What It Is

California Consumer Privacy Act (CCPA), as amended by CPRA, is a state regulation establishing consumer privacy rights for California residents. It applies extraterritorially to for-profit businesses meeting thresholds like $25M revenue or handling data of 100K+ consumers/devices. Primary purpose: empower consumers with control over personal information (PI) via rights-based approach, including opt-out of sales/sharing and limits on sensitive PI.

Key Components

• Core consumer rights: know/access, delete, opt-out sale/share, correct, limit sensitive PI use, non-discrimination.
• Obligations: notices at collection, privacy policies, DSAR handling within 45 days, vendor contracts, GPC honoring.
• Enforcement by CPPA and AG with fines up to $7,500/violation; private action for breaches.
• No certification; compliance via documented practices.

Why Organizations Use It

Mandatory for qualifying businesses to avoid fines, litigation, reputational harm. Provides data governance, efficiency, trust-building, GDPR alignment, market differentiation.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, audits. Targets data-heavy industries globally; cross-functional, tech-intensive for enterprises.

What It Is

LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is Brazil's comprehensive data protection regulation. It safeguards personal data of natural persons with extraterritorial scope, applying to any processing targeting Brazilian residents. Modeled on GDPR but with Brazilian adaptations, it uses a risk-based approach emphasizing accountability and data minimization.

Key Components

• 10 core principles (purpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability).
• Data subject rights (access, correction, deletion, portability, objection to automated decisions).
• Legal bases for processing (10 options including consent, legitimate interests).
• Governance via mandatory DPO for controllers, DPIAs for high-risk activities, enforced by ANPD with graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

• Legal compliance mandatory for entities processing Brazilian data.
• Mitigates fines, reputational damage, operational disruptions.
• Builds trust, enables market access in Brazil's digital economy.
• Enhances security, supports innovation via anonymization exemptions.

Implementation Overview

Phased approach: governance setup, data mapping/RoPA, policies, technical controls, DSR/incident processes, monitoring. Applies to all sizes/industries with Brazilian nexus; no certification but ANPD audits/enforcement.