Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

Uber's 'Record My Ride' Is the DPDP Act's First Real Consent Test — and India Doesn't Have a Clean Answer

Uber launched in-cabin video recording across 10 Indian cities on June 30. Under India's DPDP Act, notifying a passenger is not the same as getting their consent.

D
DPDPBot Research Team
🕐 10 min read

#Uber's 'Record My Ride' Is the DPDP Act's First Real Consent Test — and India Doesn't Have a Clean Answer

When Uber launched its "Record My Ride" feature across ten Indian cities on June 30, 2026, it framed the announcement as a safety win. What it didn't frame — and what India's data protection community has been arguing about since MediaNama's July 1 report broke the story — is whether the feature quietly tests the limits of India's Digital Personal Data Protection (DPDP) Act before enforcement has even begun.

Here is the legal problem in one sentence: under India's DPDP Act, notifying a data principal that something will happen is not the same as getting their consent for it to happen. Uber appears to be relying on the former while potentially needing the latter. If the Data Protection Board of India eventually agrees, every ride-hailing platform, delivery app, and business using ambient sensing technology in India faces the same reckoning.

#What Record My Ride Actually Does

Uber announced the feature at its Uber Surakshit safety conference in New Delhi, but the rollout had been quietly underway since a pilot that began in May 2025. As of June 30, 2026, it is live in Delhi, Mumbai, Bengaluru, Chennai, Hyderabad, and Kolkata, among other cities.

The mechanics: a driver opts in to the feature via their Uber app. Once activated, the driver's phone records video inside the cabin — capturing both the driver and all passengers — from the moment the ride begins. The footage is encrypted on the device itself. Neither Uber nor the driver can view it during or after the trip unless the driver files a safety incident report and explicitly uploads the recording.

If no report is filed within 14 days, the footage is automatically deleted. If a report is filed, Uber may access the recording and may also share it with police or law enforcement "with appropriate legal process or in emergency situations," according to Uber's privacy notice.

On the passenger side, the notification mechanism is an in-app alert before the ride confirming that the vehicle is equipped with a recording feature. Passengers cannot disable the recording. Their only option is to cancel the ride.

India's Digital Personal Data Protection Act, notified in August 2023 and given its full implementing Rules in November 2025, builds its entire framework around consent as the primary lawful basis for processing personal data.

This is meaningfully different from the European GDPR model, which offers six alternative lawful bases — including legitimate interests — that a company can invoke without seeking individual consent. The DPDP Act treats consent as the default and, outside a narrow list of "certain legitimate uses," does not offer a GDPR-style legitimate interests pathway.

Section 6 of the DPDP Act requires that consent must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Each of those adjectives carries legal weight:

  • Free: not coerced by the conditions of a service
  • Specific: tied to a specific purpose, not blanket
  • Informed: preceded by a clear notice that explains what will happen and why
  • Unambiguous with a clear affirmative action: a positive, deliberate act of agreement — not silence, not inaction, not the fact of boarding a vehicle

The DPDP Rules further establish that consent must be separable from other terms. You cannot bundle agreement to data collection into a general terms-of-service acceptance. A data principal must be able to give or withhold consent for specific processing activities independently of the broader service relationship.

Separately, data principals retain the right to withdraw consent at any time (Section 13), and withdrawal must be as easy as giving consent in the first place.

#The Core Question: Is Notification Enough?

Uber's current implementation rests on a notify-and-proceed model. The company informs passengers via in-app notification that the vehicle records; passengers who object must cancel before entering. Uber appears to characterise this as the passenger making an informed choice.

The problem is that the DPDP Act draws a sharp distinction between notice (Section 5) and consent (Section 6). Notice is a precondition for consent — you must inform before you ask — but notice alone does not constitute consent. The Act is explicit that the data principal must take "a clear affirmative action" to signal agreement.

Cancelling a ride is a refusal action, not an affirmative consent action. The DPDP Act does not allow a company to structure its service so that the default is ongoing data collection and the only way to opt out is to stop using the service entirely. That would make consent effectively coerced — the opposite of "free."

Uber could argue that the recording is covered under the DPDP Act's legitimate use provisions, which allow processing without consent in specified circumstances. But the Act's enumerated legitimate uses (Rule 5 of the DPDP Rules) cover scenarios such as medical emergencies, legal proceedings the Data Fiduciary is a party to, and fulfilling state-mandated obligations — none of which obviously covers a private company's voluntary safety programme operating during commercial rides.

There is an argument available to Uber that recording for law-enforcement cooperation purposes falls within a legitimate use carve-out. But that argument requires the recording to be for law enforcement, not for Uber's own safety analytics — and the current implementation records every ride regardless of any law enforcement need.

The honest answer, as of July 4, 2026, is that no regulator has ruled on this. The DPDP Act is in its soft-enforcement phase, and the Data Protection Board has not yet received a formal complaint on Record My Ride. But the legal questions are sharp enough that Uber's compliance team is almost certainly thinking about them.

#What the Data Protection Board Could Do

The Data Protection Board of India was established under Section 18 of the DPDP Act and formally constituted following the Rules' November 2025 notification. It holds the power to investigate complaints, issue remediation directions, and impose monetary penalties.

If a data principal files a complaint about Record My Ride, the Board could:

  1. Issue a direction requiring Uber to implement an explicit opt-in consent mechanism for passengers before any recording begins — replacing the current notify-and-proceed model
  2. Impose a financial penalty of up to ₹200 crore for violations involving inadequate consent mechanisms (with a separate track of up to ₹250 crore for security safeguard failures)
  3. Order deletion of any recordings obtained without valid consent

Under the current implementation timeline, full enforcement powers activate from May 13, 2027. The Board is not idle in the interim — it has been conducting awareness activities and has initiated some early enforcement actions against app developers for inadequate consent practices. But a major platform like Uber would represent a higher-profile and more consequential test of the Board's authority.

For Uber, the business risk is not primarily the penalty quantum — ₹200 crore (approximately $24 million USD) is manageable for a global company. The risk is a Board direction requiring a fundamental redesign of the feature. If passengers must actively consent before each ride, take-up by drivers drops, and the safety case for the feature weakens.

#Why Every Platform in India Is Watching This

Record My Ride is not an isolated product decision. It is part of a wider category of ambient data collection — dashcams, in-store cameras, smart speakers, delivery tracking — where technology companies have long operated on the premise that informing users is sufficient and that continued use of the service implies agreement.

India's DPDP Act, as written, challenges that premise directly. If the Board were to rule that Uber's notify-and-proceed model violates the Act's affirmative consent requirement, the implications extend to:

  • Other ride-hailing platforms: Ola, Rapido, and Namma Yatri all operate dashcams or in-cabin monitoring in some configurations
  • E-commerce delivery: Platforms that track package locations (and by extension, recipient home addresses and presence patterns) face consent questions about whether tracking data constitutes personal data requiring consent
  • Smart home device makers: Amazon Alexa and Google Nest devices sold in India will need to rethink ambient listening disclosures
  • Hotels and hospitality: CCTV in corridors and common areas where guests have a reasonable privacy expectation

The DPDP Act makes no exception for "it's just how the industry works." Every Data Fiduciary processing personal data of Indian residents — regardless of sector — must have a lawful basis for every act of collection and processing. Notification without consent is not a lawful basis.

#The Tata Electronics Breach Adds Urgency

The Record My Ride debate is not happening in a vacuum. On June 22, 2026, Tata Electronics — one of India's largest iPhone assembly contractors — confirmed a data breach in which a ransomware group called World Leaks exfiltrated more than 630 gigabytes of data, including engineering documents for Apple's unreleased iPhone 18 Pro, supplier specifications, and employee identification records. India's MeitY confirmed an active investigation as recently as July 3.

This breach matters to DPDP compliance in two ways. First, it tests whether Tata Electronics notified CERT-In and the Data Protection Board within the required timelines — a breach notification obligation that attaches immediately under the Act regardless of enforcement phase. Second, it involves employee personal data (identification records), triggering the DPDP's full consent and security safeguard obligations for that category.

Together, Record My Ride and the Tata breach illustrate that DPDP obligations are no longer theoretical. Consent failures and breach notification failures are live issues today — not after May 2027.

#What Businesses Should Do Now

If your company is processing personal data in India — which, under the DPDP Act's broad scope, includes processing data of Indian residents anywhere in the world — the Uber situation should prompt an audit of three specific questions:

1. Are you relying on notification as a substitute for consent?
If your privacy notice discloses data collection but your onboarding flow does not capture an explicit affirmative consent action, you are likely not DPDP-compliant. Notice is a necessary first step, not a replacement for consent.

2. Do you offer a mechanism for withdrawing consent that is as simple as giving it?
If a user must cancel an entire account, contact customer support, or forgo the core service to withdraw consent from a data processing activity, that withdrawal mechanism is not "as easy" as consent — which the Act explicitly requires.

3. Are your legitimate use claims supported by the Act's enumerated categories?
If you are processing personal data without consent on the basis of a "legitimate business interest" framing borrowed from GDPR, that framing does not transfer to India. The DPDP Act's legitimate use categories are narrower and enumerated specifically. Check whether your use case is actually in the list.

The November 2026 deadline for the Consent Manager framework operationalisation is approaching. Businesses that have not designed their consent architectures yet are running out of the runway that the soft-enforcement period provides.

For a deeper look at building a DPDP-compliant consent workflow, see our /consent-manager resource — it covers the technical and legal requirements for structured consent collection, withdrawal mechanisms, and audit trails that will matter when the Board moves from guidance to enforcement.

#The Bottom Line

Uber's "Record My Ride" is a safety feature with a genuine rationale — in-cabin recordings could resolve disputed incident reports and may deter violence against drivers and passengers. The safety case is real.

So is the legal problem. India's DPDP Act does not offer a comfort zone for companies that notify but do not ask. The Act's consent standard — affirmative, specific, informed, freely given — is not met by telling someone something is happening and giving them a cancel button.

The Data Protection Board hasn't ruled on this yet. But the question is squarely in front of it, and the answer will shape how every platform in India handles ambient data collection for the next decade. Uber launched first; the rest of the industry is watching the outcome.


Sources: MediaNama, July 1 2026 · Harro, July 1 2026 · TechCrunch, June 22 2026 · DPDP Rules 2025, MeitY · India Briefing on DPDP Timeline · Chambers and Partners on MeitY SDF proposals

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial