Unless you’ve been off the grid for the past few years, you’ve probably heard about new data collection and privacy laws being passed by various regional and national governments (if not, don’t worry—keep reading to learn more). The way companies can collect and manage your personal data has evolved rapidly over the past decade; however, data protection and privacy laws haven’t kept up with these changes. For example, until the EU passed the General Data Protection Regulation (GDPR) policy in 2016 and GDPR compliance became mandatory in 2018, Europe’s data protection laws hadn’t been significantly updated since the mid-1990s. As such, governments around the world are now playing catch-up to protect their citizens online.
The most recent data privacy law is Brazil’s Lei Geral de Proteção de Dados, passed in 2018 and going into effect as soon as August 15, 2020 (it may be pushed back to May 2021, but it’s usually better to be prepared sooner vs. later). Known also as LGPD, Brazil’s new data privacy law shares quite a few similarities with the EU’s GDPR and the California Consumer Privacy Act (CCPA). However, it also has its own unique features that companies should know about, especially if they do business in or with Brazil. Below, we’ll provide a brief overview of Brazil’s LGPD and the key things your company needs to do to achieve LGPD compliance. Even though we’re focusing on the LGPD in this piece, we’ll also include a comparison between the LGPD and GDPR and the CCPA as well.
What is the LGPD?
As mentioned above, the LGPD is Brazil’s data privacy law that could go into effect as soon as this month. It was passed as a measure to harmonize the more than 40 different statutes in Brazilian law that governed personal data and simultaneously refresh and update these laws to meet present-day needs. The LGPD applies to any person, company or entity (both public and private) that processes/uses the personal data of Brazilian citizens or people located in Brazil at the time of data collection for the purposes of offering or selling goods and services. The LGPD has an extraterritorial application, meaning that whether or not you or your company are located in Brazil, as long as you’re collecting and using Brazilian peoples’ personal data to try and sell or offer them something, this Law applies to you.
In terms of what defines “personal data,” the LGPD defines this as “information regarding an identified or identifiable natural person.” The definition is rather broad, but this basically means that if the data you are collecting can be used, either by itself or in combination with other data, to identify someone, this would be considered personal data.
In Article 18 of the LGPD, the Law states that subjects from whom personal data was collected have the following fundamental rights to their data:
- Confirmation of the existence of the processing (i.e. to know that their personal data is being collected/used)
- Access to the data collected
- Correction of incomplete, inaccurate or outdated data
- Anonymization, blocking or deletion of unnecessary or excessive data or data that was not processed in compliance with the LGPD
- Portability of the data to another service or product provider, by means of an express request (i.e. to receive a secure transfer of their data from one company/entity to another if they ask you to do so)
- Deletion of personal data processed with the consent of the data subject
- Information about public and private entities with which their data has been shared
- Information about the possibility of denying consent and the consequences of doing so
- Revocation of consent
What do companies need to know about LGPD compliance?
First and foremost, as mentioned above if you do business in or with Brazil, you need to become compliant with LGPD regulations. The good news is that if you’re already processing data in compliance with GDPR regulations, you’ve probably done most of what you need to do to comply with the LGPD (more on that later).
If not, the most important thing to know is that without the consent of the data subject, you are not allowed to collect any personal data from them. You must notify the person that their data is being collected and be prepared to reveal, modify, delete, anonymize, or give a copy of the data collected upon their request. Should the business relationship end and/or a subject’s personal data otherwise no longer be needed, the company must delete the data collected from the subject. In addition, all companies should appoint a Data Protection Officer or someone with an equivalent title/list of responsibilities to address and resolve disputes and cases related to subjects’ personal data.
If a data breach should occur, the LGPD requires a company to report this to the national authority within “a reasonable time period” to be determined. In this event, a company must report at minimum:
- A description of the nature of the affected personal data (e.g. emails, credit card info)
- Information on the data subjects involved
- An indication of the technical and security measures used to protect the data
- The risks related to the incident
- The reasons for delay, if communication of the data breach was not immediate
- The measures that were or will be adopted to reverse or mitigate the effects of the damage
The Brazilian government may choose to impose additional sanctions if it deems a company’s response was not satisfactory for any reason, e.g. if the company tried to keep the breach under wraps as it worked on a solution. However, if a company follows LGPD guidelines on how to address a data breach and acts promptly, chances are it’ll avoid the most severe penalties (as you can see, data breaches are a massive headache for more than one reason). So, if you’re collecting personal data, make sure to invest in security measures like a website SSL to encrypt data and lower the risk of these breaches.
The LGPD protects data subjects’ rights to notify the Brazilian government if it believes your company is violating their data privacy and protection rights under the LGPD. If your company is found to be in violation of the LGPD, you may be fined 2% of your Brazilian revenue from the past fiscal year, up to a maximum of 50 million reals, equal to a little over 9 million USD as of this writing.
Although an official national agency to oversee the LGPD has not yet been determined at the time of this writing, this doesn’t mean that a company won’t need to comply with these regulations: it just means that the timeline for enforcing the LGPD has yet to be finalized. Though one could argue that this means companies can wait to become LGPD-compliant, we believe it’s in a company’s best interest to use this time to ensure it takes the necessary key measures to comply with the LGPD if it does business in Brazil. Not only will companies that do so get a head start and take care of compliance measures early, but it can also be used as a competitive advantage to show customers that you care about their privacy and security.
How does the LGPD compare to GDPR and CCPA?
When comparing the LGPD vs. GDPR, one will see several key similarities: so much so that many claim that the LGPD took direct inspiration from the GDPR. At a high level, both laws have extraterritorial application, which means that any company or entity doing business in Brazil or the EU must comply with LGPD and GDPR requirements, respectively. The LGPD and GDPR both require subjects to give unambiguous consent before personal data can be collected, which means they must actively opt in. Both define personal data similarly and prohibit the unsecured transfer of data outside of their protection areas; they also grant data subjects similar rights, compared below:
|LGPD Rights of Data Subjects (from above)||GDPR Rights of Data Subjects|
|– Confirmation of the existence of the processing|
– Access to the data collected
– Correction of incomplete, inaccurate or outdated data
– Anonymization, blocking or deletion of unnecessary or excessive data or data that was not processed in compliance with the LGPD
– Portability of the data to another service or product provider, by means of an express request
– Deletion of personal data processed Information about public and private entities with which their data has been shared
– Information about the possibility of denying consent and the consequences of doing so
– Revocation of consent
|– Right to be informed|
– Right of access
– Right to rectification (i.e. correcting/modifying data collected)
– Right to erasure
– Right to restrict processing
– Right to data portability
– Right to object (i.e. opt out of data processing)
– Rights in relation to automated decision making and profiling (can only do this when either necessary for the entry into or performance of a contract, permitted by EU Member state law, or if given the data subject’s explicit consent.
Both the LGPD and GDPR require prompt reporting of any data breaches, although the GDPR specifies that this must be done within 72 hours. Similar to the LGPD, the GDPR requires companies to, at minimum:
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- Describe the likely consequences of the personal data breach
- Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The main differences between the LGPD and GDPR lie primarily in the enforcement methods and some specific requirements. For example, while the GDPR specifies that companies must hire a Data Protection Officer, the LGPD does not specify the title of this role. In terms of punishments, both laws punish non-compliant companies with fines. However, GDPR fines can amount up to 20 million euros (about 22.8 million USD) or 4% of annual global revenue, whichever is higher. The LGPD punishes companies up to about $9 million or 2% of Brazilian revenue, which means that while potentially significant, the punishments for non-compliance in Brazil are less severe. A major difference between the GDPR and LGPD is that the LGPD permits companies to process personal data if it will be used for the purposes of protecting business credit (aka credit score): the GDPR does not include this as a valid reason for data processing.
Looking at the LGPD vs. GDPR vs. CCPA, all three are similar in the way that they apply to companies doing business within their respective jurisdictions. However, the key difference is that the CCPA’s regulations have specific thresholds companies must meet before its regulations apply. The CCPA applies to any business with either an annual revenue over $25 million, processing personal data of 50,000 or more people, households, or devices, or make at least 50% of their profit by selling the information of California residents; otherwise, any for-profit companies doing business in the state and processing personal data of California residents must comply with the CCPA.
These acts also differ in how they define personal data. While the GDPR and LGPD focus on individual data, the CCPA extends its regulations to cover data that can be used to identify households (and devices in some parts of the Legislation). In addition, while both the GDPR and LGPD restrict how data can be processed and require explicit, unambiguous consent from the data subject, the CCPA does not outline any consent requirements to begin data processing; it only provides subjects’ rights similar to what the LGPD and GDPR provide (e.g. right to know the data collected and to whom it was sold, right to refuse sale of data, right to access data collected). In addition, the CCPA only allows residents to opt out of data collection if their data will be sold, although they may still request for their data that was already collected to be deleted.
The CCPA levies fines of $2,500 for every violation and $7,500 for every intentional violation, but may choose not to fine businesses if they correct violations within 30 days of being notified. These fines are far less severe than the millions of dollars in fines that may be levied by the GDPR and LGPD.
General data protection policies are becoming more commonplace as governments adapt to the new ways companies can collect, access, and use consumer personal data. Although each regional/national legislation has its own nuances and intricacies, they all provide consumers with greater access to their personal data that companies have collected and protect their rights to delete and modify any data that has been collected. As consumers gain greater control over how their personal data is used, companies should adapt accordingly to act in compliance with applicable regulations and show consumers that they respect their rights as autonomous individuals.