Introduction
The global data protection landscape is defined by three landmark legislations: the European Union's General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDPA), and California's Consumer Privacy Act (CCPA, as amended by the CPRA). Together, these laws govern how organisations handle personal data for close to two billion people. For businesses operating across these jurisdictions - and in today's digital economy, that includes a very large number of companies - understanding the similarities and differences between these frameworks is essential for building efficient, unified compliance programmes. Each law reflects its jurisdiction's priorities, legal traditions, and regulatory philosophy, resulting in significant variations in scope, definitions, individual rights, enforcement mechanisms, and cross-border data transfer rules. This comparison provides the detailed, side-by-side analysis that compliance teams need to navigate all three frameworks effectively.
Scope and Applicability
The three laws differ significantly in their scope and the entities they cover. The GDPR applies to processing carried out in the context of an establishment in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the organisation is located. It covers both automated processing and manual records that form part of a structured filing system. The DPDPA applies to digital personal data processed within India, and to processing outside India that is connected with offering goods or services to individuals in India. It covers only digital data - including data collected on paper and digitised later - but not purely manual records. The CCPA applies to for-profit businesses doing business in California that meet at least one of three thresholds: annual gross revenue above $25 million (a figure adjusted periodically for inflation), buying, selling or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing consumers' personal information. This threshold-based approach exempts many small and medium businesses from the CCPA, whereas the GDPR and DPDPA apply regardless of business size.
- GDPR: Applies to all organisations processing the data of individuals in the EU, wherever the organisation is established, no size threshold
- DPDPA: Universal applicability to digital personal data processing, no size threshold, digital data only
- CCPA: Threshold-based - only applies to for-profit businesses meeting revenue or data volume criteria
- Extraterritorial reach: All three laws apply to organisations outside their jurisdiction under specific conditions
- GDPR covers the broadest scope of data types (including manual filing systems), followed by DPDPA (digital only), and CCPA (focused on consumer data)
Definitions: Personal Data, Consumer, and Related Concepts
The foundational definitions in each law shape their entire compliance frameworks. The GDPR defines 'personal data' broadly as any information relating to an identified or identifiable natural person. It further defines 'special category data' - racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data concerning sex life or sexual orientation - which receives heightened protection and may only be processed under one of the specific conditions in Article 9. The DPDPA defines 'personal data' as any data about an individual who is identifiable by or in relation to such data. It does not create explicit sensitive data categories, though children's data receives enhanced protection. The CCPA uses 'personal information,' defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household. The CPRA amendment introduced 'sensitive personal information,' covering government identifiers such as Social Security, driver's licence and passport numbers, account log-in and financial account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail, email and text messages where the business is not the intended recipient, genetic data, biometric data used for unique identification, health data, and data on sex life or sexual orientation. The terminology differences - Data Subject (GDPR), Data Principal (DPDPA), Consumer (CCPA) - reflect different legal traditions but refer to essentially the same concept.
Legal Bases for Processing
The three laws take markedly different approaches to establishing when organisations can lawfully process personal data. The GDPR provides six legal bases: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Organisations must identify and document a legal basis before processing begins. Consent is only one of the six, and often not the most appropriate one, because it must be freely given, specific, informed, unambiguous and withdrawable at any time. The DPDPA provides two bases: consent and 'certain legitimate uses' (covering data the individual has voluntarily provided for a specified purpose, state functions and benefits, legal obligations and court orders, medical emergencies, public health and disaster response, and employment-related purposes). It has no equivalent to the GDPR's open-ended 'legitimate interests' basis, which makes it the most consent-dependent of the three. The CCPA takes the most permissive approach: it does not require a legal basis for collecting or using personal information. Instead, it relies on notice at or before collection, a requirement that collection and use be reasonably necessary and proportionate to the disclosed purposes, and consumer rights to know, delete, correct, and opt out. For sensitive personal information, businesses must offer consumers the right to limit its use and disclosure. This fundamental philosophical difference - lawful basis first (GDPR), consent first (DPDPA), and notice-and-opt-out (CCPA) - has profound implications for how organisations design their data collection practices.
- GDPR: 6 legal bases, one must be identified and documented before processing. Consent is one basis among six, not the default
- DPDPA: 2 bases (consent and certain legitimate uses). No legitimate interests equivalent
- CCPA: No pre-processing legal basis required. Notice-and-opt-out model. Sensitive data requires right to limit
- Consent standards: where consent is the basis, GDPR and DPDPA require affirmative opt-in. CCPA primarily uses opt-out
- GDPR and DPDPA require a lawful basis before processing (under the DPDPA, usually consent). CCPA allows processing unless the consumer objects
Individual Rights Comparison
Individual rights form the practical core of each law's protections. The GDPR provides the most comprehensive set: information, access, rectification, erasure, restriction, portability, objection, and protection against solely automated decision-making. The DPDPA provides four rights: access to information about the personal data being processed, correction and erasure, grievance redressal, and nomination. The CCPA provides the right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination for exercising these rights. Each framework approaches the right to erasure differently. Under the GDPR, erasure requests can be refused on multiple grounds including freedom of expression, compliance with a legal obligation, and the establishment or defence of legal claims. The DPDPA allows refusal where retention is required by law or for the specified purpose for which consent was given. The CCPA provides a list of statutory exceptions, such as completing the transaction the consumer requested, detecting security incidents and fraud, and complying with a legal obligation. The CCPA's right to opt out of the sale or sharing of personal information has no direct equivalent in either the GDPR or DPDPA, reflecting California's focus on the commercial exploitation of consumer data; the closest GDPR analogue is the absolute right to object to processing for direct marketing. The DPDPA's nomination right - allowing individuals to designate someone to exercise their rights after death or incapacity - is unique among the three laws.
- Right to access/know: Available in all three laws
- Right to deletion/erasure: Available in all three, with different exemptions
- Right to correction/rectification: GDPR and DPDPA explicit, CCPA added through CPRA
- Right to data portability: GDPR and CCPA (limited), absent from DPDPA
- Right to opt out of sale/sharing: CCPA only
- Right to restrict processing: GDPR only
- Right to object: GDPR only
- Right to nominate: DPDPA only
Penalties and Enforcement
The penalty frameworks reflect each jurisdiction's enforcement philosophy. The GDPR imposes fines of up to EUR 20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of EUR 10 million or 2% applies to less serious infringements). Enforcement is through independent supervisory authorities in each member state. The GDPR also gives individuals a right to compensation for material and non-material damage, enforceable through the courts. The DPDPA sets out a schedule of fixed maximum penalties, the highest being ₹250 crore (approximately USD 30 million) per instance for failing to take reasonable security safeguards to prevent a breach. Enforcement is exclusively through the Data Protection Board of India. There is no private right of action - individuals can only seek redress by complaint to the Board. The CCPA imposes civil penalties of up to $2,500 per violation and $7,500 per intentional violation or violation involving the personal information of consumers under 16 (both figures adjusted for inflation), enforced by the California Attorney General and the California Privacy Protection Agency. The CCPA also provides consumers with a limited private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Because CCPA penalties accrue per violation, the cumulative exposure can be enormous given the scale of consumer data processing, and in extreme cases could exceed a GDPR fine.
Cross-Border Data Transfers
The three laws take fundamentally different approaches to regulating international data flows. The GDPR is the most restrictive, requiring a specific legal mechanism for every transfer outside the European Economic Area: an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, approved codes of conduct or certifications, or one of the narrow derogations. The 2020 Schrems II judgment and the EDPB guidance that followed added transfer impact assessments, in which the exporter evaluates whether the destination country's laws undermine the chosen safeguard, to this already complex framework. The DPDPA takes a simpler approach through Section 16's negative list model - transfers are permitted to any country or territory the Central Government has not restricted by notification. No SCCs, BCRs, or adequacy assessments are required, although Section 16 preserves any other Indian law that imposes a higher degree of protection, so sectoral localisation rules (for example for payment data) continue to apply. The CCPA does not restrict cross-border transfers per se, but requires that service providers, contractors and third parties receiving personal information are bound by contract to specified protections. There is no government-approved country list or transfer mechanism. For organisations processing data across all three jurisdictions, the GDPR's transfer mechanisms effectively set the standard, as they are the most demanding and will generally satisfy the requirements of the other two laws, subject to checking the DPDPA negative list and any Indian sectoral localisation rules for each destination.
- GDPR: Requires adequacy decision, SCCs, BCRs, or derogation for each transfer. Transfer impact assessments may be needed
- DPDPA: Negative list approach - transfers permitted unless to a restricted country. Simpler, but dependent on government notification
- CCPA: No specific transfer restrictions. Contractual protections required for service providers, contractors and third parties
- GDPR compliance generally satisfies DPDPA and CCPA transfer requirements, except where a destination is on the DPDPA negative list or an Indian sectoral localisation rule applies
- DPDPA's negative list can be amended by government notification at any time, requiring ongoing monitoring
Children's Data Protections
All three laws provide enhanced protections for children's data, but with varying age thresholds and requirements. The GDPR sets the digital consent age at 16 (member states can lower it to no less than 13) for online services offered directly to a child on the basis of consent; below that age, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this. It does not impose explicit bans on particular processing activities involving children, although its recitals single out marketing to children and profiling of children as requiring specific protection. The DPDPA sets the threshold at 18 years - the highest among the three - and goes further by prohibiting tracking, behavioural monitoring, and targeted advertising directed at children, as well as any processing likely to cause a detrimental effect on a child's well-being. Verifiable consent of a parent or lawful guardian is required, with specific verification methods prescribed in the rules. The CCPA contains its own rule, separate from the federal Children's Online Privacy Protection Act (COPPA) with which it overlaps: a business may not sell or share the personal information of a consumer it knows to be under 16 without affirmative opt-in authorisation, given by a parent or guardian for children under 13 and by the consumer themselves for those aged 13 to 15. The DPDPA's approach is the most restrictive, combining a high age threshold with outright bans on specific processing activities, making it the standard-setting law for organisations targeting young audiences across multiple jurisdictions.
Choosing a Compliance Strategy for Multi-Jurisdictional Operations
For organisations subject to all three laws, the optimal compliance strategy is not to build three separate programmes but to identify the highest standard for each requirement and build a unified framework that satisfies all three simultaneously. In practice, this means adopting GDPR-standard consent practices (which largely align with the DPDPA's consent standard and exceed CCPA requirements, although the DPDPA's standalone notice still needs its own handling), implementing the full superset of individual rights across all three laws through unified workflows, using GDPR transfer mechanisms for international data flows, and applying DPDPA-level children's data protections as the global standard. The areas requiring jurisdiction-specific attention include the CCPA's sale and sharing opt-out requirements (not covered by GDPR or DPDPA), the DPDPA's multilingual standalone notice requirements, and each law's breach notification timelines and procedures: the GDPR's 72-hour notification to the supervisory authority, the DPDPA's notification of both the Board and each affected individual, and California's separate breach notification statute.
How Kraver.ai Manages Multi-Jurisdictional Compliance
Kraver.ai is built for the reality of multi-jurisdictional data protection compliance. Our platform maps your data processing activities against the GDPR, DPDPA, and CCPA simultaneously, identifying the highest applicable standard for each requirement and flagging jurisdiction-specific obligations that require separate attention. The unified consent management module supports GDPR-style lawful basis documentation, DPDPA multilingual standalone notices, and CCPA opt-out mechanisms through a single interface. Rights management workflows handle the full superset of rights across all three laws, automatically routing requests through the correct jurisdiction-specific process. Cross-border transfer management monitors GDPR adequacy and SCC requirements alongside DPDPA negative list updates. With Kraver.ai, global data protection compliance becomes a single, coherent programme rather than three competing initiatives.