For companies, valuing privacy isn’t always just about respecting user rights—it’s often plain business sense.

This, among other things, was what Mozilla sought to convey last week when it hosted a closed-door meeting in New Delhi with online companies from India. At the meeting, representatives of Mozilla, which, among other products, runs the Firefox web browser, discussed how principles of data privacy can be applied in an everyday business context.

Companies in attendance included homegrown food delivery app Zomato, medical platform Practo, and online travel agency Ibibo.

A wholly owned subsidiary of the non-profit Mozilla Foundation, Mozilla advocates for an open internet and has held similar roundtables in other countries before.

Urmika Shah, a senior company executive from Silicon Valley, led the discussion with other firms on Lean Data Practices: a playbook that Mozilla has developed on how they can respect people’s privacy by dealing responsibly with user data.

Shah was joined by Amba Kak, Mozilla’s public policy advisor in India.

Mozilla has also weighed in regularly on hot-button technology policy issues in India. It has issued a detailed public statement to the government about the draft law for privacy that may soon be put before parliament, besides urging India to reconsider its push towards data localisation.

Quartz spoke with both Shah and Kak about what they learned from the closed-door meeting, how businesses can champion user privacy, and what may lie ahead for technology policy in India.

Edited excerpts:

Why is it in companies’ best interests to engage in lean data practices?

There are many ways not only for other governments to access that data but also your own government.

Shah: It reduces risk. For now, breaches are very common. The more sensitive data you have around, the more risk of serious compromise when that does happen. You may not care about it, your investors, maybe, won’t care about it today, but the minute there is a problem, they’re going to care a lot. The other piece of it is a risk to your brand. I think once the Indian legislation does pass, that will bring more awareness to this issue, so more people will start caring about it. That’s something we heard from companies in the EU—that, honestly, people weren’t banging down our doors asking us questions prior to the General Data Protection Regulation, but with the advent of the legislation, that public awareness was huge.

What implications for privacy and data security would data localisation have?

The data protection authority needs to be more independent from the government.

Shah: I think some people have this sense that if you store data only in one country, then no other country can access it—but that’s not true. There are many ways not only for other governments to access that data but also your own government. And in the Indian context in particular, right now, the police and other types of law enforcement can request and compel companies for data in a very broad way. And so without parallel legislation that creates limits (on the government) to protect people, I think that’s actually a really strong concern when we have those conversations about data localisation in India.

How about the proposed data-protection law? What might you change about it, if you could?

Kak: We’ve actually made our case in our submission to the government that we want to see some primary changes. First, we think the data protection authority needs to be more independent from the government. The way that it’s currently drafted would make it kind of at the beck and call of the government. And that’s a problem given that the government is effectively one of the largest data processors as well. We also think it’s disappointing that the bill doesn’t include a right to object to certain types of data processing. The right to object usually applies where consent is not taken, so often when there is government collection of data, because it’s an imbalance in bargaining power, you might argue that relying on pure consent is inappropriate.

Do you have any advice for consumers who seek to protect their privacy online?

Shah: One thing would be to reach out to companies. One question we’ve asked at every roundtable is, “What do your users ask you?” And that’s a question where some companies say, “We hear crickets, we don’t hear anything.” And therefore they assume that people don’t care. So for people who do care, and who aren’t seeing what they want, it is important to go and ask—and to do so publicly. Push companies to realise that there is a public awareness on these issues.