AI-Enabled CCTV Cameras Now Fall Under DPDP Rules

AI-Enabled CCTV Cameras Now Fall Under DPDP Rules: What Compliance Officers Must Know

08 April 2026 · Written by Vipul Abhishek, earlier practiced as an Advocate, Supreme Court of India.

The government has officially confirmed that AI-powered CCTV systems are covered under the Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, 2025. In a Rajya Sabha reply, Minister of State for Electronics and Information Technology Jitin Prasada stated that the DPDP framework—supported by India AI Governance Guidelines—aims to address risks from expanded data collection through AI-enabled surveillance. The Data Protection Board of India (DPB) will oversee compliance, adjudicate breaches, and enforce penalties that can reach up to ₹250 crore.

Why This Matters for Your Organisation

AI-enabled CCTV does more than record video. It processes personal data—often including biometric information—through facial recognition, behaviour analysis, and real-time alerts. Under the DPDP Act, this is digital personal data processing, making the deploying entity a Data Fiduciary with obligations around lawful processing, notice, consent (where applicable), purpose limitation, retention, and data security.

The Hard Realities of DPDP Compliance for CCTV

Consent in high-footfall spaces: obtaining express, specific, informed, and unambiguous consent from everyone captured in malls, offices, airports, or streets is practically difficult. Clear entry-point notices are often used, but whether notices alone satisfy consent standards can depend on the lawful basis/structure used and future DPB guidance.

Who is the Data Fiduciary?: vendors, installers, and maintenance providers are typically not the Data Fiduciary if they only supply hardware or act on instructions. Responsibility usually falls on the entity that decides to deploy the cameras, defines the purpose, controls access, and determines retention—often the premises owner/operator.

Right to erasure and user rights: individuals may seek erasure/access, but exemptions tied to safety and other legal needs can limit feasibility. Technically, deleting specific clips from AI-processed pipelines can be complex and may conflict with retention requirements.

Practical Steps for DPDP-Ready AI-CCTV Compliance

Map your role clearly: document whether you are the primary Data Fiduciary and record purpose, placement, and data flows for every camera.

Implement robust notices: place clear signage at entry points stating CCTV use, purpose, and contact details for grievances.

Conduct a targeted risk assessment: evaluate biometric risks, algorithmic bias, retention periods, and sharing with vendors or law enforcement.

Strengthen safeguards: implement encryption, access controls, audit logs, and secure storage; align with ISO 27001/SOC 2 where present, and add DPDP-specific privacy governance.

Prepare grievance and rights workflows: create a process for handling access/erasure requests and complaints, even where exemptions may apply.

Monitor evolving guidance: track clarifications from the DPB and any surveillance-specific expectations as enforcement matures.

The Road Ahead

This development signals serious intent to regulate AI-driven surveillance. Turning high-level principles into audit-ready processes will test compliance teams in 2026 and beyond. If you deploy AI-enabled CCTV, treat it as a DPDP compliance program—covering notice, governance, controls, vendors, and response—not just a security install.