DPDP and CCTV: What You Should Demand From Your AI Camera Vendor
Under India's DPDP Act, CCTV footage is personal data and faces are biometric. The Data Protection Board is live now; substantive obligations bite on 13 May 2027. DPDP CCTV compliance cannot rest on consent — nobody can opt in at a gate. It rests on architecture: where video is processed, how long it is kept, what you can prove.
For twenty years, the Indian video surveillance market ran on a single unspoken assumption: that footage was yours. You bought the camera, you owned the recorder, the video sat in a cupboard in the security room, and nobody asked what happened to it. Retention was "until the disk fills up." Access control was "the guard has the password." Deletion was an overwrite.
That era is over, and most of the market has not noticed.
The Digital Personal Data Protection Act and the DPDP Rules notified on 14 November 2025 do something quietly radical: they reclassify the contents of your NVR. Every face your camera resolves belongs to a person who now has rights over that image. You did not become a data company. You became one anyway.
This piece is not another compliance summary. There are plenty of those, and most of them are written to sell you a consent banner. This is a different argument, and it has an uncomfortable centre of gravity: the most useful thing a vendor can do right now is tell you what to demand from vendors — including from us.
The clock that is already running
Two separate regulatory tracks are converging on the same camera, and buyers routinely confuse them.
The first governs the device. MeitY's Essential Requirements for the security of CCTV, enforced through BIS ER-01, set a product security floor: secure boot and tamper resistance, no universal default passwords, a secure firmware update path, protection of data in transit and at rest, penetration-testing resilience, and documented secure development practice. Since 1 April 2026, only cameras certified against these requirements may be sold in India, and MeitY withdrew the remaining exemptions in January 2026. Analog cameras sit outside ER-01; every IP camera does not.
The second governs the data. The DPDP Act does not care what your camera costs or who made it. It cares that the video identifies people. And its enforcement is phased.
Ten months is not a long time to re-architect an estate of cameras. It is, however, exactly long enough to buy the wrong thing and be stuck with it for seven years.
Why DPDP CCTV compliance is the hardest case in Indian privacy law
Almost every other category of personal data arrives through a door you control. A user signs up. A customer fills a form. A patient is admitted. There is a moment — a discrete, designable moment — where you can present a notice and take a consent.
Video has no such moment. A camera collects from everyone who walks into its frame, continuously, without any of them taking an action. The delivery driver did not sign up. The child who wandered past the society gate did not sign up. The job applicant in your reception did not sign up. And yet each of them is a Data Principal with rights over the images your system just captured.
This produces a structural problem that the law does not fully solve and that most vendors carefully avoid discussing: express, individual consent is not obtainable at a gate. It is not a matter of better UX. There is no interface between a camera and a stranger.
What remains is a set of second-best mechanisms — prominent notice at every point of entry, tight purpose limitation, short and enforced retention, and a genuine erasure path. That is not a loophole. It is the actual compliance strategy, and it has a consequence that the industry has been slow to state plainly:
If you cannot rely on consent, then every part of your compliance posture has to be carried by architecture. What the system technically cannot do becomes more important than what the policy document says it will not do.
This is the sentence that should govern your next procurement.
What customers should demand from us — and from every vendor
Here is the part where a vendor is supposed to explain why its product is compliant. We are going to do something more useful and slightly more dangerous: hand you the questions that make vendors uncomfortable, and commit to being held to them ourselves.
A well-run procurement interrogation takes about forty minutes and will tell you more than any brochure. Ask these fourteen questions. Notice that almost none of them are about the camera.
| Demand | What a good answer looks like | What a weak answer sounds like |
|---|---|---|
| 1. Where does inference actually run? | On an on-premise appliance. Raw frames never traverse the public internet. Demonstrable by pulling the WAN cable and watching detection continue. | "It's a hybrid architecture." "Processing happens securely in the cloud." |
| 2. Prove video never leaves the site. | A network diagram, an egress policy, and a live packet capture during a demo. | A clause in the MSA saying they won't misuse it. |
| 3. What is stored by default — footage or the event? | The event and its metadata. Footage only for a defined window, tied to a stated purpose. | "Everything, so you have it if you need it." |
| 4. Is retention technically enforced or merely configured? | Deletion runs as a scheduled, logged system function that an operator cannot silently disable. | "You can set the retention period in settings." |
| 5. Show me the audit log. | Immutable, retained twelve months, records every view, export, search and model activation, tied to a named user. | "There's a login history." |
| 6. Can analytics run without storing faces? | Yes — count, detect, classify and alert on metadata alone, with identity as an opt-in module, not a default. | "Facial recognition is included free." |
| 7. Is export redacted? | Faces of uninvolved third parties blurred on export by default, with un-redacted export as a privileged, logged action. | "You can download the clip." |
| 8. Is purpose bound per camera and per model? | A camera authorised for fire detection cannot silently be used for attendance. Changing purpose is a logged, approved change. | "All models run on all cameras." |
| 9. Does deletion propagate to derived data? | Erasing a person removes footage, thumbnails, embeddings, vectors, backups and search indices. Vendor can describe how. | "We delete the video file." |
| 10. Will you train on our footage? | No — stated contractually, with no carve-out for "improving the service" or "anonymised aggregates." | Silence, or a broad licence buried in the terms. |
| 11. What exactly does each model infer? | A per-model datasheet: input, output, what is and is not retained, known failure modes, accuracy under low light. | "65+ AI models" with no per-model documentation. |
| 12. Do you sell emotion or sentiment detection for workplaces? | No. And a vendor who understands why you asked. | An enthusiastic yes. |
| 13. Are the cameras ER-01 certified? | Certificate numbers, per model, checkable. | "They're compliant." |
| 14. Who is the Data Processor, and what does the contract say? | A signed processing agreement, a named sub-processor list, breach-notification duties flowing back to you inside a window that lets you hit 72 hours. | "We're just the hardware supplier." |
The liability point buyers keep getting wrong
Under the DPDP Act, the Data Fiduciary — the organisation that decides why and how video is processed — remains accountable to the Data Protection Board even when a vendor performs the processing. You cannot contract your way out of liability. The factory owner, the mall operator, the housing society and the hospital carry the exposure. The vendor carries none of it unless you make them. This is precisely why the fourteen questions above are not paranoia — they are the only leverage you have, and the only moment you have it is before you sign.
Six of those questions do most of the work
If forty minutes is more than you have, the six that separate a defensible deployment from an indefensible one are: where inference runs, whether retention is enforced or merely configured, whether the default artefact is the event or the footage, whether deletion reaches derived data, whether the audit log is immutable, and whether the vendor will train on your video.
Each of those is an architectural property. None of them can be retrofitted by a policy document, a privacy notice or a well-meaning security team. They are decided the day you choose the system — which is why DPDP is, in the end, a procurement problem wearing a legal costume.
What other industries already learned — and what it cost them
India is not the first market to point a privacy law at a camera. The instructive thing is that every jurisdiction that tried it produced the same four lessons, in the same order, and the Indian market can simply read ahead.
Lesson one: the fine is not the lesson. The architecture is.
Between 2022 and 2024, five European supervisory authorities found Clearview AI's handling of biometric data unlawful and imposed penalties totalling more than €110 million — the Dutch DPA alone levied €30.5 million. Here is the part that matters: essentially none of it has been collected. There is no international mechanism to compel a foreign company to pay. The fines became symbolic.
The lesson European buyers absorbed is not "regulators are toothless." It is the opposite and far more useful: if you cannot rely on a penalty to protect you, you must rely on where the data physically sits. An organisation whose video never left its own premises had nothing to recover in the first place. Enforcement is a lagging indicator. Architecture is a leading one.
Lesson two: a private right of action changes everything — and India does not have one
Illinois passed a biometric privacy law with an unusual feature: individuals can sue directly, with statutory damages of $1,000 per negligent violation and $5,000 per intentional one. The result was not a few careful fines. It was an industry.
| Settlement | Amount | What triggered it |
|---|---|---|
| Facebook (2020) | $650 million | Face-tagging without biometric consent |
| Google (2022) | $100 million | Face grouping in Photos |
| TikTok (2022) | $92 million | Face and voice data collection |
| Clearview AI | $51.75 million | Scraped facial database |
| Cumulative, by 2023 | Over $2 billion | Across all biometric class actions |
India's DPDP Act deliberately does not do this. Enforcement runs through the Data Protection Board, not through class actions. That is a meaningful relief for Indian operators — and it should not be mistaken for safety, because it relocates the pressure rather than removing it.
When litigation cannot punish a bad architecture, procurement does. Which brings us to the pattern that actually predicts what happens next.
Lesson three: compliance stops being a feature and becomes a gate
The closest parallel to where Indian video is heading is not another privacy law at all. It is PCI-DSS in payments.
When card-data security standards arrived, merchants treated them as a cost centre and vendors treated them as a differentiator — for roughly two years. Then something flipped. PCI-DSS stopped being a selling point and became an entry condition. No compliance, no merchant account. The market did not reward compliant vendors; it simply deleted the non-compliant ones from the shortlist. Compliance moved from the marketing page to the RFP's first mandatory filter, and once it did, it never generated a rupee of premium again.
Video surveillance in India is about eighteen months from that flip. Right now, "DPDP-ready" is still a differentiator that a vendor can put on a slide. By the second half of 2027 it will be a filter — an unglamorous checkbox that gets you into the room and earns you nothing once you are there. Vendors who build for it now will find it costs them nothing later. Vendors who defer it will discover that the retrofit is architectural, and architectural retrofits do not fit inside a quarter.
Lesson four: the label reshapes the product
India already ran this experiment, twice, in adjacent markets.
The BEE star rating did not merely inform air-conditioner buyers; it re-engineered the air-conditioner. Once efficiency became a comparable, visible number on the box, manufacturers competed on it, and the floor of the entire market rose. The same happened with vehicle safety: once crash ratings became public and comparable, safety migrated from an expensive optional extra to a standard fitment, because no manufacturer could afford to publish a bad number.
Expect the same in video, and expect it faster than feels reasonable. The moment a camera system's privacy posture becomes comparable — retention default, egress behaviour, redaction capability, audit granularity, whether identity is on or off by default — buyers will compare it, and the market floor will rise to meet the comparison. We would rather help write that scorecard than be graded by one written without us.
The counter-lesson: don't build cookie banners for cameras
Europe's most visible privacy artefact is the cookie consent banner — and it is widely regarded, including by regulators, as a failure. It generated enormous compliance activity and very little actual privacy. It taught users to click "accept" reflexively and taught companies that the appearance of consent was cheaper than the substance of data minimisation. The Indian equivalent is already visible on the horizon: a laminated privacy notice zip-tied to a gate, and nothing behind it. Signage is necessary. Signage is not compliance. If your vendor's DPDP story is mostly about the sign, you are buying theatre.
Where this leads: three shifts in the Indian video industry
Shift one: the capture layer and the intelligence layer come apart
ER-01 has already done half of this. By setting a hardware security floor and enforcing it at the point of sale, it commoditised a set of properties that camera vendors used to compete on. A certified camera is a certified camera. The differentiation moves up.
DPDP will finish the job, because the obligations it creates — purpose binding, retention enforcement, redaction, audit, erasure of derived data — are not properties of a lens. They are properties of the intelligence layer sitting above the camera. That layer can be replaced without replacing the estate; the camera cannot. Every Indian buyer with an existing CCTV estate is about to discover that the compliance question and the retrofit question are the same question. We have written elsewhere about why edge and cloud architectures diverge on exactly this axis, and why an upgradeable model layer is the only part of the stack that can keep pace with a regulation that phases in over eighteen months.
Shift two: video becomes metadata-first
The single most effective DPDP strategy is also the oldest engineering instinct: don't keep what you don't need. A system that stores "at 14:32, one person in Zone 4 without a helmet" and discards the frame has almost no privacy surface, almost no storage cost, and almost no breach exposure. A system that keeps thirty days of everything has all three.
The industry has resisted this because footage felt like insurance. That instinct will not survive a retention obligation with a ₹250 crore ceiling attached. Expect defaults to invert: the event becomes the artefact, and the footage becomes the exception — retained briefly, for a stated purpose, under a clock.
The technology to make that palatable already exists. On-site semantic video search — the ability to ask a natural-language question of your own footage, on your own premises, and get the moment back — removes the last honest argument for hoarding video, which was that you could never find anything in it anyway. When retrieval is good, retention can be short.
Shift three: compliance becomes a spec-sheet line, then disappears
Follow the PCI-DSS arc to its end. First compliance is a differentiator. Then it is a filter. Then it is invisible — assumed, unremarked, and fatal only in its absence. Video is on that curve now, and the window in which a buyer can extract real commitments from a vendor by asking hard questions is open right now and will not stay open. Once "DPDP-ready" is table stakes, everyone will claim it, and the claim will stop discriminating between vendors. Today it still does.
The uncomfortable part: hold us to this
It would be convenient to end here with a product pitch. Instead, the honest position:
IndoAI is an edge-first platform, and that gives us a structural advantage on most of the fourteen demands above — inference runs on an on-premise appliance, raw video does not need to leave the site, and the event rather than the footage can be the default artefact. That is architecture, and architecture is the part that cannot be faked.
But "edge" is not a compliance certificate, and any vendor — us included — who implies that processing locally makes you DPDP compliant is selling you a half-truth. Edge narrows the exposure surface dramatically. It does not write your privacy notice, define your retention period, run your impact assessment, or enforce purpose binding across your estate. Those are operator obligations, and a good vendor should be making them easier, not pretending they have evaporated.
So: ask us the fourteen questions. Ask our competitors the same fourteen. If any vendor — including this one — answers question four with "you can set it in settings," or question nine with "we delete the video file," you have learned something worth more than the demo.
A 90-day plan for buyers
Days 1–30 — Inventory. Every camera, its purpose, its retention, its viewers. Most organisations discover cameras nobody can justify. Those are pure liability; switch them off.
Days 31–60 — Interrogate. Run the fourteen questions against your incumbent vendor and two alternatives. Document the answers in writing; that document is itself evidence of diligence.
Days 61–90 — Fix the defaults. Notice at every entry point in the languages people actually read. A stated, enforced retention period. Role-bound access with logging. Redaction on export. Facial identity off unless there is a documented reason it is on.
None of this requires waiting for May 2027, and none of it is wasted if your architecture changes later.
Frequently asked questions
Is CCTV footage personal data under India's DPDP Act?
When do DPDP obligations actually apply to CCTV operators?
How do you obtain consent from everyone walking past a CCTV camera?
What are the penalties for a DPDP breach involving CCTV?
Does edge processing make CCTV automatically DPDP compliant?
What is the difference between DPDP and BIS ER-01 for cameras?
How long can CCTV footage be retained under DPDP?
Can we use facial recognition on CCTV in India under DPDP?
Who is liable if the camera vendor causes the breach — the vendor or the buyer?
What should a CCTV privacy notice at a gate actually say?
Does the DPDP Act give individuals the right to sue over CCTV?
What does a DPDP-ready AI camera deployment look like in practice?
Sources and further reading
Every regulatory claim in this piece is traceable. Dates, penalty ceilings and enforcement milestones were verified against the following sources as at July 2026. Regulation moves — check the primary sources before relying on any figure for a procurement decision.
- Ministry of Electronics and Information Technology (MeitY) — the Digital Personal Data Protection Act, 2023, the DPDP Rules notified 14 November 2025, and the Essential Requirements for security of CCTV.
- Bureau of Indian Standards — CCTV Implementation Guidelines (PDF) — the ER-01 registration pathway and testing in recognised laboratories.
- Shardul Amarchand Mangaldas — Enforcement of the DPDP Act and notification of the DPDP Rules — the three notified enforcement dates: 14 November 2025, 13 November 2026 and 13 May 2027.
- India Briefing — India's DPDP compliance timeline, 2026–27 — phased obligations, the breach reporting window and audit log retention.
- EY India — Decoding the Digital Personal Data Protection Act — Data Fiduciary and Significant Data Fiduciary obligations, DPIA and audit requirements, and the penalty schedule.
- MediaNama — Can the DPDP Act protect citizens from CCTV surveillance? — the structural impossibility of express individual consent at a camera, and the notice-based alternative.
- Certification India — BIS ER compliance mandate for CCTV cameras — the 1 April 2026 sale restriction and the January 2026 withdrawal of exemptions.
- Pinsent Masons — Dutch DPA fines facial recognition company for GDPR breach — the €30.5 million penalty, part of over €110 million levied across five European authorities.
- Privacy World — Biometric privacy litigation, year in review — Illinois BIPA statutory damages, settlement volumes and filing trends.
- EU Artificial Intelligence Act, Article 5 — Prohibited AI Practices — bans on untargeted scraping of facial images and on emotion inference in workplaces and schools.
Scope it properly
Design a camera system that survives May 2027.
Describe your site in plain language and the IndoAI Advisor returns an itemised system — cameras, on-premise Edge Box, storage, models and retention posture — built on a real catalogue, not a price list. It takes under a minute, and it will tell you what your current estate is missing.
Open the AI Advisor →Vivek leads computer vision and edge model research at IndoAI, the Pune-based AI camera platform founded in 2021. He writes on the intersection of video intelligence, edge architecture and Indian data protection regulation. Related reading: what an AI camera actually is, and how a housing society deployed ANPR at the gate.
