LGPD vs CCPA
The LGPD covers both controllers and processors that process the data of Brazilian residents which was collected in Brazil, whether or not the business has an establishment in Brazil or if the processing of information takes place outside of Brazil.
The LGPD does not apply if the data being processed has originated outside of Brazil, is not a shared communication or has been used with a Brazilian processing agent or has been received via an international data transfer provided that the country of origin (from where the data came from) provides an equivalent level of protection to the data as LGPD.
CCPA covers any for-profit business that does business in California and processes the personal information of California residents. In addition, CCPA applies to businesses that meet any one of the following thresholds:
- Has an annual gross revenue of at least $25 million
- Processes personal information of 50,000 or more California consumers, households or devices
- Derives 50% (or more) of their profit by selling the personal information of California residents
Data controllers must respond immediately to a data subjects’ express request for deletion of their personal data. If this is not possible, the controller must:
- (i) send a reply to the data subject in which they communicate that they are not the data processing agent and indicate, whenever possible, who the agent is; or
- (ii) indicate the reasons of fact or of law that prevent the immediate adoption of the measure.
There is no requirement in LGPD for the controller to put in place mechanisms to identify the data subject whose personal data is to be deleted.
There are many exceptions which the controller and processor can benefit from so as to refuse the request including: (i) where storage of personal data was authorized for a study by a research entity, or (ii) to comply with a legal or regulatory obligation by the controller, or (iii) processing of personal data that is done exclusively for journalistic and artistic purposes, or academic purposes. (iv) Furthermore, the right to deletion does not apply to the processing of personal data that is done for purposes of public safety, national defence, state security or investigation and prosecution of criminal offenses.
The CCPA allows consumers to request that businesses delete their Personal Information upon receipt of a verified consumer request. The request must be complied with by the business free of charge unless:
- (i) the business refuses the request in which case it must inform the consumer with reasons for refusal and an option to appeal the decision.
- (ii) the business finds the requests to be excessive or manifestly unfounded due to their repetitive character in which case it may charge a reasonable fee or refuse to act on the request of the consumer.
Businesses are duty bound to verify that the request has been made by the consumer.
There are many exceptions which businesses may use to decline to comply with the request which include:
- (i) to complete the transaction for which the Personal Information was collected;
- (ii) provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business’ ongoing relationship with the Consumer;
- (iii) or otherwise perform a contract between the Business and a Consumer;
- (iv) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity;
- (v) debug and to identify and repair errors that impair functionality;
- (vi) exercise or ensure free speech or other legal rights;
- (vii) comply with the California Electronic Communications Privacy Act;
- (viii) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research,
- (ix) if the Consumer has provided informed consent;
- (x) undertake internal uses that are reasonably aligned with the expectations of the Consumer’s relationship with the Business;
- (xi) comply with a legal obligation; and
- (xii) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.
LGPD requires controllers to ensure that data subjects are aware of:
- The specific purpose of the processing
- The type of processing
- The duration of the processing as far as possible while preserving commercial and industrial secrecy
- The identity of the controller
- The contact information of the controller Information regarding the shared use of data by the controller and the purpose
- Responsibilities of the agents that will carry out the processing
- The data subjects' rights
If any change takes place in any of the factors listed above, the data subject should be informed so that their consent for processing can be taken again.
LGPD provides that whenever the processing of data of the data subject is a condition of carrying out a service, supplying a product, or complying with a data subject’s request, the data subject should be informed of this expressly.
When the processing of personal data involves childrens’ and adolescents' personal data, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to under Article 18 of the LGPD.
The CCPA also stipulates that information on the following must be provided to consumers:
- At the point of collection, the categories of and specific pieces of personal information of the consumers collected for business purposes in the previous 12 months;
- Categories and specific pieces of personal information collected of consumers by the business along with the commercial purpose for collection, the categories of sources it is collected from and categories of third parties it is shared with;
- If the business sells/discloses personal information of the consumers, then it must inform the categories of personal information disclosed/sold along with the categories of third parties it was sold/disclosed to in the preceding 12 months. If the business does not sell/disclose any personal information of the consumer, it must state so as well.
- the rights of consumers to request for access or erasure of their personal information and the right to not be discriminated along with the mechanisms available to them to exercise those rights;
- The CCPA also provides that if any additional personal information of the consumer is collected the consumer must be informed about it before collection.
Controllers and processors must terminate the processing of personal data upon communication by the data subject of their revocation of consent as long as there are no public interest considerations.
Data subjects also have the right to oppose the processing carried out by controllers and processors based on one of the situations other than consent if there is non-compliance with the LGPD.
CCPA provides consumers with a right to opt out from the selling or disclosing for business purposes of their personal information. The opt-out can therefore only stop the selling of personal information, and it does not impact other uses of their information. However, the right to opt out of the sale is absolute i.e. that businesses cannot reject an opt-out request on the basis of their compelling legitimate grounds and it can be exercised whenever by the consumer.
Businesses must adhere to the language provided in CCPA, namely the homepage of their website must have a link titled ‘Do Not Sell My Personal Information’ and it must also be prominently featured in the Privacy Policy.
Consumers are also to be provided a notice and must be allowed to opt out of the sale of their personal information by a third party.
The LGPD only explicitly requires controllers and processors to provide information on receipt of a data subject’s request. The information must include:
- The origin of the data
- The existence of any records
- The purpose of the processing when a complete declaration is made.
The LGPD states that the information should be provided in a clear and concise form in either electronic or written form.
The LGPD states that personal data must be stored in a format that favours the exercise of the right to access and data subjects should be able to access their data freely.
There are no limitations to the data which can be accessed by the data subjects. However the LGPD does not specify any method to aid the exercise of the data subjects’ rights.
Data access must be provided to the Data Subject within 15 days.
The consumer has a right to request a report of all the personal information collected, disclosed, or sold by a business.
The report must contain:
- Categories of personal information collected,
- Categories of sources,
- The business or commercial purpose for which the information was collected or sold,
- Categories of third parties who were sold/disclosed the personal information,
- Specific pieces of personal information collected by the business,
- Categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
- The categories of personal information that the business disclosed about the consumer for a business purpose.
This right applies only to personal information collected in the 12 months prior to the request and it cannot be exercised more than twice in a month.
The LGPD defines the right to data portability as portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited.
Only In cases where the data subject has consented to the transfer or when health data is necessary to ensure the rendering of adequate supplementary health services, in other words, the adequate provision of health plans.
Under CCPA, consumers have the right to data portability that ensures access to information in a portable and readily usable format and that allows consumers to transmit information to another entity.
Right to data portability is part of the right to access under CCPA and is therefore subject to the same limitations.
The ANPD, an independent and specialized data protection authority, enforces LGPD in Brazil.
Depending on the violation, a simple fine of up to 2% of the revenues of a private legal person, group, or conglomerate in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued.
If the infraction continues, daily fines going up to BRL 50,000,000 per infraction may be issued, along with blockage of the personal data to which the infraction relates until it is brought within conformity of the law. The data can also be limited.
Partial suspension of the operation of the database and activity being exercised for a period of 6 months can also be enforced. The suspensions can be extended by a further 6 months.
Under LGPD, government agencies cannot be sanctioned with administrative fines.
The Attorney General Office which enforces CCPA can take civil action, which includes imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered to be intentional in nature then this can increase to $7,500 for each violation.
There is also a private legal action which consumers can take if their unredacted or unencrypted personal information is breached. Damages between $100-750 or actual harm incurred (whichever is greater) can be recovered.
CCPA has no upper cap on penalties, and amounts can accumulate to well over any fine paid under LGPD or GDPR.
The monetary penalties collected through civil actions under CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.
The ANPD prescribes minimum technical standards for controllers and processors to undertake for protection of data taking into account the nature of information, characteristics of processing and the current state of technology.
LGPD also states that the communication of a data breach to the ANPD must be done in a reasonable time period to be defined.
LGPD does not include further details with regard to the communication of a data breach directly aimed at data subjects.
The Attorney General has the power to independently start investigations and actions against alleged non-compliance from businesses.
The Attorney General also has the power to assess and prosecute a violation of CCPA. CCPA does not specify which activities are included in this assessment.
CCPA does not explicitly state the need for data encryption, but rather that a business is required to take “reasonable security measures” for the protection of Personal Information.
CCPA does not mention data breach notifications but a separate Californian law (AB-1130) requires businesses and agencies to inform consumers and the Attorney General if their data has been breached.
