What is the LGPD?

Brazil: Got clients or website visitors in Brazil? Then a new Data Protection Law is on its way and it impacts all national and international websites doing business in Brazil.

If your company has any customers, clients, or website visitors in Brazil, you should begin preparing for LGPD compliance. If you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD. Here’s how to comply with the LGPD.

What is the LGPD?

The LGPD, or Lei Geral de Proteção de Dados, is Brazil’s counterpart to the EU’s General Data Protection Regulation (GDPR).
It comes into effect on August 15, 2020, and, like the GDPR, it governs the processing of personal data.
It clarifies the Brazilian legal framework by unifying the several statutes that currently govern personal data.

The new law defines the principles and processes for handling personal data and establishes a new Data Protection Authority (ANPD), which will oversee and enforce data protection law across Brazil.

It will apply to any business, organization, or individual that processes the personal data of the people in Brazil, regardless of where that business, organization, or individual may be located.

Who does the LGPD apply to?

Even if your company is not located in Brazil but processes the data of Brazilian people, you are obligated to comply with the LGPD.

Requirements in the LGPD cover the collection, processing, use, and storage of personal data regardless of its online or offline form.

Therefore, if you have a Brazilian version of your website, or target Brazilian visitors and customers, the LGPD applies to your business.

What is personal data under the LGPD?

The definition of personal data in the LGPD is very similar to the one in the GDPR. The LGPD states that personal data can be any data that, by itself or combined with other data, can identify a natural person.

Although the LGPD does not spell out a specific definition of personal data the way the GDPR or CCPA does, it takes a broad view of what qualifies as personal data, broader even than the GDPR’s.

Legal basis for data processing

In article 7, the LGPD presents a list of ten legal bases for anyone to lawfully process Brazilian people’s data.
The 10 legal bases are:
  • With the consent of the data subject;
  • To comply with a legal or regulatory obligation of the controller;
  • To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
  • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
  • To execute a contract or preliminary procedure related to a contract of which the data subject is a party, at the request of the data subject;
  • To exercise rights in judicial, administrative, or arbitration procedures;
  • To protect the life or physical safety of the data subject or a third party;
  • To protect health, in a procedure carried out by health professionals or by health entities;
  • To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
  • To protect credit (referring to a credit score)

How to comply with the LGPD?

With the largest market in Latin America, Brazil is targeted by a vast number of international companies. Therefore, a lot of companies will be impacted by the LGPD once it comes into effect on August 15, 2020.
If your company is already GDPR compliant, you have done the bulk of the work. Here is what you still need to do if you have a website for Brazilian users:
Like the GDPR, you must obtain consent from the “data subjects” before you collect personal data on your website, and consent must be freely given.
So, if your website targets Brazilian people and you use services like Google Analytics, Facebook Pixel, LinkedIn Insight tag, CRM systems, or any other widget, application, or script that places cookies through your website, you need a cookie consent pop-up to collect and store your users’ valid consents.
Here is how to comply with the LGPD:
  • Inform visitors of cookies and data processing. Who is processing what data for what purpose?
  • Obtain your visitors’ consent before your website sets cookies. Consent must be freely given and be an active choice by the visitor.
  • Present a detailed privacy and cookie policy that clarifies the reason why your website is collecting data and who is processing it.
  • Give your users the option to decline cookies (the right to opt out).
  • Store consents so that you can document them to the ANPD.
In a larger context, you should also notify data subjects and the authorities in case of a data breach; appoint a DPO who is responsible for LGPD compliance; adopt measures to protect personal data; and fulfill data subjects’ requests for access and deletion within a reasonable time.
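As an added example (not code from the original page or from Cookie Information), the JavaScript below sketches the consent gate those steps describe: nothing that sets cookies is loaded until the visitor makes an active choice, declining is honoured and recorded, and every decision is kept as a receipt that can be documented to the ANPD. The policy version, the tag list and its URLs are hypothetical.

```javascript
// Added example (not code from the page or from Cookie Information): a consent gate
// that loads cookie-setting tags only after an active, recorded choice.
// Hypothetical values: POLICY_VERSION, the TAGS list and its placeholder URLs.
const POLICY_VERSION = "2020-08-15-v1"; // bump when the cookie policy text changes

// Constructed list of third-party tags that set cookies, each tied to one purpose.
const TAGS = [
  { name: "google-analytics", purpose: "statistics", src: "https://example.invalid/ga.js" },
  { name: "facebook-pixel",   purpose: "marketing",  src: "https://example.invalid/pixel.js" },
];

// store: { get(), set(record) } on the first-party domain; inject(tag): adds the script.
function createConsentGate({ store, inject, now = () => new Date() }) {
  // A record for an older policy version is stale: the visitor must be asked again.
  function current() {
    const rec = store.get();
    return rec && rec.policyVersion === POLICY_VERSION ? rec : null;
  }
  // No record means no consent; silence or a closed banner never counts as "yes".
  function needsPrompt() { return current() === null; }
  // Consent receipt kept for documentation to the ANPD: choices, time, policy version.
  function record(choices) {
    const rec = {
      policyVersion: POLICY_VERSION,
      timestamp: now().toISOString(),
      choices: { statistics: choices.statistics === true, marketing: choices.marketing === true },
    };
    store.set(rec);
    return rec;
  }
  // Opt-out (decline or later withdrawal) is itself recorded, so it is documented too.
  function declineAll() { return record({}); }
  // Inject only the tags whose purpose the visitor accepted; returns what was loaded.
  function apply() {
    const rec = current();
    if (!rec) return []; // nothing is set before consent exists
    const loaded = [];
    for (const tag of TAGS) {
      if (rec.choices[tag.purpose] === true) { inject(tag); loaded.push(tag.name); }
    }
    return loaded;
  }
  return { current, needsPrompt, record, declineAll, apply };
}

// In-memory store standing in for localStorage on the first-party domain.
function memoryStore() { let v = null; return { get: () => v, set: (r) => { v = r; } }; }
```

In a browser, `store` would wrap localStorage or a first-party cookie and `inject` would create the tag’s `<script>` element; the gate is called once on page load and again right after the visitor answers the pop-up.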

What are the penalties for non-compliance with the LGPD?

Under the LGPD, the fines are less severe than under the GDPR. The maximum fine for a violation is set at 2% of a company’s revenue in Brazil for the prior fiscal year, excluding taxes, or up to 50M reais (~€11M).

How can Cookie Information help you with the LGPD?

Maintaining cookie compliance matters in Brazil too.
Cookies collect your users’ data even when they are set by third-party services you embed on your website, such as Google Analytics, Facebook Pixel, and embedded YouTube videos.
As the owner or operator of the website, you are the data controller and responsible for collecting valid consent to cookies.
Cookie Information can help you with a state-of-the-art cookie consent pop-up for your website. The consent pop-up is already GDPR and CCPA compliant, and we will adjust it to your needs in the Brazilian market.
Contact Cookie Information for more information on how to achieve LGPD compliance.