Learn About LGPD and Website Compliance


What is LGPD?

What is LGPD and what does it stand for?


The LGPD, or Lei Geral de Protecao de Dados, is Brazil's long-awaited data protection law. After years of debate and consultation it was finally enacted on August 14, 2018; it was inspired by, and is very similar to, the EU General Data Protection Regulation (GDPR). Beginning in August 2020 Brazil's data protection law goes into effect and requires companies to comply with strict requirements related to the processing of personal data.

While it is much leaner than the GDPR, consisting of approximately 30 pages compared to the GDPR's 80-plus, the LGPD is very reminiscent of the European Union regulation.

The LGPD addresses national specifics, but its data protection principles are the familiar ones: accountability, purpose limitation, data minimisation, and security and privacy by design. Anyone who has worked with the GDPR will recognise most of this document.

Why LGPD?


The LGPD is a new standard that introduces new principles and comes into effect in August 2020, echoing the approximate length of the GDPR's implementation period. Knowing the details of the new data protection law is useful if your company operates, or plans to open a branch, in Brazil.

Who does LGPD apply to?


The LGPD applies to any private or public individual or company whose personal data processing activities:

  • are carried out in Brazil;
  • involve personal data collected in Brazil;
  • involve offering or supplying goods or services in Brazil, or relate to individuals who are geographically located in Brazil.

The LGPD has extraterritorial scope and applies to global businesses that meet these criteria, regardless of where those companies are headquartered. However, the LGPD does not apply to data processing:

  • by a natural person for exclusively personal purposes;
  • for journalistic, artistic, literary or academic purposes;
  • for national security, national defence, public safety, criminal investigation, etc.

The new law affects companies in all sectors doing business in or with Brazil. Financial, technology, healthcare, insurance, airline and hotel companies are among those that will likely face substantial compliance obligations.

What are the penalties?


The LGPD is not as punitive as the GDPR, both in sentiment and in financial penalties. The maximum fine under the LGPD is 2% of the company's revenue in Brazil, capped at R$50 million (EUR 11.2 million) per infraction. This compares with 4% of global revenue or up to EUR 20 million under the GDPR.

What is personal data under the LGPD?


The LGPD defines personal data as any information related to an identified or identifiable natural person. Anonymised data is not considered personal data, except when the anonymisation process has been reversed or can be reversed with reasonable effort.

Principles and legal bases for data processing


The LGPD sets out general principles for the processing of personal data, similar to those of the GDPR.

A key principle is purpose limitation, which means that processing must be "for legitimate, specific and explicit purposes of which the data subject is informed." The principle of necessity likewise requires "limitation of the processing to the minimum necessary to achieve its purposes." Other key principles include free access, transparency to the data subject and data quality. The "accountability" principle requires demonstrating the adoption of effective measures to ensure the protection of personal data. All of the principles are listed in Article 6.

While the LGPD focuses mostly on data privacy, the ten principles also impose real data security obligations: companies must adopt technical and administrative measures to protect personal data from unauthorised access and from illegal destruction.

For companies, the key legal bases for data processing include:

  • consent, which must cover the specific purposes of the processing;
  • fulfilment of legal, regulatory or contractual obligations;
  • "the legitimate interests of the controller or a third party," where those interests outweigh, on balance, the data subject's rights and liberties.

What obligations does the LGPD impose on companies?


  • Inform, correct, anonymise, delete or provide a copy of the data if requested by the data subject;
  • Delete data after the relevant relationship terminates;
  • Adopt technical and administrative data security measures to protect personal data from unauthorised access, accidents, destruction, loss, etc.;
  • Appoint a data protection officer (DPO) responsible for receiving complaints and communications;
  • Notify the data subjects and the local authority if a breach occurs.

Transferring data outside Brazil?


With the LGPD, Brazil joins the European Union and many other jurisdictions (but not the USA) that limit the transfer of personal data outside their borders. The default rule, under Article 33 of the LGPD, is that such transfers are prohibited unless one of the enumerated exceptions applies. Transfers are permitted when, among other cases:

  • the receiving country or organisation provides a level of data protection comparable to the LGPD's;
  • the non-Brazilian data importer is bound by contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD's;
  • the transfer is part of international legal cooperation between government agencies;
  • the data subject has given specific consent to the transfer.

Who enforces LGPD?


Brazilian ex-President Michel Temer vetoed the provision that would have created an independent National Data Protection Authority. That new agency, once created, will presumably issue further guidance on the LGPD. Until a regulatory body exists, it is uncertain how enforcement of the LGPD will be carried out.

Do we need a Data Protection Officer?


Yes. The LGPD creates the position of Chief of Data Treatment, which is the data protection officer (DPO) in charge of the data processing operation. The DPO is responsible for the following:

  • Accepting complaints and communications from data subjects and the National Authority;
  • Orienting employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules.

The LGPD provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.

Does LGPD apply to small and medium sized businesses?


The LGPD does not provide any exceptions for small/medium businesses or small-scale processing.

What should we do in case of a data breach?


If a data breach occurs, the controller must report it to the National Data Protection Authority (ANPD) and to the data subjects within a reasonable time period, which is yet to be defined, if the breach is likely to result in risk or harm to data subjects.

The breach notification notice must contain the following:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved
  • Indication of the security measures used
  • The risks generated by the incident
  • The reasons for delay of communication (if any)
  • The measures that were or will be adopted

In addition, ANPD can verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

How can I make our organization LGPD compliant?


The LGPD comes into force in August 2020, giving companies 15 months to get ready. In that period the appropriate steps should be taken, including:

  • a diligence process to identify what personal data processing activities, if any, the company is engaged in (including via vendors) that are covered by the LGPD;
  • a gap analysis to identify where any of these data processing activities do not satisfy the LGPD's requirements;
  • a remediation process to close any identified gaps;
  • revision, implementation and testing of the internal policies and procedures needed to comply with the LGPD;
  • revision or creation of appropriate vendor agreements.

How do I make a website LGPD compliant?


The Lei Geral de Protecao de Dados (LGPD) follows a risk-based approach, as the GDPR does. Companies and organisations processing personal data are expected to implement protective measures proportionate to the level of risk of their data processing activities. The obligations on a company processing a lot of data are therefore more onerous than those on a company processing a small amount of data.

Is my website affected by LGPD?


The LGPD applies to any private or public individual or company whose personal data processing activities:

  • are carried out in Brazil;
  • involve personal data collected in Brazil;
  • involve offering or supplying goods or services in Brazil, or relate to individuals who are geographically located in Brazil.

Are you aware what trackers you have on your website?


Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and run marketing campaigns. Under the LGPD you are responsible for providing notice and obtaining consent for each one of these technologies. Consent must be given by the data holder in writing or by other means that demonstrate the data holder's will. The controller bears the burden of proving that consent was obtained in accordance with the requirements of the LGPD, and consent must be specific to particular purposes.

Make sure to audit your website and see which trackers you have enabled and running. If you are unsure what trackers your website carries, use the free tool; it returns a result within 5 minutes or less.
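The tracker audit above can be started with a simple inventory of the third parties a page already talks to before any consent is asked. The following is an added example, not code from the original page or from any tool it mentions: it takes a constructed page snapshot and a constructed `document.cookie` string, extracts external scripts, pixels and iframes, and groups them by the organisation that receives the data. The site host, the sample HTML, the cookie names and the small list of tracking-cookie prefixes are all assumptions made for the example; in a browser the same functions can be run over `document.documentElement.outerHTML` and `document.cookie`.

```javascript
// Added example: a lightweight tracker inventory, not part of the original page.
// It extracts external resources (scripts, pixels, iframes) and cookies from a
// constructed page snapshot and groups them by third-party organisation, so you
// can see who receives visitor data before any consent banner is shown.
// Input is a constructed HTML string so the code runs offline in Node.

const SITE_HOST = 'www.example.com.br'; // assumption: the first-party site

// Constructed sample page (not a real site)
const SAMPLE_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<img src="/images/logo.png">
</body></html>`;

// Constructed sample of document.cookie as seen on that page
const SAMPLE_COOKIES = '_ga=GA1.2.111; _fbp=fb.1.222; session=abc; _gid=GA1.2.333';

// Crude eTLD+1: keep the last two labels, or three when the second-level label
// is a common ccTLD second level such as com.br or co.uk. Assumption: good
// enough for an audit; it is not a full Public Suffix List implementation.
function registrableDomain(host) {
  const parts = host.toLowerCase().split('.');
  const secondLevel = parts.slice(-2).join('.');
  const n = ['com.br', 'co.uk', 'com.au'].includes(secondLevel) ? 3 : 2;
  return parts.slice(-n).join('.');
}

// Pull every src="..." out of script, img and iframe tags
function extractResources(html) {
  const re = /<(script|img|iframe)\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return found;
}

// Group third-party resources by the receiving organisation's registrable domain
function auditTrackers(html, siteHost) {
  const site = registrableDomain(siteHost);
  const thirdParties = {};
  for (const { tag, url } of extractResources(html)) {
    let host;
    try {
      host = new URL(url, `https://${siteHost}/`).hostname; // resolves relative URLs
    } catch (e) {
      continue; // unparsable src, skip it
    }
    const org = registrableDomain(host);
    if (org === site) continue; // first-party resource, not a third-party tracker
    if (!thirdParties[org]) thirdParties[org] = [];
    thirdParties[org].push(`${tag}: ${url}`);
  }
  return thirdParties;
}

// Assumption: a small illustrative list of analytics/advertising cookie name
// prefixes; extend it from your own audit findings.
const TRACKING_COOKIE_PREFIXES = ['_ga', '_gid', '_fbp', '_gcl'];

// Return the names of cookies that match a known tracking prefix
function auditCookies(cookieString) {
  return cookieString
    .split(';')
    .map(c => c.trim().split('=')[0])
    .filter(name => TRACKING_COOKIE_PREFIXES.some(p => name.startsWith(p)));
}

// Stand-alone run: print the inventory for the constructed page
console.log(JSON.stringify(auditTrackers(SAMPLE_HTML, SITE_HOST), null, 2));
console.log('tracking cookies:', auditCookies(SAMPLE_COOKIES));
```

Every key in the resulting object is a party that your banner must name, and every tracking cookie is one that must not be set until the visitor has opted into its category.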

Are you gathering consent the right way?


In order to obtain valid consent, you need to follow specific requirements. Consent must be informed, explicit, freely given and specific, it must be possible to withdraw it, and it must be written in plain language that is clearly visible.

  1. Consent should be affirmative, specific and unambiguous
  2. Details of the recipients and the data controller
  3. Purpose of processing and notification of profiling
  4. Duration
  5. Ability to withdraw consent
  6. Link to complain about, correct and transfer data
  7. Ability to decline

Are your privacy banners affirmative?


Your privacy banners must ask for an affirmative action and must clearly identify each party to which the consent is being granted. It is not enough to state a category name such as "analytics"; the banner should name the organisation, e.g. Google, that processes the data.

Have you made it easy to withdraw consent?


The standard phrase found in cookie notices, "by using this site, you accept cookies," will not be sufficient under the LGPD: it only suggests implied consent, and it is ambiguous and generic. You now need granular control, with separate consents for tracking and analytics cookies, as well as a mechanism through which the customer's consent (and its withdrawal) is actually signalled to the trackers.

Have you named the 3rd party plugins that process data?


Your privacy banners must clearly identify each party to which the consent is being granted. It is not enough to state a category name such as "analytics"; the banner should name the organisation, e.g. Google, that processes the data.

Can visitors contact you for their personal data?


Your customers may contact your company/organisation to exercise their rights under the LGPD (rights of access, rectification, erasure, portability, etc.). Your company should provide means for requests to be made electronically. The data protection officer’s contact information should be publicly available and their tasks should include communication with the data subjects and regulatory authority.

Do you have evidence of valid consent?


According to the LGPD, businesses must keep evidence that valid consent was obtained.
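The three requirements above, granular opt-in with easy withdrawal, naming the party that receives the data, and keeping evidence of consent, fit together in one small piece of client-side logic. The following is an added example written for this page, not code from the original page or from any consent-banner product: a consent manager that registers each tracker under a purpose category together with the organisation it belongs to, loads a tracker only after the visitor has explicitly opted into its category, lets the visitor withdraw with a single call, and appends every decision to a consent record (timestamp, banner version, categories, parties, resulting state). The category names, the `POLICY_VERSION` value, the tracker URLs and the injected `loadScript` callback are assumptions; in a browser `loadScript` would append a `<script>` element to the page.

```javascript
// Added example (not from the original page): a minimal granular consent
// manager. Trackers are registered under a purpose category and are only
// loaded after the visitor explicitly opts into that category; withdrawing
// consent is one call, and every decision is written to a consent record
// that can serve as evidence that consent was obtained. Names, categories
// and the policy version are assumptions made for this example.

const POLICY_VERSION = '2020-08-v1'; // assumption: identifies the banner text shown

class ConsentManager {
  // loadScript is injected so the logic runs outside a browser; in a page it
  // would append a <script src=...> element. now() is injectable for testing.
  constructor(loadScript, now = () => new Date().toISOString()) {
    this.loadScript = loadScript;
    this.now = now;
    this.trackers = [];                    // { category, party, src }
    this.granted = new Set(['necessary']); // assumption: strictly necessary scripts need no opt-in
    this.loaded = new Set();               // srcs already injected
    this.records = [];                     // evidence log of every decision
  }

  // Register a tracker together with the organisation that receives the data,
  // so the banner can name the party instead of only saying "analytics".
  register(category, party, src) {
    this.trackers.push({ category, party, src });
  }

  // Parties the banner must list for a category
  partiesFor(category) {
    return [...new Set(this.trackers.filter(t => t.category === category).map(t => t.party))];
  }

  // Only an explicit list of categories counts as consent; "by using this site
  // you accept cookies" never calls this. An empty list is a valid decline.
  accept(categories) {
    for (const c of categories) this.granted.add(c);
    this.record('accept', categories);
    this.applyConsent();
  }

  // Withdrawal is as easy as acceptance: one call, also recorded.
  withdraw(categories) {
    for (const c of categories) this.granted.delete(c);
    this.record('withdraw', categories);
    // Scripts already running cannot be unloaded; the page must stop using
    // them and expire their cookies, which is outside this example.
  }

  // Inject every tracker whose category is granted and that is not yet loaded
  applyConsent() {
    for (const t of this.trackers) {
      if (this.granted.has(t.category) && !this.loaded.has(t.src)) {
        this.loadScript(t.src);
        this.loaded.add(t.src);
      }
    }
  }

  // Append an evidence entry: when, what was decided, under which banner
  // version, which parties were named, and the resulting consent state.
  record(action, categories) {
    this.records.push({
      at: this.now(),
      action,
      policyVersion: POLICY_VERSION,
      categories: [...categories],
      parties: categories.flatMap(c => this.partiesFor(c)),
      state: [...this.granted].sort(),
    });
  }
}

// Demo with constructed data: one necessary script, one analytics and one ads tracker
function demo() {
  const loaded = [];
  const cm = new ConsentManager(src => loaded.push(src), () => '2020-08-16T12:00:00Z');
  cm.register('necessary', 'example.com.br', '/static/app.js');
  cm.register('analytics', 'Google', 'https://www.googletagmanager.com/gtag/js');
  cm.register('advertising', 'Facebook', 'https://connect.facebook.net/en_US/fbevents.js');

  cm.applyConsent();          // page load: only the necessary script is injected
  cm.accept(['analytics']);   // visitor opts in to analytics only; ads stay unloaded
  cm.withdraw(['analytics']); // visitor later withdraws
  return { loaded, records: cm.records, granted: [...cm.granted] };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `records` array is what you would persist server-side (keyed to the visitor's session or account) as the evidence the LGPD asks for; storing the banner version alongside each entry lets you show exactly which wording the visitor agreed to.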

Have you updated your data and privacy policies?


You will need to update your data and privacy policies. The accuracy principle under the LGPD requires organisations to ensure the clarity, relevance and timely updating of personal data so that the processing remains compatible with the purposes communicated to the data subject.

Have you cleaned up your mailing lists?


It is important to clean up your email databases. If data was collected in a way that does not meet the LGPD's standards, the consent needs to be re-validated: your customers should receive emails with an option to opt out. This brings your mailing lists into line with the LGPD.

Are you collecting too much information?


While it may be easy to add an extra field to your website to collect a phone number, gender or location, you have to evaluate whether you need it to process the request. The data minimisation principle under the LGPD requires organisations to limit the amount and scope of the personal data they process to the minimum necessary to achieve their purposes. Only data that is relevant, proportionate and not excessive in relation to the purposes of the processing should be used.
