AMLEGALS
DPDPA for United States Companies

🇺🇸 Your US privacy programme does not satisfy Indian law.

CCPA, state privacy laws, and sectoral frameworks like HIPAA do not map to DPDPA's consent-first architecture. Section 3 applies to every American company processing Indian residents' data — regardless of physical presence in India.

1,500+ US companies operating in India
27 Years in Practice
10 Offices Across India
360° Compliance Coverage

Bilateral Context

United States–India Data Compliance Landscape

Trade Relationship

The US is India's largest trading partner in services. Over 1,500 US companies operate in India, with significant data processing across IT services, BPOs, financial services, and e-commerce. US-India bilateral trade exceeded $190 billion in FY2024.

Home-Country Privacy Framework

Primary Law: CCPA/CPRA + State Laws
Regulator: FTC, State AGs, HHS (HIPAA)
Full Framework: California Consumer Privacy Act (CCPA/CPRA), state-level privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.), sectoral laws (HIPAA, GLBA, FERPA, COPPA)

Key Industry Sectors

Technology & SaaS, Financial Services, E-commerce, Healthcare & Pharma, EdTech, BPO & IT Services

DPDPA Section 3 applies extraterritorially — United States companies processing personal data of Indian residents must comply regardless of physical presence in India. Your existing CCPA/CPRA + State Laws programme does not constitute DPDPA compliance.

Compliance Friction Analysis

Where CCPA/CPRA + State Laws and DPDPA Collide

01 Consent Architecture Gap

US privacy law is largely opt-out based (CCPA). DPDPA requires affirmative opt-in consent under Section 6 with itemised notice under Section 5. Your existing consent flows will not satisfy the Data Protection Board.

02 Cross-Border Transfer Regime

DPDPA Section 16 uses a negative-list model — transfers are permitted unless the destination is restricted. Unlike GDPR, there are no Standard Contractual Clauses. Your existing DPA templates need restructuring.

03 Children's Data Standards

DPDPA Section 9 prohibits tracking, behavioural monitoring, and targeted advertising for children. This goes beyond COPPA's parental consent requirements. EdTech and social media platforms face immediate compliance obligations.

04 No Federal Adequacy Framework

The US has no federal privacy law. India's negative list for cross-border transfers will assess the US based on sectoral and state-level protections — creating uncertainty for American companies.

Statutory Exposure Map

DPDPA Sections Most Relevant to United States Companies

Section 3: Extraterritorial Applicability

Applies to all US companies offering goods/services to Indian residents, regardless of physical India presence.

Section 5-6: Notice & Consent

US companies must redesign consent UX from opt-out to DPDPA's affirmative opt-in standard with itemised processing purposes.

Section 8(6): Breach Notification

Dual notification to the Board and affected individuals is required. This differs from state-level breach notification laws.

Section 16: Cross-Border Transfers

Data transfers to US servers are permitted unless the US is placed on the negative list. Monitor government notifications.

Section 33: Penalties

Up to ₹250 Crore under the Schedule. No safe harbour or good-faith defence equivalent to US frameworks.

Implementation Pathway

United States Company DPDPA Compliance Roadmap

1. DPDPA Gap Assessment Against US Framework

Map existing US privacy programme against all 44 DPDPA Sections. Identify consent, notice, and processing gaps specific to Indian data subjects.

2. Consent Architecture Redesign

Rebuild consent flows from opt-out to opt-in for Indian users. Implement Section 5 itemised notices and Section 6 withdrawal mechanisms.

3. Cross-Border Transfer Structuring

Document Section 16 compliance. Prepare for potential negative-list inclusion. Structure contractual safeguards with Indian subsidiaries.

4. DPO Appointment & Board Readiness

If classified as a Significant Data Fiduciary (SDF), appoint an India-based DPO per Section 10. Establish Board-ready compliance documentation.

5. Vibe Pulse Score Assessment

Compute the Vibe Pulse Score (VPS) using AMLEGALS' proprietary framework to produce a Board-ready compliance metric.

Frequently Asked Questions

United States Companies & DPDPA

Does DPDPA apply to US companies without offices in India?

Yes. Section 3 extends DPDPA to any entity processing digital personal data of Indian residents in connection with offering goods or services — regardless of physical presence in India. A US company with Indian customers or employees is within scope.

Can US companies transfer Indian data to US servers?

Currently yes, under Section 16's negative-list framework. Transfers are permitted to all countries except those the government restricts. The US is not currently on the restricted list, but companies should prepare contingency plans.

How does CCPA compare to DPDPA?

CCPA is fundamentally opt-out; DPDPA is opt-in. CCPA applies based on revenue/data volume thresholds; DPDPA has no threshold — all Data Fiduciaries are covered. CCPA provides a private right of action for breaches; DPDPA centralises adjudication at the Data Protection Board.

United States Advisory

Schedule a United States-Specific DPDPA Briefing

Our cross-border data privacy team specialises in helping United States companies navigate DPDPA. We understand both CCPA/CPRA + State Laws and Indian data protection law.
