Top Gear: Useful Internet Marketing Strategies & Tips to Move You Forward: What Marketers Should Know About Privacy Regulations: GDPR, CCPA, LGPD, and More

As the privacy landscape, regulations, and guidelines continue to evolve, digital marketers must consider the impact to their marketing activities. While compliance is a requirement, transparency and building trust with your audience is also critical.

The data privacy space has been heating up for years, with new laws an enforcement taking place in 2020. Enforcement of California Consumer Privacy Act (CCPA) officially started July 1 of this year. Then in September, Brazil’s new data protection law, Lei Geral de Proteção de Dados (LGPD) came into effect. Inspired by the European Union’s General Data Protection Regulation (GDPR) law, the LGPD is another landmark privacy bill set to impact the way that Brazilian businesses consume, utilize, and store data at scale. In the United States, the CCPA also deals with the same privacy territory as both the GDPR and LGPD, and on November 3, 2020, the California Privacy Rights Act of 2020 (CPRA) was passed.

Let’s go into each of these privacy laws in a bit more detail.

New data privacy laws

California, U.S.: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

What is the CCPA and CPRA?
The California Consumer Privacy Act (CCPA) is one of the most comprehensive privacy laws in the U.S. and introduced significant compliance challenges for organizations. In particular, the CCPA established a new set of consumer rights, additional protections for children's data, and specific rules on the selling of personal information.

However, the framework provided by the current version of the CCPA is set to change following the passing of the California Privacy Rights Act of 2020 (CPRA) on November 3, 2020. The CPRA stipulates several amendments to the CCPA, including new consumer rights, provisions for a state privacy authority, and further obligations relating to children's data. Although the CPRA will not become operative until January 1, 2023, many of its provisions will be applicable to personal information collected from January 1, 2022.

What do marketers need to know about the CCPA and CPRA?

For marketers, the key consideration for CCPA and CPRA is user experience. To be in compliance, there are things that we must provide so our customers can exercise their privacy rights, but there is a lot we can do to enhance the user experience and educate our customers.

European Union: General Data Protection Regulation (GDPR)

What is the GDPR?

In 2016, the EU adopted the General Data Protection Regulation (GDPR). Member states had two years to ensure that it was fully implemented (by May 2018). EU General Data Protection Regulation (GDPR) requires organizations to undertake significant operational reform to meet the increased obligations of handling personal data. Appropriate record keeping is critical as the GDPR requires organizations to demonstrate compliance and accountability. The GDPR also introduced new data subject rights, giving EU citizens rights over their data, including access, deletion, and portability.

What do marketers need to know about the GDPR?

Because the GDPR requires a legal basis to process data, marketers must pay attention to what legal basis they are using when collecting customer data and leveraging that data for communications, campaigns, and more. Marketers are most likely to rely on legitimate interest or customer consent—read on to learn more.

Brazil: Lei Geral de Proteção de Dados (LGPD)

What is the LGPD?

On August 14, 2018, after eight years of debates and drafting, the Brazilian president sanctioned the Brazilian General Data Protection Law (LGPD). The LGPD aims to protect the privacy and fundamental rights of individuals whose personal data is collected and/or processed in Brazil. Organizations in Brazil, and anywhere else in the world, that process the personal data of individuals located in Brazil will have to comply with the LGPD. The LGPD mirrors many of the same principals as the GDPR and became effective in September 2020.

What do marketers need to know about the LGPD?

The LGPD is very broad and basically includes all types of data that can be directly or indirectly linked to an individual or their household, so it’s important for marketers to consider all types and sources of data used for marketing activities when looking at compliance.

Key components and comparisons of GDPR, CCPA, and LGPD

For many businesses, dealing with these three different, yet similar, pieces of privacy legislation can be challenging. What are the differences between GDPR, CCPA, and LGPD? And how can marketers successfully satisfy the requirements of all of these regulations?

Let’s take a look at these three privacy bills and discuss where they’re similar, where they’re different, and how your business can satisfy these growing data privacy requirements.

There are several key areas of these privacy laws that highlight similarities and differences:

Territorial scope
Definition of personal data
Anonymous, de-identified, and/or aggregated data
Legal basis for processing data
Data access
Fines / penalties

Territory scope

When it comes to territorial scope, there are many similarities between GDPR and LGPD. However, CCPA is much smaller in scope and has some extra nuance to the way it defines regulated parties.

The GDPR covers any party that processes EU data subjects’ personal data, whether they exist in the EU or not. The LGPD also covers any business that processes data in Brazil, whether they exist in Brazil or not. In other words, if you process customer data in either the EU or Brazil, you’re subject to these laws.

The CCPA covers any for-profit business that does business in California and processes personal information of residents in California. In addition, covered parties must meet ONE or more of the following criteria:

An annual gross revenue of at least $25 million
Processes personal information from 50,000 or more consumers
Derives 50% (or more) of their profit by selling the personal information of California residents

This means that virtually all businesses that make over $25 million in gross revenue must comply with CCPA so long as they have at least one CA customer. However, this caveat also leaves many smaller businesses exempt from the regulation. CCPA only covers individuals who are California residents.

Key points:

• Both the GDPR and the LGPD have an extraterritorial scope.
• The CCPA only applies to parties that either:
- Have an annual gross revenue of at least $25 million
- Process the personal information from 50,000 (or more) consumers
- Receive 50% (or more) of their profits from selling CA resident information
- Almost all businesses should comply with GDPR and LGPD, yet some businesses may not have to comply with CCPA.

Definition of personal data

The GDPR, CCPA, and LGPD all have their own definitions of “personal data.”

The GDPR defines personal data as information that can reasonably be linked (either directly or indirectly) to an identifiable or identified data subject. This includes things such as names, social security numbers, and addresses, but it also includes indirect data such as behavioral data, preferences, characteristics, etc. The GDPR also includes some exemptions, such as in the use of certain research purposes.

The CCPA defines personal data as information that can be used to identify a natural person, such as social security numbers, addresses, names, etc. In addition, the CCPA also includes information that can be used to identify a household or device.

The LGPD also defines personal data as information related (directly or indirectly) to an identified or identifiable natural person. But it does not include any other details on what that constitutes that type of data. In addition, the LGPD also considers any behavioral profiling data “personal data” so long as it reasonably could be used to identify a natural person.

There are some key differences here. For starters, GDPR only defines personal data at the individual level, while CCPA also considers data related to households. The CCPA also excludes certain “publicly available” data, and it doesn’t necessarily cover behavioral data or characteristics data.

The LGPD is very simple. The lack of any defining data types means that LGPD is very broad and basically includes all types of data that can be directly or indirectly linked to an individual or their household.

Key points:

GDPR and LGPD are remarkably similar in their personal data definitions. However, LGPD is broader in scope due to its technical simplicity.
CCPA is less strict than both GDPR and LGPD since it only includes certain types of data, and it only considers data that directly links to an identified natural person.

Anonymous, de-identified, and/or aggregated data

Many companies collect, retain, and sell data that has been anonymized using de-identification algorithms or through aggregation. Under the CCPA, businesses can continue to utilize this data without disclosure. Under GDPR, businesses are free to use anonymous data, but not pseudonymous data. Under LGPD, businesses must comply with LGPD regulation regardless of the data type — except in specific research circumstances.

Key points:

CCPA allows businesses to retain, collect, and sell anonymous, aggregated, and de-identified data without disclosure.
GDPR only allows businesses to retain, collect, and sell anonymous data without disclosure.
LGPD doesn’t have any language relating to these types of data, meaning that they must be disclosed.

The legal basis for data processing

There are major differences between how each of these pieces of legislation allows data processing. Both the GDPR and the LGPD have “legal basis for processing” clauses. This means that companies are only allowed to process data for these reasons.

The GDPR has six:

Explicit consent
Legal responsibility
Legitimate interest
Public task
Vital interest
Contractual performance

The LGPD has ten:

Consent
Legal obligation
Life protection
Exercise of privileges in legal proceedings
Legitimate Interest
Protection to credit (likely related to recent reforms to the Positive Credit History Law)
Health protection
Public task
Research by public study entities
Contractual performance

The CCPA has none. In other words, businesses can process data on California residents however they please under CCPA. Of course, residents can opt-out, but there aren’t restrictions on “the reason” that companies process data.

Key points:

GDPR has six legal bases for data processing (consent and legitimate interest are most relied upon for marketing purposes).
LGPA has ten legal bases for data processing.
CCPA has no restrictions on legal bases for data processing.

Data access rights

The GDPR, CCPA, and LGPD all offer rights to individuals when it comes to data privacy. Under CCPA, consumers have the right to request a disclosure of their personal information to see exactly what information businesses have on them. Consumers also have the right to request information on how businesses collect and utilize data, including how it uses third parties which it shares information with. 

Under both the GDPR and the LGPD, consumers are afforded similar rights, though with a broader scope. For example, under GDPR, individuals can request disclosures that are written or portable—a right not intrinsically afforded by CCPA.

The timeframes for delivering this information to consumers also differs between each of these laws.

CCPA gives businesses 45 days to answer data subjects’ access requests.
GDPR gives businesses 30 days to answer data subjects’ access requests.
LGPD gives businesses 15 days to answer data subjects’ access requests.

The CCPA gives consumers the right to opt-out of data collection that will be sold, which requires that businesses provide an opt-out section on their website. The GDPR includes a “right to object,” which covers the right to object to data consumption that falls under specific guidelines. All three pieces of legislation give consumers the “right to delete” or “right to be forgotten.”

Overall, GDPR and LGPD afford consumers more rights. The LGPD has nine fundamental rights:

Right to access data
Right to correct inaccurate data
Right to the portability of data
Right to delete personal data
Right to information about how entities are sharing your data
Right to revoke consent
Right to confirm the existence of data processing
Right to access data that has been processed
Right to information about denied consent and the consequences of that denial.

These are essentially the same as the eight rights afforded by the GDPR.

Key points:

GDPR, CCPA, and LGPD afford consumers’ rights to disclosure and access.
GDPR, CCPA, and LGPD afford consumers’ rights to deletion.
The CCPA only allows opt-outs for data that will be sold.
Each legislation gives businesses a different amount of time to answer data subjects’ access requests.
The GDPR and LGPD have the right to rectification and the right to restrict processing under specific circumstances.

Fines and Penalties

When it comes to the teeth, all three of these laws differ significantly.

The GDPR has, by far, the most significant fines of the three. Maximum GDPR fines are €20 million or 4% of annual global revenue, whichever is higher. LGPD fines are 2% of annual global revenue or 50 million reals (~$12 million). And, the CCPA fines hit a maximum of $7,500.

Key points:

Maximum GDPR fines are €20 million or 4% of annual global revenue
Maximum LGPD fines are 2% of annual global revenue or 50 million reals
Maximum CCPA fines are $7,500

*Note: As it currently stands, the LGPD has yet to confirm how quickly businesses should respond to a breach. GDPR gives businesses 72 hours. But LGPD simply states that they must apply in accordance with a time period dictated by the “national authority” —which doesn’t exist at this point in time.

What’s next for digital marketing and data privacy laws?

CCPA, GDPR, and LGPD all share similarities, but they also share some significant differences. Privacy laws will continue to roll out in different territories, and it’s important for marketers to keep up with what impact current and future legislation has on their campaigns, communications, email marketing, and other activities.

For more information about how data privacy laws will affect digital marketers, check out: