IndoAI — The Programmable AI Camera Platform
Regulation · Research Deep-Dive

DPDP and CCTV: What You Should Demand From Your AI Camera Vendor

Under India's DPDP Act, CCTV footage is personal data and faces are biometric. The Data Protection Board is live now; substantive obligations bite on 13 May 2027. DPDP CCTV compliance cannot rest on consent — nobody can opt in at a gate. It rests on architecture: where video is processed, how long it is kept, what you can prove.

Dr. Vivek Gujar · 13 July 2026 · 16 min read

DPDP CCTV compliance: an unbranded camera at an Indian factory gate beside a bilingual privacy notice, with video processed on an on-premise edge appliance
The compliance question is no longer whether you have cameras. It is where the video goes after the lens.

For twenty years, the Indian video surveillance market ran on a single unspoken assumption: that footage was yours. You bought the camera, you owned the recorder, the video sat in a cupboard in the security room, and nobody asked what happened to it. Retention was "until the disk fills up." Access control was "the guard has the password." Deletion was an overwrite.

That era is over, and most of the market has not noticed.

The Digital Personal Data Protection Act and the DPDP Rules notified on 14 November 2025 do something quietly radical: they reclassify the contents of your NVR. Every face your camera resolves belongs to a person who now has rights over that image. You did not become a data company. You became one anyway.

This piece is not another compliance summary. There are plenty of those, and most of them are written to sell you a consent banner. This is a different argument, and it has an uncomfortable centre of gravity: the most useful thing a vendor can do right now is tell you what to demand from vendors — including from us.

The clock that is already running

Two separate regulatory tracks are converging on the same camera, and buyers routinely confuse them.

The first governs the device. MeitY's Essential Requirements for the security of CCTV, enforced through BIS ER-01, set a product security floor: secure boot and tamper resistance, no universal default passwords, a secure firmware update path, protection of data in transit and at rest, penetration-testing resilience, and documented secure development practice. Since 1 April 2026, only cameras certified against these requirements may be sold in India, and MeitY withdrew the remaining exemptions in January 2026. Analog cameras sit outside ER-01; every IP camera does not.

The second governs the data. The DPDP Act does not care what your camera costs or who made it. It cares that the video identifies people. And its enforcement is phased.

14 November 2025 — done
DPDP Rules notified. Data Protection Board constituted.
The Board is live and digital-first. Individuals can already file grievances, and the Board can already inquire into them. This is the part most CCTV operators have missed: the complaint mechanism does not wait for 2027.
1 April 2026 — done
BIS ER-01 hard stop on camera sales.
Only IP cameras certified against the six Essential Requirements may be sold. The capture layer now has a security floor. The intelligence layer still does not.

Ten months is not a long time to re-architect an estate of cameras. It is, however, exactly long enough to buy the wrong thing and be stuck with it for seven years.

₹250 crMax penalty · security safeguards
₹200 crMax penalty · breach not notified
72 hrsDetailed breach report window
12 moAudit logs to be retained

Why DPDP CCTV compliance is the hardest case in Indian privacy law

Almost every other category of personal data arrives through a door you control. A user signs up. A customer fills a form. A patient is admitted. There is a moment — a discrete, designable moment — where you can present a notice and take a consent.

Video has no such moment. A camera collects from everyone who walks into its frame, continuously, without any of them taking an action. The delivery driver did not sign up. The child who wandered past the society gate did not sign up. The job applicant in your reception did not sign up. And yet each of them is a Data Principal with rights over the images your system just captured.

This produces a structural problem that the law does not fully solve and that most vendors carefully avoid discussing: express, individual consent is not obtainable at a gate. It is not a matter of better UX. There is no interface between a camera and a stranger.

What remains is a set of second-best mechanisms — prominent notice at every point of entry, tight purpose limitation, short and enforced retention, and a genuine erasure path. That is not a loophole. It is the actual compliance strategy, and it has a consequence that the industry has been slow to state plainly:

If you cannot rely on consent, then every part of your compliance posture has to be carried by architecture. What the system technically cannot do becomes more important than what the policy document says it will not do.

This is the sentence that should govern your next procurement.

What customers should demand from us — and from every vendor

Here is the part where a vendor is supposed to explain why its product is compliant. We are going to do something more useful and slightly more dangerous: hand you the questions that make vendors uncomfortable, and commit to being held to them ourselves.

A well-run procurement interrogation takes about forty minutes and will tell you more than any brochure. Ask these fourteen questions. Notice that almost none of them are about the camera.

DemandWhat a good answer looks likeWhat a weak answer sounds like
1. Where does inference actually run?On an on-premise appliance. Raw frames never traverse the public internet. Demonstrable by pulling the WAN cable and watching detection continue."It's a hybrid architecture." "Processing happens securely in the cloud."
2. Prove video never leaves the site.A network diagram, an egress policy, and a live packet capture during a demo.A clause in the MSA saying they won't misuse it.
3. What is stored by default — footage or the event?The event and its metadata. Footage only for a defined window, tied to a stated purpose."Everything, so you have it if you need it."
4. Is retention technically enforced or merely configured?Deletion runs as a scheduled, logged system function that an operator cannot silently disable."You can set the retention period in settings."
5. Show me the audit log.Immutable, retained twelve months, records every view, export, search and model activation, tied to a named user."There's a login history."
6. Can analytics run without storing faces?Yes — count, detect, classify and alert on metadata alone, with identity as an opt-in module, not a default."Facial recognition is included free."
7. Is export redacted?Faces of uninvolved third parties blurred on export by default, with un-redacted export as a privileged, logged action."You can download the clip."
8. Is purpose bound per camera and per model?A camera authorised for fire detection cannot silently be used for attendance. Changing purpose is a logged, approved change."All models run on all cameras."
9. Does deletion propagate to derived data?Erasing a person removes footage, thumbnails, embeddings, vectors, backups and search indices. Vendor can describe how."We delete the video file."
10. Will you train on our footage?No — stated contractually, with no carve-out for "improving the service" or "anonymised aggregates."Silence, or a broad licence buried in the terms.
11. What exactly does each model infer?A per-model datasheet: input, output, what is and is not retained, known failure modes, accuracy under low light."65+ AI models" with no per-model documentation.
12. Do you sell emotion or sentiment detection for workplaces?No. And a vendor who understands why you asked.An enthusiastic yes.
13. Are the cameras ER-01 certified?Certificate numbers, per model, checkable."They're compliant."
14. Who is the Data Processor, and what does the contract say?A signed processing agreement, a named sub-processor list, breach-notification duties flowing back to you inside a window that lets you hit 72 hours."We're just the hardware supplier."

The liability point buyers keep getting wrong

Under the DPDP Act, the Data Fiduciary — the organisation that decides why and how video is processed — remains accountable to the Data Protection Board even when a vendor performs the processing. You cannot contract your way out of liability. The factory owner, the mall operator, the housing society and the hospital carry the exposure. The vendor carries none of it unless you make them. This is precisely why the fourteen questions above are not paranoia — they are the only leverage you have, and the only moment you have it is before you sign.

Six of those questions do most of the work

If forty minutes is more than you have, the six that separate a defensible deployment from an indefensible one are: where inference runs, whether retention is enforced or merely configured, whether the default artefact is the event or the footage, whether deletion reaches derived data, whether the audit log is immutable, and whether the vendor will train on your video.

Each of those is an architectural property. None of them can be retrofitted by a policy document, a privacy notice or a well-meaning security team. They are decided the day you choose the system — which is why DPDP is, in the end, a procurement problem wearing a legal costume.

Diagram of DPDP-compliant CCTV architecture: RTSP from cameras and NVR into an on-premise Edge Box, with only events and metadata crossing the site boundary while raw video stops on site
Compliance by architecture: video terminates on site; only events and metadata cross the boundary.

What other industries already learned — and what it cost them

India is not the first market to point a privacy law at a camera. The instructive thing is that every jurisdiction that tried it produced the same four lessons, in the same order, and the Indian market can simply read ahead.

Lesson one: the fine is not the lesson. The architecture is.

Between 2022 and 2024, five European supervisory authorities found Clearview AI's handling of biometric data unlawful and imposed penalties totalling more than €110 million — the Dutch DPA alone levied €30.5 million. Here is the part that matters: essentially none of it has been collected. There is no international mechanism to compel a foreign company to pay. The fines became symbolic.

The lesson European buyers absorbed is not "regulators are toothless." It is the opposite and far more useful: if you cannot rely on a penalty to protect you, you must rely on where the data physically sits. An organisation whose video never left its own premises had nothing to recover in the first place. Enforcement is a lagging indicator. Architecture is a leading one.

Lesson two: a private right of action changes everything — and India does not have one

Illinois passed a biometric privacy law with an unusual feature: individuals can sue directly, with statutory damages of $1,000 per negligent violation and $5,000 per intentional one. The result was not a few careful fines. It was an industry.

SettlementAmountWhat triggered it
Facebook (2020)$650 millionFace-tagging without biometric consent
Google (2022)$100 millionFace grouping in Photos
TikTok (2022)$92 millionFace and voice data collection
Clearview AI$51.75 millionScraped facial database
Cumulative, by 2023Over $2 billionAcross all biometric class actions

India's DPDP Act deliberately does not do this. Enforcement runs through the Data Protection Board, not through class actions. That is a meaningful relief for Indian operators — and it should not be mistaken for safety, because it relocates the pressure rather than removing it.

When litigation cannot punish a bad architecture, procurement does. Which brings us to the pattern that actually predicts what happens next.

Lesson three: compliance stops being a feature and becomes a gate

The closest parallel to where Indian video is heading is not another privacy law at all. It is PCI-DSS in payments.

When card-data security standards arrived, merchants treated them as a cost centre and vendors treated them as a differentiator — for roughly two years. Then something flipped. PCI-DSS stopped being a selling point and became an entry condition. No compliance, no merchant account. The market did not reward compliant vendors; it simply deleted the non-compliant ones from the shortlist. Compliance moved from the marketing page to the RFP's first mandatory filter, and once it did, it never generated a rupee of premium again.

Video surveillance in India is about eighteen months from that flip. Right now, "DPDP-ready" is still a differentiator that a vendor can put on a slide. By the second half of 2027 it will be a filter — an unglamorous checkbox that gets you into the room and earns you nothing once you are there. Vendors who build for it now will find it costs them nothing later. Vendors who defer it will discover that the retrofit is architectural, and architectural retrofits do not fit inside a quarter.

Lesson four: the label reshapes the product

India already ran this experiment, twice, in adjacent markets.

The BEE star rating did not merely inform air-conditioner buyers; it re-engineered the air-conditioner. Once efficiency became a comparable, visible number on the box, manufacturers competed on it, and the floor of the entire market rose. The same happened with vehicle safety: once crash ratings became public and comparable, safety migrated from an expensive optional extra to a standard fitment, because no manufacturer could afford to publish a bad number.

Expect the same in video, and expect it faster than feels reasonable. The moment a camera system's privacy posture becomes comparable — retention default, egress behaviour, redaction capability, audit granularity, whether identity is on or off by default — buyers will compare it, and the market floor will rise to meet the comparison. We would rather help write that scorecard than be graded by one written without us.

The counter-lesson: don't build cookie banners for cameras

Europe's most visible privacy artefact is the cookie consent banner — and it is widely regarded, including by regulators, as a failure. It generated enormous compliance activity and very little actual privacy. It taught users to click "accept" reflexively and taught companies that the appearance of consent was cheaper than the substance of data minimisation. The Indian equivalent is already visible on the horizon: a laminated privacy notice zip-tied to a gate, and nothing behind it. Signage is necessary. Signage is not compliance. If your vendor's DPDP story is mostly about the sign, you are buying theatre.

Where this leads: three shifts in the Indian video industry

Shift one: the capture layer and the intelligence layer come apart

ER-01 has already done half of this. By setting a hardware security floor and enforcing it at the point of sale, it commoditised a set of properties that camera vendors used to compete on. A certified camera is a certified camera. The differentiation moves up.

DPDP will finish the job, because the obligations it creates — purpose binding, retention enforcement, redaction, audit, erasure of derived data — are not properties of a lens. They are properties of the intelligence layer sitting above the camera. That layer can be replaced without replacing the estate; the camera cannot. Every Indian buyer with an existing CCTV estate is about to discover that the compliance question and the retrofit question are the same question. We have written elsewhere about why edge and cloud architectures diverge on exactly this axis, and why an upgradeable model layer is the only part of the stack that can keep pace with a regulation that phases in over eighteen months.

Shift two: video becomes metadata-first

The single most effective DPDP strategy is also the oldest engineering instinct: don't keep what you don't need. A system that stores "at 14:32, one person in Zone 4 without a helmet" and discards the frame has almost no privacy surface, almost no storage cost, and almost no breach exposure. A system that keeps thirty days of everything has all three.

The industry has resisted this because footage felt like insurance. That instinct will not survive a retention obligation with a ₹250 crore ceiling attached. Expect defaults to invert: the event becomes the artefact, and the footage becomes the exception — retained briefly, for a stated purpose, under a clock.

The technology to make that palatable already exists. On-site semantic video search — the ability to ask a natural-language question of your own footage, on your own premises, and get the moment back — removes the last honest argument for hoarding video, which was that you could never find anything in it anyway. When retrieval is good, retention can be short.

Shift three: compliance becomes a spec-sheet line, then disappears

Follow the PCI-DSS arc to its end. First compliance is a differentiator. Then it is a filter. Then it is invisible — assumed, unremarked, and fatal only in its absence. Video is on that curve now, and the window in which a buyer can extract real commitments from a vendor by asking hard questions is open right now and will not stay open. Once "DPDP-ready" is table stakes, everyone will claim it, and the claim will stop discriminating between vendors. Today it still does.

The uncomfortable part: hold us to this

It would be convenient to end here with a product pitch. Instead, the honest position:

IndoAI is an edge-first platform, and that gives us a structural advantage on most of the fourteen demands above — inference runs on an on-premise appliance, raw video does not need to leave the site, and the event rather than the footage can be the default artefact. That is architecture, and architecture is the part that cannot be faked.

But "edge" is not a compliance certificate, and any vendor — us included — who implies that processing locally makes you DPDP compliant is selling you a half-truth. Edge narrows the exposure surface dramatically. It does not write your privacy notice, define your retention period, run your impact assessment, or enforce purpose binding across your estate. Those are operator obligations, and a good vendor should be making them easier, not pretending they have evaporated.

So: ask us the fourteen questions. Ask our competitors the same fourteen. If any vendor — including this one — answers question four with "you can set it in settings," or question nine with "we delete the video file," you have learned something worth more than the demo.

A 90-day plan for buyers

Days 1–30 — Inventory. Every camera, its purpose, its retention, its viewers. Most organisations discover cameras nobody can justify. Those are pure liability; switch them off.
Days 31–60 — Interrogate. Run the fourteen questions against your incumbent vendor and two alternatives. Document the answers in writing; that document is itself evidence of diligence.
Days 61–90 — Fix the defaults. Notice at every entry point in the languages people actually read. A stated, enforced retention period. Role-bound access with logging. Redaction on export. Facial identity off unless there is a documented reason it is on.

None of this requires waiting for May 2027, and none of it is wasted if your architecture changes later.

Frequently asked questions

Is CCTV footage personal data under India's DPDP Act?
Yes. Video that can identify an individual is personal data under the DPDP Act, and facial data derived from it is treated as biometric information. This means the organisation running the cameras is a Data Fiduciary and carries obligations for notice, purpose limitation, retention limits, security safeguards and erasure.
When do DPDP obligations actually apply to CCTV operators?
The DPDP Rules were notified on 14 November 2025 and enforcement is phased. The Data Protection Board is already live and can inquire into complaints. Consent Manager provisions take effect 13 November 2026. The bulk of substantive obligations — notice, security safeguards, breach reporting, retention limits and data principal rights — become enforceable on 13 May 2027.
How do you obtain consent from everyone walking past a CCTV camera?
You realistically cannot. Individual express consent is not workable at a gate, a shop floor or a society entrance. The practical route is clear, prominent notice at every point of entry stating that surveillance is in operation, who is running it, for what purpose, and how to raise a grievance — supported by strict purpose limitation and retention discipline in the system itself.
What are the penalties for a DPDP breach involving CCTV?
The Data Protection Board can impose penalties of up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify a personal data breach, and up to ₹50 crore for other contraventions. Penalties attach to the organisation operating the cameras, not to the camera vendor.
Does edge processing make CCTV automatically DPDP compliant?
No. Edge processing dramatically narrows the exposure surface because video does not leave the premises, but compliance still requires notice, purpose limitation, enforced retention, access control, audit logs, breach detection and a working erasure path. Edge architecture makes compliance achievable; it does not make it automatic.
What is the difference between DPDP and BIS ER-01 for cameras?
They govern different layers. BIS ER-01 and the MeitY Essential Requirements set a product security floor for the camera hardware itself — secure boot, no universal default passwords, secure firmware updates, protected data in transit and at rest. From 1 April 2026 only certified cameras may be sold in India. DPDP governs what the operator does with the personal data those cameras capture.
How long can CCTV footage be retained under DPDP?
The Act does not set a single universal number for CCTV. It requires that personal data be erased once the purpose for which it was collected is no longer being served. In practice this means the operator must define, document and technically enforce a retention period tied to a stated purpose — and be able to show that deletion actually happens.
Can we use facial recognition on CCTV in India under DPDP?
There is no outright prohibition, but facial data is biometric and carries the highest risk weighting. A defensible deployment needs a documented lawful basis, a Data Protection Impact Assessment, tight purpose binding, strict access control, short retention on templates, and a genuine answer to whether a less intrusive method would achieve the same outcome.
Who is liable if the camera vendor causes the breach — the vendor or the buyer?
Under the DPDP Act the Data Fiduciary — the organisation that decides why and how the video is processed — remains accountable to the Data Protection Board, even where processing is carried out by a vendor acting as a Data Processor. The buyer cannot contract away liability, which is precisely why vendor architecture must be interrogated before purchase.
What should a CCTV privacy notice at a gate actually say?
In clear, plain language and in the languages people at that site actually read: that video surveillance is in operation, the identity of the organisation operating it, the purpose for which footage is used, how long it is retained, how a person can exercise their rights, and how to make a complaint to the Data Protection Board.
Does the DPDP Act give individuals the right to sue over CCTV?
The DPDP Act does not create a private right of action of the kind seen in Illinois' biometric privacy law. Enforcement runs through the Data Protection Board, which can inquire into complaints and impose penalties. The practical pressure on vendors will therefore come as much from procurement requirements as from litigation.
What does a DPDP-ready AI camera deployment look like in practice?
Inference runs on-premise so raw video never leaves the site. Retention is short and technically enforced rather than promised. What is stored by default is the event and its metadata, not the footage. Access is role-bound and logged. Exports are redacted. Deletion propagates to derived data. And every one of those claims is demonstrable, not asserted.

Sources and further reading

Every regulatory claim in this piece is traceable. Dates, penalty ceilings and enforcement milestones were verified against the following sources as at July 2026. Regulation moves — check the primary sources before relying on any figure for a procurement decision.

  1. Ministry of Electronics and Information Technology (MeitY) — the Digital Personal Data Protection Act, 2023, the DPDP Rules notified 14 November 2025, and the Essential Requirements for security of CCTV.
  2. Bureau of Indian Standards — CCTV Implementation Guidelines (PDF) — the ER-01 registration pathway and testing in recognised laboratories.
  3. Shardul Amarchand Mangaldas — Enforcement of the DPDP Act and notification of the DPDP Rules — the three notified enforcement dates: 14 November 2025, 13 November 2026 and 13 May 2027.
  4. India Briefing — India's DPDP compliance timeline, 2026–27 — phased obligations, the breach reporting window and audit log retention.
  5. EY India — Decoding the Digital Personal Data Protection Act — Data Fiduciary and Significant Data Fiduciary obligations, DPIA and audit requirements, and the penalty schedule.
  6. MediaNama — Can the DPDP Act protect citizens from CCTV surveillance? — the structural impossibility of express individual consent at a camera, and the notice-based alternative.
  7. Certification India — BIS ER compliance mandate for CCTV cameras — the 1 April 2026 sale restriction and the January 2026 withdrawal of exemptions.
  8. Pinsent Masons — Dutch DPA fines facial recognition company for GDPR breach — the €30.5 million penalty, part of over €110 million levied across five European authorities.
  9. Privacy World — Biometric privacy litigation, year in review — Illinois BIPA statutory damages, settlement volumes and filing trends.
  10. EU Artificial Intelligence Act, Article 5 — Prohibited AI Practices — bans on untargeted scraping of facial images and on emotion inference in workplaces and schools.

Scope it properly

Design a camera system that survives May 2027.

Describe your site in plain language and the IndoAI Advisor returns an itemised system — cameras, on-premise Edge Box, storage, models and retention posture — built on a real catalogue, not a price list. It takes under a minute, and it will tell you what your current estate is missing.

Open the AI Advisor →
VG
Dr. Vivek Gujar
Co-founder & Chief Science Officer, IndoAI

Vivek leads computer vision and edge model research at IndoAI, the Pune-based AI camera platform founded in 2021. He writes on the intersection of video intelligence, edge architecture and Indian data protection regulation. Related reading: what an AI camera actually is, and how a housing society deployed ANPR at the gate.