GDPR, LGPD, and CCPA: What Are These Laws, Similarities, and Differences

João Bruno Soares

LGPD, GDPR, and CCPA are data privacy regulations like so many others that are coming into force. And, like all regulations, their text is long and detailed.

To simplify understanding, we've outlined the key similarities and differences. There are six main differences:

1. Applicable Territory

  • LGPD applies throughout Brazilian territory.
  • GDPR is applicable across the entire European Union.
  • CCPA is specific to the state of California, USA. Note that it protects only data subjects who reside in California; in other words, it applies to anyone doing business in the state.

However, it's a misconception to think that these regulations are mere replicas of each other just because they concern data protection and privacy. Compliance with one doesn't guarantee compliance with the others.

2. Scope of Data Subjects

  • GDPR applies to personal data of data subjects, which includes users, whether they are customers or mere visitors to a website.
  • CCPA applies to consumers, households, and residents.

3. Definition of Personal Data

  1. For LGPD, personal data refers to any information related to an identified or identifiable person. Some information doesn't personally identify you; you remain anonymous. However, other information, like names, emails, and personal documents, can identify you individually.
  2. For CCPA, personal data is any information that individually identifies a person or household. Anonymous data is not considered personal.
  3. For GDPR, all of the above is considered personal data. There are even two distinct categories: data made public by the data subject and data related to nonprofit organizations.

Among these definitions of personal data, there's a more special category: sensitive data.

Sensitive data includes information revealing racial or ethnic origin, political beliefs, religious or philosophical affiliations, union membership, and matters related to health and sexuality.

Unlike LGPD and CCPA, GDPR prohibits the use of sensitive data unless such use is provided for by law.

4. Data Controllers

LGPD and GDPR, within their respective territories, apply to all data processing except for personal use. Whether it's a company, NGO, or government institution, the law applies.

CCPA is different in this regard. It specifically applies to:

  1. Companies with an annual gross revenue exceeding $25 million.
  2. Companies that obtain data from more than 50,000 consumers, households, or devices.
  3. Companies that generate over 50% of their revenue from selling personal information.

5. Sale of Personal Data

In LGPD and GDPR, the sale of personal data requires a legal basis prescribed by the law. It's not something anyone can do.

On the other hand, CCPA doesn't prohibit the sale of data. It only provides the option for the data subject to opt out of having their data sold. In other words, a person can agree or disagree with the sale of their data, and the company must respect that choice.

6. Fines and Penalties

GDPR, LGPD, and CCPA impose different fines and penalties, so each one should be consulted separately. In this article, you can find more details about LGPD fines and penalties.

We've already seen that there are significant differences between the three regulations. So, what are the similarities?

Similarities Among LGPD, GDPR, and CCPA

1. Transparency About Data Use

All three regulations ensure transparency regarding data usage, including whether data is being processed, whether it can be sold, and the purpose behind these actions.

2. Power to Update and Delete Data

All three regulations allow users to revoke data consent and ensure they can update their data whenever they wish.

3. Regulatory Authority

The regulations establish a governmental authority to ensure compliance. In the case of LGPD, it's the National Data Protection Authority. For CCPA, it's the Attorney General of the State of California.

Do I Need to Comply with All Three Laws?

As discussed in the previous sections, the laws apply to their respective territories. If your company handles data from Californians and Brazilians, you need to be fully aware of CCPA and LGPD. If your company processes data of European Union customers, GDPR compliance is necessary.

However, in practice, this is simpler. Since LGPD is based on GDPR, it's easy to align with both regulations. Given that all three are based on principles of transparency and consent, three steps will ensure that your website doesn't run into issues with any of these laws.

3 Steps to Comply with LGPD, GDPR, and CCPA

1. Understand Consent and Transparency

One thing LGPD, GDPR, and CCPA have in common is their emphasis on transparency and consent, which underpin all three laws.

What does this mean in practice?

Every user needs to know that their data is being collected and for what purpose your company will process this data. This information needs to be explicit. Knowing this, the user needs to agree. This is transparency and consent.

If the user doesn't agree to data processing, they should be able to express this decision clearly and directly. Your company should respect this choice without pressuring the user to provide data.

However, managing this process manually would be complex for any company. To streamline it, we move on to the second step.

2. Install a Cookie Banner

A cookie banner is a text notice, similar to what you saw when entering this blog. The cookie banner informs the user that the site collects data and requests the user's consent for data collection. The cookie banner also explains the purpose of collecting this information.

Most importantly, it records all of this. The site can prove which data the user agreed to provide, which is crucial for legal compliance. Moreover, through the cookie banner, the user can specify which data they want to provide and which they don't, or even refuse to provide any information at all. And that's perfectly fine.

To ensure this operation runs smoothly, LGPD, GDPR, and CCPA require that each company have a responsible person. This professional is called a DPO (Data Protection Officer), which brings us to the third step.

3. Appoint a DPO

DPO stands for Data Protection Officer. Your company can outsource this service or select an internal employee for this role.

The DPO is legally responsible for the company's data protection policy, acting as the liaison between the company and the data protection authority. In the case of LGPD, this authority is the ANPD. For CCPA, it's the Attorney General of California.

With these best practices, your company is on safer ground in this ever-changing landscape and the ongoing debate over data usage.
