Book a personal demo and see how to make your website compliant today. Book a Demo now
LGPD Compliance
LGPD – Brazil’s New Data Privacy Law
In August 2018, Brazil enacted Lei Geral de Protecao de Dados (“LGPD”), the country’s data protection law, which it modeled after Europe’s General Data Protection Regulation (“GDPR”). With enforcement beginning in September 2020, LGPD requires companies to comply with strict requirements related to the collection and processing of Brazilian consumers’ personal data.
Clym has reviewed the LGPD and compiled the reference guide below to help companies navigate this new and complicated regulation
LGPD Compliance
Who needs to comply with LGPD?
The LGPD applies to any private or public individual or company with personal data processing activities that:
- Are carried out in Brazil;
- Collect personal data from Brazilian consumers;
- Involve offering and supplying goods or services in Brazil; or
- Relate to data subjects who are geographically located in Brazil.
The LGPD has an extraterritorial scope, meaning that even if businesses aren’t physically located in Brazil, they will need to comply with the regulation. Additionally, there is no small business exemption or revenue requirement, so any business meeting any one of these requirements has a compliance obligation. Companies across a broad spectrum of industries, from financial to technology to hospitality and travel to insurance, will be affected. To put it simply, if you’re collecting and processing data from Brazilian consumers, you need to comply with the LGPD.
Personal Data
What is personal data under the LGPD?
LGPD defines personal data as any information related to an identified or identifiable natural person. Essentially, if it can identify an individual (e.g. name, email, phone number, IP address, etc.) it’s in scope. Anonymized data should not be considered personal data under the LGPD, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.
Legal Basis
What is the legal base for data processing?
Data privacy laws generally outline the legal base for processing data, which is one of the more important pieces of legislation to which a companies should pay attention; the LGPD is no different as its standards are quite similar to GDPR requirements. Processing must be:
- For legitimate, specific and explicit purposes of which the data subject is informed;
- Limited to the minimum necessary to achieve its purposes;
- Allow for free access, transparency to the data subject; and
- Protected by appropriate measures
For companies, the key legal base for data processing include:
- Consent, which includes all particular purposes of the processing;
- Fulfillment of legal, regulatory or contractual obligations; and
- For “the legitimate interests of the controller or a third party,” where those interests outweigh, on balance, the data subject’s rights and liberties.
As noted above, these legal bases are similar to GDPR in their requirements. Note that a person or company who is processing data strictly for personal, journalistic, artistic, literary, academic, national security, national defense, public safety, or criminal investigation purposes are generally exempt from LGPD requirements.
Privacy Regulation Chart
Differences between GDPR, CCPA and LGPD
| Issue | CCPA | GDPR | LGPD |
|---|---|---|---|
| Data Subjects | California residents | EU residents | Brazilian residents |
| Who Must Comply? | For-profit entities that process personal data of California residents (regardless of the company's location) and either: 1) Earn more than $25 million in annual revenues 2) Collect and process personal data of more than 50,000 consumers 3) Derives at least 50% of its revenues from “selling” personal data | Any organization (for-profit, non-profit and governmental) that processes personal data of European citizens and residents, regardless of the organization’s location | Any organization (for-profit, non-profit and governmental) that processes personal data of Brazilian citizens and residents, regardless of the organization’s location |
| Consent Management | Implied consent, opt-out processes (e.g. website links, etc.), “Do Not Sell” for 12 months | Explicit consent, consent preference tracking, consent withdrawal availability and fulfillment | Explicit consent, consent preference tracking, consent withdrawal availability and fulfillment |
| Privacy Notice | Provided to the consumer before or at the point of personal information collection | Provided to the data subject before or at the point of personal data collection | Provided to the data subject before or at the point of personal data collection |
| Processing Management | Purpose identification and disclosure, data minimization, purpose limitation, incentivization | Legal basis for collection, data minimization, purpose limitation, accuracy, and automated decision-making | Legal basis for collection, data minimization, purpose limitation, accuracy, and automated decision-making |
| Individual Rights Granted | Right to request information Right to data portability Right to opt-out Right to access data Right of disclosure Right to deletion Right to restrict sale of personal information | Right to be informed Right of access Right to rectification Right to erasure Right to restrict processing Right to data portability Right to object to processing Rights in relation to automated decision making and profiling | Right to be informed Right of access Right to rectification Right to erasure Right to restrict processing Right to data portability Right to object to processing Right to anonymization Right to deletion |
| Noncompliance Penalties | Up to $7,500 (or actual damages) for each violation if enforced by the Attorney General Up to $750 (or actual damages) for each violation if enforced by an individual | The greater of 4% of annual revenues or €20 million | Up to 2% of the company’s Brazilian revenue of up to R$50 million (about $12 million USD) per infraction |
| Response Time | 45 days | 30 Days | 15 days for "right of access", other requests are 30 days |
Consumer Rights
What rights do consumers have under LGPD?
Consumers are provided with certain rights under the LGPD and are empowered to access those rights through Data Subject Access Rights (“DSARs”). These include:
The right to confirmation of the existence of the processing
The right to access the data
The right to correct incomplete, inaccurate or out-of-date data
The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
The right to the portability of data to another service or product provider, by means of an express request
The right to delete personal data processed with the consent of the data subject
The right to information about public and private entities with which the controller has shared data
The right to information about the possibility of denying consent and the consequences of such denial
The right to revoke consent
LGPD Compliance
What obligations do companies have under LGPD?
In order to protect the rights of consumers, companies doing business in Brazil and subject to LGPD must:
1) Delete customer data after the relevant relationship terminates;
2) Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, loss etc.;
3) Appoint a DPO officer responsible for receiving complaints and communications; and
4) Provide a data breach notification to both the data subjects and local authorities in case of a breach.
LGPD Compliance
Can companies transfer data outside Brazil?
Yes, however the default rule, under Article 33 of the LGPD, is that such transfer is prohibited, absent certain enumerated exceptions. In some cases, transfer of data is permitted, including:
1) The receiving country or organization provides a level of data protection comparable to the LGPD’s;
2) The non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD’s;
3) International legal cooperation between government agencies; and
4) The data subject has given specific consent to the transfer. Note that with the recent decision and guidance that the EU-US Privacy Shield is not GDPR compliant, it may be the case that Brazil does not consider the US to have equivalent data protections that permit transfer from Brazil to the US.
LGPD Compliance
Do we need a Data Protection Officer?
Yes, the LGPD creates the position of Chief of Data Treatment, which is the data protection officer (“DPO”) in charge of the data processing operation. The DPO will be responsible for the following:
1) Accepting complaints and communications from data subjects and the national data protection authority;
2) Orienting employees about good practices; and
3) Carrying out other duties as determined by the controller or set forth in complementary rules.The law also provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.
LGPD Compliance
What are the penalties for noncompliance with LGPD?
The maximum administrative sanctions under the LGPD is 2% of the company’s Brazilian revenue of up to R$50 million (about $12 million USD) per infraction, which is lower than the up to 4% of global revenue or up to EUR 20 million for GDPR, though still a significant amount for violators.
LGPD Compliance
Does LGPD apply to small and medium-sized businesses?
Yes, it does. The LGPD does not provide any exceptions for small/medium businesses or small-scale processing; if you’re processing personal data on Brazilian consumers, you’re in scope.
LGPD Compliance
How can I make my website LGPD compliant?
The good news is that if you’ve made your website GDPR compliant, you’re on the right track to being LGPD compliant (if you’ve not done this, you’ve got some work to do!). The three areas of focus should be on management of consent, access, and policies.
Do more with emails
Cookie Consent & Compliance for LGPD
Inform your users about any personal data collection activity you may perform and collect their consent for doing so in an unambiguous, informed and free way.
Let them know what categories of personal information you are collecting about them, why you are collecting it, how it will be used, for how long, and what other processors you are sharing this information with.
Don’t load any cookies or third party content on the website before obtaining your users’ explicit consent.
Do more with emails
Data Subject Rights And Requests (DSR)
Under the General Data Protection Regulation, data subjects have seven fundamental rights.
As a data processor or controller, you have the obligation to inform them about these rights, set up a mechanism for allowing users to exercise their rights, as well as to address these requests in a serious and timely manner.
Sign Up for Free today!
Website compliance in minutes.
Full access to all features
No credit card required until you’re ready to pick a paid plan
Let Us Show You What Our Tool Can Do
Book a Demo
Clym can help you make your website fully compliant with CCPA, GDPR, and LGPD and prepare you for upcoming privacy laws. Schedule a complimentary demo with one of our consultants and see how Clym can support your compliance journey.
Book a demo at your convenience
Let our experts show you how to make your website GDPR, CCPA and LGPD compliant in a 1:1 demo