GDPR vs CCPA vs LGPD: What are the Differences?
The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Lei Geral de Proteção de Dados (LGPD) are three of the most comprehensive data privacy and protection laws in the world.
If your business collects, stores, processes, or shares personal data of the EU, California, or Brazil residents, you need to be familiar with these regulations.
In this article, we’ll explore the differences and similarities between GDPR vs CCPA vs LGPD and why it matters for your business.
Let’s dive right in.
- While all three laws emphasize data subject rights, GDPR and LGPD are more extensive than the CCPA.
- Similarly, unlike GDPR and LGPD, CCPA does not provide the legal basis for data processing.
- However, the three laws still share the same goal - to protect the data privacy of the data subjects.
What is the GDPR?
The EU’s General Data Protection Regulation, or GDPR, is a set of regulations passed and adopted by the European Parliament and the Council of the EU on 14th April, 2016 and became enforceable on 25th May, 2018.
The regulation provides strict guidelines on how a business should collect, handle, store, and share personal data from consumers in the EU as well as provide consumers more control over their own data.
The GDPR has 7 principles:
- Lawfulness, fairness, and transparency: Data controllers must collect and process personal data in a legal, fair, and transparent manner.
- Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.
- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary concerning the purposes for which it is processed.
- Storage limitation: Personal data must be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accuracy: The accuracy principle, as outlined in Article 5(1)(d) of the GDPR, emphasizes the importance of maintaining accurate and up-to-date personal data. This principle aims to ensure that organizations process and retain only correct, relevant, and reliable information about individuals.
- Accountability: The accountability principle, found in Article 5(2) of the GDPR, emphasizes the responsibility of organizations to demonstrate compliance with the GDPR's principles and provisions. It requires organizations to implement appropriate measures, processes, and documentation to ensure compliance and to be able to demonstrate such compliance upon request.
What is the CCPA?
The California Consumer Privacy Act, or CCPA, is a data privacy regulation that was passed by the state of California and signed by the Governor of California on 28th June, 2018. It officially became enforceable on 1st January, 2020.
The CCPA is a state-level law, meaning it applies only in regards to residents of California and businesses that process their data for profit.
As of 1st January 2023, the CCPA was replaced by the California Privacy Rights Act (CPRA), which amended many parts of the CCPA to better protect the data of California residents.
The CPRA also has three core principles, which include:
- Transparency: Businesses must be clear and open about how they collect, use, and share consumers' personal data.
- Accountability: Companies are responsible for managing the consumer's information in a safe manner that respects their privacy rights.
- Control: Consumers should have control over what happens with their data, including who has access to it or shares it.
What is the LGPD?
The Lei Geral de Proteção de Dados, or LGPD, is a data privacy regulation passed by the National Congress of Brazil on 14th August 2018. The law became official on 18th September 2020.
The main goal of this law is to better regulate how businesses that either operate in Brazil or outside but process personal data of Brazilian residents handle those data and to also give Brazilians more control over their data.
The 10 principles of LGPD include:
- Finalidade (Purpose Limitation): Data can only be processed for a specific and legitimate purpose
- Adequação (Adequacy): Processing must be necessary and relevant for the purpose it is collected for
- Necessidade (Necessity): Data controllers should process only the data necessary for the specific purpose
- Livre Acesso (Free Access): Individuals have the right to access their personal data that is being processed
- Qualidade dos Dados (Data Quality): The responsibility to ensure the quality, accuracy, and timeliness of the data processed is on the data controller
- Transparência (Transparency): The data controller must offer clear information about data processing activities its purpose, methods, and data subject rights and make this information easily accessible to the consumer
- Segurança (Security): Controllers and processors must ensure the security of data they are handling from data security incidents like data breaches through adequate security measures
- Prevenção (Prevention): Data controllers must also take measures to prevent security incidents, including appointing a data protection officer (DPO)
- Não Discriminação (No Discrimination): Data subjects can not be discriminated against based on their personal data
- Responsabilização e Prestação de Contas (Accountability & Responsibility): Data controllers need to be able to demonstrate their compliance with LGPD and are accountable for the data processing activities they perform
GDPR vs CCPA vs LGPD: Differences
Although there are plenty of similarities between these three data privacy regulations (more on them in a moment), there are also a few differences between GDPR vs CCPA vs LGPD.
Differences in Scope
The most obvious difference between these three laws is, of course, in their scope.
- The GDPR applies to businesses that process data of European Union citizens
- The CCPA to businesses that handle the personal data of the residents of California
- While the LGPD is enforceable only when it comes to data belonging to Brazilian residents
Data Subject Rights
Overall, GDPR, CCPA, and LGPD share common principles regarding data subjects or consumer rights.
Still, there are some differences that we will address:
GDPR and LGPD provide more rights than CCPA overall. All three laws include the right to access, to be informed about data processing, the right to withdraw or revoke previous consent, or to delete data.
However, CCPA does not explicitly include the right to data portability.
On the other hand, LGPD does not have the right to restrict processing.
Another important difference here is that CCPA only allows opt-out if that data are sold.
There are, of course, a few more differences here, but those are mostly in scope and terminology used.
Differences in Legal Basis for Data Processing
A legal basis for processing is basically justifications for why you need to be using consumer data. If the law specifies any of these, you will need to fall into one of them to be compliant.
The GDPR has six legal bases for data processing, LGPD has ten, while CCPA doesn’t have any.
Differences in Fines for Non-Compliance
All three laws have fines or other penalties for non-compliance. However, they significantly differ between GDPR vs CCPA vs LGPD.
GDPR has two types of fines, depending on the severity of the violation. For less severe violations, the fine is €10 million or 2% of the annual global turnover (whichever is higher), and for more severe violations, it’s €20 million or 4% of the annual global turnover.
CCPA includes fines of $2,500 for non-intentional violations and $7,500 for intentional ones and those that involve minors under 16 years of age.
LGPD includes administrative fines that can go up to a maximum of 50 million Brazilian Real ($10 million) or 2% of the business’s annual revenue in Brazil, and daily fines that vary on a case-by-case basis.
Differences in DPO Requirements
Both GDPR and LGDP require the appointment of a Data Protection Officer (DPO).
GDPR defines this in Article 37: Designation of the data protection officer, while LGPD does this in Article 41: DPO or person in charge of personal data.
CCPA does not officially require the appointment of a DPO.
Differences in Consent Definition and Approach
GDPR, CCPA, and LGPD define “consent” more or less similarly, but with some differences nevertheless.
GDPR defines consent as:
“Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
CCPA does not define consent. However, CPRA defines consent as:
“Any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian… by a statement or clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.
Finally, LGPD defines consent as a:
“Free, informed, and unequivocal manifestation by which the data subject agrees to the processing of personal data for a specific purpose.”
The most obvious difference here is that CCPA does not have a definition of consent in its text. This is only added with the CPRA.
Additionally, GDPR and LGPD require an opt-in for consent to data processing, while CCPA takes an opt-out approach instead.
Differences in Defining Personal Information
All three laws define personal information similarly.
GDPR defines it as:
“Any information relating to an identified or identifiable natural person… who can be identified, directly or indirectly…”
CCPA defines personal information as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
LGPD finally defines personal data as:
“Information regarding an identified or identifiable natural person.”
Just from these short definitions, we can spot some key differences such as:
- LGPD has the broadest definition of personal data
- CCPA only includes data that can be directly linked to an identified natural person
- CCPA also includes information that can be used to identify a household
GDPR vs CCPA vs LGPD: Similarities
Despite many differences between GDPR vs CCPA vs LGPD, there are still similarities. Here’s a list of the similarities you will find:
All three laws share similar goals:
- To protect the personal data of data subjects
- To empower those data subjects to have better control over their personal data
- To promote accountability and transparency with businesses that process personal data
- To highlight the importance of data security and privacy
- To promote compliance through policies, procedures, and documentation
- To regulate data transfer across borders
- To help ensure timely responses to data breaches
Data Subject Rights
While there are differences in how data subject rights are defined between these laws, the overall idea is the same.
All three laws underline the importance of the individual’s rights concerning their personal data.
With that in mind, we can see the right to access, to be informed, the right to deletion, withdrawal, data portability, etc. between these regulations.
For the most part, these regulations share similar principles, including:
- Data subject rights: Individuals have the rights to access, correct, delete, object to processing, or data portability
- Purpose limitation: Data can only be processed for a specified purpose, that is also legitimate and lawful
- Data minimization: Only data that is necessary for the specified purpose can be collected
- Transparency: Business that collects personal data must provide a clear privacy notice to inform consumers about how they use their data
- Data breach notification: Any data breach must be reported promptly
- Cross-border data transfers: The laws also impose restrictions in terms of personal data transfer across borders
- Non-discrimination: Finally, GDPR, CCPA, and LGPD all outlaw discrimination of any kind against data subjects who wish to enjoy their privacy rights
The EU’s GDPR, California’s CCPA, and Brazil’s LGPD apply to more than 700 million people combined.
The chances of your business processing personal data belonging to consumers in either of these regions is very high, which is why you need to be familiar with them not just individually, but also with the differences and similarities between GDPR vs CCPA vs LGPD.
If any of these laws apply to your business or there’s an overlap of these laws, then you should get in touch with Captain Compliance so that we can help you ensure compliance.
Is LGPD the Same as GDPR?
LGPD is a data privacy law that applies to the residents of Brazil, while GDPR is a data privacy regulation that serves to protect the privacy of EU citizens. The laws are similar in terms of data privacy regulation but are not the same.
What is the LGPD Brazil’s Version of the GDPR?
The Lei Geral de Proteção de Dados, or LGPD in Brazil, is largely inspired by the EU’s General Data Protection Regulation (GDPR), sharing many of its principles but also having some differences such as in scope, justification, or data subject rights.
Does LGPD Require a Data Processing Agreement?
The Brazi’s LGPD does not explicitly require a data processing agreement in the way that the GDPR does.
There are, however, contractual terms and safeguards that both data controllers and data processors must adhere to when processing personal data.
Does Brazil Follow GDPR?
Brazillian businesses must follow the GDPR if they deal with any consumers in the EU.