Recent years have seen a rise in data privacy laws that establish privacy rights and set standards companies must follow when protecting consumers’ personal information. In the United States, the California Consumer Privacy Act (CCPA) came into effect on January 1, 2021. Meanwhile, in Brazil, there is the Lei Geral de Proteção de Dados (LGPD), a privacy act modeled after the General Data Protection Regulation (GDPR) of the European Union, which became enforceable on August 1, 2021.
Compliance keeps you on the right side of the law and helps you earn the trust of your audience. Let’s examine these privacy laws in greater detail.
Definition of Personal Data
Personal data is an umbrella term for all information used to define or describe an individual. The CCPA defines personal information as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The following are considered personal information by the CCPA:
- Direct identifiers (real names, alias, postal address, social security numbers, driver’s license, passport information, or signature)
- Indirect identifiers (these include cookies, beacons, pixel tags, phone numbers, IP addresses, and account names)
- Biometric data (human characteristics such as one’s face, retina, fingerprints, or DNA)
- Geolocation data (such as one’s location history)
- Internet activities (such as one’s browsing and search history, and interactions with webpages, applications, or advertisements)
- Sensitive information (personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information)
The LGPD also describes personal data as information associated (directly or indirectly) with an identified or identifiable natural person but does not provide any specifics. Any behavioral profiling data is “personal data” if it can identify a person.
The lack of specifics makes the LGPD appear to be more expansive. In comparison, the CCPA is less rigorous because it is very specific, pertaining only to data that explicitly identifies a person.
Comparing the Differences Between CCPA & LGPD
Territorial Scope
The LGPD applies to companies that handle data from people in Brazil. The CCPA applies to any for-profit company that conducts business in California and deals with residents’ personal data.
The Role of Anonymous, Pseudonymous, De-identified, and Aggregated Data
Under the CCPA, businesses are permitted to use anonymized data gathered, stored, and marketed by other companies. The LGPD doesn’t cover data that is truly anonymized, since it can’t be used, directly or indirectly, to identify a person by reasonable means. However, the LGPD does apply if the anonymization is reversible or the data can be used for behavioral profiling.
The Legal Basis for Data Processing
The LGPD contains “legal basis for processing” clauses that limit the circumstances in which companies are allowed to process data. They are:
- Consent
- Legal obligation
- Life protection
- Exercise of privileges in legal proceedings
- Legitimate interest
- Protection to credit (likely related to recent reforms to the Positive Credit History Law)
- Health protection
- Public task
- Research by public study entities
- Contractual performance
Meanwhile, the CCPA has no such restrictions, allowing companies to process data as needed, provided Californians can opt out.
Scope & Requirements
If a company handles data from people in Brazil, whether or not it is physically located there, then the LGPD applies. Specifically, it applies if the company:
- Uses servers located in Brazil to carry out data processing activities
- Sells or distributes to Brazilian residents or citizens
- Handles information about persons in Brazil (even if the subject was only in Brazil when the data was collected)
The CCPA, on the other hand, applies to any for-profit company that conducts business in California and handles residents’ personal data. Covered parties must also meet one of these criteria:
- Have a minimum annual gross revenue of $25 million
- Handle 50,000 or more customers’ personal information
- Sell California residents’ personal information to make at least 50% of their earnings
This essentially means that having even a single California resident as a customer is sufficient for the CCPA to apply to any business with over $25 million in gross revenue. These thresholds also exempt smaller businesses.
Consumer Rights
Both laws grant customers rights over their personal information, including the right to deletion, the right to be informed, the right to object, the right of access, and the right to data portability. The CCPA gives businesses 45 days to address a customer’s request. This can be extended by 45 days (without reason) or by 90 days (provided there’s an explanation). The LGPD says entities must respond immediately but doesn’t specify a timeframe.
Enforcement
The CCPA is enforced by the California Attorney General (AG), and the LGPD is enforced by the National Data Protection Authority (ANPD). Both enforce financial penalties for non-compliance, although the amount and subjects vary.
Under the LGPD, a fine of 2% of the income of a private legal person, group, or company for the past financial year, minus taxes, may be applied. Daily fines of up to BRL 50,000,000 per infraction will be imposed if the violation repeats, along with the blocking of the personal data.
Under the CCPA, the Attorney General’s Office can pursue a lawsuit, including an injunction and a $2,500 civil penalty for every violation. If the infraction is found to be intentional, the penalty can go up to $7,500.
Conclusion
As an e-commerce seller, it’s especially important to understand the differences between the various privacy laws, because you’re not restricted to a physical location and can potentially supply customers internationally. Therefore, you must ensure your compliance to avoid violations and significant penalties. This includes researching other comparisons such as CCPA and CPRA vs GDPR and CCPA vs PIPEDA. There are various resources available that provide guidance on data privacy for e-commerce and demonstrate how to ensure CCPA compliance and cookie consent on Shopify.