India’s new privacy law, the Digital Personal Data Protection (DPDP) Act, 2023, impacts your Artificial Intelligence (AI) and Machine Learning (ML) initiatives.

If you’re using AI for anything from customer service chatbots to personalized recommendations, or even internal process automation, your business relies heavily on data. And guess what? A lot of that data is personal data belonging to individuals. The DPDP Act is all about protecting that personal data. For many, understanding DPDP AI implications feels like decoding rocket science, but it doesn’t have to be. Let’s break it down in plain English.

What AI/ML Means Under DPDP

At its heart, AI and ML are about learning from data to make predictions or decisions. Under DPDP, the key question is: whose data are you using, and do you have the right to use it for AI?

  • Data Fiduciary: This is you – your business or startup – if you’re the one deciding why and how to process personal data. For example, if you collect customer purchase history to train a recommendation engine, you’re the Data Fiduciary.
  • Data Principal: This is the individual whose personal data you’re processing. Your customer, your employee, your website visitor – their data is involved.
  • Consent is King: For almost all personal data processing under DPDP, you need clear, informed, and unambiguous consent from the Data Principal. This is especially true for training AI models. You can’t just scrape data and feed it to your algorithms.
  • Purpose Limitation: When you collect data, you must clearly state what you’re going to use it for. If you collect email addresses for newsletters, you generally can’t then use them to train an AI model for predictive analytics without getting fresh consent specifically for that new purpose.

Understanding these basics is your first step towards ensuring your machine learning data protection strategy aligns with the DPDP Act.

Practical Requirements for AI/ML under DPDP

Your AI models are only as good as the data they’re trained on. But under DPDP, you can’t just throw all the data you have at your algorithms. You need to be mindful of specific requirements:

  • Data Minimization: Only collect and use the personal data that is absolutely necessary for your specific AI purpose. Don’t hoard extra data “just in case.”
  • Transparency: Be open with Data Principals about how their data is being used by your AI systems. Your privacy policy needs to clearly explain this.
  • Accountability: As the Data Fiduciary, you are responsible for protecting the personal data you process, even when it’s being used by sophisticated AI models. This includes implementing reasonable security safeguards.
  • Impact Assessments: For AI systems that involve high-risk processing (e.g., using sensitive personal data, or making significant automated decisions), you might need to conduct a Data Protection Impact Assessment (DPIA). This helps identify and mitigate privacy risks proactively.

Here’s a quick look at common data types used in AI and their DPDP risk levels:

Data TypeRelevance to AI/MLDPDP Risk Level
Name, Email, PhonePersonalization, identificationHigh
Location DataGeospatial analysis, targeted servicesHigh
Usage Data (app/website)User experience optimization, behavior predictionMedium
Purchase HistoryRecommendation engines, fraud detectionMedium
Biometric Data (face/fingerprint)Advanced authentication, emotional AIVery High
Health DataMedical diagnostics, wellness appsVery High
Employment HistoryRecruitment AI, performance predictionHigh

Common Mistakes to Avoid

It’s easy to get caught up in the excitement of AI and overlook the privacy implications. Here are some common pitfalls for businesses developing or deploying AI:

  • Assuming Public Data is Free Data: Just because data is publicly available (e.g., social media profiles, public forums) doesn’t mean you have blanket consent to scrape it and use it to train your AI models without checking DPDP implications. Consent for public display isn’t consent for AI training.
  • Vague Consent: Getting a general “I agree to terms and conditions” isn’t enough if you’re using personal data for complex AI processing. Consent needs to be specific about the purposes, including AI training and DPDP automated decision making.
  • Ignoring Data Principal Rights: Individuals have rights under DPDP, including the right to access, correct, or erase their personal data. If their data is part of your AI training set, you need a process to handle these requests.
  • Lack of Transparency in AI Decisions: If your AI makes significant decisions about individuals (e.g., loan applications, job screenings), DPDP requires you to be transparent about how these decisions are made and to offer human review if necessary.
  • Not Anonymizing/Pseudonymizing: Using real, identifiable data for training when a less identifiable version would suffice is a missed opportunity to reduce risk. Always aim to minimize the use of directly identifiable personal data.

How to Comply with DPDP for AI/ML

Compliance isn’t just about avoiding penalties (which can go up to ₹250 Crore!). It’s about building trust with your users and operating ethically. Here’s how you can approach DPDP AI compliance:

  • Robust Consent Management: Implement systems that allow you to obtain, record, and manage granular consent for different data processing activities, including specific uses for AI training and deployment.
  • Conduct Data Protection Impact Assessments (DPIAs): For any AI system that processes sensitive personal data or has the potential for high risk to Data Principals, a DPIA is a must. This helps you identify and mitigate risks before deployment.
  • Data Governance for AI: Establish clear policies for how personal data is collected, stored, processed, and deleted throughout its lifecycle, especially when it interacts with AI systems. This includes policies for anonymization and pseudonymization.
  • Ensure Transparency: Your privacy policies should clearly explain what personal data your AI systems use, why they use it, and how individuals can exercise their rights regarding their data. If you use DPDP automated decision making, explain the logic and potential impact.
  • Secure Your Data and AI Models: Implement strong security measures to protect the personal data used in your AI systems from breaches, unauthorized access, or misuse.
  • Vendor Due Diligence: If you’re using third-party AI tools or platforms, ensure your vendors are also DPDP compliant and that your data processing agreements reflect DPDP requirements.

For deeper insights into specific challenges, explore our analyses and check out our industry guides for tailored advice.

Real-World Scenarios

Let’s look at how DPDP might affect common AI uses:

  1. AI-Powered Customer Service Chatbot:

    • Scenario: Your e-commerce startup builds a chatbot that learns from customer conversations (names, order IDs, query details) to provide better support.
    • DPDP Challenge: You need explicit consent from customers that their conversation data will be used to train an AI. General website T&Cs might not cover this specific use.
    • Solution: During the first interaction or signup, clearly state that conversations are used to improve the AI chatbot, with an option to opt-out or provide anonymized feedback.

  2. HR Tech for Resume Screening:

    • Scenario: An HR tech company uses AI to scan thousands of resumes, identify top candidates based on skills, education, and experience, and rank them for employers.
    • DPDP Challenge: This involves DPDP automated decision making that can significantly impact a Data Principal’s livelihood. There’s also a risk of bias in the AI leading to discrimination.
    • Solution: Conduct a rigorous DPIA. Be transparent with candidates about the AI’s role in screening. Ensure human oversight in the final selection process and provide an avenue for candidates to challenge AI decisions.

  3. Personalized Marketing Recommendations:

    • Scenario: An online streaming service uses machine learning data protection techniques to analyze user viewing history and recommend movies and shows.
    • DPDP Challenge: While seemingly innocuous, using browsing habits and viewing data for profiling needs clear consent. Users must understand that their activity is used for personalized recommendations.
    • Solution: Offer clear, granular consent options upon signup or in privacy settings, allowing users to opt-out of personalized recommendations while still using the service. Clearly explain how their viewing data informs these recommendations.

Quick Actions You Can Start This Week

Feeling a bit overwhelmed? Don’t be! Here are 5-7 practical steps you can take right away to move towards DPDP compliance for your AI and ML initiatives:

  1. Audit Your AI Data Sources: Identify every piece of personal data your AI models (both training and deployed) are currently using. Where did it come from?
  2. Review Consent Mechanisms: For any data identified in step 1, check if you have valid, specific consent for its use in AI. If not, plan how to obtain it or anonymize the data.
  3. Map Your AI Systems for Personal Data: For each AI/ML system, understand exactly what personal data it processes, why (its purpose), and how it processes it (e.g., for automated decisions, profiling).
  4. Consider a DPIA: If any of your AI systems involve sensitive personal data or make significant automated decisions about individuals, schedule a Data Protection Impact Assessment. Don’t wait!
  5. Train Your Team: Ensure your data scientists, developers, product managers, and legal/compliance teams understand the DPDP Act and its implications for AI.
  6. Update Your Privacy Policy: Make sure your public-facing privacy policy clearly articulates how your AI uses personal data, the purposes, and individuals’ rights.
  7. Plan for Data Principal Rights: Establish clear internal processes for how you will handle requests from individuals to access, correct, or delete their personal data, especially if it’s used in your AI models.

Real-World Examples Companies struggling with this issue

E-commerce

Amazon India

58

Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.

⚠️ Global privacy policy not tailored to DPDP Act 2023
⚠️ Alexa voice data and Ring camera data handling raises DPDP questions
+4 more gaps detected
Feb 2026 View Report
EdTech

BYJU'S

38

BYJU'S, a major EdTech platform, handles sensitive educational data, including that of children. Its privacy policy is extensive but hasn't fully updated for the DPDP Act 2023, particularly struggling with granular consent, verifiable parental consent for minors, and specific data retention timelines. These gaps create substantial regulatory risk, especially concerning Section 23 (Children's Data).

⚠️ No explicit DPDP Act 2023 reference; relies on IT Act 2000 framework
⚠️ Bundled consent fails 'freely given' and 'specific' DPDP standards
+5 more gaps detected
Feb 2026 View Report
Gaming

Dream11

43

Dream11 processes some of the most sensitive behavioral data: gambling patterns, winning/losing streaks, deposit amounts, and withdrawal frequency. At 43/100, treating this gambling behavior data with standard privacy practices — while DPDP requires enhanced protections for data that reveals financial behavior and potential addiction patterns — creates significant risk.

⚠️ No DPDP Act 2023 reference
⚠️ Gambling behavior data profiling without enhanced consent
+5 more gaps detected
Feb 2026 View Report
📞 Free Consultation