When India recently finally brought the 2025 rules of the Digital Personal Data Protection Act passed in 2023, many naysayers said: So what! Well, the India version is not a copy of either that of Europe or America.

Let us look at the trust issues first. India is by default used to the idea of clicking ‘accept’. Yes, doesn’t matter whether that is sharing Aadhaar or even OTPs sometimes. The companies gained. The Act now brings a twist. Trust is now something that can be measured. You are a fintech app and can’t give users a sense of safety, you lose. Trust is what counts in customer acquisition, or retention, or even how foreign partners may view your firm. It is now a moat.

Another issue is the timing. The Act is rolling out in phases. The Data Protection Board is still being set up and settling into its role. So, some may invest early in compliance unlike others with a wait-and-watch attitude. I may be wrong, but the slower group may end up paying more in the long run. How? Well, the faster ones will adapt quickly, buy consent tools, or hire privacy officers. A full-blown privacy services vendor market already exists. Audit-tech companies, breach response firms, and managed compliance services—all in the works. Yes, privacy is now a supply chain.

Consent is the daily struggle. The Act asks for clear and revocable consent. It sounds simple, but the real work is in design. How do you ask for permission without scaring the user? Many apps are reworking their prompts, menus, and language. And the consent UX arms race is on.

Is this only a compliance theatre?

The Act is not perfect. Legal experts are already pointing towards gaps in enforcement and rule design. That said, by supporting innovation while protecting personal data places India perhaps more favourably as compared to weaker regimes. And that is the idea of policy as a platform. Foreign partners may privilege Indian counterparts now. India is positing for a long position on AI.

Imperfections aside, the direction is clear. Trust, timing, supply chains, consent UX and AI ambitions—too many themes in one law? Yes but ‘it happens only in India,’ as they say—contradictions often sit side by side.

One may also recall that the concern for trust and proper handling of personal matters is not new to India. Kautilya, in the Arthashastra, used the ideas of “raksha” and “yogakshema” to show that protection and welfare must hold even when governance moves through uneven ground. He warned against “duspravritti” (harmful conduct) by officials and still worked within a world that was never fully orderly. Manu, in the Manusmriti, placed “dharma” (a mix of duty, fairness, and restraint) and “samya” (balanced treatment) at the centre of fair conduct, knowing well that real life often bends around contradictions. Both accepted that stability comes not from perfect conditions but from holding core principles intact in the middle of shifting undercurrents. That Indian DNA of balancing clarity with everyday messiness continues. 

Let us not miss the wood for the trees. The larger story is about trust being an asset, rollout timing a strategy game, consent a design battle, privacy services a new supply chain. And them all shaping India's place in AI. Not neat, but that is why it matters.

(The author is a C-suite+ and startup advisor, and researches and works at the intersection of human-AI collaboration. Views are personal.)