'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
In August 2018, in South America, the Brazilian government approved Law No. 13.709, named Lei Geral de Proteção de Dados Pessoais (LGPD), which provides consumers with control over their data and amends the Federal Law No. 12.965 of 23 April 2014. This new law went into effect in August 2020.
On June 28, 2018, in North America, a similar bill was passed in the California Legislative Assembly and signed by Jerry Brown due to the pressure of the public through an impending ballot initiative. This law was then amended heavily and in January, 2020, the California Consumer Privacy Act (CCPA), the first comprehensive data privacy law for consumers in the US, went into effect.
In their own ways both CCPA and LGPD are considered game changers in the world of data privacy regulations, and have respectively caused shockwaves in regulatory and compliance circles. While both CCPA and LGPD share the aim of giving consumers more control over their personal data, there are a few significant differences between the two regulations. Here are some of the key differences between the two laws when it comes to scope, rights and enforcement.
When it comes to scope and compliance, CCPA and LGPD have different requirements on who needs to comply. This section explains the difference in scope between the two laws.
The LGPD covers both controllers and processors that process the data of Brazilian residents which was collected in Brazil, whether or not the business has an establishment in Brazil or if the processing of information takes place outside of Brazil.
The LGPD does not apply if the data being processed has originated outside of Brazil, is not a shared communication or has been used with a Brazilian processing agent or has been received via an international data transfer provided that the country of origin (from where the data came from) provides an equivalent level of protection to the data as LGPD.
CCPA covers any for-profit business that does business in California and processes the personal information of California residents. In addition, CCPA applies to businesses that meet any one of the following thresholds:
Both regulations give consumers rights relating to their personal information which they can exercise. The following section explains each right and how they differ across the two laws.
Generally, CCPA provides a time period of 45 days to businesses to grant the request, which can be extended a further 45 days without assigning any reason, and for an additional 90 days with justification. In contrast, LGPD says that entities must respond immediately without delay but does not prescribe any specific time duration within which the request must be complied with (though access requests are an exception).
Data controllers must respond immediately to a data subjects’ express request for deletion of their personal data. If this is not possible, the controller must:
There is no requirement in LGPD for the controller to put in place mechanisms to identify the data subject whose personal data is to be deleted.
There are many exceptions which the controller and processor can benefit from so as to refuse the request including: (i) where storage of personal data was authorized for a study by a research entity, or (ii) to comply with a legal or regulatory obligation by the controller, or (iii) processing of personal data that is done exclusively for journalistic and artistic purposes, or academic purposes. (iv) Furthermore, the right to deletion does not apply to the processing of personal data that is done for purposes of public safety, national defence, state security or investigation and prosecution of criminal offenses.
The CCPA allows consumers to request that businesses delete their Personal Information upon receipt of a verified consumer request. The request must be complied with by the business free of charge unless:
Businesses are duty bound to verify that the request has been made by the consumer.
There are many exceptions which businesses may use to decline to comply with the request which include:
LGPD requires controllers to ensure that data subjects are aware of:
If any change takes place in any of the factors listed above, the data subject should be informed so that their consent for processing can be taken again.
LGPD provides that whenever the processing of data of the data subject is a condition of carrying out a service, supplying a product, or complying with a data subject’s request, the data subject should be informed of this expressly.
When the processing of personal data involves childrens’ and adolescents' personal data, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to under Article 18 of the LGPD.
The CCPA also stipulates that information on the following must be provided to consumers:
Controllers and processors must terminate the processing of personal data upon communication by the data subject of their revocation of consent as long as there are no public interest considerations.
Data subjects also have the right to oppose the processing carried out by controllers and processors based on one of the situations other than consent if there is non-compliance with the LGPD.
CCPA provides consumers with a right to opt out from the selling or disclosing for business purposes of their personal information. The opt-out can therefore only stop the selling of personal information, and it does not impact other uses of their information. However, the right to opt out of the sale is absolute i.e. that businesses cannot reject an opt-out request on the basis of their compelling legitimate grounds and it can be exercised whenever by the consumer.
Consumers are also to be provided a notice and must be allowed to opt out of the sale of their personal information by a third party.
The LGPD only explicitly requires controllers and processors to provide information on receipt of a data subject’s request. The information must include:
The LGPD states that the information should be provided in a clear and concise form in either electronic or written form.
The LGPD states that personal data must be stored in a format that favours the exercise of the right to access and data subjects should be able to access their data freely.
There are no limitations to the data which can be accessed by the data subjects. However the LGPD does not specify any method to aid the exercise of the data subjects’ rights.
Data access must be provided to the Data Subject within 15 days.
The consumer has a right to request a report of all the personal information collected, disclosed, or sold by a business.
The report must contain:
This right applies only to personal information collected in the 12 months prior to the request and it cannot be exercised more than twice in a month.
The LGPD defines the right to data portability as portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited.
Only In cases where the data subject has consented to the transfer or when health data is necessary to ensure the rendering of adequate supplementary health services, in other words, the adequate provision of health plans.
Under CCPA, consumers have the right to data portability that ensures access to information in a portable and readily usable format and that allows consumers to transmit information to another entity.
Right to data portability is part of the right to access under CCPA and is therefore subject to the same limitations.
Both the CCPA and the LGPD allow monetary penalties to be issued in cases of non-compliance. However, the nature of the penalties, the amount, and who is subject to them differ.
The ANPD, an independent and specialized data protection authority, enforces LGPD in Brazil.
Depending on the violation, a simple fine of up to 2% of the revenues of a private legal person, group, or conglomerate in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued.
If the infraction continues, daily fines going up to BRL 50,000,000 per infraction may be issued, along with blockage of the personal data to which the infraction relates until it is brought within conformity of the law. The data can also be limited.
Partial suspension of the operation of the database and activity being exercised for a period of 6 months can also be enforced. The suspensions can be extended by a further 6 months.
Under LGPD, government agencies cannot be sanctioned with administrative fines.
The Attorney General Office which enforces CCPA can take civil action, which includes imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered to be intentional in nature then this can increase to $7,500 for each violation.
There is also a private legal action which consumers can take if their unredacted or unencrypted personal information is breached. Damages between $100-750 or actual harm incurred (whichever is greater) can be recovered.
CCPA has no upper cap on penalties, and amounts can accumulate to well over any fine paid under LGPD or GDPR.
The monetary penalties collected through civil actions under CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.
Both CCPA and LGPD obligate controllers and processors to adopt reasonable and proportionate security measures to protect the personal data they process. LGPD empowers the ANPD to release guidance on which specific security measures are to be adopted.
The ANPD prescribes minimum technical standards for controllers and processors to undertake for protection of data taking into account the nature of information, characteristics of processing and the current state of technology.
LGPD also states that the communication of a data breach to the ANPD must be done in a reasonable time period to be defined.
LGPD does not include further details with regard to the communication of a data breach directly aimed at data subjects.
The Attorney General has the power to independently start investigations and actions against alleged non-compliance from businesses.
The Attorney General also has the power to assess and prosecute a violation of CCPA. CCPA does not specify which activities are included in this assessment.
CCPA does not explicitly state the need for data encryption, but rather that a business is required to take “reasonable security measures” for the protection of Personal Information.
CCPA does not mention data breach notifications but a separate Californian law (AB-1130) requires businesses and agencies to inform consumers and the Attorney General if their data has been breached.
Global privacy regulations are encouraging organizations to automate their data privacy operations in order to seamlessly comply. Robotic automation is no longer a want, but rather a need in this current digital landscape. Several organizations are offering software that helps companies comply with global privacy regulations, but these solutions are restricted to mainly process-driven tasks or basic data-driven functions. AUTI is the only software created by SECURITI.ai, the pioneers of robotic automation, that can be called the perfect software. With its reliability, intelligence and simplicity of use, coupled with ended-to-end automation, AUTI is the only software that can help an organization comply with regulations fully and effectively.