CCPA vs LGPD: California and Brazil Privacy Laws Compared
The CCPA and LGPD represent fundamentally different approaches to privacy regulation. The CCPA is an opt-out law that allows data collection by default and gives consumers the right to say no. The LGPD follows a consent-first model more similar to the GDPR, requiring a legal basis before processing personal data. They also differ in scope, penalties, and the rights granted to individuals.
| Feature | CCPA | LGPD |
|---|---|---|
| Geographic Scope | California, United States | Brazil (applies to processing of data of individuals in Brazil) |
| Who It Applies To | For-profit businesses meeting revenue, data volume, or data sale thresholds | Any organization processing personal data of individuals in Brazil, no minimum thresholds |
| Consent Requirements | Opt-out: data collection by default with right to opt out of sale | Consent-first: one of 10 legal bases required, consent most common |
| Cookie & Tracking Rules | No specific cookie law; sale via tracking triggers opt-out rights | No specific cookie law; consent principles apply to cookies and tracking |
| Individual Rights | Know, delete, opt-out of sale, non-discrimination | Access, correction, anonymization, deletion, portability, information on sharing, review of automated decisions |
| Maximum Penalties | $7,500 per intentional violation, $2,500 per unintentional violation | Up to 2% of revenue in Brazil, capped at BRL 50 million per infraction |
| Enforcement Body | California Attorney General and CPPA | ANPD (Autoridade Nacional de Proteção de Dados) |
Key Differences
The consent model is the most fundamental difference. The CCPA permits businesses to collect and use personal information by default, giving consumers the right to opt out of the sale of that information. The LGPD requires one of 10 legal bases before processing personal data, with consent being the most common. This means the LGPD requires affirmative permission in many cases where the CCPA would not.
Penalty structures differ significantly. CCPA fines are per-violation ($7,500 for intentional, $2,500 for unintentional), which can accumulate but tend to be predictable. LGPD penalties are percentage-based, up to 2% of the company's revenue in Brazil, capped at BRL 50 million per infraction. For companies with large Brazilian operations, LGPD fines can be substantial.
Scope also differs. The CCPA applies only to for-profit businesses meeting specific thresholds and only protects California residents. The LGPD applies to any organization processing personal data of individuals located in Brazil, regardless of where the organization is based and without revenue or data volume thresholds. This extraterritorial reach is similar to the GDPR.
How Pryvii Helps
Pryvii scans your website against both CCPA and LGPD requirements in a single pass. It checks for opt-out mechanisms needed under CCPA, consent mechanisms required by LGPD, and ensures your privacy policy addresses both frameworks. The multi-regulation report clearly highlights where your site falls short for each law.
Frequently Asked Questions
If I comply with the CCPA, am I also compliant with the LGPD?
No. The CCPA's opt-out model is fundamentally different from the LGPD's consent-first approach. CCPA compliance alone does not satisfy LGPD requirements. You would need to implement consent mechanisms, establish a legal basis for processing, and potentially appoint a DPO (encarregado) to comply with the LGPD.
Does the LGPD apply to my business if I am based in the United States?
Yes, if you process personal data of individuals located in Brazil. The LGPD has extraterritorial reach similar to the GDPR, applying regardless of where the processing organization is headquartered. If your website collects data from Brazilian visitors, the LGPD may apply.
Which law gives consumers more rights?
The LGPD provides a broader set of individual rights, including access, correction, anonymization, deletion, portability, information about third-party sharing, and the right to review automated decisions. The CCPA provides the rights to know, delete, opt out of sale, and non-discrimination. The LGPD's rights framework is more comprehensive.