LGPD vs CCPA

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Overview

In August 2018, in South America, the Brazilian government approved Law No. 13.709, named Lei Geral de Proteção de Dados Pessoais (LGPD), which provides consumers with control over their data and amends the Federal Law No. 12.965 of 23 April 2014. This new law went into effect in August 2020.

On June 28, 2018, in North America, a similar bill was passed in the California Legislative Assembly and signed by Jerry Brown due to the pressure of the public through an impending ballot initiative. This law was then amended heavily and in January, 2020, the California Consumer Privacy Act (CCPA), the first comprehensive data privacy law for consumers in the US, went into effect.

In their own ways both CCPA and LGPD are considered game-changers in the world of data privacy regulations, and have respectively caused shockwaves in regulatory and compliance circles. While both CCPA and LGPD share the aim of giving consumers more control over their personal data, there are a few significant differences between the two regulations. Here are some of the key differences between the two laws when it comes to scope, rights, and enforcement.

The LGPD covers both controllers and processors that process the data of Brazilian residents which was collected in Brazil, whether or not the business has an establishment in Brazil or if the processing of information takes place outside of Brazil.

The LGPD does not apply if the data being processed has originated outside of Brazil, is not a shared communication or has been used with a Brazilian processing agent or has been received via an international data transfer provided that the country of origin (from where the data came from) provides an equivalent level of protection to the data as LGPD.

CCPA covers any for-profit business that does business in California and processes the personal information of California residents. In addition, CCPA applies to businesses that meet any one of the following thresholds:

Has an annual gross revenue of at least $25 million
Processes personal information of 50,000 or more California consumers, households or devices
Derives 50% (or more) of their profit by selling the personal information of California residents

Rights

Both regulations give consumers rights relating to their personal information which they can exercise. The following section explains each right and how they differ across the two laws.

Generally, CCPA provides a time period of 45 days to businesses to grant the request, which can be extended a further 45 days without assigning any reason, and for an additional 90 days with justification. In contrast, LGPD says that entities must respond immediately without delay but does not prescribe any specific time duration within which the request must be complied with (though access requests are an exception).

Data controllers must respond immediately to a data subjects’ express request for deletion of their personal data. If this is not possible, the controller must:

(i) send a reply to the data subject in which they communicate that they are not the data processing agent and indicate, whenever possible, who the agent is; or
(ii) indicate the reasons of fact or of law that prevent the immediate adoption of the measure.

There is no requirement in LGPD for the controller to put in place mechanisms to identify the data subject whose personal data is to be deleted.

There are many exceptions which the controller and processor can benefit from so as to refuse the request including: (i) where storage of personal data was authorized for a study by a research entity, or (ii) to comply with a legal or regulatory obligation by the controller, or (iii) processing of personal data that is done exclusively for journalistic and artistic purposes, or academic purposes. (iv) Furthermore, the right to deletion does not apply to the processing of personal data that is done for purposes of public safety, national defence, state security or investigation and prosecution of criminal offenses.

The CCPA allows consumers to request that businesses delete their Personal Information upon receipt of a verified consumer request. The request must be complied with by the business free of charge unless:

the business refuses the request in which case it must inform the consumer with reasons for refusal and an option to appeal the decision.
the business finds the requests to be excessive or manifestly unfounded due to their repetitive character in which case it may charge a reasonable fee or refuse to act on the request of the consumer.

Businesses are duty bound to verify that the request has been made by the consumer. There are many exceptions which businesses may use to decline to comply with the request which include:

(i) to complete the transaction for which the Personal Information was collected;
(ii) provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business’ ongoing relationship with the Consumer;
(iii) or otherwise perform a contract between the Business and a Consumer;
(iv) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity;
(v) debug and to identify and repair errors that impair functionality;
(vi) exercise or ensure free speech or other legal rights;
(vii) comply with the California Electronic Communications Privacy Act;
(viii) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research,
(ix) if the Consumer has provided informed consent;
(x) undertake internal uses that are reasonably aligned with the expectations of the Consumer’s relationship with the Business;
(xi) comply with a legal obligation; and
(xii) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.

LGPD requires controllers to ensure that data subjects are aware of:

The specific purpose of the processing
The type of processing
The duration of the processing as far as possible while preserving commercial and industrial secrecy
The identity of the controller
The contact information of the controller Information regarding the shared use of data by the controller and the purpose
Responsibilities of the agents that will carry out the processing
>The data subjects' rights

If any change takes place in any of the factors listed above, the data subject should be informed so that their consent for processing can be taken again.

LGPD provides that whenever the processing of data of the data subject is a condition of carrying out a service, supplying a product, or complying with a data subject’s request, the data subject should be informed of this expressly.

When the processing of personal data involves childrens’ and adolescents' personal data, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising >the rights referred to under Article 18 of the LGPD.

The CCPA also stipulates that information on the following must be provided to consumers:

At the point of collection, the categories of and specific pieces of personal information of the consumers collected for business purposes in the previous 12 months;
Categories and specific pieces of personal information collected of consumers by the business along with the commercial purpose for collection, the categories of sources it is collected from and categories of third parties it is shared with;
If the business sells/discloses personal information of the consumers, then it must inform the categories of personal information disclosed/sold along with the categories of third parties it was sold/disclosed to in the preceding 12 months. If the business does not sell/disclose any personal information of the consumer, it must state so as well.
the rights of consumers to request for access or erasure of their personal information and the right to not be discriminated along with the mechanisms available to them to exercise those rights;
The CCPA also provides that if any additional personal information of the consumer is collected the consumer must be informed about it before collection.

Controllers and processors must terminate the processing of personal data upon communication by the data subject of their revocation of consent as long as there are no public interest considerations.

Data subjects also have the right to oppose the processing carried out by controllers and processors based on one of the situations other than consent if there is non-compliance with the LGPD.

CCPA provides consumers with a right to opt out from the selling or disclosing for business purposes of their personal information. The opt-out can therefore only stop the selling of personal information, and it does not impact other uses of their information. However, the right to opt out of the sale is absolute i.e. that businesses cannot reject an opt-out request on the basis of their compelling legitimate grounds and it can be exercised whenever by the consumer.

Businesses must adhere to the language provided in CCPA, namely the homepage of their website must have a link titled ‘Do Not Sell My Personal Information’ and it must also be prominently featured in the Privacy Policy.

Consumers are also to be provided a notice and must be allowed to opt out of the sale of their personal information by a third party.

The LGPD only explicitly requires controllers and processors to provide information on receipt of a data subject’s request. The information must include:

The origin of the data
The existence of any records
The purpose of the processing when a complete declaration is made.

The LGPD states that the information should be provided in a clear and concise form in either electronic or written form.

The LGPD states that personal data must be stored in a format that favours the exercise of the right to access and data subjects should be able to access their data freely.

There are no limitations to the data which can be accessed by the data subjects. However the LGPD does not specify any method to aid the exercise of the data subjects’ rights.

Data access must be provided to the Data Subject within 15 days.

The consumer has a right to request a report of all the personal information collected, disclosed, or sold by a business.

The report must contain:

Categories of personal information collected,
Categories of sources,
The business or commercial purpose for which the information was collected or sold,
Categories of third parties who were sold/disclosed the personal information,
Specific pieces of personal information collected by the business,
Categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
The categories of personal information that the business disclosed about the consumer for a business purpose.

This right applies only to personal information collected in the 12 months prior to the request and it cannot be exercised more than twice in a month.

The LGPD defines the right to data portability as portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.

Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited.

Only In cases where the data subject has consented to the transfer or when health data is necessary to ensure the rendering of adequate supplementary health services, in other words, the adequate provision of health plans.

Under CCPA, consumers have the right to data portability that ensures access to information in a portable and readily usable format and that allows consumers to transmit information to another entity.

Right to data portability is part of the right to access under CCPA and is therefore subject to the same limitations.

The ANPD, an independent and specialized data protection authority, enforces LGPD in Brazil.

Depending on the violation, a simple fine of up to 2% of the revenues of a private legal person, group, or conglomerate in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued.
If the infraction continues, daily fines going up to BRL 50,000,000 per infraction may be issued, along with blockage of the personal data to which the infraction relates until it is brought within conformity of the law. The data can also be limited.

Partial suspension of the operation of the database and activity being exercised for a period of 6 months can also be enforced. The suspensions can be extended by a further 6 months.

Under LGPD, government agencies cannot be sanctioned with administrative fines.

The Attorney General Office which enforces CCPA can take civil action, which includes imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered to be intentional in nature then this can increase to $7,500 for each violation.

There is also a private legal action which consumers can take if their unredacted or unencrypted personal information is breached. Damages between $100-750 or actual harm incurred (whichever is greater) can be recovered.

CCPA has no upper cap on penalties, and amounts can accumulate to well over any fine paid under LGPD or GDPR.

The monetary penalties collected through civil actions under CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.

The ANPD prescribes minimum technical standards for controllers and processors to undertake for protection of data taking into account the nature of information, characteristics of processing and the current state of technology.

LGPD also states that the communication of a data breach to the ANPD must be done in a reasonable time period to be defined.

LGPD does not include further details with regard to the communication of a data breach directly aimed at data subjects.

The Attorney General has the power to independently start investigations and actions against alleged non-compliance from businesses.

The Attorney General also has the power to assess and prosecute a violation of CCPA. CCPA does not specify which activities are included in this assessment.

CCPA does not explicitly state the need for data encryption, but rather that a business is required to take “reasonable security measures” for the protection of Personal Information.

CCPA does not mention data breach notifications but a separate Californian law (AB-1130) requires businesses and agencies to inform consumers and the Attorney General if their data has been breached.

Benefits of automation

Global privacy regulations are encouraging organizations to automate their data privacy operations in order to seamlessly comply. Robotic automation is no longer a want, but rather a need in this current digital landscape. Several organizations are offering software that helps companies comply with global privacy regulations, but these solutions are restricted to mainly process-driven tasks or basic data-driven functions. AUTI is the only software created by SECURITI.ai, the pioneers of robotic automation, that can be called the perfect software. With its reliability, intelligence and simplicity of use, coupled with ended-to-end automation, AUTI is the only software that can help an organization comply with regulations fully and effectively.

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.