Protecting personal data has become a fundamental issue in the digital age, leading to the implementation of regulations worldwide to ensure individuals' privacy and security. Two of the most well-known and comprehensive regulations in this regard are the General Data Protection Law (LGPD) of Brazil and the General Data Protection Regulation (GDPR) of the European Union. After all, they cover vast populations in their territories, consequently resonating beyond their borders.

However, while both aim to protect individuals' rights regarding the processing of their personal data, there are some important differences between them.

The first significant difference between LGPD and GDPR lies in their geographical application. GDPR applies to all European Union (EU) member countries and also to companies outside the EU that process data of EU individuals.

On the other hand, LGPD applies to all organizations processing personal data in Brazil, regardless of their geographical location. This means that both Brazilian and foreign companies dealing with personal data of Brazilian individuals must comply with LGPD provisions. Hence the importance of transparency in international data transfers.

Another significant difference is the amount of non-compliance fines. Under GDPR, fines can reach up to 20 million euros or 4% of the company's global turnover, with the higher value prevailing. Meanwhile, LGPD establishes fines that can go up to 2% of the company's revenue in Brazil, capped at 50 million Brazilian reais per infringement.

It's important to note that these values represent maximum penalties, and the severity of the infringement and the organization's financial capacity are considered when determining the fine. Another point is that the fine is per infringement, meaning that 1 citizen who has their data compromised equals 1 infringement. How many infringements would be calculated for a database with thousands, millions of data?

The definition of sensitive data also differs between the two regulations. While GDPR includes specific categories of data such as race, ethnic origin, political opinions, religious beliefs, health, sexual orientation, among others, LGPD goes further and also includes biometric and genetic information as sensitive data.

This broadening of the definition of sensitive data in LGPD reflects the concern to protect even more sensitive personal information and ensure that it is processed with due care.

Consent for data processing is another aspect that differs between GDPR and LGPD. Under GDPR, consent must be explicit, specific, and freely given by the individual. In contrast, LGPD requires unequivocal consent, provided through a statement or other affirmative action by the data subject.

Both regulations emphasize the importance of informed and free consent, ensuring that individuals have control over how their personal data is used.

However, you might wonder: Wouldn't it be the same thing but worded differently?

Nevertheless, despite both regulations emphasizing the importance of consent, there are subtle differences in how they approach this aspect.

According to GDPR, consent must be explicit, meaning it must be given through a clear and specific affirmative action by the individual. This implies that consent cannot be presumed or obtained through omission or pre-selection. Furthermore, consent must be specific, clearly indicating the purpose for which the data will be processed. It must also be freely given, meaning the individual must have the freedom to choose to consent or not, without suffering pressure or coercion.

On the other hand, LGPD requires unequivocal consent, which means that consent must be clear and indisputable. It must be provided through a statement or other affirmative action by the data subject, indicating their agreement to process the data for a specific purpose. LGPD does not use the term "explicit" like GDPR but requires consent to be unequivocal, meaning it leaves no doubts or ambiguities.

Although the nomenclature and words used to describe consent may vary between the two regulations, the differences go beyond that. GDPR sets specific requirements for explicit consent, while LGPD emphasizes the need for unequivocal consent.

These differences reflect the distinct approaches taken by each regulation, although both aim to protect individuals' rights and privacy regarding the processing of their personal data.

In conclusion, LGPD - recently published its guidance on the use of cookies. In this regard, they draw heavily from GDPR's defaults regarding specific requirements for explicit consent in consent collection.

Another relevant point is the appointment of a Data Protection Officer (DPO). Under GDPR, some organizations are required to appoint a DPO to oversee compliance with the regulation and act as a point of contact for data protection-related issues. This obligation applies to organizations that carry out systematic monitoring on a large scale of personal data or process special categories of data, such as health-related or ethnic origin-related data.

In contrast, LGPD, while not requiring the appointment of a Data Protection Officer, recommends that companies designate a professional responsible for dealing with privacy and data protection issues. Ultimately, the company's managing partner would already be responsible for this aspect.

Regarding the impact of internet cookies, both GDPR and LGPD address the issue similarly. Cookies are small text files stored on users' devices when they visit a website. They play a crucial role in personalizing the online experience but can also collect personal information. Both regulations require websites to obtain user consent before storing or accessing cookies that collect personal data.

GDPR establishes that consent must be obtained through a clear affirmative action, such as checking a checkbox or clicking a button. Additionally, users must be informed about which cookies will be stored, for what purpose, and for how long. They also have the right to withdraw their consent at any time.

Similarly, LGPD follows a similar approach, requiring websites to obtain prior and unequivocal consent from users before using cookies that collect personal data. Users must be informed about the purpose of the cookies, as well as the option to refuse or revoke consent. Moreover, LGPD also provides users with the right to access, correct, and delete their personal data collected through cookies.

Therefore, both GDPR and LGPD aim to ensure that users have control over their personal data, including those collected through cookies. Companies operating in both the European Union and Brazil must be aware of the provisions of these regulations and take appropriate measures to ensure compliance.

In summary, GDPR and LGPD are comprehensive data protection regulations aimed at protecting individuals' rights and privacy. Although there are differences in their geographical applications, fines for non-compliance, definitions of sensitive data, and consent requirements, both share the goal of promoting transparency, control, and security in data processing.

Furthermore, both regulations recognize the importance of consent for the use of cookies and require websites to obtain user consent before collecting their data through these technologies. Therefore, companies operating in compliance with GDPR and LGPD must closely observe the guidelines related to internet cookies, ensuring they obtain appropriate consent and provide clear information about the collection, storage, and use of these cookies.

Learn more about the 10 risky processes in you marketing you should revise.

The impact of internet cookies is significant for companies that must comply with both GDPR and LGPD. Cookies are widely used to track user behavior, personalize ads, and enhance the browsing experience. However, they also raise concerns regarding privacy and the protection of personal data.

For companies operating in compliance with both regulations, it is crucial to ensure that cookies are set up and used in accordance with consent and transparency requirements established by the regulations. This entails obtaining explicit consent from users before activating cookies and providing clear information about the types of cookies used, their purpose, and storage duration. Additionally, companies should allow users to opt out of accepting cookies or easily manage their cookie preferences.

Non-compliance with provisions related to cookies can result in substantial fines, as well as loss of user trust and damage to the company's reputation. Therefore, it is essential for companies to be vigilant about the obligations imposed by both GDPR and LGPD regarding internet cookies.

To ensure compliance with GDPR and LGPD regarding cookies, companies should take the following measures:

1. Transparency: Companies must provide clear and accessible information about the use of cookies on their websites. This includes explaining what types of cookies are used, for what purpose, and how long data is stored.

2. Proper Consent: User consent must be obtained before activating cookies that collect personal data. Consent must be obtained clearly, specifically, and unequivocally. Users should have the option to consent or refuse the use of cookies and manage their cookie preferences.

3. Preference Management: Companies should offer users clear options to manage their cookie preferences. This may include the ability to accept or reject specific categories of cookies or revoke previously given consent.

4. Data Security: Companies should implement adequate security measures to protect personal data collected through cookies. This includes safeguarding this information against unauthorized access, misuse, or disclosure.

5. User Rights: Companies must respect users' rights regarding their personal data, as established in GDPR and LGPD. This includes the right to access, correct, update, or delete data collected through cookies.

By adopting these measures, companies can ensure they are acting in compliance with data protection regulations and demonstrating their commitment to user privacy and security.

Need assistance in implementing a cookie policy and consent collection on your company's websites? We at AdOpt can help!