India's DPDP Act vs Global Privacy Laws: GDPR, CCPA, PDPA Comparison 2026
By Complynz Research Team | GRC | 2026-03-01
A comprehensive comparison of India's DPDP Act with GDPR, CCPA/CPRA, PDPA Singapore, and POPIA South Africa covering scope, consent, data subject rights, penalties, cross-border transfers, DPO requirements, breach notification, and children's data.
Why Global Privacy Law Comparison Matters for Indian Businesses

India's Digital Personal Data Protection (DPDP) Act does not exist in isolation. It joins a growing family of global privacy regulations that collectively shape how businesses handle personal data worldwide. For Indian companies operating internationally, or multinational companies with operations in India, understanding how DPDP compares to other major privacy laws is essential for building efficient, multi-jurisdictional compliance programmes.

This analysis compares the DPDP Act with four major global privacy laws: the European Union's General Data Protection Regulation (GDPR), California's Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Singapore's Personal Data Protection Act (PDPA), and South Africa's Protection of Personal Information Act (POPIA). Each comparison highlights where DPDP is stricter, where it is more lenient, and where it takes a unique approach.

Comprehensive Comparison Table

The following table provides a side-by-side comparison across the most important compliance categories:

| Category | DPDP Act (India) | GDPR (EU) | CCPA/CPRA (California) | PDPA (Singapore) | POPIA (South Africa) |
|---|---|---|---|---|---|
| Year Enacted | 2023 | 2016 (effective 2018) | 2018/2020 (CPRA 2023) | 2012 (amended 2020) | 2013 (effective 2021) |
| Scope | Digital personal data processed in India or of Indian citizens | Personal data of EU residents, regardless of processor location | California residents' data, businesses meeting revenue/data thresholds | Personal data collected in Singapore | Personal information processed in South Africa |
| Legal Bases for Processing | Consent and legitimate uses (limited categories) | Six legal bases including legitimate interest | No consent requirement; opt-out model for sales/sharing | Consent, deemed consent, legitimate interests | Consent, legitimate interest, contractual necessity, legal obligation |
| Consent Standard | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous | Opt-out model (not opt-in for most processing) | Deemed consent in many scenarios | Voluntary, specific, informed |
| Right to Access | Yes | Yes (detailed) | Yes | Yes | Yes |
| Right to Correction | Yes | Yes | Yes (CPRA) | Yes | Yes |
| Right to Erasure | Yes (with exceptions) | Yes (with exceptions) | Yes | Limited | Yes (with exceptions) |
| Right to Portability | Not explicitly provided | Yes | Yes (CPRA) | Yes (2020 amendment) | Not explicitly provided |
| Right to Object/Opt-Out | Consent withdrawal | Right to object to processing | Right to opt out of sale/sharing | Withdrawal of consent | Right to object |
| Children's Age Threshold | 18 years | 16 years (member states may lower to 13) | Under 16 for opt-in to data sale | Not specifically defined | 18 years (competence to consent) |
| Maximum Penalty | INR 250 crores (approx. USD 30 million) | EUR 20 million or 4% global turnover | USD 7,500 per intentional violation | SGD 1 million (up to 10% of turnover under 2020 amendment) | ZAR 10 million or imprisonment |
| Cross-Border Transfers | Permitted except to restricted countries | Adequacy decisions, SCCs, BCRs required | No specific restrictions | Comparable protection or consent | Adequacy or binding agreements |
| DPO Requirement | Required for Significant Data Fiduciaries only | Required for public bodies, large-scale processing, special categories | No DPO requirement | Required (at least one officer) | Required (Information Officer) |
| Breach Notification | To DPB and affected individuals (timeline to be prescribed) | 72 hours to supervisory authority | No specific timeline (follows state breach notification law) | As soon as practicable to PDPC and individuals | As soon as reasonably possible to Regulator and data subjects |
| Automated Decision-Making | Not specifically addressed | Right not to be subject to solely automated decisions | Profiling opt-out under CPRA | Not specifically addressed | Right not to be subject to automated decisions |

Where DPDP Is Stricter Than Global Counterparts

Despite being a newer law, DPDP introduces several provisions that are stricter than comparable global regulations.

Children's Data Protection

DPDP sets the children's age threshold at 18 years, higher than GDPR's 16 years (or 13 in some EU member states) and CCPA's focus on under-16 for sale opt-in. This means Indian businesses must implement age verification and parental consent mechanisms for a significantly larger population of users. Additionally, DPDP explicitly prohibits behavioural tracking and targeted advertising directed at children, a restriction that is less explicit in other frameworks.

Consent as Primary Legal Basis

While GDPR provides six legal bases for processing (including legitimate interest, which is widely used), DPDP primarily relies on consent and a narrow category of "legitimate uses." The absence of a broad legitimate interest basis means Indian businesses must obtain explicit consent for many processing activities that would be permissible under GDPR without consent. This is stricter than GDPR, CCPA (which uses an opt-out rather than opt-in model), and PDPA Sing