CCPA vs GDPR: What Indian Businesses Selling to the US Need to Know
If your Indian business sells to customers in California or the EU, you're subject to two of the world's toughest privacy laws: CCPA and GDPR. Here's how they compare — and what you need to do.
The Quick Summary
GDPR (EU) and CCPA (California, USA) both regulate how businesses collect and use personal data. Both require you to disclose what data you collect and give users control over it. But the details differ in important ways.
Side-by-Side: GDPR vs CCPA
Who It Applies To
GDPR: Any business that processes data of EU residents, regardless of where the business is located.
CCPA: Businesses that collect data from California residents AND meet one of these thresholds: annual revenue over $25M, processing data of 100,000+ consumers/year, or earning 50%+ of revenue from selling personal data.
Legal Basis for Processing
GDPR requires a specific legal basis for each processing activity. Consent is one option, but not the only one.
CCPA does not require consent to collect data — but you must disclose what you collect and give users the right to opt out of sale.
Cookie Consent
GDPR: Explicit opt-in required before non-essential cookies fire.
CCPA: No pre-consent required for cookies, but you must offer a "Do Not Sell My Personal Information" option.
User Rights
GDPR gives users: right of access, erasure, portability, restriction, and objection.
CCPA gives consumers: right to know, right to delete, right to opt out of sale, right to non-discrimination.
What Indian Businesses Often Get Wrong
**1. "We're not in the EU/US so it doesn't apply to us."**
Wrong. Both laws are extraterritorial. If you process data of EU residents, or collect data from California residents and meet one of the CCPA thresholds, you're covered.
**2. Using the same banner for all visitors.**
A compliant GDPR banner (opt-in) is too restrictive for CCPA (opt-out). You need geo-targeted consent logic.
**3. Not updating the Privacy Policy.**
Your privacy policy must list every category of data you collect, third parties you share with, and the purpose. A generic template won't pass a regulatory audit.
How CookieSeal Handles Both
CookieSeal automatically detects visitor location and serves the appropriate consent experience:
- EU visitors → GDPR opt-in banner with granular category controls
- California visitors → CCPA "Do Not Sell" notice and opt-out
- Indian visitors → DPDPA 2023 compliant banner
One script, three compliance regimes. No developer time required.