Compliance USA

Sectoral & state model (HIPAA · GLBA · CCPA/CPRA)

Harmonized analysis of data governance and protection in the United States, from our Legal Department's perspective and the LGPD matrix.

DATA COMPLIANCE AND GOVERNANCE — UNITED STATES

Harmonized Analysis

CHAPTER I: INTRODUCTION TO THE FRAGMENTED (PATCHWORK) MODEL

Unlike the Brazilian legal system, which centralizes data protection in the General Data Protection Law (LGPD) at the national level, the United States of America does not have a single, unified federal law regulating the subject across all industries and economic sectors.

The U.S. landscape is structured through a decentralized, fragmented ecosystem, split between sector-specific federal rules and general rules under the jurisdiction of the federated states. From the standpoint of a Legal Department focused on mitigating international compliance risks, operations require detailed geographic and sectoral mapping to avoid sanctions and regulatory incidents.

CHAPTER II: FEDERAL SPHERE

At the U.S. federal level, regulation is limited and oriented strictly to the line of business or the nature of the commercial activity. Companies that do not fall within specific sectoral criteria are subject only to generic consumer-protection guidelines (such as Federal Trade Commission — FTC enforcement against deceptive practices).

Below are the main statutes in force in this sphere, framed in terms of data compliance:

HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT):

Strictly regulates the handling of health data, medical records and related information. Under the LGPD lens, it corresponds to the rigorous protection of sensitive personal data (Art. 5, II, of Law 13.709/18).

GLBA (GRAMM-LEACH-BLILEY ACT):

Regulates the financial, credit and banking markets. It requires administrative and technical safeguards for the security of consumers' private financial data.

COPPA (CHILDREN'S ONLINE PRIVACY PROTECTION ACT):

A rule aimed strictly at protecting the privacy of children online (under 13). It is strongly aligned with Art. 14 of the LGPD, requiring specific, prominent and unequivocal consent from a parent or legal guardian before collection.

CHAPTER III: STATE SPHERE

In the absence of a general federal law, the states have taken the regulatory lead, enacting robust and independent data-privacy rules. This creates a highly complex operational environment for corporations transacting data across different state borders.

CCPA / CPRA (CALIFORNIA CONSUMER PRIVACY ACT / CALIFORNIA PRIVACY RIGHTS ACT):

A globally referenced state law, closely aligned with the principles of the LGPD and the European GDPR. It grants California residents fundamental rights such as the right to access collected information, the right to delete records, and the right to opt out of the sale or sharing of personal data (Do Not Sell My Personal Information).

OTHER STATES (VIRGINIA, COLORADO, UTAH, INDIANA AND KENTUCKY):

States that have enacted their own privacy laws, imposing distinct corporate obligations regarding data protection impact reports and information-security governance.

CHAPTER IV: MUNICIPAL SPHERE

Strictly local or municipal regulation in the U.S. plays a residual or subsidiary role. Cities and counties have autonomy to create specific ordinances — often focused on limiting surveillance technologies, facial recognition by private entities or cybersecurity in local public contracts. For general compliance, the Legal Department should treat municipal rules as additional layers of protection, provided they do not conflict with applicable state rules.

CHAPTER V: CURRENT STATUS AND LEGAL DEPARTMENT OPINION

CURRENT SITUATION AND UNIFICATION EFFORTS

There are active discussions and bills before the U.S. Congress (such as the SECURE Data Act and equivalents) seeking to establish a single general federal law. However, until effective enactment, the system remains fragmented state by state.

COMPLIANCE USING THE LGPD MATRIX

Considering the rigorous standards of the Brazilian LGPD, the Legal Department recommends adopting the Principles of Prevention and Security. Brazilian companies with operations or partners in the U.S. should map data flows based on the data subject's location. We recommend implementing a global governance program based on the strictest available standard (CCPA/CPRA and LGPD), mitigating cross-cutting risks regardless of state or federal legislative fragmentation.

CONCEPTUAL EQUIVALENCE TABLE

U.S. SCOPE	MAIN RULE / STATUS	CONCEPTUAL LGPD EQUIVALENCE
FEDERAL	HIPAA, GLBA, COPPA (sectoral)	Sensitive data rules (Art. 5) and minors' data (Art. 14).
STATE	CCPA, CPRA and laws of 20+ states	Data subject rights (Art. 18) and the free-access principle.
MUNICIPAL	Local ordinances and residual resolutions	Good governance and local security practices (Art. 50).