Recent years have seen a rise in data privacy laws that set privacy rights and standards for companies to follow regarding protecting consumers’ personal information. In the United States, the California Consumer Privacy Act (CCPA) came into effect on January 1, 2021. Meanwhile, in Brazil, there is Lei Geral de Proteção de Dados (LGPD), a privacy act modeled after the General Data Protection Regulation (GDPR) of the European Union, which became enforceable on August 1, 2021.

Compliance helps you stay in the right with the law and enables you to gain the trust of your audience. Let’s examine these privacy laws in greater detail.

Definition of Personal Data

Personal data is an umbrella term for all information used to define or describe an individual. The CCPA defines personal information as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The following are considered personal information by the CCPA:

  • Direct identifiers (real names, alias, postal address, social security numbers, driver’s license, passport information, or signature)
  • Indirect identifiers (these include cookies, beacons, pixel tags, phone numbers, IP addresses, and account names)
  • Biometric data (human characteristics such as one’s face, retina, fingerprints, or DNA)
  • Geolocation data (such as one’s location history)
  • Internet activities (such as one’s browsing and search history, webpage, application, or advertisement interactions, and data)
  • Sensitive information (personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information)

Bulleted List

The LGPD also describes personal data as information associated (directly or indirectly) with an identified or identifiable natural person but does not provide any specifics. Any behavioral profiling data is “personal data” if it can identify a person.

The lack of specifics makes the LGPD appear to be more expansive. In comparison, the CCPA is less rigorous since it’s very specific, pertaining only to those that explicitly identify a person.

Comparing the Differences Between CCPA & LGPD

Territorial Scope

The LGPC applies to companies that handle data from people in Brazil. The CCPA applies to any for-profit company that conducts business in California and deals with residents’ personal data.

The Role of Anonymous, Pseudonymous, De-identified, and Aggregated Data

Under the CCPA, businesses are permitted to use anonymized data gathered, stored, and marketed by other companies. The LGPD doesn’t cover data if it’s truly anonymized as it can’t be used directly or indirectly to identify a person with reasonable means. However, it will apply if the process is reversible or can be used for behavioral profiling.

The LGPD contains “legal basis for processing” clauses that limit the circumstances in which companies are allowed to process data. They are:

  • Consent
  • Legal obligation
  • Life protection
  • Exercise of privileges in legal proceedings
  • Legitimate interest
  • Protection to credit (likely related to recent reforms to the Positive Credit History Law)
  • Health protection
  • Public task
  • Research by public study entities
  • Contractual performance

Bulleted List

Meanwhile, the CCPA has no such restrictions, allowing companies to process data as needed, provided Californians can opt-out.

Scope & Requirements

If a company handles data from people in Brazil, irrespective of whether it’s physically located there or not, then LGPD applies. Specifically, if the company:

  • Uses servers located in Brazil to carry out data processing activities
  • Sells or distributes to Brazilian residents or citizens
  • Handles information about persons in Brazil (even if the subject was only in Brazil when the data was collected)

Bulleted List

The CCPA, on the other hand, applies to any for-profit company that conducts business in California and handles residents’ personal data. Covered parties must also meet one of these criteria:

  • Have a minimum annual gross revenue of $25 million
  • Handle 50,000 or more customers’ personal information
  • Sell California residents’ personal information to make at least 50% of their earnings

Bulleted List

This essentially indicates that having even a single California resident as a customer is sufficient for the CCPA to apply to any business with over $25 million in gross revenue. Such criteria also help exempt smaller businesses.

Consumer Rights

Both legislations provide personal information rights to customers. This includes the right to deletion, to be informed, to object, to access, and to data portability. The CCPA gives businesses 45 days to address a customer’s request. It can also be extended by 45 days (without reason) and 90 days (provided there’s an explanation). LGPD says entities must respond immediately but doesn’t specify a timeframe.

Enforcement

The CCPA is enforced by the California Attorney General (AG), and the LGPD is enforced by the National Data Protection Authority (ANPD). Both enforce financial penalties for non-compliance, although the amount and subjects vary.

Under the LGPD, a fine of 2% of a private legal person, group, or company’s income for the past financial year, minus taxes, may be applied. Daily fines of up to BRL 50,000,000 per infraction will be imposed if the violation repeats, along with the blocking of the personal data.

The Attorney General’s Office can pursue a lawsuit, including an injunction and a $2,500 civil penalty for every violation. If the infraction is found to be intentional, penalties can go up to $7,500.

Conclusion

As an e-commerce seller, it’s especially important to understand the difference between various privacy laws, because you’re not restricted by a physical location and can potentially supply customers internationally. Therefore, you must ensure your compliance to avoid violations and significant penalties. This includes researching other laws such as CCPA and CPRA vs GDPR and CCPA vs PIPEDA. There are various resources available that can provide guidance on data privacy for e-commerce and demonstrate how to ensure CCPA compliance and cookie consent on Shopify.

Get a
Demo
NOW

Fill up the form for 20% off on subscriptions!

First Name
Last Name
Company Email Address
Company URL

About the Author: Janet Low

Janet Low, based in Delray Beach, Florida, is a dynamic marketing leader with expertise spanning the USA and Asia Pacific. Renowned for driving brand growth and championing responsible marketing, Janet is dedicated to mentoring professionals and shaping modern marketing landscapes.

Share This

Request a demo of our data privacy solution today and take control of your privacy strategy.

Get a
Demo
NOW

See how our platform ensures compliance and builds trust.

Discussion

Related Posts

If you enjoyed reading this, please explore our other articles below:

Related Posts

New Jersey and New Hampshire Change the US Data Privacy Landscape
New Jersey and New Hampshire Change the US Data Privacy Landscape
Gallery

New Jersey and New Hampshire Change the US Data Privacy Landscape

February 5, 2024
Navigating the Digital Markets Act: A New Era for Online Privacy and Consent Management
Navigating the Digital Markets Act: A New Era for Online Privacy and Consent Management
Gallery

Navigating the Digital Markets Act: A New Era for Online Privacy and Consent Management

January 31, 2024
Data Privacy: The E-Commerce Edition – Navigating Indiana’s New Cyber Seas
Data Privacy: The E-Commerce Edition – Navigating Indiana’s New Cyber Seas
Gallery

Data Privacy: The E-Commerce Edition – Navigating Indiana’s New Cyber Seas

November 28, 2023
A New Shift in Europe: How New Data Privacy Rules Impact Your Facebook and Instagram Experience
A New Shift in Europe: How New Data Privacy Rules Impact Your Facebook and Instagram Experience
Gallery

A New Shift in Europe: How New Data Privacy Rules Impact Your Facebook and Instagram Experience

November 6, 2023