Brazil's LGPD

by Jennifer L. Legal writer.
Brazil's LGPD

If you sell goods or services in Brazil, or collect Brazilian personal data, then you need to comply with the Lei Geral de Proteção de Dados (LGPD).

The LGPD is essentially the Brazilian equivalent of the European Union's General Data Protection Regulation (GDPR). Its goal is to give Brazilians control over what happens to their personal or private data. That being said, although the laws are similar, they're not identical, so you need to learn them both.

But how do you know if the LGPD applies to your business, and what obligations does it place on you? Don't worry - we'll cover everything. So, let's walk through everything you should know about the LGPD, starting with the basics.


Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.


The LGPD

The LGPD brings Brazilian data protection law in line with other privacy regulations around the world. Basically, it sets out clear rules for how people can collect, process, and use personal data collected in Brazil.

In total, there are 10 principles you should follow. We'll show you how later, but here's a summary first:

  • Legitimacy: You can't process personal data without a suitable reason
  • Necessity: Don't collect any more data than you need for a specific purpose
  • Adequacy: Provide adequate processes for safely handling the data
  • Accountability: You're responsible for the data in your control
  • Security: You can't collect personal data without proper cyber security protocols
  • Integrity: It's your responsibility to keep accurate and quality data records
  • Transparency: Make it easy for people to understand your data processing activities by publishing them somewhere obvious
  • Accessibility: Ensure data subjects know they can access the data held on them
  • Prevention: You must take steps to reduce the likelihood of a data breach
  • Non-discrimination: It's illegal to process data for discriminatory reasons

Before we look at complying with these principles, let's clear one thing up - what exactly is "personal data."

Personal Data

Under the LGPD, "personal data" is extremely broad. It's defined in Article 5, and as with the GDPR, it's basically any data we can use to identify a natural individual i.e. a real person:

LGDP Article 5 Sections 1 and 2: Definitions of personal data and sensitive personal data

You'll see there's a distinction between personal data, and "sensitive" personal data. "Sensitive" personal data is much like the GDPR's definition of simple personal data, which suggests that there's even more information considered "personal" under the LGPD than the GDPR.

What does this mean? Well, if you're collecting any data on a person at all, it's worth treating it as personal data to ensure you're following the law. If you want to collect sensitive data, you need even more safeguards in place.

Here's something else to keep in mind: The LGPD came into force on 15 August, 2020. So if the law applies to you and you're not already complying with it, you need to start now.

Goals of the LGPD

Goals of the LGPD

We can infer the goals of the LGPD by looking at its 10 principles.

  • The LGPD brings together various older data privacy laws into one cohesive, shorter regulation, which makes it easier for companies to follow the rules.
  • Brazilians now have the same legal rights over personal data as individuals elsewhere.
  • There's now a culture of accountability and transparency. People know what's happening to their data, and also companies understand their responsibilities.

Ultimately, like other privacy laws, the LGPD strikes a balance between:

  • Protecting someone's right to privacy, and
  • The need for companies to use marketing and data analytics to grow their businesses

Hopefully this is all clear enough now. But who actually needs to comply with the LGPD?

Here's what the law says.

Who the LGPD Applies to

Who the LGPD Applies to

The LGPD applies to any business or person collecting data belonging to Brazilian individuals. So it doesn't matter where in the world you set up your business.

If you serve the Brazilian market at all, you need to comply with this law:

LGDP Article 3: Applicability of the law

But just like the GDPR, the LGPD has some exemptions.

Exemptions

There are only a handful of occasions when the LGPD doesn't apply. In summary, you don't need to comply with the LGPD if:

  • You use the data purely for personal use e.g. a home address book
  • The data is for journalistic or artistic purposes
  • You're collecting data for academic reasons
  • Collection is for national security and crime prevention (applies to official bodies only)

The best option? Assume you need to comply with LGPD, because most companies do.

Before we move on, here are some key takeaways:

  • The LGPD protects sensitive and personal data belonging to Brazilians
  • If you process Brazilian data, or market goods and services to Brazilians, you need to comply with the rules unless the limited exceptions apply

Requirements of the LGPD

Requirements of the LGPD

Complying with the LGPD is relatively simple. Think of it like complying with the GDPR. All you need to do is comply with the 10 legal principles. So how do you do that?

Essentially, if you want to process personal data belonging to Brazilian individuals, you need to:

  • Appoint a Data Protection Officer
  • Draft a legally compliant Privacy Policy
  • Get clear and informed consent to the collection
  • Protect data in your control
  • Keep a record of your data processing activities
  • Report data breaches without undue delay

Let's go through these steps one at a time and look at some examples of compliance.

How to Comply With the LGPD

How to Comply With the LGPD

We'll start with appointing a Data Protection Officer (DPO) since it's the first thing you should do before you think about handling personal data.

Appoint a Data Protection Officer

According to Article 41 of the LGPD, every company needs a DPO to oversee cybersecurity and data protection compliance:

LGPD Article 41 Paragraph 2: Data Protection Officer activities

You can appoint a member of staff for this job. You don't necessarily need to hire someone new.

Have a Privacy Policy

A Privacy Policy is a key part of your compliance strategy. In your Privacy Policy, you should:

  • Confirm that you collect personal data
  • Set out your reasons for collecting it i.e. the legal basis
  • Inform people of their rights
  • Explain how they can contact you to exercise those rights

In this article, we're not covering every clause you should have in a Privacy Policy. You can find out more about them in our Privacy Policy Template article. But for our purposes, here are the clauses every LGPD-compliant Privacy Policy needs.

Declaration of Data Collection

This part's all about transparency and accountability. You need to tell people that you're collecting personal data.

Here's an example from American Airlines. First, the company declares that it's collecting personal data. Then, it helpfully explains the main ways the data is collected:

American Airlines Privacy Policy: Information we collect and how we collect it clause excerpt

The Data You Collect

Next, you should explain what data you actually collect. Ultimately, you're trying to ensure you can collect as much data as you need, particularly for marketing or analytics purposes. So, the goal is to keep this clause pretty broad.

Here's how Gymshark sets out a detailed list of the kinds of personal data it collects. You'll notice it uses language like "may collect" and "such as" so that people know the list isn't exhaustive:

Gymshark Privacy Notice: What personal information do we collect clause excerpt

Article 7 of the LGPD sets out 10 legal grounds for data processing. You can't collect personal data unless you can justify it under one of these grounds:

  • Individual consent
  • Performance of a contract with the individual
  • Complying with your legal obligations
  • Protecting a credit score
  • Legitimate interest
  • Public health
  • The individual's safety
  • Performing public statutory duties
  • Research
  • Legal proceedings

For example, Gymshark holds pictures and videos for legitimate marketing purposes. It also holds a customer's personal data to fulfill a contract and comply with its legal obligations. In other words, there are three legal grounds here, and like Gymshark, you need to set out a specific legal basis for all data you collect:

Gymshark Privacy Notice: What are our legal bases for processing personal information clause

User Rights

The LGPD gives people 9 specific rights that you need to tell them about. People have the right to:

  • Know about the data processing
  • Get access to the data
  • Amend their data
  • Revoke consent for processing their data
  • Have their data deleted
  • Ask for a portable copy of the data you hold
  • Request you anonymize their data
  • Ask who you share the data with i.e. third parties
  • Contact you or a supervisory body for more information

You need at least one clause covering these rights and telling people how they can exercise them.

Here's an example of how Rogue Fitness handles this requirement for its EU customers.

It sets out what rights people have and tells them where to turn for more information on privacy rights. Since the GDPR and LGPD requirements are so similar, if you draft something like this, you're complying with both:

Rogue Fitness Privacy Policy: Your Rights as a Data Subject clause

What's so great about this clause is how clear and simple it is. You should consider always using bullet points, or at least short sentences in your Privacy Policy to make it easy for everyone to read.

Contact Details

You need to include at least one, but preferably more ways for someone to contact you about their personal data. It's best if you include a free method, such as email, so everyone can reach you.

Here's an example from American Airlines:

American Airlines Privacy Policy: Contact us clause

While your Privacy Policy will need to include additional information, these are the key clauses for LGPD compliance.

You need someone's consent to collect their personal data. The best way to do this is by using a checkbox to get consent to your Privacy Policy. If someone consents to your Privacy Policy, it shows that they're okay with how you plan on using their data.

So where do you put these notices? It's a good idea to use them before someone enters a contract with you e.g. at the checkout screen or account registration area.

Here's an example from Holland & Barrett:

Holland and Barrett Account register form with I Agree checkbox

What matters is that consent is clear and informed i.e. people know what they're consenting to.

Keep Data Secure

Keep Data Secure

It's your responsibility to protect the personal data you collect, process, transfer, and store. So you need tools to keep data safe.

LGDP Article 46 Paragraph 1: Security measures for protecting personal data

In other words, you need to perform a risk assessment and design a cybersecurity program. If you're unsure what you need, maybe get help from an IT company or managed services provider. They'll point you in the right direction.

Record Data Processing Activities

You should record what data processing activities you're involved in and how you perform them.

There's no set format for record-keeping. All that matters is you keep clear records you can show the supervisory authorities if necessary.

Reporting Data Breaches

Reporting Data Breaches

If there's a data breach, and it puts personal data at risk, you need to report it. You'll need to report it as soon as possible.

The rules are in Article 48. Your breach notification should explain:

  • What happened
  • Who it affected
  • The possible risks
  • The steps you're taking to prevent it happening again

LGDP Article 48: Reporting data breaches

Send the data breach notification to the affected individuals and the supervisory authority.

Penalties for Not Complying with the LGPD

Penalties for Not Complying with the LGPD

If you don't comply with the LGPD, you'll likely end up receiving a fine. It's less than you're expected to pay if you breach the GDPR, but it's still a substantial penalty.

According to Article 52, the maximum fine you'll pay is 50 million Reais, or just under $9.3 million USD:

LGDP Article 52: Penalties

We aren't seeing cases coming through the courts yet, but we can assume, based on other privacy laws, that you'll only pay sums like this for the most serious offences. Most businesses will pay much less. Everyone will probably get at least a warning.

The good news? If you need to comply with strict privacy laws like the GDPR, you're probably already complying with the LGPD, so there's not much to worry about.

Conclusion

If you plan on selling goods or services to Brazilians, or you process personal data of Brazilian individuals, you need to comply with the LGPD.

  • You can't collect personal data unless you have a legitimate reason
  • You shouldn't use personal data for any reason other than why you collected it, unless you get consent again
  • It's on you to protect personal data with appropriate safeguards
  • If there's a data breach, you must report it

To comply, you must:

  • Appoint someone to act as your Data Protection Officer
  • Draft a legally compliant Privacy Policy
  • Put appropriate cybersecurity measures in place
  • Record all your processing activities
Last updated on 05 January 2021

Article categories

Jennifer L.

Legal writer.