Getting your privacy acronyms and their requirements rights: GDPR, CCPA, LGPD, PoPI

It’s not business as usual! The rise in data protection laws is impacting your digital marketing and online operations.

Kristina Podnar
September 14, 2018

It’s not business as usual! No doubt you have noticed that data protection laws are on the rise. If you want to build customer trust, avoid fines, lawsuits, and bad press, you are changing your approach to digital marketing and data collection. But do you understand the differences in the new laws? Here is a quick rundown of areas requiring your attention.

General Data Protection Regulation (GDPR)

As you may already know, GDPR came into effect on May 25, 2018, and caused a bit of a digital disruption around the globe. From nuisance emails asking prospects and existing customer to re-opt into privacy agreements to new cookie banner ads, there has been mass confusion around what marketers need to do and many stalled efforts to adopt the regulatory principles.  

GDPR is straightforward when you review the requirements, which fall across these ten categories:

  1. Accountability & governance
  2. Consent & processing
  3. Notifications (customers/internal)
  4. Data rights & procedures
  5. Records processing
  6. Privacy design
  7. Children’s online privacy
  8. Data breach notification
  9. Data localization
  10. Contracting & procurement

If you need a bit more GDPR insights, you can check out my short GDPR videos that explain the user rights.

The massive fines (€20 million or 4% of global revenues) and the startling realization that personal data belongs to an individual user and not the organization that collected the data are mostly to blame. After all, GDPR dictates a new online operating model, one that requires placement of a customer’s personal value and data protection above an organization’s product and pricing. While this is not a concept we have collectively been used to, I am finding that most organizations are reasonable and after the initial shock wore off, are settling well into developing their digital policy and GDPR roadmap, planning for adjustments over time, or the “GDPR journey” as I like to call it.

California Consumer Privacy Act (CCPA)

Coming into effect January 2020, the CCPA is very similar to the GDPR. The two regulations share commonalities such as:

  • The Right to Opt Out
  • The Right to Access
  • The Right to Delete
  • Opt-in for Children (Note that you have to ask children under the age of 16 for parental consent, but COPPA which applies to all US states takes precedence and sets the age of a child at 13 and under.)

Much like the GDPR, you don’t have to be a physical business in the area to be subject to CCPA compliance. You have to market to those in California or do business in the state. And while the penalties for non-compliance may seem different on the surface (CCPA calls for a US $7,500 fine per incident), they could add up to nearly the same. For example, a data breach involving 3,000 customers could end up costing a business US $22.5 million under CCPA.

The two regulations have different requirements, so it is worth delving into each. However, if you have been working on your GDPR compliance, you are likely to be well on your way to CCPA compliance as well. Need a hand deciphering the differences, get in touch, and I can give you a hand.

Brazil’s Data Protection Bill of Law (LGPD)

LGPD is Brazil’s version of the GDPR, and it heavily mirrors its EU counterpart. Commonalities include:

  • Establishment of a national data protection authority that will be responsible for regulating and enforcing data protection
  • Creation of a data protection officer (DPO) position by an organization
  • The requirement of legal basis (or explicit consent) for personal data processing
  • Notifications of the data breach to the data protection authority and data subjects
  • Restrictions upon data transfers
  • Creation of significant fines: 2% of gross country sales, limited to 50,000,000 Brazilian Real

Unlike the GDPR, the LGPD introduces specific requirements around the protection of health and credit of an individual. It also makes it clear that an individual waives the right to private data protection when the individual has made the data public.

If you have been preparing for the GDPR, you will find yourself well positioned for the LGPD. But make no mistake about it, these two regulations are not exact mirrors so you will need to spend some time understanding and preparing for the differences.

Protection of Personal Information Act (PoPI)

PoPI was initiated in 2005, and while its exact enforcement is a bit unclear, South African authorities have signaled an intent to begin handing out fines for non-compliance in the next two years. The law mirrors the GDPR requirements in some ways, namely:

  • Personal information must be obtained in a lawful and fair manner, i.e., legitimate basis or consent must be present
  • Limiting the processing of personal information for any other reason except the one for which it was originally collected
  • Ensuring that information is appropriately protected and data breach notifications are required
  • The data controller is accountable for data processor activities

The PoPI fines are less compared to GDPR: 10 million South African Rand or about $650,000. Unlike the GDPR, the law allows the issuance of a prison term for officers of non-compliant organizations and authorizes a civil action to be initiated by the protection agency on behalf of an individual data owner.


When creating your data privacy program and adjusting your digital marketing efforts, use GDPR as a benchmark but account for other data protection and privacy laws, including CCPA, LGPD, and PoPI. If you only have a handful of customers or partners in a country with data protection and privacy laws, ask yourself if the relationship is worth the time and resources it will take to become and stay compliant.

On the other hand, these data privacy laws are only the start of digital regulations that is a growing global trend. And having a comprehensive digital policy along with a roadmap to compliance can go a long way toward maximizing the opportunities and minimizing the risks of running a business in the digital age of privacy laws. The bottom line is that only you can ensure the right level of compliance – and that starts with knowing the acronyms and their requirements.

Related industries:
Related functions: