GDPR, CCPA and India DPDP: what software businesses actually need
A clear comparison of the three privacy regimes most software businesses run into, and the concrete steps each one asks of you.
Privacy law sounds intimidating because the names are acronyms and the texts are long. In practice, the three regimes most software businesses meet share the same spine: tell people what you collect, give them control, and protect what you hold. The differences are in the specifics, and the specifics are what trip people up.
GDPR, for the EU and UK
The General Data Protection Regulation applies if you offer goods or services to people in the European Union, regardless of where your company sits. The UK has its own near-identical version. The core asks:
- A lawful basis for each kind of processing, such as consent or legitimate interest.
- A clear privacy notice and easy ways to exercise rights like access and deletion.
- Consent for non-essential cookies before they are set.
- A representative in the region if your company is based outside it.
- A Data Processing Addendum with any vendor that handles personal data for you.
CCPA and CPRA, for California
California's rules apply once you cross certain thresholds of revenue or data volume. The practical signals customers look for:
- A privacy notice that lists the categories of data you collect and why.
- A clear way to opt out of the sale or sharing of personal information (usually a footer link) that also honours browser privacy signals.
- Rights to access, delete and correct, handled within set timeframes.
India DPDP, for users in India
The Digital Personal Data Protection Act is newer and more prescriptive about consent. If you serve users in India, expect to:
- Present an itemised consent notice in plain language, describing the data and the specific purposes.
- Make withdrawing consent as easy as giving it.
- Name a grievance officer who is reachable for complaints.
The overlap is your friend
If you build for the strictest regime that applies to you, you usually satisfy the others with small additions. A solid GDPR-aligned privacy programme covers most of CCPA, and adding the India-specific consent flow and grievance officer rounds it out. The mistake is treating each law as a separate project. Treat them as one privacy posture with regional add-ons.
A simple way to stay current
Laws change, and the changes are often small clauses rather than rewrites. Keep your policies at hosted links you can update in one place, track which regions you actually serve, and review when something material shifts. A tailored checklist that knows your product and your regions turns this from a research project into a short list of actions.