If you sell goods or services in Brazil, or collect Brazilian personal data, then you need to comply with the Lei Geral de Proteção de Dados (LGPD).
The LGPD is essentially the Brazilian equivalent of the European Union's General Data Protection Regulation (GDPR). Its goal is to give Brazilians control over what happens to their personal or private data. That being said, although the laws are similar, they're not identical, so you need to learn them both.
But how do you know if the LGPD applies to your business, and what obligations does it place on you? Don't worry, we'll cover it all. Let's walk through what you should know about the LGPD, starting with the basics.
- 1. The LGPD
- 1.1. Personal Data
- 2. Goals of the LGPD
- 3. Who the LGPD Applies to
- 3.1. Exemptions
- 4. Requirements of the LGPD
- 5. How to Comply With the LGPD
- 5.1. Appoint a Data Protection Officer
- 5.2.1. Declaration of Data Collection
- 5.2.2. The Data You Collect
- 5.2.3. Your Legal Basis
- 5.2.4. User Rights
- 5.2.5. Contact Details
- 5.3. Get Consent to Collect Data
- 5.4. Keep Data Secure
- 5.5. Record Data Processing Activities
- 5.6. Reporting Data Breaches
- 6. Penalties for Not Complying with the LGPD
- 7. Conclusion
The LGPD
The LGPD brings Brazilian data protection law in line with other privacy regulations around the world. Basically, it sets out clear rules for how people can collect, process, and use personal data collected in Brazil.
In total, there are 10 principles you should follow. We'll show you how later, but here's a summary first:
- Legitimacy: You can't process personal data without a suitable reason
- Necessity: Don't collect any more data than you need for a specific purpose
- Adequacy: Provide adequate processes for safely handling the data
- Accountability: You're responsible for the data in your control
- Security: You can't collect personal data without proper cybersecurity protocols
- Integrity: It's your responsibility to keep accurate and quality data records
- Transparency: Make it easy for people to understand your data processing activities by publishing them somewhere obvious
- Accessibility: Ensure data subjects know they can access the data held on them
- Prevention: You must take steps to reduce the likelihood of a data breach
- Non-discrimination: It's illegal to process data for discriminatory reasons
Before we look at complying with these principles, let's clear one thing up: what exactly "personal data" is.
Personal Data
Under the LGPD, "personal data" is extremely broad. It's defined in Article 5, and as with the GDPR, it's basically any data that can be used to identify a natural person, i.e. a real human being:
You'll see there's a distinction between personal data and "sensitive" personal data. "Sensitive" personal data under the LGPD looks much like the GDPR's definition of ordinary personal data, which suggests that even more information counts as "personal" under the LGPD than under the GDPR.
What does this mean? Well, if you're collecting any data on a person at all, it's worth treating it as personal data to ensure you're following the law. If you want to collect sensitive data, you need even more safeguards in place.
Here's something else to keep in mind: the LGPD came into force on 15 August 2020. So if the law applies to you and you're not already complying with it, you need to start now.
Goals of the LGPD
We can infer the goals of the LGPD by looking at its 10 principles.
- The LGPD brings together various older data privacy laws into one cohesive, shorter regulation, which makes it easier for companies to follow the rules.
- Brazilians now have the same legal rights over personal data as individuals elsewhere.
- There's now a culture of accountability and transparency. People know what's happening to their data, and companies understand their responsibilities.
Ultimately, like other privacy laws, the LGPD strikes a balance between:
- Protecting someone's right to privacy, and
- The need for companies to use marketing and data analytics to grow their businesses
Hopefully this is all clear enough now. But who actually needs to comply with the LGPD?
Here's what the law says.
Who the LGPD Applies to
The LGPD applies to any business or person collecting data belonging to Brazilian individuals. So it doesn't matter where in the world you set up your business.
If you serve the Brazilian market at all, you need to comply with this law:
But just like the GDPR, the LGPD has some exemptions.
Exemptions
There are only a handful of occasions when the LGPD doesn't apply. In summary, you don't need to comply with the LGPD if:
- You use the data purely for personal use, e.g. a home address book
- The data is for journalistic or artistic purposes
- You're collecting data for academic reasons
- Collection is for national security and crime prevention (applies to official bodies only)
The best option? Assume you need to comply with LGPD, because most companies do.
Before we move on, here are some key takeaways:
- The LGPD protects sensitive and personal data belonging to Brazilians
- If you process Brazilian data, or market goods and services to Brazilians, you need to comply with the rules unless the limited exceptions apply
Requirements of the LGPD
Complying with the LGPD is relatively straightforward, and it works much like complying with the GDPR: you need to follow the 10 legal principles. So how do you do that?
Essentially, if you want to process personal data belonging to Brazilian individuals, you need to:
- Appoint a Data Protection Officer
- Get clear and informed consent to the collection
- Protect data in your control
- Keep a record of your data processing activities
- Report data breaches without undue delay
Let's go through these steps one at a time and look at some examples of compliance.
How to Comply With the LGPD
We'll start with appointing a Data Protection Officer (DPO) since it's the first thing you should do before you think about handling personal data.
Appoint a Data Protection Officer
According to Article 41 of the LGPD, every company needs a DPO to oversee cybersecurity and data protection compliance:
You can appoint a member of staff for this job. You don't necessarily need to hire someone new.
- Confirm that you collect personal data
- Set out your reasons for collecting it, i.e. the legal basis
- Inform people of their rights
- Explain how they can contact you to exercise those rights
Declaration of Data Collection
This part's all about transparency and accountability. You need to tell people that you're collecting personal data.
Here's an example from American Airlines. First, the company declares that it's collecting personal data. Then, it helpfully explains the main ways the data is collected:
The Data You Collect
Next, you should explain what data you actually collect. Ultimately, you're trying to ensure you can collect as much data as you need, particularly for marketing or analytics purposes. So, the goal is to keep this clause pretty broad.
Here's how Gymshark sets out a detailed list of the kinds of personal data it collects. You'll notice it uses language like "may collect" and "such as" so that people know the list isn't exhaustive:
Your Legal Basis
Article 7 of the LGPD sets out 10 legal grounds for data processing. You can't collect personal data unless you can justify it under one of these grounds:
- Individual consent
- Performance of a contract with the individual
- Complying with your legal obligations
- Protecting a credit score
- Legitimate interest
- Public health
- The individual's safety
- Performing public statutory duties
- Legal proceedings
For example, Gymshark holds pictures and videos for legitimate marketing purposes. It also holds a customer's personal data to fulfill a contract and comply with its legal obligations. In other words, there are three legal grounds here, and like Gymshark, you need to set out a specific legal basis for all data you collect:
User Rights
The LGPD gives people 9 specific rights that you need to tell them about. People have the right to:
- Know about the data processing
- Get access to the data
- Amend their data
- Revoke consent for processing their data
- Have their data deleted
- Ask for a portable copy of the data you hold
- Request you anonymize their data
- Ask who you share the data with, i.e. third parties
- Contact you or a supervisory body for more information
You need at least one clause covering these rights and telling people how they can exercise them.
Here's an example of how Rogue Fitness handles this requirement for its EU customers.
It sets out what rights people have and tells them where to turn for more information on privacy rights. Since the GDPR and LGPD requirements are so similar, if you draft something like this, you're complying with both:
Contact Details
You need to include at least one, but preferably more, ways for someone to contact you about their personal data. It's best if you include a free method, such as email, so everyone can reach you.
Here's an example from American Airlines:
Get Consent to Collect Data
So where do you put these notices? It's a good idea to present them before someone enters a contract with you, e.g. at the checkout screen or account registration area.
Here's an example from Holland & Barrett:
What matters is that consent is clear and informed, i.e. people know what they're consenting to.
Keep Data Secure
It's your responsibility to protect the personal data you collect, process, transfer, and store. So you need tools to keep data safe.
In other words, you need to perform a risk assessment and design a cybersecurity program. If you're unsure what you need, consider getting help from an IT company or managed services provider. They'll point you in the right direction.
Record Data Processing Activities
You should record what data processing activities you're involved in and how you perform them.
There's no set format for record-keeping. All that matters is you keep clear records you can show the supervisory authorities if necessary.
Reporting Data Breaches
If there's a data breach that puts personal data at risk, you need to report it as soon as possible.
The rules are in Article 48. Your breach notification should explain:
- What happened
- Who it affected
- The possible risks
- The steps you're taking to prevent it happening again
Send the data breach notification to the affected individuals and the supervisory authority.
Penalties for Not Complying with the LGPD
If you don't comply with the LGPD, you'll likely end up receiving a fine. The maximum is lower than what you'd be expected to pay for breaching the GDPR, but it's still a substantial penalty.
According to Article 52, the maximum fine you'll pay is 50 million Reais, or just under $9.3 million USD:
We aren't seeing cases coming through the courts yet, but we can assume, based on other privacy laws, that you'll only pay sums like this for the most serious offences. Most businesses will pay much less. Everyone will probably get at least a warning.
The good news? If you need to comply with strict privacy laws like the GDPR, you're probably already complying with the LGPD, so there's not much to worry about.
Conclusion
If you plan on selling goods or services to Brazilians, or you process personal data of Brazilian individuals, you need to comply with the LGPD. The key rules are:
- You can't collect personal data unless you have a legitimate reason
- You shouldn't use personal data for any reason other than why you collected it, unless you get consent again
- It's on you to protect personal data with appropriate safeguards
- If there's a data breach, you must report it
To comply, you must:
- Appoint someone to act as your Data Protection Officer
- Put appropriate cybersecurity measures in place
- Record all your processing activities