Back in 2018, following the enactment of Europe’s GDPR (General Data Privacy Regulation) law, and the drafting of California’s CCPA (California Consumer Privacy Act), the Brazilian government decided to follow suit by drafting and approving their own internet privacy legislation.
The legislation, titled the “Lei Geral de Proteção de Dados Pessoais”, which translates to General Law on Protection of Personal Data or “LGPD” for short, was initially scheduled to go into effect on August 15th, 2020. Just as the GDPR gave organizations adequate time to prepare their websites before putting the law into effect, Brazilian organizations were provided two years of leeway to sufficiently update their privacy policies and data-processing methodologies. Due to COVID-19, the time to update your website was extended until May 2021, then reduced to December 31, 2020, then finally overturned back to the original deadline of August 13, 2020. Just in case any organizations got confused by the coronavirus-inspired deadline whirlwind, penalties and sanctions for non-compliance will thankfully not be enforced until August 1, 2021.
Ever since the European Union’s GDPR (General Data Privacy Legislation) went into effect in 2018, I have written several pieces on the evolution of internet privacy around the globe. For readers who are unfamiliar with recent privacy legislation, my article Preparing for the GDPR: Basic Information and Implications is a great starting point, particularly for US-based corporations who are still subject to the GDPR and have not yet updated their websites to comply (it’s never too late). For Californians and California-based organizations, you may want to read my other article The New California Consumer Privacy Act (CCPA) Explained. The enactment of the CCPA received less media coverage, but the law, while less strict than its GDPR cousin, still imposes fines for non-compliance and, more importantly, provides new privacy rights that Cali-based citizens can now take advantage of. While the GDPR was more of a blanket legislation protecting the personal data of all citizens across the European Union, the CCPA was more granularly focused on the new right of California citizens to opt out of their personal data being sold to third parties for commercial value.
Iubenda’s LGPD page provides an easily digestible yet comprehensive explanation of the new legislation, including who it applies to, what’s required for compliance, penalty risks, and finally, their compliance solutions.
If you do not want to click over to their page, here are the basics:
Does the LGPD Apply to You?
- Yes, if you are an organization that processes data from any server based in Brazil.
- Yes, if your website processes data from any users located in Brazil (similar to the GDPR), whether by citizenship or by location at the time of processing.
Much like the GDPR, the LGPD’s territorial scope extends outside of Brazil, so US-based corporations could be implicated by this.
- No, if the data you are processing is solely and exclusively for private, non-commercial purposes.
- No, if the data is processed for certain purposes, including:
- Academic research
- Public safety
- Journalistic or artistic expression
- Investigation and prosecution of criminal offenses
- National defense and security
What is included in the scope of Personal Data?
- Any data that relates to an identified or identifiable individual.
- Anonymized data falls outside the scope of LGPD unless the anonymization process can be reversed or is being used for behavioral profiling purposes.
- Biometric and genetic data
- IP addresses
- Email addresses
- Political opinions
- Sexual orientation data
- Ethnic origin
- Religious beliefs
Examples of Processing Operations
Any operation carried out with personal data such as:
- Evaluation or control of information
Main principles to keep in mind
- There must be a specific purpose for processing that is clearly communicated to the person.
- You must only process the data that is necessary for the fulfillment of your stated purpose of processing.
- Processors must provide users with unencumbered, easy access to any information about the processing of their personal data free of charge.
- Information about your data processing must be clear, accurate, and available to users.
- Processors must tell users which third parties their data is shared with.
- A controller (the entity that determines the purpose for which and the means by which personal data is processed) must comply with the law and must be able to prove it.
Internal Processes and Policies to Adopt
Any organization that has made its website GDPR compliant is pretty close to being LGPD compliant as well. Here’s a quick review of what’s required for compliance:
- The identity and contact details of the data controller
- Information on who data is shared with and why
- The specific purpose of the processing
- The type of processing and duration of processing
- The responsibilities of any processors or agents that will carry out processing
- Valid records of the Consent you collect
- The applicable user rights and how they can be exercised
In addition to the list above, please remember that:
- Consent must be “free, informed, and unambiguous”
- The burden of proof to show valid consent lies with you, so it is important to keep records.
Consequences of Non-Compliance
The legal consequences for non-compliance can include fines of up to 50 million Brazilian reais (currently roughly €8M or US$9M) or 2% of a company’s annual turnover in Brazil, per violation. The Brazilian Data Protection Authority’s powers include issuing warnings and fines, publicizing the violation, and blocking or deleting the processing activities or personal data to which the infraction refers. This means that if an infraction were proven to have occurred while collecting an email address, the offending controller could risk losing the entire associated email list. Just like the GDPR, the LGPD allows users to seek pecuniary or moral civil damages for violations of the new law.