DPDP Act VS DPDP vs CCPA: Comparing India and California Privacy Laws
Compare India's DPDP Act 2023 with California's CCPA. Learn about differences in consent, rights, and cross-border data transfer requirements.
Discuss this page with an LLM
What This Means In Practice
Use this table to brief your legal, product and marketing teams.
| Question | DPDP Direction | DPDP vs CCPA: Comparing India and California Privacy Laws Direction | Practical Impact |
|---|---|---|---|
| Can we process by default? | Often consent-first | Often depends on a different legal model | India flows may need earlier consent design. |
| Is a global privacy model enough? | No | Not always | Global privacy work does not map one-to-one to DPDP. |
| Are children protected differently? | Under 18 | Check local age thresholds | Indian child-user products need stricter review. |
| Is breach risk enough to trigger work? | Yes | Yes | Security, response and evidence matter in both systems. |
Three Questions To Ask Internally
- Are we copying a non-India privacy model into an Indian product?
- Do our consent flows work for Indian users?
- Which global privacy controls can be reused, and which must be redesigned for DPDP?
If you operate across India and another market, do not assume one privacy program covers both. Use the stricter flow where user trust and evidence matter most.
Consent and Opt-out Models
The DPDP Act uses an opt-in model for all data processing. You must obtain clear permission before you collect or use any personal data. California’s CCPA uses an opt-out model. This allows you to collect and process data immediately, provided you give users a way to stop you from selling or sharing it later. For Indian software companies serving California clients, this requires maintaining two separate user interface workflows for data collection.
Business Size and Applicability
DPDP applies to every entity that processes digital personal data in India regardless of their revenue. There is no minimum turnover required to be covered by the law. CCPA only applies to for-profit businesses that meet specific triggers. These triggers include having over $25 million in annual gross revenue or buying and selling the personal data of at least 50,000 California residents. A small Indian startup will likely need to comply with DPDP even if they are still too small to fall under CCPA.
Side-by-Side Comparison
| Feature | DPDP Act 2023 | CCPA / CPRA |
|---|---|---|
| Scope | All digital personal data | California resident consumers |
| Consent | Clear permission required first | Right to opt-out of sales |
| Children | Everyone under 18 | Everyone under 16 |
| Penalties | Based on violation category | Per violation or per consumer record |
| Cross-border | Permitted unless restricted by government | No specific country-based limits |
| Rights | Access, correct, and erase | Access, delete, and stop sales |
| Enforcement | Data Protection Board of India | California Privacy Protection Agency |
This week
Map your data flow to determine if you are “selling” or “sharing” data as defined by the CCPA. If you are, you must add a specific link to your website footer that is not required by the DPDP Act.
FAQ
Q: Does DPDP require a “Do Not Sell My Personal Information” link? A: No. DPDP does not use the concept of “selling” data. Instead, it requires you to get consent for every specific reason you process data.
Q: Can I use the same privacy notice for both laws? A: No. DPDP notices must be available in multiple Indian languages upon request. CCPA notices must include specific links for opting out of data sales and sharing.
Q: Is the age of a child the same in both regions? A: No. India defines a child as anyone under 18. California defines a child as anyone under 16 for purposes of opting into data sales.
Confused by the differences?
Dual compliance is tricky. Our experts can help you navigate both DPDP vs CCPA: Comparing India and California Privacy Laws and DPDP requirements.
Book Strategy Call