Compliance USA
Sectoral & state model (HIPAA · GLBA · CCPA/CPRA)
Harmonized analysis of data governance and protection in the United States, from our Legal Department's perspective and the LGPD matrix.
CHAPTER I: INTRODUCTION TO THE FRAGMENTED (PATCHWORK) MODEL
Unlike the Brazilian legal system, which centralizes data protection in the General Data Protection Law (LGPD) at the national level, the United States of America does not have a single, unified federal law regulating the subject across all industries and economic sectors.
The U.S. landscape is structured through a decentralized, fragmented ecosystem, split between sector-specific federal rules and general rules under the jurisdiction of the federated states. From the standpoint of a Legal Department focused on mitigating international compliance risks, operations require detailed geographic and sectoral mapping to avoid sanctions and regulatory incidents.
CHAPTER II: FEDERAL SPHERE
At the U.S. federal level, regulation is limited and oriented strictly to the line of business or the nature of the commercial activity. Companies that do not fall within specific sectoral criteria are subject only to generic consumer-protection guidelines (such as Federal Trade Commission (FTC) enforcement against deceptive practices).
Below are the main statutes in force in this sphere, framed in terms of data compliance:
HIPAA: Strictly regulates the handling of health data, medical records and related information. Under the LGPD lens, it corresponds to the rigorous protection of sensitive personal data (Art. 5, II, of Law 13.709/18).
GLBA: Regulates the financial, credit and banking markets. It requires administrative and technical safeguards for the security of consumers' private financial data.
COPPA: A rule aimed strictly at protecting the privacy of children online (under 13). It is strongly aligned with Art. 14 of the LGPD, requiring specific, prominent and unequivocal consent from a parent or legal guardian before collection.
CHAPTER III: STATE SPHERE
In the absence of a general federal law, the states have taken the regulatory lead, enacting robust and independent data-privacy rules. This creates a highly complex operational environment for corporations transacting data across different state borders.
CCPA/CPRA (California): A globally referenced state law, closely aligned with the principles of the LGPD and the European GDPR. It grants California residents fundamental rights such as the right to access collected information, the right to delete records, and the right to opt out of the sale or sharing of personal data (Do Not Sell My Personal Information).
Other states (20+): States that have enacted their own privacy laws, imposing distinct corporate obligations regarding data protection impact reports and information-security governance.
CHAPTER IV: MUNICIPAL SPHERE
Strictly local or municipal regulation in the U.S. plays a residual or subsidiary role. Cities and counties have autonomy to create specific ordinances — often focused on limiting surveillance technologies, facial recognition by private entities or cybersecurity in local public contracts. For general compliance, the Legal Department should treat municipal rules as additional layers of protection, provided they do not conflict with applicable state rules.
CHAPTER V: CURRENT STATUS AND LEGAL DEPARTMENT OPINION
There are active discussions and bills before the U.S. Congress (such as the SECURE Data Act and equivalents) seeking to establish a single general federal law. However, until effective enactment, the system remains fragmented state by state.
Considering the rigorous standards of the Brazilian LGPD, the Legal Department recommends adopting the Principles of Prevention and Security. Brazilian companies with operations or partners in the U.S. should map data flows based on the data subject's location. We recommend implementing a global governance program based on the strictest available standard (CCPA/CPRA and LGPD), mitigating cross-cutting risks regardless of state or federal legislative fragmentation.
CONCEPTUAL EQUIVALENCE TABLE
| U.S. SCOPE | MAIN RULE / STATUS | CONCEPTUAL LGPD EQUIVALENCE |
|---|---|---|
| FEDERAL | HIPAA, GLBA, COPPA (sectoral) | Sensitive data rules (Art. 5) and minors' data (Art. 14). |
| STATE | CCPA, CPRA and laws of 20+ states | Data subject rights (Art. 18) and the free-access principle. |
| MUNICIPAL | Local ordinances and residual resolutions | Good governance and local security practices (Art. 50). |