Brazil: Got clients or website visitors in Brazil? Then a new Data Protection Law is on its way and it impacts all national and international websites doing business in Brazil.
If your company has any customers, clients or website visitors in Brazil, you should begin preparing for LGPD compliance. If you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD. Here’s how to comply with the LGPD.
What is the LGPD?
The LGPD, or Lei Geral de Protecao de Dados, is Brazil’s new version of the EU’s General Data Protection Regulation (GDPR).
It comes into effect on August 15, 2020, and like the GDPR it is all about personal data processing.
The LGPD will bring clarification to the Brazilian legal framework as it unifies a number of statutes that currently govern personal data.
The new law will define the principles of data processing and will see the devolvement of a new Data Protection Authority (ANPD) which will oversee and enforce data protection laws across Brazil.
Who does the LGPD apply to?
The LGPD will apply to any business, organization or individual that processes the personal data of the people in Brazil, regardless of where that business, organization or individual may be located.
This means, even if your company is not located in Brazil, but processes the data of Brazilian people, you are obligated to comply with the LGPD.
The requirements in the LGPD cover the collection, processing, use and storage of personal data regardless of its online or offline form.
Therefore, if you have a Brazilian version of your website, or targets Brazilian visitors and customers, the LGPD applies to your business.
What is personal data under the LGPD?
The definition of personal data in the LGPD is very similar to the definition in the GDPR. The LGPD states that personal data can be any data that by itself or combined with other data can identify a natural person.
Although the LGPD does not express a specific definition of personal data like the GDPR or CCPA do, it takes a broad view of what qualifies as personal data, even more extensive than the GDPR.
Legal basis for data processing
In article 7, the LGPD presents a list of ten legal bases for anyone to lawfully process Brazilian people’s personal data.
The 10 legal bases are:
- With the consent of the data subject;
- To comply with a legal or regulatory obligation of the controller;
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
- To exercise rights in judicial, administrative or arbitration procedures;
- To protect the life or physical safety of the data subject or a third party;
- To protect health, in a procedure carried out by health professionals or by health entities;
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score)
How to comply with the LGPD?
With the largest marked in Latin America, Brazil is targeted by a vast number of international companies. Therefore, a lot of companies will be impacted by the LGPD once it comes into effect on August 15, 2020.
However, if your company is already GDPR compliant, you have done bulk of the work. But here’s what you need to do, if you have a website for Brazilian users.
Like the GDPR, you must obtain consent from the “data subjects” before you collect personal data on your website, and consent must be freely given.
So, if your website targets Brazilian people and you use services like Google Analytics, Facebook Pixel, LinkedIn Insight tag, CRM systems or any other widget, application or script that places cookies through your website, you need a cookie consent pop-up to collect and store your users’ valid consents.
Here is how to comply with the LGPD:
- Inform visitors of cookies and data processing. Who is processing what data for what purpose?
- Obtain your visitors consent before your website sets cookies. Consent must be freely given and be an active choice by the visitor.
- Give your users the option to decline cookies (the right to opt-out).
- Store consents so you can document consents to the ANPD.
In a larger context, you should also notify data subjects and authorities in case of a data breach; appoint a DPO who is responsible for LGPD compliance; adopt measures to protect personal data; and fulfill subjects’ requests for access and deletion in a reasonable time.
What are the penalties for non-compliance to the LGPD?
The fines under the LGPD are less severe that in the GDPR. The maximum fine for a violation is set at 2% of a company’s revenue in Brazil for the prior fiscal year excluding taxes – or up to 50M reals (~€11M).
How can Cookie Information help you with LGPD?
Maintaining cookie compliance is important, also in Brazil.
Cookies collect your users’ personal data, even though they are set by some of the services you use on your website like Google Analytics, Facebook Pixel, YouTube embedded videos and so on.
As the owner or operator of the website, you are the data controller and responsible for collecting valid consent to cookies.
Cookie Information can help you with that with a state-of-the-art Cookie Consent Pop-up for your website. The consent pop-up is already GDPR and CCPA compliant and we will adjust it to your needs on the Brazilian market.
Contact Cookie Information for more information on how to achieve LGPD compliance.