Skip to main content

On-demand webinar coming soon...

Blog

What are the differences between CCPA and GDPR and LGPD?

August 28, 2020

Blue and violet gradient background

The data security space heated up in 2020. Enforcement of CCPA officially started on July 1st and in August 2020, Brazil’s new data protection law The Lei Geral de Proteção de Dados (LGPD) officially came into effect. Inspired by the European Union’s General Data Protection Regulation (GDPR) law, LGPD is another landmark privacy bill that will impact the way that Brazilian businesses consume, utilize, and store data at scale. In the United States, the recent California Consumer Privacy Act (CCPA) also deals with the same privacy territory as both the GDPR and LGPD.

For many businesses, dealing with these three different yet similar pieces of privacy legislation can be nightmare fuel. What are the differences between GDPR, CCPA, and LGPD? And how can businesses successfully satisfy the requirements of all of these regulations?

With that in mind, let’s take a look at these three privacy bills and discuss where they’re similar, where they’re different, and how your business can satisfy these growing data privacy requirements.

What’s with all of these privacy bills?

What’s the one thing that Americans are most concerned about? If you guessed hunger, jobs, the economy, or conflict, you would be wrong. According to Harris Polls, it’s privacy. From the infamous Equifax breach that saw the driver’s licenses, social security numbers, birth dates, and addresses of 143 million consumers fall into threat actor hands to the recent Microsoft breach that exposed 250 million users email addresses; threat actor activity is rising.

At the same time, 81% of Americans say that the risks of data collection outweigh the benefits. Research shows that people are more concerned about their privacy when it comes to personalized ads than the ability to see relevant content. And 60% of US adults believe that they can’t go about a typical day without their data being collected by companies.

This sentiment is echoed globally. To date, there are over 117 omnibus laws relating to privacy (e.g., GDPR and LGPD) as well as a horde of sectoral laws (e.g., CCPA) aimed at tackling privacy issues. There’s no end in sight. Almost every state in the US is cooking up data privacy laws, and countries across the world are at the drawing board to devise their own ways to deal with privacy.

As countries continue to create legislature to supplement GDPR, it’s important to fully understand the three bills that — in the current landscape — are dictating business privacy compliance:

The differences and similarities between GPDR, LGPD, and CCPA

Let’s look at the core similarities between these three bills. It’s important to note that, while the CCPA is a sectoral law, the pure scope of California’s consumer base essentially makes it an omnibus bill when it comes to impact.

Territorial scope

When it comes to territorial scope, there are many similarities between GDPR and LGPD. However, CCPA is much smaller in scope and has some extra nuance to the way it defines regulated parties.

The GDPR covers any party that processes EU data subjects’ personal data, whether they exist in the EU or not. The LGPD also covers any business that processes data in Brazil, whether they exist in Brazil or not. In other words, if you process customer data in either the EU or Brazil, you’re subject to these laws.

The CCPA covers any for-profit business that does business in California and processes personal information of residents in California. In addition, covered parties must meet ONE or more of the following criteria:

  • An annual gross revenue of at least $25 million
  • Processes personal information from 50,000 or more consumers
  • Derives 50% (or more) of their profit by selling the personal information of California residents

This means that virtually all businesses that make over $25 million in gross revenue must comply with CCPA so long as they have at least one CA customer. However, this caveat also leaves many smaller businesses exempt from the regulation.

Let’s look at some examples:

Example A: Big Stuff is a large enterprise that does business across the United States. Since they are a large enterprise that makes $25 million or more annually, they must comply with CCPA since they do business with California residents.

Example B: Small Stuff is a small business with fewer than 50,000 consumers in the United States. They make roughly $18 million annually, and they do not make a profit from selling personal information. Small Stuff does not have to comply with CCPA.

Example C: Both Small Stuff and Big Stuff have to comply with GDPR  and LGPD since both of their websites get visitors and do business with people in the EU and Brazil.

There are some other small caveats. CCPA only covers individuals who are California residents. GDPR covers everyone in the EU — whether they are citizens or not.

Key points:

  • Both the GDPR and the LGPD have an extraterritorial scope.
  • The CCPA only applies to parties that either:
  • Have an annual gross revenue of at least $25 million
  • Process the personal information from 50,000 (or more) consumers
  • Receive 50% (or more) of their profits from selling CA resident information
  • Almost all businesses should comply with GDPR and LGPD, yet some businesses may not have to comply with CCPA.

Definition of personal data

The GDPR, CCPA, and LGPD all have their own definitions of “personal data.”

  • The GDPR defines personal data as information that can reasonably be linked with (either directly or indirectly) to identifiable or identified data subject. This includes things such as names, social security numbers, and addresses, but it also includes indirect data such as behavioral data, preferences, characteristics, etc. The GDPR also includes some exemptions, such as in the use of certain research purposes.
  • The CCPA defines personal data as information that can be used to identify a natural person, such as social security numbers, addresses, names, etc. In addition, the CCPA also includes information that can be used to identify a household or device.
  • The LGPD also defines personal data as information related (directly or indirectly) to an identified or identifiable natural person. But it does not include any other details on what that constitutes that type of data. In addition, the LGPD also considers any behavioral profiling data “personal data” so long as it could reasonably be used to identify a natural person.
  • There are some key differences here. For starters, GDPR only defines personal data at the individual level, while CCPA also considers data related to households. The CCPA also excludes certain “publicly available” data, and it doesn’t necessarily cover behavioral data or characteristics data.

The LGPD is very simple. The lack of any defining data types means that LGPD is very broad and basically includes all types of data that can be directly or indirectly linked to an individual or their household.

Key points:

  • GDPR and LGPD are remarkably similar in their personal data definitions. However, LGPD is broader in scope due to its technical simplicity.
  • CCPA is less strict than both GDPR and LGPD since it only includes certain types of data, and it only considers data that directly links to an identified natural person.

The role of anonymous, pseudonymous, de-identified and aggregated data

Many companies collect, retain, and sell data that has been anonymized using de-identification algorithms or through aggregation. Under the CCPA, businesses can continue to utilize this data without disclosure. Under GDPR, businesses are free to use anonymous data, but not pseudonymous data. Under LGPD, businesses must comply with LGPD regulation regardless of the data type — except in specific research circumstances.

Key points:

  • CCPA allows businesses to retain, collect, and sell anonymous, aggregated, and de-identified data without disclosure.
  • GDPR only allows businesses to retain, collect, and sell anonymous data without disclosure.
  • LGPD doesn’t have any language relating to these types of data, meaning that they must be disclosed.

The legal basis for data processing

There are major differences between how each of these pieces of legislation allows data processing. Both the GDPR and the LGPD have “legal basis for processing” clauses. This means that companies are only allowed to process data for these particular reasons.

The GDPR has six:

  • Explicit consent
  • Legal responsibility
  • Legitimate interest
  • Public task
  • Vital interest
  • Contractual performance

The LGPD has ten:

  • Consent
  • Legal obligation
  • Life Protection
  • Exercise of privileges in legal proceedings
  • Legitimate Interest
  • Protection to credit (likely related to recent reforms to the Positive Credit History Law)
  • Health Protection
  • Public task
  • Research by public study entities
  • Contractual performance

The CCPA has none. In other words, businesses can process data on California residents however they please under CCPA. Of course, residents can opt-out, but there aren’t restrictions on “the reason” that companies process data.

Key points:

  • GDPR has six legal bases for data processing
  • LGPA has ten legal bases for data processing
  • CCPA has no restrictions on legal bases for data processing

Data access rights

The GDPR, CCPA, and LGPD all offer rights to individuals when it comes to data privacy. Under CCPA, consumers have the right to request a disclosure of their personal information to see exactly what information businesses have on them. Consumers also have the right to request information on how businesses collect and utilize data, including how it uses third parties which it shares information with.

Under both the GDPR and the LGPD, consumers are afforded similar rights, though with a broader scope. For example, under GDPR, individuals can request disclosures that are written or portable — a right not intrinsically afforded by CCPA.

The timeframes for delivering this information to consumers also differs between each of these laws.

  • CCPA gives businesses 45 days to answer data subjects’ access requests.
  • GDPR gives businesses 30 days to answer data subjects’ access requests.
  • LGPD gives businesses 15 days to answer data subjects’ access requests.

The CCPA gives consumers the right to opt-out of data collection that will be sold, which requires that businesses provide an opt-out section on their website. The GDPR includes a “right to object,” which covers the right to object to data consumption that falls under specific guidelines. All three pieces of legislation give consumers the “right to delete” or “right to be forgotten.”

Overall, GDPR and LGPD afford consumers more rights. The LGPD has nine fundamental rights:

  1. Right to access data
  2. Right to correct inaccurate data
  3. Right to the portability of data
  4. Right to delete personal data
  5. Right to information about how entities are sharing your data
  6. Right to revoke consent
  7. Right to confirm the existence of data processing
  8. Right to access data that has been processed
  9. Right to information about denied consent and the consequences of that denial.

These are essentially the same as the eight rights afforded by the GDPR.

Key points:

  • GDPR, CCPA, and LGPD afford consumers’ rights to disclosure and access.
  • GDPR, CCPA, and LGPD afford consumers’ rights to deletion.
  • The CCPA only allows opt-outs for data that will be sold.
  • Each legislation gives businesses a different amount of time to answer data subjects’ access requests.
  • The GDPR and LGPD have the right to rectification and the right to restrict processing under specific circumstances.

Fines and penalties

When it comes to the teeth, all three of these laws differ significantly.

The GDPR has, by far, the most significant fines of the three. Maximum GDPR fines are €20 million or 4% of annual global revenue, whichever is higher. LGPD fines are 2% of annual global revenue or 50 million reals (~$12 million). And the CCPA fines hit a maximum of $7,500.

Key points:

  • Maximum GDPR fines are €20 million or 4% of annual global revenue
  • Maximum LGPD fines are 2% of annual global revenue or 50 million reals
  • Maximum CCPA fines are $7,500

*Note: As it currently stands, the LGPD has yet to confirm how quickly businesses should respond to a breach. GDPR gives businesses 72 hours. But LGPD simply states that they must apply in accordance with a time period dictated by the “national authority” — which doesn’t exist at this point in time.

Holistic solutions to the data privacy landscape in 2021

CCPAGDPR, and LGPD all share similarities, but they also share some significant differences. These privacy laws will continue to roll out in different territories. Most states are working on their own version of CCPA, and many European countries are supplementing GDPR with their own legislation. Now, South America has started to created laws modeled after GDPR in an attempt to keep its citizens’ data secure and private.

Is your business ready to create a scalable, regulatory-agnostic data privacy framework using best-in-class data subject recovery tools, context-based discovery, and data governance policies? Contact us. OneTrust can help you comply with GDPRCCPA, and LGPD to protect your customers’ privacy and your reputation.


You may also like

Webinar

Privacy Management

Data Privacy Day 2025

Join this webinar to hear from a panel of expert privacy professionals as they dissect the key happenings in 2024 and how privacy professionals can approach what may occur in 2025.

January 21, 2025

Learn more

Webinar

Privacy Management

Revisiting IAPP DPC 2024: Top trends on the latest data protection developments

Join OneTrust and PA Consulting as we dive deeper into the key takeaways from the IAPP Europe Data Protection Congress 2024. Our speakers will provide actionable insights from the event on the latest developments in data protection, privacy, and AI. 

December 12, 2024

Learn more

Infographic

Privacy Automation

GDPR: Dos and don'ts

Navigating GDPR compliance can feel daunting, especially for businesses with limited resources. This quick infographic guide of actionable “dos” and “don’ts” will help you develop the foundation of a broader privacy-first approach that keeps you aligned with your GDPR compliance goals.

December 10, 2024

Learn more

Webinar

Privacy Automation

PIA and DPIA demo webinar with Data Privacy Group

Join our webinar to learn the benefits of automating your PIAs and DPIAs using the OneTrust platform

November 28, 2024

Learn more

eBook

Consent & Preferences

Mastering GDPR consent: A marketer's guide to simplifying compliance

Learn how to simplify GDPR consent management, stay compliant, and build trust with your audience. Download this practical guide for marketers.

October 17, 2024

Learn more

eBook

Privacy Management

Maturing your GDPR compliance program

This comprehensive eBook explores the key elements of a GDPR compliance program.

September 11, 2024

Learn more

Webinar

Privacy Management

CPRA in action: OneTrust Live Demo

Join us for a deep dive tour of our suite of technology solutions for operationalizing and automating CPRA requirements across Do Not Share, Consumer Rights and privacy governance operations.

August 01, 2024

Learn more

Webinar

Privacy Management

Going beyond CCPA

Join us for an in-depth webinar on "Going Beyond CCPA," where we will explore the intricacies of privacy laws, compare major regulations, and provide guidance on enhancing your privacy policy.

July 25, 2024

Learn more

Webinar

Privacy Management

The evolution of CCPA

Join us for an insightful webinar on "The Evolution of CCPA" where we will delve into the latest amendments, understand their impact, and explore the new requirements and implications for businesses.

July 18, 2024

Learn more

Webinar

Privacy Management

Mastering data privacy: Navigating CCPA, CPRA, and beyond

Mastering Data Privacy: Expert Guidance on CCPA, CPRA, GDPR Compliance, Privacy Policy Best Practices, and Live Demo Insights

July 18, 2024

Learn more

eBook

Privacy Management

Understanding data transfers under the GDPR ebook

In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

June 05, 2024

Learn more

Webinar

Privacy Management

Preparing for a new regulation: Lesson learned from the GDPR businesses can apply to the EU AI act?

Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.

May 23, 2024

Learn more

Webinar

Privacy Management

Navigating data privacy in 2024: Global regulatory updates & compliance strategies

Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

March 20, 2024

Learn more

Infographic

Privacy Management

OneTrust announces partnership with Europrivacy

Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

December 06, 2023

Learn more

Webinar

Technology Risk & Compliance

Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

November 30, 2023

Learn more

Webinar

Privacy Management

Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

October 25, 2023

Learn more

Infographic

Privacy & Data Governance

Understanding the EU Data Boundary

Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

September 22, 2023

Learn more

Webinar

Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Learn more

Webinar

Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Learn more

Webinar

Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Infographic

Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy & Data Governance

Global Panel — GDPR & Healthcare: current regulatory guidance and enforcement

In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.

May 24, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Retail: building customer loyalty and trust with consent and privacy

Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.

May 23, 2023

Learn more

eBook

Privacy Management

Getting started with GDPR compliance

This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps. 

May 23, 2023

Learn more

Infographic

Privacy Management

Comparing the FADP, Revised FADP, and the GDPR

Download our infographic to see how the Revised FADP compares with its original version and the GDPR.

May 23, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Finance: Staying ahead of the regulatory and cyber landscape

How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.

May 22, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

Webinar

Privacy & Data Governance

Data Protection in Financial Services Week: Government keynote and international transfers

This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.

February 07, 2023

Learn more

Webinar

Consent & Preferences

Belgian DPA approves TCF action plan: Where we go from here

Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.

January 12, 2023

Learn more

Webinar

Consent & Preferences

Global Privacy Control: CCPA enforcement of GPC opt-out signals webinar

Watch this on-demand webinar to gain an overview of what Global Privacy Control (GPC) is, the benefits of the signal, and how it works.

October 30, 2022

Learn more

Webinar

Privacy Management

Employee vs. consumer rights: Same concept, different reality

Join this webinar to learn about the rights request fulfillment complexities introduced by the end of the employee exclusion in the CPRA.

August 25, 2022

Learn more

Webinar

Privacy & Data Governance

Keeping pace with the changing regulatory landscape: UK And EU updates webinar

Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.

August 15, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more

Webinar

Privacy & Data Governance

4 years of GDPR

Watch our webinar on the last 4 years of GDPR compliance and trends for the future.

May 05, 2022

Learn more

Webinar

Privacy Management

Privacy rights poland: Enhance Your DSAR process with automation, discovery & redaction

As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends. 

April 03, 2022

Learn more

Webinar

Privacy & Data Governance

Know your laws: Comparing CCPA & CPRA vs. GDPR

Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.

January 04, 2022

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of  the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

Checklist

Privacy & Data Governance

Transfer Impact Assessment (TIA) checklist

This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.

December 01, 2021

Learn more

Webinar

Privacy Management

CCPA, CPRA, and Global Privacy Control: Moving toward a more private web

Watch this webinar to learn about Global Privacy Control (GPC), how it centralizes user opt-out preferences, and streamlines compliance with CCPA and CPRA. 

September 08, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to GDPR compliance

Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.

August 26, 2021

Learn more

Webinar

Privacy & Data Governance

Breaking update: New California Consumer Privacy Act

This webinar dives into the details of the California Consumer Privacy Act and how it will impact the companies handling their data.

July 23, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

Infographic

Privacy & Data Governance

CCPA vs. CPRA infographic

Compare California's privacy laws: CCPA vs CPRA in this downloadable infographic.

July 22, 2021

Learn more

White Paper

Privacy Automation

Mastering PIAs & DPIAs: A complete handbook for privacy experts

Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.

July 22, 2021

Learn more

Infographic

Privacy Management

CDPA vs CCPA: Comparing US privacy laws

Download this infographic comparing the Virginia CDPA to the California CCPA.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CPRA vs CCPA: What you need to know

Join us for a webinar as our legal experts discuss the key differences between the CPRA vs the CCPA.

July 22, 2021

Learn more

Checklist

Privacy & Data Governance

GDPR compliance checklist

Download our GDPR compliance checklist for recommendations on improving your organization's privacy program. 

June 11, 2021

Learn more

Webinar

Privacy Management

CCPA identity verification

In this webinar we explore options for verifying a consumer's identity and how to fully automate this process with OneTrust.

August 13, 2019

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more