NUKOE

GDPR vs CCPA vs DPDPA: Which Data Privacy Law Leads in 2026?

Comparison of the three major data protection regimes in 2026.

On August 11, 2026, India enacted the Digital Personal Data Protection Act (DPDPA), marking a turning point in its approach to digital privacy. Less than a year later, in January 2026, Cleary Gottlieb published a detailed comparative analysis between this new text, the European GDPR, and US laws, including the California CCPA. Today, in May 2026, these three regimes coexist and influence the compliance strategies of companies operating internationally. But how do they really compare? And above all, what pitfalls should digital professionals avoid?

1. Scope: Who is affected?

The GDPR applies to any entity processing data of European residents, regardless of its location. The CCPA targets companies that meet certain revenue thresholds or process a significant volume of Californians' data. The DPDPA applies to the processing of digital personal data within Indian territory, including by foreign entities if the data concerns Indian residents.

According to a Cleary Cyberwatch analysis (January 2026), the DPDPA also covers data collected offline and then digitized, broadening its scope compared to the CCPA. However, it excludes processing for personal or household purposes, like the GDPR.

2. Consent and Purposes: Marked Differences

The GDPR requires explicit, free, specific, and revocable consent. The CCPA relies more on the right to opt-out for the sale of data, while the DPDPA requires prior consent for all processing, except for limited exceptions.

An article published on IGI Global in 2026 highlights that the DPDPA, like the GDPR, requires consent that is "free, specific, informed, and unambiguous," but introduces an additional notion: consent must be given by a "clear affirmative act." The authors criticize, however, the lack of details on the consent withdrawal mechanism, a central point in the GDPR.

3. Data Subject Rights: Which Protects Best?

The GDPR offers an extensive catalog of rights: access, rectification, erasure, restriction, portability, objection. The CCPA focuses on the rights to access, deletion, and opt-out of sale. The DPDPA, according to a comparison published by Nyusta in October 2026, adopts most of the GDPR rights but removes some, such as portability and automated profiling. A notable gap, highlighted by an IEEE study (2026), is the absence of clear provisions on automated decision-making and profiling, which are crucial in the age of AI.

4. Sanctions and Enforcement: The Cost of Non-Compliance

The GDPR can impose fines of up to 4% of annual global turnover or €20 million (whichever is higher). The CCPA provides for civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. The DPDPA sets fines of up to INR 250 crore (approximately €30 million) per violation. According to Global Privacy Blog (December 2026), this amount is comparable to the GDPR ceiling, but the DPDPA does not provide for a percentage of turnover, which may disproportionately penalize smaller businesses.

5. Pitfalls to Avoid for Professionals

Mistake #1: Thinking that CCPA and GDPR are interchangeable. The CCPA does not require prior consent for collection, unlike the GDPR. A company that mechanically transposes its GDPR procedures to California risks facing different obligations.

Mistake #2: Ignoring DPDPA specifics on parental consent. The DPDPA requires verifiable parental or guardian consent for processing children's data (under 18). No other regime imposes such a high threshold.

Mistake #3: Neglecting breach notification obligations. The GDPR requires notification within 72 hours, the CCPA within 30 days, and the DPDPA also within 72 hours. However, the notification criteria differ: the DPDPA requires notification of any breach likely to cause harm, which is broader than the GDPR.

6. Warning Signs to Watch

  • Lack of a single point of contact: Unlike the GDPR with the lead supervisory authority, the DPDPA does not provide a one-stop-shop mechanism. A company operating in multiple Indian states must comply with each local authority.
  • Compliance deadlines: The DPDPA came into force in 2026, but its implementing rules are still being developed. According to DLA Piper (2026), India has not yet designated its data protection authority, creating legal uncertainty.
  • Government exemptions: The DPDPA allows the government to exempt certain processing for national security reasons, a provision absent from the GDPR and CCPA. This may weaken citizen protection.

7. Toward Convergence?

Despite their differences, these three laws share common principles: transparency, purpose limitation, data minimization. An article from USC Gould School of Law (undated) highlights that the GDPR served as a model for the DPDPA, but the latter adapted certain provisions to the Indian context, particularly regarding data sovereignty.

In practice, multinational companies must adopt a granular approach: map data flows, identify applicable regimes, and implement modular policies. Varonis reminds us that compliance is not a one-time exercise but a continuous process.
