GDPR vs CCPA vs LGPD: Global Privacy Law Comparison

GDPR, CCPA, and LGPD each protect personal data but differ significantly in scope, legal basis requirements, and enforcement mechanisms. GDPR applies to anyone processing EU resident data and requires a lawful basis before processing begins. CCPA targets for-profit businesses meeting California revenue or data volume thresholds and focuses on opt-out rights rather than upfront consent.

Consent models diverge sharply across all three frameworks. GDPR demands affirmative opt-in consent for most non-essential processing, while CCPA allows data collection by default and gives consumers the right to opt out of sales and sharing. LGPD sits between the two, recognizing ten distinct legal bases including consent, legitimate interest, and credit protection — a category unique to Brazilian law.

Penalties also vary in structure and magnitude. GDPR fines can reach 4% of global annual turnover or 20 million euros, whichever is higher. CCPA penalties max at $7,500 per intentional violation but allow private rights of action for data breaches. LGPD caps fines at 2% of revenue in Brazil up to 50 million BRL per infraction, with ANPD as the sole enforcement authority.

For businesses operating across all three jurisdictions, the practical approach is to build a baseline privacy framework around GDPR's stricter requirements, then layer in CCPA opt-out mechanisms and LGPD-specific legal bases. This avoids maintaining three separate compliance programs while meeting each law's minimum obligations.

International data transfers add another layer of complexity. GDPR requires adequacy decisions or Standard Contractual Clauses for transfers outside the EEA. LGPD follows a similar model with ANPD-approved transfer mechanisms. CCPA does not restrict cross-border transfers directly but requires disclosure of data sharing with third parties regardless of location.