CCPA vs LGPD: California and Brazil Privacy Laws Compared

Compare CCPA and LGPD privacy regulations. Learn differences in consumer rights, enforcement, consent requirements, and compliance obligations.

CCPA

The California Consumer Privacy Act gives California residents control over their personal information through opt-out rights and transparency requirements for businesses that meet specific thresholds.

Pros

  • Strong opt-out rights for data sale and sharing
  • Private right of action for data breaches
  • Broad definition of personal information
  • Established enforcement by California AG and CPPA
  • Sets precedent for US state privacy laws

Cons

  • Limited to California residents
  • Business threshold exemptions
  • No comprehensive consent requirement
  • Complex sale and sharing definitions
  • No DPO requirement

Best For

  • US businesses with California customers
  • Companies selling or sharing consumer data
  • Organizations preparing for US privacy law landscape

LGPD

Brazil's LGPD is a comprehensive data protection law providing individuals broad rights over their personal data with ten legal bases for processing and GDPR-aligned requirements.

Pros

  • Comprehensive framework with ten legal bases
  • Strong individual rights including portability
  • Covers all personal data processing
  • GDPR-aligned making international compliance easier
  • No business size thresholds for applicability

Cons

  • DPO required for all controllers
  • ANPD enforcement still building capacity
  • Lower penalty cap than GDPR
  • Complex legitimate interest assessments
  • Some provisions lack detailed guidance

Best For

  • Organizations operating in Brazil
  • Companies with Brazilian customers
  • Latin American businesses

Feature Comparison

Feature | CCPA | LGPD

Regulatory Model

Consent Approach | Opt-out model | Opt-in with multiple legal bases
Applicability | Businesses meeting revenue or data thresholds | All organizations processing personal data
Data Coverage | Personal information of California residents | All personal data of individuals in Brazil
Regulatory Influence | US state privacy law model | GDPR-aligned model

Individual Rights

Right to Know | |
Right to Delete | |
Right to Opt-Out | Of sale and sharing | Not specific (consent withdrawal instead)
Right to Portability | |
Right to Non-Discrimination | | Addressed through general principles

Compliance Requirements

DPO Required | | Required for all controllers
Privacy Impact Assessments | Required under CPRA for significant risk | At ANPD discretion
Breach Notification | Without unreasonable delay | Reasonable timeframe to ANPD
Processing Records | Not explicitly required | Required

Penalties

Maximum Fine | USD 7,500 per intentional violation | 2% of revenue in Brazil, max BRL 50 million
Private Right of Action | Yes, for data breaches | Yes, individuals can seek damages
Enforcement Body | CPPA and California AG | ANPD

Our Verdict

The CCPA and LGPD embody fundamentally different regulatory philosophies. The CCPA follows an American opt-out model where businesses can process data by default and consumers must actively opt out of certain practices like data sale. The LGPD follows the European opt-in model requiring a legal basis before any processing occurs. This difference shapes every aspect of compliance from consent management to data processing documentation.

The LGPD is more comprehensive in scope, applying to all organizations processing personal data without business size thresholds, while the CCPA only applies to businesses meeting specific revenue or data volume criteria. The LGPD also requires a DPO for all controllers and mandates processing records, creating higher baseline compliance obligations.

Organizations operating in both California and Brazil need to account for both frameworks in their privacy programs. The opt-out mechanisms required by CCPA and the consent management required by LGPD can be managed through a unified platform like ComplyIQ that adapts workflows to each jurisdiction.

Frequently Asked Questions

Which law is more comprehensive?

The LGPD is more comprehensive, covering all personal data processing without business thresholds and requiring multiple organizational measures like a DPO and processing records. The CCPA is focused on consumer rights and applies only to businesses meeting specific criteria.

Do both laws require consent?

They approach consent differently. LGPD requires a legal basis for processing which may include consent. CCPA operates on an opt-out model where consent is not required for most processing but consumers can opt out of data sale and sharing. The CCPA also requires opt-in consent for minors under 16.

How do penalty structures compare?

CCPA penalties are per-violation at up to USD 7,500 for intentional violations, which can accumulate quickly. LGPD penalties are up to 2 percent of revenue in Brazil capped at BRL 50 million per violation. The effective financial impact depends on the scale and nature of the violation.

Is there a private right of action under both?

Yes, but with different scopes. CCPA provides a private right of action specifically for data breaches with statutory damages of USD 100 to 750 per consumer per incident. LGPD allows individuals to seek compensation for damages caused by privacy violations more broadly, not just breaches.

Can I build one program for both?

Yes, but you need to address the fundamental difference between opt-in and opt-out models. A unified program should implement LGPD consent management as the baseline while adding CCPA-specific opt-out mechanisms. ComplyIQ helps manage both approaches from a single platform.
