Brazil LGPD LGPD vs CCPA

LGPD: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately.

CCPA: test its own scope boundary, exclusions, and covered activity; do not copy the LGPD conclusion without a separate source-linked finding.

Write two scope findings first: where LGPD applies, where CCPA applies, and which facts are outside one side even if evidence can be reused.

LGPD: identify the controller, operator, joint controllers, encarregado, public body, or service provider operating under LGPD instructions that owns the duty.

CCPA: assign the comparator duty to its own accountable actor and note when counterparties, subsidiaries, importers, providers, or customers differ.

Name each role separately because one entity can hold different obligations in different workflows.

LGPD: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim.

CCPA is triggered only by the facts named in its source, such as thresholds, regulated status, risk tier, designation, incident, market placement, certification need, or supervisory notice.

Start with the trigger so teams do not apply the wrong regime to the wrong facts.

LGPD requires data controllers to establish a legal basis for every processing activity, appoint a Data Protection Officer, conduct a data protection impact assessment for high-risk processing, respond to data subject requests within 15 days, and report security incidents to the ANPD and affected individuals.

CCPA requires businesses that meet the size or revenue thresholds to provide opt-out rights for sale of personal information, respond to consumer requests to know, delete, and correct within 45 days, post a conspicuous Privacy Policy, and avoid discriminating against consumers who exercise their rights.

Translate obligations into tickets, notices, records, controls, or contract terms.

LGPD: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts.

CCPA: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements.

Keep source links, factual analysis, owner approval, and implementation evidence together.

LGPD: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side.

CCPA: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream.

Use current source dates; do not reuse old project plans after amendments or guidance updates.

LGPD: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side.

CCPA: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs.

Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof.

LGPD: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note.

CCPA can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned.

Document overlap explicitly instead of merging both tests into one vague compliance label.

LGPD: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker.

CCPA: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints.

Choose one practical next step: proceed under LGPD, proceed under CCPA, run both in parallel, or document why neither side controls the present fact pattern.