Lei Geral de Protecao de Dados (LGPD)
The LGPD, or Lei Geral de Protecao de Dados, was unanimously approved on July 10, 2018, and will go into effect on August 15, 2020. Brazil’s General Data Protection Law requires companies to comply with requirements related to the processing of personal data. The LGPD shares many similarities with the EU’s General Data Protection Regulation (GDPR), but it is leaner in comparison.
In terms of territorial scope, the LGPD applies to all companies offering goods or services to data subjects in Brazil, regardless of where they are located.
Failure to comply with the LGPD can result in fines of up to 2% of the company’s revenue in Brazil, up to a maximum of R$50 million (roughly $12.9 million USD or 11.2 million EUR).
Last Updated: March 12, 2020
What Is the LGPD?
The LGPD, or Lei Geral de Protecao de Dados, is Brazil’s version of the EU’s General Data Protection Regulation (GDPR). It goes into effect on August 15, 2020. Like the GDPR, the LGPD requires companies to comply with requirements related to the processing of personal data. By protecting personal data, Brazil anticipates an increase in business investment, especially in the digital economy. The safety the LGPD provides to consumers and businesses alike benefits everyone.
The LGPD defines data processing principles, outlines what personal data is covered, and establishes the ANPD, a new entity responsible for overseeing and enforcing data protection laws across Brazil.
Who Does the LGPD Apply To?
The LGPD applies to any individual, business, or organization that gathers the personal data of anyone in Brazil. Specifically, the LGPD regulates controllers and processors of personal data. Even companies that aren’t located in Brazil may need to comply if they have customers or clients in Brazil.
The activities covered by the LGPD include the collection, processing, use, and storage of all personal data in both electronic and physical form. There is no size threshold for companies that must comply with the LGPD. Any business that handles even small-scale processing must comply if it gathers personal data from, or provides goods to, anyone in Brazil.
What is Personal Data Under the LGPD?
Personal data under the LGPD is similar to personal data as defined in the GDPR. The LGPD does not give a specific definition of personal data the way the GDPR and CCPA do, but the regulation does mention some clarifying factors.
Personal data is loosely defined as information that can identify a person, also known as a data subject. It can also apply to personal information that could subject an individual to “a specific treatment.” The law applies to data processed in Brazil, data collected in Brazil, or data related to the supply of goods and services to individuals in Brazil.
Anonymized data is not considered personal data unless it can easily be reversed to get the identifiable data.
What is the ANPD?
The Autoridade Nacional de Proteção de Dados (ANPD) is a new federal entity responsible for issuing guidelines and enforcing data protection laws in Brazil. While the entity operates under the president, it is still considered an organization with its own decision-making powers. It can also be referred to as the National Data Protection Authority.
The organization consists of two bodies, the Board of Directors and the National Council. Altogether, the ANPD will have 28 members who serve in an advisory role.
The ANPD will be responsible for:
- Providing guidelines for the implementation of the LGPD.
- Overseeing complaints from consumers/data subjects.
- Investigating and auditing compliance, and applying the sanctions specified in the law.
- Working cross-functionally with data protection organizations in other countries.
- Interpreting the LGPD.
Any breaches must also be reported to the ANPD. The ANPD can then assess the seriousness of a breach and order the data controller to adopt measures to mitigate its effects and to disclose the event.
Ten Legal Bases for Processing Personal Data
The LGPD lists ten legal bases for companies to lawfully process personal data in Article 7. The processing must be for “legitimate, specific and explicit purposes of which the data subject is informed.”
The ten legal bases outlined in the LGPD are:
- With consent from the data subject
- To comply with a legal or regulatory obligation of the controller
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- For the regular exercise of rights in judicial, administrative, or arbitration procedures, the last pursuant to the Brazilian Arbitration Law
- For the protection of life or physical safety of the data subject or a third party
- To protect health, in a procedure carried out by health professionals or by health entities
- When necessary to fulfill the legitimate interests of the controller or a third party
- For the protection of credit
Compliance with LGPD
The LGPD is the biggest international data privacy regulation since the GDPR. Brazil has nearly 140 million internet users, making it the largest market in Latin America. Because of this, many companies will be affected when the regulation takes effect in August 2020.
Complying with the LGPD is similar in many ways to complying with the GDPR. Companies must obtain consent from a data subject before gathering their personal data on a website, and that consent must be freely given before any collection of personal data takes place.
Steps to LGPD Compliance:
- Inform data subjects of how their personal data will be processed, in a clear and easy-to-understand way, prior to the point of collection.
- Obtain consent from the data subject prior to the point of collection. The consent must be freely given and not implied, as under the GDPR.
- Notify the data subjects and local authorities in the event of a data breach.
- Appoint a Data Protection Officer (DPO) who is responsible for receiving complaints and communications.
- Adopt technical and administrative security measures to protect personal data from unauthorized access, accidents, loss, destruction, and similar events.
- Fulfill data subject requests within a reasonable time. The LGPD sets no specific deadline for providing the information a data subject requests, only that it be provided within a reasonable amount of time.
How CookiePro Helps with Cookie Compliance for LGPD
Consent and the right to opt-out
- Collect consent through any medium, including online web forms and mobile apps.
- CookiePro has resources that allow you to track consent and give data subjects the right to opt out of the processing of their personal data.
- Build a preference center customized to your brand and purpose to give data subjects complete control over their right to opt out.
Right of Information
- Handle data subject requests in a timely and legally compliant manner.
- Create customized data subject request forms, verify identity, configure deadlines, assign tasks, use multilingual response templates, and communicate securely with data subjects through an encrypted messaging portal.
- Maintain records of all data subject requests and interactions to demonstrate compliance.
- Use role-based access controls to develop region-specific workflows for the LGPD.
Right of Access
- Capture consumer requests through customized intake forms on your website with CookiePro’s Data Subject Rights tool.
- Pinpoint where an individual’s personal data resides and how it’s used with detailed data lifecycle information.
- Locate the data by searching through your data inventory.
Rights for Data Subjects
Under the LGPD, consumers in Brazil have new rights regarding their understanding of, and consent to, the processing of their personal data. Article 18 outlines the nine fundamental rights that data subjects have under the LGPD. The GDPR provides very similar rights to EU residents.
Data subjects in Brazil will have the right to:
- Receive confirmation of the existence of the processing from the company gathering the data
- Access the data collected on them
- Correct incomplete, incorrect, or outdated data
- Anonymize or delete unnecessary data that does not comply with the LGPD
- Make an express request for the portability of data to another company or “product provider”
- Request the deletion of personal data processed, even if it was done with consent
- Receive information about the public and private companies with which the controller has shared personal data
- Revoke consent
- Receive information about the ability to deny consent and the consequences of denying it
Here’s a broad overview of some of the most important rights afforded to data subjects in Brazil under LGPD.
Consent and Opt Out
The LGPD requires that consent be freely given, informed, and unambiguous. Data subjects can control how their personal data is collected and used. Data subjects must be informed about the processing of their data in a clear, adequate, easily accessible, and transparent way. Consent must be given by the data subject in writing or by other means that demonstrate it. The consent must be specific to the stated purposes and can be withdrawn by the data subject at any time.
Request the Data That A Company Holds on Them
If a data subject submits a request, the controller must respond by confirming whether data processing operations exist.
The data controller must provide a clear and complete declaration that includes the:
- Origin of the data
- Purpose of the processing
- Controller’s contact information
- Whether the information is shared with other entities
- Rights of the data subject, with explicit reference to Article 8 of the LGPD
Access the Data Held on Them
The personal data must be stored in a format that can be provided to the data subject, and it is provided only on receipt of a “verifiable consumer request.” The data subject can choose whether to receive the data electronically or physically in paper form.
Penalties for Noncompliance with the LGPD
The penalties for not complying with the LGPD are slightly less harsh than the 4% of gross revenue penalty in the GDPR. Noncompliance with the LGPD may result in fines of up to 2 percent of the organization’s gross revenue in Brazil or fifty million Brazilian Reais per violation.
The fines are applied separately for each violation, which poses significant consequences for data processors and data controllers in the event of noncompliance.
Remaining compliant is not only a best practice for handling the personal data you collect on individuals; it is also the way to avoid these kinds of hefty fines.