Tags: LGPD, GDPR, US Privacy Laws, Multi-Regulation

Navigating Multiple Privacy Frameworks: LGPD, GDPR, and US State Laws

Author: Jerisaliant

The Multi-Regulation Compliance Challenge

Global businesses now face a patchwork of overlapping privacy regulations. GDPR covers the EU/EEA, LGPD governs Brazil, and 20 US states have enacted comprehensive privacy laws (Bloomberg Law, April 2025). Each law has distinct requirements for consent mechanisms, user rights, enforcement, and penalties. Operating under a single, one-size-fits-all consent approach is no longer viable.

GDPR: The Gold Standard for Opt-In

GDPR, together with the ePrivacy Directive's cookie rule, requires prior, informed and unambiguous consent before non-essential cookies or trackers are set (the stricter "explicit" consent standard applies to special-category data under Article 9). Key requirements:

  • Consent must be freely given, specific, informed, and unambiguous.
  • Pre-ticked boxes are prohibited.
  • Rejection must be as easy as acceptance.
  • Consent can be withdrawn at any time.
  • Controllers must demonstrate proof of consent (Article 7).

With EUR 5.88 billion in total fines since 2018, GDPR enforcement is robust and increasing.

LGPD: Brazil's Privacy Framework

Brazil's Lei Geral de Protecao de Dados (LGPD) shares many principles with GDPR but has important differences:

  • Legal bases: LGPD defines 10 legal bases for processing (compared to GDPR's 6), including credit protection and health protection in emergencies.
  • Consent requirements: Must be free, informed, and unambiguous, presented in a prominent manner.
  • DPO requirement: Every controller must appoint an encarregado (DPO), regardless of size or processing volume, which is broader than GDPR's conditional requirement; the ANPD has since exempted small-scale processing agents by regulation, so check the current rules for your organisation.
  • Enforcement: The ANPD (Autoridade Nacional de Protecao de Dados) can impose fines of up to 2% of the entity's revenue in Brazil for the previous fiscal year, capped at BRL 50 million (roughly USD 10 million) per infraction.
  • Language: Consent notices must be in Portuguese for Brazilian users.

US State Privacy Laws: A Fragmented Landscape

The US lacks a federal privacy law, resulting in a state-by-state patchwork:

  • California (CCPA/CPRA): Opt-out model with "Do Not Sell or Share" requirement and Global Privacy Control (GPC) support.
  • Virginia (VCDPA): Opt-out for targeted advertising and sale of personal data; opt-in for sensitive data.
  • Colorado (CPA): Universal opt-out mechanism recognition required.
  • Connecticut (CTDPA): Similar to Virginia with additional provisions for children's data.
  • Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, Florida, New Hampshire, New Jersey, Kentucky, Nebraska, Maryland, Minnesota, and others: Each with varying effective dates and specific requirements.

Unified vs. Separate Consent Banners

Two approaches exist for multi-regulation consent:

Unified Banner (Highest Common Denominator)

Apply GDPR-level opt-in consent everywhere. Pros: one flow to build and test; nothing non-essential runs without consent in any region. Cons: lower opt-in rates in regions that only require opt-out, and consent friction in markets where no law requires a banner at all.

Jurisdiction-Specific Banners

Use geolocation to serve the banner the visitor's region requires. Pros: the right mechanism per region (opt-in where required, opt-out elsewhere) and higher consent rates. Cons: more configuration and testing, and a routing error (inaccurate IP geolocation, VPN exits, an unmapped new law) silently breaks compliance, so the flow should fall back to the strictest banner whenever the location is uncertain.

Practical Harmonization Strategy

  1. Map your jurisdictions: Identify where your users are and which laws apply.
  2. Define jurisdiction groups: Group similar regulations (e.g., EU/EEA as one group, US opt-out states as another).
  3. Configure region-specific consent flows: Use geolocation-based audience logic to serve the appropriate banner.
  4. Maintain unified records: Store consent records in a single system regardless of jurisdiction, each carrying the region, the regime applied, the banner and policy version shown, and a timestamp, so that consent can be demonstrated later (GDPR Article 7) and withdrawals are recorded as new events rather than edits.
  5. Review quarterly: New laws take effect regularly; update rules accordingly.
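The routing and record-keeping in steps 2 to 4, as an added example in JavaScript (the language a consent banner runs in). This is not code from the page or from Jerisaliant. It assumes regions arrive as ISO 3166-1 alpha-2 country codes with US states written as "US-XX", that the Global Privacy Control signal is read from navigator.globalPrivacyControl in the browser or the Sec-GPC request header on the server, and that the group tables are illustrative placeholders to be replaced by your own step-1 jurisdiction map, not a legal determination.

```javascript
// Added example, not from the original page or the Jerisaliant product.
// Assumptions: ISO 3166-1 alpha-2 country codes, US states as "US-XX";
// group tables are illustrative and must be filled from your own map.

const PURPOSES = ["analytics", "targetedAdvertising", "saleOrShare"];

// Step 2: jurisdiction groups. EU/EEA member states (GDPR) form one group.
const EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "IS", "LI", "NO",
]);
// US opt-out states named on the page, grouped together (constructed list).
const US_OPT_OUT = new Set([
  "US-CA", "US-VA", "US-CO", "US-CT", "US-TX", "US-OR", "US-MT", "US-DE", "US-IA",
  "US-TN", "US-IN", "US-FL", "US-NH", "US-NJ", "US-KY", "US-NE", "US-MD", "US-MN",
]);
// States the page names as requiring a universal opt-out signal (GPC). Honoring
// GPC in every opt-out state is the simpler, safer choice; the flag only shows
// how a per-state difference is carried through the routing.
const GPC_REQUIRED = new Set(["US-CA", "US-CO"]);

// Step 3: map a visitor's region to a regulation group and consent regime.
function resolveRegime(region, fallback = "opt-in") {
  const country = region.slice(0, 2);
  if (EEA.has(country)) {
    return { group: "EEA", law: "GDPR", regime: "opt-in", language: null };
  }
  if (country === "BR") {
    // LGPD: opt-in, and the page requires Portuguese notices for Brazilian users.
    return { group: "BR", law: "LGPD", regime: "opt-in", language: "pt-BR" };
  }
  if (US_OPT_OUT.has(region)) {
    return {
      group: "US-OPT-OUT", law: region === "US-CA" ? "CCPA/CPRA" : "state law",
      regime: "opt-out", language: null, honorsGpc: GPC_REQUIRED.has(region),
    };
  }
  // Unknown or unmapped location (including failed geolocation): fall back to
  // the strictest regime so a routing error never silently removes the banner.
  return { group: "DEFAULT", law: null, regime: fallback, language: null, honorsGpc: true };
}

// Read the GPC signal from either a browser context or a server request.
function readGpc(ctx) {
  if (ctx.navigator && ctx.navigator.globalPrivacyControl === true) return true;
  const header = ctx.headers && (ctx.headers["sec-gpc"] ?? ctx.headers["Sec-GPC"]);
  return header === "1";
}

// Initial state before the visitor has touched the banner.
function initialConsentState(regime, signals = {}) {
  if (regime.regime === "opt-in") {
    // GDPR/LGPD: nothing non-essential runs until the user actively agrees.
    return { method: "default", purposes: Object.fromEntries(PURPOSES.map((p) => [p, false])) };
  }
  // Opt-out: processing may proceed, but a GPC signal is treated as an opt-out
  // of sale/share and targeted advertising where the routing says to honor it.
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, true]));
  if (signals.gpc && regime.honorsGpc) {
    purposes.targetedAdvertising = false;
    purposes.saleOrShare = false;
    return { method: "gpc", purposes };
  }
  return { method: "default", purposes };
}

// A banner decision overrides the default or signal-derived state. Only known
// purposes are copied, so a malformed payload cannot grant anything extra.
function applyChoice(state, choice) {
  const purposes = { ...state.purposes };
  for (const p of PURPOSES) if (p in choice) purposes[p] = Boolean(choice[p]);
  return { method: "banner", purposes };
}

// Withdrawal (GDPR Article 7(3)) is its own event; the prior record is never edited.
function withdrawConsent() {
  return { method: "withdrawal", purposes: Object.fromEntries(PURPOSES.map((p) => [p, false])) };
}

// Step 4: one record shape for every jurisdiction. bannerId and policyVersion
// tie the record to exactly what the visitor saw, which is the Article 7 proof.
function buildConsentRecord({ region, regime, state, policyVersion, bannerId, at }) {
  return {
    region, group: regime.group, law: regime.law, regime: regime.regime,
    language: regime.language, method: state.method, purposes: { ...state.purposes },
    policyVersion, bannerId, recordedAt: (at ?? new Date()).toISOString(),
  };
}

module.exports = { resolveRegime, readGpc, initialConsentState, applyChoice, withdrawConsent, buildConsentRecord };
```

The fallback regime defaults to opt-in so that an unknown region, a VPN exit or a geolocation failure lands on the strictest banner rather than on none. Every decision (default, GPC, banner click, withdrawal) produces a fresh record with the banner and policy version attached, so the sequence of events remains demonstrable without editing history.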

Jerisaliant supports all major privacy frameworks with built-in jurisdiction mapping, automatic geolocation routing, and regulation-specific consent templates.

Ensure Multi-Regulation Compliance Today

Ready to make your business compliant? Run a free gap assessment or talk to our experts.