Data Privacy Across Regions: CCPA, PDPA, LGPD & PIPEDA Compared

Side-by-side comparison of five major global privacy laws including GDPR, CCPA, PDPA, LGPD, and PIPEDA covering scope, consent, rights, and penalties.

ECOSIRE Research and Development Team

15 March 2026 · 11 min read · 2.5k words

This article is currently available in English only; a translation is coming soon.

Part of the Compliance & Regulation series


Over 140 countries now have data privacy legislation, and the pace of new regulation is accelerating. For any business operating across borders --- which in eCommerce means virtually every business --- navigating this patchwork of privacy laws is one of the most complex compliance challenges in 2026.

The fundamental question is not whether you need to comply with multiple privacy laws. If you have a website accessible from multiple countries, you almost certainly do. The question is how to build a unified privacy program that satisfies all of them without maintaining separate compliance tracks for each jurisdiction.

Key Takeaways

  • GDPR remains the global benchmark, and compliance with GDPR provides 70-80% coverage for most other privacy laws
  • CCPA/CPRA is the strictest US privacy law but takes a fundamentally different approach from GDPR, focusing on opt-out rather than opt-in
  • Cross-border data transfers require specific legal mechanisms (SCCs, BCRs, adequacy decisions) under most privacy laws
  • A "highest common denominator" approach --- designing for the strictest requirements --- is more efficient than per-jurisdiction compliance

The Five Major Privacy Laws

Privacy Law Comparison Matrix

| Dimension | GDPR (EU) | CCPA/CPRA (California) | LGPD (Brazil) | PDPA (Thailand) | PIPEDA (Canada) |
|-----------|-----------|------------------------|---------------|-----------------|-----------------|
| Effective date | May 2018 | Jan 2020 (CPRA amendments: Jan 2023) | Sep 2020 | Jun 2022 | Assented Apr 2000; breach-reporting rules in force Nov 2018 |
| Scope | EU resident data | CA resident data; for-profit businesses over ~$25M revenue or handling 100K+ consumers/households | Brazilian resident data | Thai resident data | Personal data handled in the course of commercial activity |
| Extraterritorial | Yes | Yes (any business doing business in CA) | Yes | Yes | Yes (limited) |
| Legal basis required | Yes (6 bases) | No (opt-out model) | Yes (10 bases) | Yes (consent plus other bases) | Yes (knowledge and consent) |
| Consent model | Opt-in | Opt-out | Opt-in (mostly) | Opt-in | Opt-in (implied consent allowed) |
| Right to access | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes | Yes (limited) |
| Right to portability | Yes | Yes (limited) | Yes | Yes | No |
| Right to opt out of sale | N/A (different framework) | Yes (core right) | N/A | N/A | N/A |
| DPO required | Conditional | No | Yes (ANPD exempts small-scale processing agents) | Conditional | Yes (designated accountable individual) |
| Breach notification | 72 hours to the supervisory authority | "Without unreasonable delay" (California breach statute, not CCPA itself) | "Reasonable time" (ANPD regulation: 3 working days) | 72 hours | "As soon as feasible" |
| Max penalty | EUR 20M or 4% of global turnover | $7,500 per intentional violation | 2% of Brazil revenue (BRL 50M cap per violation) | THB 5M (~$140K) | CAD 100K per violation |
| Enforcement body | National DPAs | California Privacy Protection Agency (alongside the CA Attorney General) | ANPD | PDPC | OPC |


GDPR: The Global Standard

The EU's General Data Protection Regulation remains the most comprehensive and strictly enforced privacy law in the world. Its influence extends far beyond Europe --- most subsequent privacy laws are modeled on GDPR principles.

Key GDPR Characteristics

Broad definition of personal data. Any information relating to an identified or identifiable natural person, including IP addresses, device identifiers, and cookie data.

Six legal bases for processing. Consent, contract, legal obligation, vital interests, public task, or legitimate interest. Each processing activity must have a documented legal basis.

Strong data subject rights. Access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

Strict consent requirements. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent are invalid.

Data Protection Impact Assessments. Required for high-risk processing activities (profiling, large-scale monitoring, sensitive data processing).

For a detailed implementation guide, see our GDPR implementation guide for eCommerce and ERP.


CCPA/CPRA: The American Approach

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most significant privacy law in the United States. It takes a fundamentally different approach from GDPR.

Key Differences from GDPR

Opt-out vs. opt-in. CCPA does not require consent to collect and process personal information. Instead, it gives consumers the right to opt out of the sale or sharing of their data. This is a philosophical inversion from GDPR.

"Sale" and "sharing" are broadly defined. Under CCPA, "sale" covers disclosing personal information to a third party for monetary or other valuable consideration; CPRA added "sharing," which covers disclosure for cross-context behavioral advertising even when no money changes hands. Together these capture many advertising and analytics arrangements that companies do not think of as "sales."

Threshold applicability. CCPA applies to for-profit businesses that meet any one of three thresholds: annual gross revenue over $25 million (inflation-adjusted), buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.

Private right of action. Unlike GDPR, CCPA lets consumers sue directly when a failure to maintain reasonable security leads to a breach of unencrypted and non-redacted personal information, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

CPRA Enhancements (2023)

CPRA strengthened CCPA significantly:

  • Created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body
  • Added the right to correct inaccurate personal information
  • Added the right to limit use of sensitive personal information
  • Extended data minimization and purpose limitation requirements
  • Added requirements for data processing agreements with service providers

Compliance Requirements

| Requirement | Details |
|-------------|---------|
| Privacy policy | Must disclose categories of PI collected, purposes, retention, third-party sharing, and consumer rights |
| "Do Not Sell or Share My Personal Information" link | Prominent link on the homepage for the opt-out; opt-out preference signals such as Global Privacy Control must also be honored |
| Authorized agent requests | Must accept requests from authorized agents acting on behalf of consumers |
| Verification process | Must verify consumer identity before fulfilling requests |
| Non-discrimination | Cannot discriminate against consumers who exercise their rights |
| Service provider agreements | Written agreements with all service providers and contractors receiving PI |
| 12-month lookback | Access requests cover at least the preceding 12 months of data |


LGPD: Brazil's GDPR-Inspired Framework

Brazil's Lei Geral de Proteção de Dados (LGPD) is heavily modeled on GDPR but includes elements adapted to Brazil's legal and business environment.

Key LGPD Characteristics

Ten legal bases. LGPD provides ten legal bases for processing (compared to GDPR's six), including credit protection, health protection, and the protection of life. This gives businesses more flexibility in justifying data processing.

DPO is mandatory by default. Unlike GDPR (which requires a DPO only in specific circumstances), LGPD requires data controllers to appoint a Data Protection Officer (the "Encarregado"). ANPD regulations exempt small-scale processing agents, so the duty is near-universal rather than absolute.

International data transfers. LGPD allows cross-border transfers when the receiving country provides adequate protection, under standard contractual clauses, or with specific consent from the data subject.

ANPD enforcement. Brazil's Autoridade Nacional de Proteção de Dados (ANPD) has been actively issuing guidance and is ramping up enforcement. Penalties can reach 2% of the organization's revenue in Brazil (capped at BRL 50 million per violation).

LGPD vs. GDPR Differences

| Aspect | LGPD | GDPR |
|--------|------|------|
| Legal bases | 10 | 6 |
| DPO required | By default (small-scale exemptions) | Conditional |
| Penalty cap | 2% revenue / BRL 50M | 4% global revenue / EUR 20M |
| Breach notification | "Reasonable time" (ANPD: 3 working days) | 72 hours |
| Automated decision rights | Yes (similar to GDPR) | Yes (Art. 22) |
| Data portability | Yes | Yes |
| Legitimate interest | Yes (requires LIA) | Yes (requires LIA) |


PDPA: Thailand's Emerging Framework

Thailand's Personal Data Protection Act (PDPA), fully effective since June 2022, governs the collection, use, and disclosure of personal data in Thailand. It is one of the most significant privacy laws in Southeast Asia.

Key PDPA Characteristics

Consent-centric. PDPA requires explicit consent for the collection, use, and disclosure of personal data unless a specific exemption applies (contractual necessity, legitimate interest, legal obligation, vital interest, public interest, or research).

Sensitive data categories. PDPA defines sensitive personal data similarly to GDPR: racial/ethnic origin, political opinions, religious beliefs, criminal records, health data, disability, trade union membership, genetic data, biometric data, and sexual orientation.

Cross-border transfer restrictions. Data transfers to foreign countries are permitted only if the destination country has adequate data protection standards, the transfer is under appropriate safeguards, or the data subject has given explicit consent.

Penalties. Administrative fines up to THB 5 million (~$140,000), plus criminal penalties of up to one year imprisonment for certain violations. While the monetary penalties are lower than GDPR, the criminal provisions are notable.


PIPEDA: Canada's Balanced Approach

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) takes a principles-based approach that has influenced privacy legislation globally.

Key PIPEDA Characteristics

10 fair information principles. PIPEDA is built on ten principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Implied consent allowed. Unlike GDPR, PIPEDA allows implied consent for non-sensitive information in certain contexts. This provides more operational flexibility while still protecting individuals.

Commercial activity focus. PIPEDA applies to personal information collected, used, or disclosed in the course of commercial activity. It does not apply to non-commercial organizations, federal government institutions (covered by the Privacy Act), or provincially regulated activity in provinces with substantially similar legislation (Alberta, BC, Quebec).

Adequacy status. The EU has granted Canada a partial adequacy decision under GDPR, meaning personal data can flow from the EU to Canada under PIPEDA-covered commercial activities without additional safeguards.

Bill C-27 and the Consumer Privacy Protection Act

Canada attempted to modernize its private-sector privacy framework through Bill C-27, which would have replaced the private-sector provisions of PIPEDA with the Consumer Privacy Protection Act (CPPA). The bill died on the order paper when Parliament was prorogued in January 2025, but its proposals indicate the direction of Canadian reform:

  • Fines up to 5% of global revenue or CAD 25 million (whichever is greater)
  • Private right of action for privacy violations
  • Strengthened consent requirements
  • Algorithmic transparency requirements
  • New provisions for minors' data

Building a Unified Privacy Program

Rather than building separate compliance programs for each jurisdiction, the most efficient approach is a unified privacy program designed to the highest common denominator.

The Highest Common Denominator Strategy

| Requirement | Strictest Standard | Apply Globally |
|-------------|--------------------|----------------|
| Consent | GDPR (unambiguous opt-in; explicit for special-category data) | Implement opt-in consent for all users |
| Right to delete | GDPR (broad right) | Honor deletion requests regardless of jurisdiction |
| Breach notification | GDPR (72 hours) | Aim for 72-hour regulator notification globally |
| Data minimization | GDPR/CPRA (purpose limitation) | Collect only what is needed everywhere |
| DPO appointment | LGPD (required by default) | Appoint a DPO for all operations |
| Privacy policy | CCPA (most detailed disclosure requirements) | Include all CCPA-required disclosures for all users |
| Data transfers | GDPR (SCCs/adequacy) | Use SCC-type contractual safeguards for every cross-border transfer and document the mechanism |

Designing to the strictest standard sets a floor; it does not remove jurisdiction-specific mechanics. A CCPA "Do Not Sell or Share" link and support for opt-out preference signals are still required even for users who are opt-in by default, and a 72-hour target must still be mapped to each regulator's own clock and reporting form.

Implementation Architecture

  1. Single privacy policy with jurisdiction-specific sections where requirements diverge (e.g., CCPA "Do Not Sell" rights)
  2. Unified consent management platform that captures granular consent with jurisdiction tagging
  3. Centralized DSAR workflow that handles access, deletion, correction, and portability requests from any jurisdiction
  4. Single data map that documents processing activities, legal bases, retention periods, and cross-border transfers
  5. Regional-aware data storage that respects data residency requirements where applicable
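As an added example (not code from the article or from ECOSIRE), the Python below sketches the consent-management and DSAR pieces of items 2 and 3: an append-only consent ledger in which every event is tagged with the subject's jurisdiction, a decision function that applies the "highest common denominator" rule (everyone is opt-in; a CCPA-style opt-out of sale/sharing is honoured globally; a grant is accepted only when it is an affirmative, purpose-specific act), and an export that answers an access or portability request. The purpose taxonomy, jurisdiction codes, record layout, and sample events are assumptions constructed for illustration.

```python
"""Unified consent ledger with jurisdiction tagging (illustrative, not production code).

Assumptions not taken from the article: purpose names, jurisdiction codes,
the event layout, and the constructed sample events in demo().
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Literal

Action = Literal["grant", "withdraw", "opt_out_sale", "opt_in_sale"]

# Hypothetical taxonomy: purposes that a CCPA/CPRA "sale or sharing" opt-out
# must switch off. Under the global opt-in policy, every purpose is consent-gated.
SALE_OR_SHARE_PURPOSES = frozenset({"ad_targeting", "data_broker_share"})


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    action: Action
    purpose: str | None          # None only for sale opt-out / opt-in events
    jurisdiction: str            # assumed codes, e.g. "EU", "US-CA", "BR", "TH", "CA"
    timestamp: datetime
    affirmative: bool = False    # True only for a deliberate act (box ticked, button pressed)
    evidence: str = ""           # form id / UI version shown at the time, kept for audit


class ConsentLedger:
    """Append-only: nothing is edited, the newest event for a (subject, purpose) wins."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        # GDPR-style validity checks: consent must be specific and an affirmative act.
        if ev.action in ("grant", "withdraw") and not ev.purpose:
            raise ValueError("grant/withdraw must name exactly one purpose")
        if ev.action == "grant":
            if not ev.affirmative:
                raise ValueError("consent must be an affirmative act; pre-ticked boxes are invalid")
            if any(sep in ev.purpose for sep in (",", ";", "+")):
                raise ValueError("consent must be specific; bundled purposes are invalid")
        if ev.action in ("opt_out_sale", "opt_in_sale") and ev.purpose is not None:
            raise ValueError("sale opt-out/opt-in applies to all sale purposes, not one")
        self._events.append(ev)

    def _latest(self, subject_id: str, actions: tuple[Action, ...],
                purpose: str | None) -> ConsentEvent | None:
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.action in actions and e.purpose == purpose]
        return max(hits, key=lambda e: e.timestamp, default=None)

    def may_process(self, subject_id: str, purpose: str) -> tuple[bool, str]:
        """Return (allowed, reason). Opt-in everywhere; CCPA opt-out honoured everywhere."""
        last = self._latest(subject_id, ("grant", "withdraw"), purpose)
        if last is None or last.action == "withdraw":
            return False, f"no valid consent on record for {purpose!r}"
        if purpose in SALE_OR_SHARE_PURPOSES:
            # Strict reading: once a subject opts out of sale/sharing, only an explicit
            # opt-in re-enables those purposes, whatever jurisdiction the subject is in.
            sale = self._latest(subject_id, ("opt_out_sale", "opt_in_sale"), None)
            if sale is not None and sale.action == "opt_out_sale":
                return False, "opt-out of sale/sharing honoured globally"
        return True, f"consent granted {last.timestamp.isoformat()} ({last.jurisdiction}, {last.evidence})"

    def export_for_subject(self, subject_id: str) -> list[dict]:
        """Machine-readable history for an access or portability request."""
        return [asdict(e) | {"timestamp": e.timestamp.isoformat()}
                for e in self._events if e.subject_id == subject_id]


def _rejected(ledger: ConsentLedger, ev: ConsentEvent) -> bool:
    """True if the ledger refuses the event as invalid consent."""
    try:
        ledger.record(ev)
    except ValueError:
        return True
    return False


def demo() -> dict[str, object]:
    """Constructed sample events (not real data) exercising the policy."""
    def at(hour: int) -> datetime:
        return datetime(2026, 3, 15, hour, tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u-br", "grant", "personalisation", "BR", at(8), True, "signup-v7"))
    ledger.record(ConsentEvent("u-eu", "grant", "marketing_email", "EU", at(9), True, "signup-v7"))
    ledger.record(ConsentEvent("u-ca", "grant", "ad_targeting", "US-CA", at(10), True, "banner-v3"))
    ledger.record(ConsentEvent("u-ca", "opt_out_sale", None, "US-CA", at(11), evidence="gpc-signal"))
    ledger.record(ConsentEvent("u-eu", "withdraw", "marketing_email", "EU", at(12), evidence="prefs-page"))
    return {
        "br_personalisation": ledger.may_process("u-br", "personalisation"),
        "eu_marketing_after_withdraw": ledger.may_process("u-eu", "marketing_email"),
        "ca_ad_targeting_after_opt_out": ledger.may_process("u-ca", "ad_targeting"),
        "ca_analytics_no_consent": ledger.may_process("u-ca", "analytics"),
        "pre_ticked_rejected": _rejected(ledger, ConsentEvent("u-th", "grant", "analytics", "TH", at(13))),
        "bundled_rejected": _rejected(ledger, ConsentEvent(
            "u-th", "grant", "analytics,marketing_email", "TH", at(13), True, "form-v1")),
        "ca_export_events": len(ledger.export_for_subject("u-ca")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger never deletes or overwrites: withdrawal and opt-out are new events, so the record of what the subject was shown and when they acted survives for the regulator. The CCPA user's earlier grant for `ad_targeting` is blocked by the later opt-out, and the Thai user's analytics consent is refused twice, once because the box was pre-ticked and once because two purposes were bundled into one record.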

For guidance on how privacy laws fit into a broader compliance framework, see our enterprise compliance handbook.


Cross-Border Data Transfers

One of the most complex aspects of multi-jurisdictional privacy compliance is moving personal data across borders.

Transfer Mechanisms by Regulation

| Mechanism | GDPR | CCPA | LGPD | PDPA | PIPEDA |
|-----------|------|------|------|------|--------|
| Adequacy decision | Yes | N/A | Yes | Yes | Partial (EU→CA inbound, under GDPR) |
| Standard contractual clauses | Yes (EU SCCs) | N/A | Yes (ANPD-approved SCCs) | Yes | N/A (contractual safeguards under the accountability principle) |
| Binding corporate rules | Yes | N/A | Yes (global corporate rules) | Yes (PDPC-approved intra-group policy) | N/A |
| Explicit consent | Yes (limited derogation) | N/A | Yes | Yes | Yes |
| Contractual necessity | Yes (derogation) | N/A | Yes | Yes | Yes |

CCPA regulates what a business may disclose and to whom, not where the data is stored, which is why it has no transfer mechanisms of its own.

Practical Recommendations

  • Use Standard Contractual Clauses (SCCs) as your default mechanism for EU data transfers
  • Monitor adequacy decisions --- the EU-US Data Privacy Framework provides a mechanism for transfers to certified US companies
  • Select cloud regions that align with your primary customer base to minimize cross-border transfer complexity
  • Document all cross-border transfers in your record of processing activities (ROPA), including the specific mechanism relied upon for each one

Frequently Asked Questions

Do I need to comply with CCPA if my business is not based in California?

Yes, if your business meets any of the three CCPA thresholds and collects personal information from California residents. The location of your business is irrelevant; what matters is whether you do business with California consumers. Given California's population of roughly 39 million and its role as a technology hub, many mid-sized and larger online businesses with US customers will meet the 100,000-consumer threshold.

Can I use the same privacy policy for all jurisdictions?

Yes, a unified privacy policy is the recommended approach. Structure it with a core section covering universal privacy practices and jurisdiction-specific addenda for CCPA rights, GDPR-specific information, and other regional requirements. This is simpler to maintain than separate policies and avoids conflicting statements.

How do privacy laws interact with payment security regulations like PCI-DSS?

Privacy laws and PCI-DSS are complementary. Payment card data is personal data under GDPR, CCPA, and most other privacy laws, so you must comply with both. PCI-DSS provides the technical security framework for card data, while privacy laws add requirements around consent, purpose limitation, data subject rights, and breach notification. See our PCI-DSS compliance guide for more on payment security.

What happens if privacy laws conflict?

Genuine conflicts are rare because most privacy laws share common principles. Where differences exist (e.g., CCPA's opt-out model vs. GDPR's opt-in model), apply the stricter standard. Treat the stricter standard as a floor rather than a substitute: GDPR-level opt-in consent satisfies CCPA's substantive rule of not selling or sharing without permission, but CCPA still imposes its own mechanics (the "Do Not Sell or Share" link, honoring opt-out preference signals, CCPA-specific notice content) that opt-in consent does not replace. The most common challenge is not conflicting requirements but differing levels of specificity and enforcement emphasis.

Is there a global privacy standard emerging?

Not yet in a formal sense, but GDPR has become the de facto global standard. The OECD Privacy Guidelines and the APEC Cross-Border Privacy Rules (CBPR) system provide multilateral frameworks, and the emerging Global CBPR Framework aims to create interoperability between regional privacy systems. In practice, designing for GDPR compliance provides 70-80% coverage for most other privacy laws.


What Is Next

The global privacy landscape will continue to evolve, with new laws emerging and existing laws being strengthened. Rather than chasing individual regulations, invest in a privacy-by-design approach that bakes data protection into your systems and processes from the start.

ECOSIRE helps businesses build privacy-compliant systems that work across jurisdictions. Our Odoo ERP implementations include built-in consent management, DSAR handling, and data retention automation. For AI-powered privacy compliance monitoring, explore our OpenClaw AI platform. Contact us to discuss your multi-jurisdictional privacy strategy.


Published by ECOSIRE — helping businesses scale with AI-powered solutions across Odoo ERP, Shopify eCommerce, and OpenClaw AI.

By

ECOSIRE Research and Development Team

Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, eCommerce automation, and AI-powered business solutions.