The data security space heated up in 2020. Enforcement of the California Consumer Privacy Act (CCPA) officially started on July 1st, and in August 2020 Brazil’s new data protection law, the Lei Geral de Proteção de Dados (LGPD), officially came into effect. Inspired by the European Union’s General Data Protection Regulation (GDPR), LGPD is another landmark privacy bill that will impact the way Brazilian businesses consume, utilize, and store data at scale. In the United States, the recent CCPA covers the same privacy territory as both the GDPR and LGPD.
For many businesses, dealing with these three different yet similar pieces of privacy legislation can be nightmare fuel. What are the differences between GDPR, CCPA, and LGPD? And how can businesses successfully satisfy the requirements of all of these regulations?
With that in mind, let’s take a look at these three privacy bills and discuss where they’re similar, where they’re different, and how your business can satisfy these growing data privacy requirements.
What’s the one thing that Americans are most concerned about? If you guessed hunger, jobs, the economy, or conflict, you would be wrong. According to Harris Polls, it’s privacy. From the infamous Equifax breach, which saw the driver’s licenses, social security numbers, birth dates, and addresses of 143 million consumers fall into threat actor hands, to the recent Microsoft breach that exposed 250 million users’ email addresses, threat actor activity is rising.
At the same time, 81% of Americans say that the risks of data collection outweigh the benefits. Research shows that people are more concerned about their privacy when it comes to personalized ads than the ability to see relevant content. And 60% of US adults believe that they can’t go about a typical day without their data being collected by companies.
This sentiment is echoed globally. To date, there are over 117 omnibus laws relating to privacy (e.g., GDPR and LGPD) as well as a horde of sectoral laws (e.g., CCPA) aimed at tackling privacy issues. There’s no end in sight. Almost every state in the US is cooking up data privacy laws, and countries across the world are at the drawing board to devise their own ways to deal with privacy.
As countries continue to create legislation to supplement GDPR, it’s important to fully understand the three bills that — in the current landscape — are dictating business privacy compliance:
Let’s look at the core similarities between these three bills. It’s important to note that, while the CCPA is a sectoral law, the pure scope of California’s consumer base essentially makes it an omnibus bill when it comes to impact.
When it comes to territorial scope, there are many similarities between GDPR and LGPD. However, CCPA is much smaller in scope and has some extra nuance to the way it defines regulated parties.
The GDPR covers any party that processes EU data subjects’ personal data, whether they exist in the EU or not. The LGPD also covers any business that processes data in Brazil, whether they exist in Brazil or not. In other words, if you process customer data in either the EU or Brazil, you’re subject to these laws.
The CCPA covers any for-profit business that does business in California and processes personal information of residents in California. In addition, covered parties must meet ONE or more of the following criteria:
This means that virtually all businesses that make over $25 million in gross revenue must comply with CCPA so long as they have at least one CA customer. However, this caveat also leaves many smaller businesses exempt from the regulation.
Let’s look at some examples:
Example A: Big Stuff is a large enterprise that does business across the United States. Because it makes $25 million or more annually and does business with California residents, it must comply with CCPA.
Example B: Small Stuff is a small business with fewer than 50,000 consumers in the United States. They make roughly $18 million annually, and they do not make a profit from selling personal information. Small Stuff does not have to comply with CCPA.
Example C: Both Small Stuff and Big Stuff have to comply with GDPR and LGPD since both of their websites get visitors and do business with people in the EU and Brazil.
There are some other small caveats. CCPA only covers individuals who are California residents. GDPR covers everyone in the EU — whether they are citizens or not.
Definition of personal data
The GDPR, CCPA, and LGPD all have their own definitions of “personal data.”
The LGPD is very simple. The lack of any defining data types means that LGPD is very broad and basically includes all types of data that can be directly or indirectly linked to an individual or their household.
The role of anonymous, pseudonymous, de-identified and aggregated data
Many companies collect, retain, and sell data that has been anonymized using de-identification algorithms or through aggregation. Under the CCPA, businesses can continue to utilize this data without disclosure. Under GDPR, businesses are free to use anonymous data, but not pseudonymous data. Under LGPD, businesses must comply with LGPD regulation regardless of the data type — except in specific research circumstances.
There are major differences between how each of these pieces of legislation allows data processing. Both the GDPR and the LGPD have “legal basis for processing” clauses. This means that companies are only allowed to process data for these particular reasons.
The GDPR has six:
The LGPD has ten:
The CCPA has none. In other words, businesses can process data on California residents however they please under CCPA. Of course, residents can opt out, but there aren’t restrictions on “the reason” that companies process data.
Data access rights
The GDPR, CCPA, and LGPD all offer rights to individuals when it comes to data privacy. Under CCPA, consumers have the right to request a disclosure of their personal information to see exactly what information businesses have on them. Consumers also have the right to request information on how businesses collect and utilize data, including which third parties they share information with.
Under both the GDPR and the LGPD, consumers are afforded similar rights, though with a broader scope. For example, under GDPR, individuals can request disclosures that are written or portable — a right not intrinsically afforded by CCPA.
The timeframes for delivering this information to consumers also differ between each of these laws.
The CCPA gives consumers the right to opt-out of data collection that will be sold, which requires that businesses provide an opt-out section on their website. The GDPR includes a “right to object,” which covers the right to object to data consumption that falls under specific guidelines. All three pieces of legislation give consumers the “right to delete” or “right to be forgotten.”
Overall, GDPR and LGPD afford consumers more rights. The LGPD has nine fundamental rights:
These are essentially the same as the eight rights afforded by the GDPR.
Fines and penalties
When it comes to the teeth, all three of these laws differ significantly.
The GDPR has, by far, the most significant fines of the three. Maximum GDPR fines are €20 million or 4% of annual global revenue, whichever is higher. LGPD fines are 2% of annual global revenue or 50 million reals (~$12 million). And the CCPA fines hit a maximum of $7,500.
Note: As it currently stands, the LGPD has yet to confirm how quickly businesses should respond to a breach. GDPR gives businesses 72 hours. But LGPD simply states that they must respond within a time period dictated by the “national authority” — which doesn’t exist at this point in time.
CCPA, GDPR, and LGPD share many similarities, but they also have some significant differences. These privacy laws will continue to roll out in different territories. Most states are working on their own version of CCPA, and many European countries are supplementing GDPR with their own legislation. Now, South America has started to create laws modeled after GDPR in an attempt to keep its citizens’ data secure and private.
Is your business ready to create a scalable, regulatory-agnostic data privacy framework using best-in-class data subject recovery tools, context-based discovery, and data governance policies? Contact us. OneTrust can help you comply with GDPR, CCPA, and LGPD to protect your customers’ privacy and your reputation.