There’s no question data security is more critical than ever. According to CSO, 63% of companies experienced a data breach in the last twelve months. Meanwhile, attacks on IoT devices tripled in the first half of 2019. More ominously, social engineering attacks have increased by an eye-watering 400% in light of COVID-19.
Privacy laws like the CCPA, GDPR, and LGPD were made for times like these. Enforcement of the CCPA officially begins July 1st, 2020. And in August 2020, Brazil’s new data protection law, the Lei Geral de Proteção de Dados (LGPD), will officially go into effect. Inspired by the European Union’s General Data Protection Regulation (GDPR), the LGPD is another landmark privacy law that’s set to change the way Brazilian businesses track, use, and store data. In the United States, the recent California Consumer Privacy Act (CCPA) addresses privacy concerns similar to those of the GDPR and LGPD.
For many businesses, navigating three differing sets of privacy legislation can be a logistics nightmare. Below, we highlight the differences between the GDPR, CCPA, and LGPD, and how your business can satisfy the requirements of all three.
Why the New Crop of Privacy Legislation is Critical
What’s the one thing that keeps Americans up at night? If you guessed hunger, jobs, or global conflicts, you’d be wrong. According to Harris Polls, it’s privacy. From the Equifax breach that compromised the driver’s licenses, social security numbers, and addresses of 143 million consumers to the recent Microsoft breach that exposed 250 million email addresses, data security is under threat.
At the same time, 81% of Americans say that the risks of data collection outweigh the benefits. Research shows that people are more concerned about their privacy when it comes to personalized ads than the ability to see relevant content. And, 60% of US adults worry that they can’t go about a typical day without their data being collected by companies.
This sentiment is echoed globally. To date, there are over 117 omnibus laws relating to privacy (such as the GDPR and LGPD) as well as a range of sectoral laws (like the CCPA) aimed at tackling privacy issues. Almost every state in the U.S. is contemplating or has passed data privacy laws. As countries continue to debate more legislation to supplement the GDPR, it’s important to understand the three major bills addressing privacy rights:
- The GDPR
- The LGPD
- The CCPA
The Differences and Similarities Between the GDPR, LGPD, and CCPA
First, we’ll look at the core similarities between these three bills. It’s important to note that, while the CCPA is a sectoral law, the scope of California’s consumer base essentially makes it an omnibus bill when it comes to impact.
When it comes to territorial scope, there are many similarities between the GDPR and LGPD. However, the CCPA contains nuances in the way it defines regulated parties.
The GDPR covers any party that processes the personal data of people in the EU, whether or not that party is based in the EU. Similarly, the LGPD covers any business that processes data in Brazil, whether or not it is based in Brazil. In other words, if you process consumer data in either the EU or Brazil, you’re subject to these laws.
The CCPA covers any for-profit business that does business in California and processes the personal information of California residents. In addition, the CCPA will apply to businesses that exceed the following thresholds:
- Has an annual gross revenue of at least $25 million
- Processes the personal information of 50,000 or more consumers
- Derives 50% (or more) of its profit from selling the personal information of California residents
This means that virtually all businesses that make over $25 million in gross revenue must comply with the CCPA, as long as they do business with California consumers. However, this caveat also leaves many smaller businesses exempt from the regulation.
Let’s look at some examples:
Example A: Big Stuff is a large enterprise that does business across the United States. Since it’s a large enterprise that makes $25 million or more annually and does business with California residents, it must comply with the CCPA.
Example B: Small Stuff is a small business with fewer than 50,000 consumers in the United States. It makes roughly $18 million annually and doesn’t profit from selling personal information. Small Stuff doesn’t have to comply with the CCPA.
Example C: Both Small Stuff and Big Stuff have to comply with the GDPR and LGPD since both of their websites get visitors and do business with people in the EU and Brazil.
There are some other small caveats. The CCPA only covers individuals who are California residents. GDPR covers everyone in the EU — whether they’re citizens or not.
- Both the GDPR and the LGPD have an extraterritorial scope.
- The CCPA only applies to parties that either:
  - Have an annual gross revenue of at least $25 million
  - Process the personal information of 50,000 (or more) consumers
  - Receive 50% (or more) of their profits from selling CA resident information
- Almost all businesses must comply with the GDPR and LGPD, yet some businesses may not have to comply with the CCPA.
Definition of Personal Data
The GDPR, CCPA, and LGPD all have their own definitions of “personal data.”
- The GDPR defines personal data as information that can reasonably be linked (either directly or indirectly) to identifiable or identified data subjects. This includes things such as names, social security numbers, and addresses. However, it also includes characteristics that express the “physical, physiological, genetic, mental, commercial, cultural or social identity” of data subjects or persons.
- The CCPA defines personal data as any information that can be used to identify a consumer or household, such as social security numbers, addresses, biometric information, internet/network activity data, geolocation data, etc.
- The LGPD also defines personal data as information related (directly or indirectly) to an identified or identifiable natural person. However, it doesn’t include specific details on what constitutes that type of data. In addition, the LGPD also considers any behavioral profiling data “personal data,” so long as it can be used to identify a person.
There are some key differences here. For starters, the GDPR only defines personal data at the individual level, while the CCPA also considers data related to households. The CCPA also excludes certain “publicly available” data. For the LGPD, the lack of any defining data types means that its scope is broad and can include any data that directly or indirectly links to an individual or household.
- The GDPR and LGPD are remarkably similar in their personal data definitions. However, the LGPD is broader in scope and has more stringent provisions for processing data.
- Both the GDPR and LGPD require businesses to hire DPOs (data protection officers).
- The GDPR covers publicly available data, while the CCPA doesn’t.
- The GDPR also protects personal information relating to health to a greater degree than the CCPA.
The Role of Pseudonymous, De-identified, and Aggregated Data
Many companies collect, retain, and sell data that has been anonymized using de-identification algorithms or aggregation. Under the CCPA, businesses can continue to utilize this data without disclosure. Under GDPR, pseudonymous data IS personal data. Meanwhile, businesses under the LGPD must comply with the law regardless of the data type — except in specific research circumstances.
- CCPA allows businesses to retain, collect, and sell anonymous, aggregated, and de-identified data without disclosure. However, under the GDPR, pseudonymous data is considered personal data.
- GDPR only allows businesses to retain, collect, and sell anonymous data without disclosure. Note that pseudonymization isn’t anonymization. Pseudonymous data still allows for re-identification, while anonymous data cannot be re-identified at all.
- LGPD doesn’t have any language relating to these types of data, meaning that they must be disclosed.
The Legal Basis for Data Processing
There are major differences between how each of these pieces of legislation allows data processing. Both the GDPR and the LGPD have “legal basis for processing” clauses. This means that companies are only allowed to process data for these particular reasons.
The GDPR has six:
- Explicit consent
- Legal responsibility
- Legitimate interest
- Public task
- Vital interest
- Contractual performance
The LGPD has ten:
- Legal obligation
- Life protection
- Exercise of privileges in legal proceedings
- Legitimate interest
- Protection of credit (likely related to recent reforms to the Positive Credit History Law)
- Health protection
- Public task
- Research by public study entities
- Contractual performance
The CCPA has none. Of course, residents can opt out of having their data processed and sold.
- GDPR has six legal bases for data processing
- LGPD has ten legal bases for data processing
- CCPA has no restrictions on legal bases for data processing
Data Access Rights
The GDPR, CCPA, and LGPD all grant individuals rights over their personal data. Under the CCPA, consumers have the right to request a disclosure of their personal data to see what information businesses have collected about them. Consumers also have the right to request information on how businesses collect and use that data. Both the GDPR and CCPA allow individuals to make these requests in several ways. The GDPR allows consumers to make requests electronically and orally. Meanwhile, the CCPA requires businesses to provide at least two methods by which consumers may submit access requests, for example a toll-free phone number and a webpage.
The GDPR also offers broader rights in terms of disclosures. For example, individuals can request disclosures beyond those written in a portable format — a right not intrinsically afforded by the CCPA.
The timeframes for delivering this information to consumers also differ among these laws.
- CCPA gives businesses 45 days to respond to access requests.
- GDPR gives businesses 30 days to respond to access requests.
- LGPD gives businesses 15 days to respond to access requests.
The CCPA gives consumers the right to opt out of data collection. This requires businesses to provide an opt-out section on their website. The GDPR includes a “right to object,” which covers the right to object to data processing that falls under specific guidelines. All three pieces of legislation give consumers the “right to delete” or “right to be forgotten.”
Overall, the GDPR and LGPD afford consumers more rights. The LGPD affords the right to:
- Access data
- Correct inaccurate data
- Easily move personal data from one platform to another (i.e., the right to data portability)
- Delete personal data
- Get information about how entities are sharing personal data
- Revoke consent for sharing data
- Confirm the existence of data processing
- Access data that has been processed
- Get information about denied consent and the consequences of that denial
These are essentially the same as the eight rights afforded by the GDPR.
- The GDPR, CCPA, and LGPD protect the right of consumers to access their personal data.
- All three afford consumers the right to erase or delete data collected by organizations.
- However, the CCPA only allows opt-outs for data that will be sold.
- Each legislation gives businesses a set amount of time to respond to consumer access requests.
- The GDPR and LGPD offer the right to rectification (or erasure of data) and the right to restrict processing under specific circumstances.
Fines and Penalties
When it comes to penalties, all three laws differ significantly in scope.
The GDPR has, by far, the most significant fines of the three. Maximum GDPR fines are €20 million or 4% of annual global revenue, whichever is higher. LGPD fines are 2% of annual global revenue or 50 million reais (~$12 million). And CCPA fines hit a maximum of $7,500 per violation.
- Maximum GDPR fines are €20 million or 4% of annual global revenue
- Maximum LGPD fines are 2% of annual global revenue, up to a total of 50 million reais
- CCPA fines are $2,500 for each violation and $7,500 for each intentional violation
Note: As it currently stands, the LGPD has yet to confirm how quickly businesses must respond to a breach. The GDPR gives businesses 72 hours. However, the LGPD simply states that businesses must respond “within a reasonable time.”
The Privacy Wave Keeps Rising
The CCPA, GDPR, and LGPD all share similarities, but they also share some significant differences. These privacy laws will continue to play a strong role in protecting consumer rights in regions around the world. For example, many other U.S. states are working on their own versions of the CCPA, and many European countries are supplementing the GDPR with their own laws. Presently, South America has begun to make laws modeled after the GDPR in an attempt to keep its citizens’ data secure.
Is your business ready to create a scalable, regulatory-agnostic data privacy framework using best-in-class data subject recovery tools, context-based discovery, and data governance policies? If so, contact us today. Integris can help you comply with the GDPR, CCPA, and LGPD (and other privacy laws) to secure consumer privacy and your reputation.