DPDP vs CCPA: India vs California Data Protection
How does India's DPDP Act compare to California's Consumer Privacy Act? Key differences in consent models, opt-out rights, sale of data, and penalty structures.
DPDP vs CCPA: Two Approaches to Data Privacy
India’s DPDP Act 2023 and California’s Consumer Privacy Act (CCPA, amended by CPRA) represent two distinct philosophical approaches to data protection. CCPA gives consumers the right to opt out of data sales, while DPDP requires opt-in consent for most processing.
Side-by-Side Comparison
| Feature | DPDP Act 2023 | CCPA/CPRA |
|---|---|---|
| Consent model | Opt-in (consent before processing) | Opt-out (can process unless consumer objects) |
| “Sale” of data | Not a specific concept | Core concept — right to opt out of data sales |
| Applicability | All businesses processing Indian data | Businesses exceeding revenue/data thresholds |
| Children’s age | Under 18 | Under 16 (opt-in consent) |
| Enforcement | Data Protection Board | California Attorney General + Privacy Agency |
| Private right of action | No | Yes, for data breaches |
| Max penalty | ₹250 Crore (~$30M) per violation | $7,500 per intentional violation |
| Do Not Sell | Not applicable | Required prominent link |
| Financial incentives for data | Not addressed | Allowed with disclosure |
The Fundamental Difference: Opt-In vs Opt-Out
DPDP requires consent before processing personal data. You can’t collect data and then offer an opt-out — you need affirmative consent upfront. CCPA, by contrast, allows businesses to collect and process data by default, giving consumers the right to opt out of sales and certain sharing.
This means:
- DPDP is more privacy-protective in requiring upfront consent
- CCPA is more business-friendly in allowing default data collection
- Multinational companies must follow the stricter standard when operating in both jurisdictions
“Sale” of Data: A CCPA-Specific Concept
CCPA’s definition of “sale” is uniquely broad — it includes sharing personal information with third parties for any valuable consideration, including ad-tech data sharing. DPDP doesn’t specifically address the “sale” of data. Instead, any third-party data sharing requires specific, informed consent.
Private Right of Action
CCPA allows consumers to sue businesses directly for data breaches (with statutory damages of $100-$750 per consumer per incident). DPDP does not include a private right of action — complaints go through the Data Protection Board, not courts.
For Companies Operating in Both Markets
- Default to DPDP’s opt-in model for Indian users — it’s stricter
- Implement consent management that supports both models — opt-in for India, opt-out for California
- Don’t assume CCPA compliance covers DPDP — the models are fundamentally different
- Children’s data requires extra attention — DPDP’s under-18 threshold is broader than CCPA’s under-16