Jon Fletcher 2020-07-31

LGPD - Brazil’s new data protection law

In 2018, Brazil passed the Lei Geral de Proteção de Dados (LGPD), a law that aims to clarify and enforce all of the rules governing data use and protection in Brazil. It consolidates over 40 existing regulations and is, in effect, Brazil's version of GDPR.

Although passed in 2018, LGPD is set to come into effect in August 2020, so publishers need to make sure they comply from then on.

I'm not in Brazil - do I have to care?

Sorry, the answer is yes. The law has extraterritorial application, which means LGPD applies to anyone who may access the personal data of people in Brazil, no matter where their business or organization is actually located.

The fines for breaching LGPD are less severe than those under GDPR, but would still be a considerable blow to almost any company. Under LGPD, companies can be liable for fines of up to "2% of a private legal entity's, group's, or conglomerate's revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals" (this works out to roughly € 11 million).

This means that if you have traffic from Brazil, or are not actively blocking users in Brazil, you really need to comply with LGPD.

What 'personal data' does LGPD protect? 

This is where things get a little less clear. LGPD defines 'personal data' as any data that, 'by itself or combined with other data, could identify a natural person or subject them to a specific treatment.'

This definition is expected to be clarified further, since as it stands it seems to cover more information that could be labeled as 'personal data' than GDPR does. LGPD gives all users in Brazil nine 'fundamental rights' over their personal data:
  • The right to confirmation of the existence of the processing;
  • The right to access the data;
  • The right to correct incomplete, inaccurate or out-of-date data;
  • The right to anonymize, block, or delete unnecessary or excessive data, or data that is not being processed in compliance with LGPD;
  • The right to the portability of data to another service or product provider, by means of an express request;
  • The right to delete personal data processed with the consent of the data subject;
  • The right to information about public and private entities with which the controller has shared data;
  • The right to information about the possibility of denying consent and the consequences of such denial;
  • The right to revoke consent.

The difference between LGPD and GDPR

The good news is that the law is similar enough to GDPR that if you're in compliance with GDPR, you are broadly in line with LGPD too. GDPR gives users eight fundamental rights, compared to LGPD's nine.

The main difference is that LGPD expands "the right to information about public and private entities with which the controller has shared data" into two rules, which in GDPR are covered by the broader "right to be informed".

In addition, LGPD provides further legal bases for when companies can access and use data, beyond just asking for user consent, which should make compliance easier in many cases.

How to comply with LGPD 

The good news is that if you are GDPR compliant, it's more than likely that you already comply with LGPD.

It's often thought that GDPR means having to get user consent to process their data. While consent is one of the easiest ways to satisfy the regulators, GDPR actually has 6 legal bases for data processing. Another difference between the two regulations is that LGPD has 9 bases for processing user data, the most notable difference being that the protection of credit is a sufficient reason to process user data.

The full list of legal bases is as follows:

  • With the consent of the data subject;
  • To comply with a legal or regulatory obligation of the controller;
  • To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
  • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
  • To execute a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
  • To exercise rights in judicial, administrative or arbitration procedures;
  • To protect the life or physical safety of the data subject or a third party;
  • To protect health, in a procedure carried out by health professionals or by health entities;
  • To fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties, which require personal data protection, prevail; or
  • To protect credit (referring to a credit score).

It's hard to imagine publishers using data to protect users' lives or to execute public policy, so the most practical way to be compliant is to obtain your users' consent via a consent management platform (CMP).

You can verify that the CMP you use is compliant by validating it with the IAB's compliance checker.
