
The DPDP Act & AI Conversations: What Changes in 2026

India's DPDP Act, 2023 doesn't regulate AI directly—it regulates how digital personal data is collected, processed, and managed. As AI-powered customer interactions increasingly rely on personal data, CX teams must ensure compliance with evolving privacy requirements around consent, transparency, data governance, and customer rights. With the DPDP Rules, 2025 introducing phased compliance through 2027, organisations should focus on building trust-driven customer experiences that balance AI innovation with responsible data practices.

Shriya Bajpai
Jun 11, 2026 | 5 mins

QUICK ANSWER

India's Digital Personal Data Protection (DPDP) Act, 2023 does not regulate AI directly — it regulates how digital personal data is processed. Because AI-powered customer conversations process names, phone numbers and behavioural data at scale, they fall squarely within its scope. With the DPDP Rules, 2025 notified on 13 November 2025 and full obligations phasing in by May 2027, 2026 is the year CX teams move from policy to operational readiness.


Key takeaways

  • The DPDP Act regulates the processing of digital personal data, not AI itself — if an AI system processes personal data, the law applies.
  • The DPDP Rules, 2025 were notified on 13 November 2025, with a phased compliance runway: consent-manager registration from ~November 2026 and core obligations from ~13 May 2027.
  • Consent is shifting from a one-time checkbox to an operational capability — capture, store, update and withdraw at scale.
  • Customers care about trust more than legislation; transparent data practices become a competitive advantage.
  • Helo.ai builds governance and consent controls into AI voice and messaging — see Helo Conversations.

Why the DPDP Act matters for customer-experience teams

A few years ago, customer-service teams rarely thought about privacy law when designing a support workflow. If a customer called, the conversation was recorded. If a chatbot collected information, the data was stored. Those decisions were largely operational.

AI changes that equation. Today's customer conversations are no longer just conversations — they are data streams being analysed, summarised, classified, routed, scored and sometimes used to improve future AI systems. Every interaction creates information that can move across multiple tools in seconds.

That is why the DPDP Act has become directly relevant to CX teams. The law is not about AI. But because AI relies heavily on customer data, the way organisations collect, process and use conversation data is now under far greater scrutiny. For the official text, see the DPDP Act, 2023 (MeitY).

Every customer interaction potentially involves personal information, including:

  • Names, phone numbers and email addresses
  • Account details and transaction history
  • Behavioural data and conversation records

When AI systems process this information, the organisation remains responsible for ensuring it is collected, used, stored and managed appropriately under the law. Privacy is no longer limited to backend systems — it increasingly shapes how conversations themselves are designed.


What the DPDP Act actually regulates

A common misconception is that the DPDP Act regulates artificial intelligence directly. It does not. The Act regulates the processing of digital personal data. If an AI system processes personal data, that processing falls within the scope of the law.

In practice, the focus is the data, not the technology. Customer-service teams should worry less about whether a system is labelled “AI” and more about how customer information is being collected and used.


From data collection to data responsibility

Historically, many organisations operated on a simple assumption: collect first, figure out usage later. That approach is much harder to justify in a privacy-focused environment. The DPDP framework emphasises clear purposes for collection and greater transparency about use.

The new design principle for AI-powered experiences: only collect the information necessary to complete the intended task.


How AI conversations are different

Traditional customer interactions are limited by human capacity — an agent speaks to one customer at a time. An AI system can simultaneously process thousands of interactions. It can analyse conversations, generate responses, classify intent, detect sentiment, route requests and execute workflows.

This scale creates enormous opportunity. It also raises the stakes for governance. The more customer data flows through automated systems, the more important transparency, accountability and consent become.


Does AI need consent to call customers?

This is one of the most common questions businesses ask, and the answer is nuanced. The DPDP Act places significant emphasis on consent and lawful processing. Whether a specific outreach initiative requires consent depends on the nature of the interaction, the data involved and the applicable legal basis.

The relevant question is not who makes the call. It is whether customer data is being processed appropriately and whether the required permissions exist. Organisations should not assume AI-generated outreach is treated differently from human-generated outreach.


For many organisations, consent management was historically a checkbox exercise. That mindset is changing. As privacy requirements mature, consent becomes an operational capability that directly affects marketing, support, onboarding, sales and retention.

Organisations increasingly need systems that can:

  • Capture consent at the point of interaction
  • Store consent records in an auditable form
  • Update consent preferences as they change
  • Process withdrawals promptly
  • Demonstrate compliance when required

The ability to manage customer permissions at scale is becoming as important as the ability to communicate with customers in the first place.


AI training and customer conversations

Another area receiving growing attention is how customer conversations are used after they occur. Organisations increasingly use interaction data to improve experiences, train AI models, enhance automation, build knowledge bases and optimise workflows.

As privacy expectations evolve, businesses must pay closer attention to how conversational data is stored, retained and repurposed. The assumption that every conversation can automatically become training data is becoming harder to defend without appropriate governance.


What actually changes in 2026

The biggest change in 2026 is not a single new restriction — it is the transition from preparation to implementation. India's DPDP framework is being rolled out in phases following the notification of the DPDP Rules, 2025 on 13 November 2025.

Based on the government's phased commencement, the runway looks broadly like this:

| Phase | Approx. timing | What becomes operational |
|---|---|---|
| Phase 1 | From 13 Nov 2025 | Data Protection Board of India established; foundational provisions in force |
| Phase 2 | ~12 months later (late 2026) | Consent-manager registration framework operational |
| Phase 3 | ~18 months later (by ~13 May 2027) | Core obligations: notice, consent, security, breach reporting, data-principal rights |


Note: exact commencement dates are governed by official MeitY notifications and may be adjusted; treat the above as directional and confirm against the latest notification.

The practical takeaway is that questions that were once theoretical are now active business priorities:

  • How is consent captured?
  • Where is customer data stored?
  • Which AI systems process personal information?
  • How are deletion requests handled?
  • How are customer permissions tracked?


Why customer trust matters more than compliance

Organisations often approach privacy through a legal lens. Customers experience it differently — they care less about legislation and more about trust. They want confidence that their information is protected, their preferences respected, their data not misused and their interactions secure.

Privacy compliance helps establish that trust, but trust ultimately becomes a competitive advantage. As AI adoption grows, businesses that communicate transparently about data usage may find it easier to earn customer confidence.


What CX leaders should be doing now

CX leaders do not need to become privacy lawyers. They do need to understand how privacy affects customer journeys. Areas worth evaluating include:

  • AI-powered customer interactions
  • Consent-management processes
  • Data-collection practices
  • Customer-communication workflows
  • Third-party technology providers
  • Customer-data retention policies

The goal is not simply compliance — it is building customer experiences that remain effective while respecting evolving privacy expectations. For a deeper view on responsible AI outreach,


AI and privacy are no longer separate conversations

For much of the past decade, AI discussions focused on automation and efficiency, while privacy discussions focused on regulation and compliance. Those worlds are now converging. Every meaningful AI deployment depends on data, and every meaningful privacy framework governs how that data is used.

As a result, AI strategy and data-governance strategy are increasingly the same conversation. Organisations that recognise this early will be better positioned to scale AI responsibly.


Conclusion

The DPDP Act is not an AI law, but it is becoming one of the most important regulations shaping how AI-powered customer interactions are designed and governed in India. As implementation progresses through 2026 toward full enforcement, organisations are being pushed to think more carefully about consent, transparency, data usage and customer trust.

For CX leaders, the challenge is not choosing between AI and compliance. It is building customer experiences that achieve both. The businesses that succeed will not simply automate conversations — they will build conversations customers feel comfortable having.


Frequently asked questions


How does the DPDP Act affect customer communication?

The DPDP Act governs how organisations collect, process, store and use digital personal data. This directly impacts customer-service, marketing, support and AI-powered communication programmes, because each typically processes personal information.


Does AI need consent to call customers?

The key issue is not whether AI makes the call, but whether customer data is being processed appropriately and the necessary permissions or consent requirements are satisfied. Outreach should be designed with privacy obligations in mind.

What is changing in 2026?

2026 marks the shift from preparation to operational readiness. Following the DPDP Rules notification on 13 November 2025, consent-management structures and compliance obligations phase in toward full enforcement by around mid-2027.

Does the DPDP Act regulate AI directly?

No. The DPDP Act regulates the processing of digital personal data. AI systems become subject to the law when they process personal information.

Why should CX leaders care about DPDP compliance?

Because customer interactions increasingly involve AI systems, customer data and automated workflows. Privacy compliance is becoming a core part of designing trustworthy customer experiences.



About Author
Shriya Bajpai

Shriya Bajpai started in content and evolved into shaping SaaS narratives across the CPaaS and customer engagement space. At Helo.ai by VivaConnect, she works at the intersection of product and communication systems, translating complex messaging, automation, and customer journey workflows into clear, structured narratives that scale.
