Getting your privacy acronyms and their requirements rights: GDPR, CCPA, LGPD, PoPI

General Data Protection Regulation (GDPR)

As you may already know, GDPR came into effect on May 25, 2018, and caused a bit of a digital disruption around the globe. From nuisance emails asking prospects and existing customer to re-opt into privacy agreements to new cookie banner ads, there has been mass confusion around what marketers need to do and many stalled efforts to adopt the regulatory principles.

  1. Accountability & governance
  2. Consent & processing
  3. Notifications (customers/internal)
  4. Data rights & procedures
  5. Records processing
  6. Privacy design
  7. Children’s online privacy
  8. Data breach notification
  9. Data localization
  10. Contracting & procurement

California Consumer Privacy Act (CCPA)

Coming into effect January 2020, the CCPA is very similar to the GDPR. The two regulations share commonalities such as:

  • The Right to Opt Out
  • The Right to Access
  • The Right to Delete
  • Opt-in for Children (Note that you have to ask children under the age of 16 for parental consent, but COPPA which applies to all US states takes precedence and sets the age of a child at 13 and under.)

Brazil’s Data Protection Bill of Law (LGPD)

LGPD is Brazil’s version of the GDPR, and it heavily mirrors its EU counterpart. Commonalities include:

  • Establishment of a national data protection authority that will be responsible for regulating and enforcing data protection
  • Creation of a data protection officer (DPO) position by an organization
  • The requirement of legal basis (or explicit consent) for personal data processing
  • Notifications of the data breach to the data protection authority and data subjects
  • Restrictions upon data transfers
  • Creation of significant fines: 2% of gross country sales, limited to 50,000,000 Brazilian Real

Protection of Personal Information Act (PoPI)

PoPI was initiated in 2005, and while its exact enforcement is a bit unclear, South African authorities have signaled an intent to begin handing out fines for non-compliance in the next two years. The law mirrors the GDPR requirements in some ways, namely:

  • Personal information must be obtained in a lawful and fair manner, i.e., legitimate basis or consent must be present
  • Limiting the processing of personal information for any other reason except the one for which it was originally collected
  • Ensuring that information is appropriately protected and data breach notifications are required
  • The data controller is accountable for data processor activities


When creating your data privacy program and adjusting your digital marketing efforts, use GDPR as a benchmark but account for other data protection and privacy laws, including CCPA, LGPD, and PoPI. If you only have a handful of customers or partners in a country with data protection and privacy laws, ask yourself if the relationship is worth the time and resources it will take to become and stay compliant.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kristina Podnar

Kristina Podnar


Digital policy innovator, helping organizations see policies as opportunities to free the organization from uncertainty, risk, internal chaos.