Making AI Accountable 

How Verified User Consent Can Keep a Check on How AI Accesses and Uses Data

India’s privacy landscape is undergoing a significant transformation. In November 2025, the Government of India formally adopted the Digital Personal Data Privacy Act (DPDPA), a landmark legislation that will fundamentally reshape how organizations handle personal data. Unlike its international counterparts, the DPDPA is primarily purpose-based, requiring data fiduciaries—entities that collect and process personally identifiable information of Indian citizens—to explicitly declare the purpose of data collection and obtain user consent for that specific purpose.

Sid Ugrankar
Co-founder & CEO
Qila.io

But what does this mean for artificial intelligence? How will this regulatory framework impact the way AI systems access, train on, and utilize data? These questions are increasingly urgent as AI becomes embedded in every aspect of business and society. 

Understanding AI Data Access 

To understand the implications of the DPDPA for AI, we first need to examine how AI systems access data. Large language models (LLMs) like those powering many commercial AI applications are typically trained on vast amounts of publicly available information: websites, social media platforms, user-contributed content, digital publications, and any data accessible without paywalls. Importantly, personally identifiable information (PII) is deliberately excluded from these datasets. 

However, a different category of models—Small Language Models (SLMs)—operates on a different principle. These private, enterprise-specific models are often trained using PII to deliver more personalized and contextually relevant experiences. This is where consent becomes critical. When an organization deploys a private SLM trained on user data, it must ensure that every piece of personal information used was collected with proper, verified consent from the individual. 

DPDPA – The Purpose-Based Consent Framework 

The DPDPA is a purpose-based consent framework. This means it is not enough to put in place measures labelled as compliance; explicit consent must be captured and stored. While capturing this consent, the business is required to display and define the exact purpose (e.g. marketing or logistics) for which the PII is being stored, shared or processed. Additionally, the business has to provide a consent lifecycle management feature for the owner of that data. If a company wants to use customer emails for personalized marketing through an AI system, it must clearly state this specific purpose and obtain consent for it. If it later wants to use that same data for product recommendations through a different AI model, it may need to seek additional consent. The challenge in this case is to ensure that the AI forgets the data once consent is withdrawn; otherwise the enterprise or the AI can be held liable.

This granularity presents both a challenge and an opportunity. For enterprises deploying private SLMs, it means implementing systems that track which purposes each piece of data was consented for and ensuring the AI system never accesses data beyond its consented purpose. 

The Enterprise Compliance Challenge 

For organizations using AI to process personal data, compliance with the DPDPA requires a fundamental shift in their data governance approach. Along with anonymising the data, enterprises must implement verified consent mechanisms that operate at the point where the AI system accesses data.

This means creating systems where every access request from an AI model is checked against a database of verified consents. The user consent token must clearly indicate the approved purposes, and the AI system must verify that its request falls within those purposes before accessing the data. This requires technical infrastructure that many organizations currently lack: consent management platforms, audit trails, and real-time access controls. In addition, the consent management system should be capable of providing verified artefacts that are system generated, not AI generated, so that they are admissible in a court of law if a grievance is raised.
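A sketch of the access-time check described above, added here as an illustration and not taken from Qila.io or any DPDPA tooling: a default-deny, purpose-bound consent gate whose decisions are written to an HMAC hash-chained audit trail so that later alteration is detectable. The class, model names, purposes and key are hypothetical, and timestamps are omitted to keep the sample deterministic.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

AUDIT_KEY = b"constructed-demo-key"  # assumption: a real key would live in a KMS/HSM

@dataclass
class ConsentStore:  # hypothetical name, not a real product API
    grants: dict = field(default_factory=dict)  # (user, purpose) -> granted/withdrawn
    audit: list = field(default_factory=list)   # hash-chained decision records

    def set_consent(self, user_id, purpose, status):
        self.grants[(user_id, purpose)] = status
        self._log("consent_" + status, user_id, purpose, "user")

    def authorize(self, model_id, user_id, purpose):
        """Gate called before a model reads a user's PII for a declared purpose."""
        allowed = self.grants.get((user_id, purpose)) == "granted"  # default deny
        self._log("allow" if allowed else "deny", user_id, purpose, model_id)
        return allowed

    def _mac(self, rec):
        body = {k: v for k, v in rec.items() if k != "mac"}
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

    def _log(self, event, user_id, purpose, actor):
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64
        rec = {"seq": len(self.audit), "event": event, "user": user_id,
               "purpose": purpose, "actor": actor, "prev": prev}
        rec["mac"] = self._mac(rec)
        self.audit.append(rec)

    def verify_audit(self):
        """Recompute every MAC and chain link; False if any record was altered."""
        prev = "0" * 64
        for i, rec in enumerate(self.audit):
            ok = hmac.compare_digest(self._mac(rec), rec["mac"])
            if rec["seq"] != i or rec["prev"] != prev or not ok:
                return False
            prev = rec["mac"]
        return True

def demo():
    store = ConsentStore()
    store.set_consent("user-1", "marketing", "granted")  # constructed sample data
    results = [store.authorize("slm-marketing", "user-1", "marketing"),
               store.authorize("slm-recommend", "user-1", "recommendations")]
    store.set_consent("user-1", "marketing", "withdrawn")
    results.append(store.authorize("slm-marketing", "user-1", "marketing"))
    return store, results
```

The gate only controls future reads; it does not remove data a model has already been trained on, which is the separate "forgetting" problem raised earlier.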

Reshaping the AI Ecosystem 

Currently, the AI ecosystem is still being trained on large troves of data. The privacy of personal information is already at the centre of regulatory discussions, and regulatory bodies are already at work trying to rein in the extent to which AI can access and use personal information. The DPDP Act presents a great opportunity, keeping citizens' best interests in mind. By making consent imperative, it is possible to ensure AI agents function in a safe and ethical manner, as the liability will always remain with the enterprise. More importantly, the regulation empowers users. Instead of being passive data subjects, individuals can now actively control how their information is used by AI systems. This shift toward user empowerment is not just a regulatory requirement—it’s becoming a competitive advantage, as customers increasingly expect organizations to respect their privacy and use their data responsibly.

-Authored by Sid Ugrankar, Co-founder & CEO, Qila.io
