The purpose of this article is purely informative - AdOpt does not provide legal advice, and we are not responsible for any actions taken by third parties in the free interpretation of the law.
Summary: All the important information about the General Data Protection Law - LGPD: what it is, why it exists, how it works, when it came into force, who it applies to, potential fines, steps for compliance, and its legal principles.
This text was created to help you understand the law as a whole, from basic principles to compliance, its steps, and prepare you to make the necessary adjustments. Within each topic or subtopic, I've included other more advanced articles to help you delve deeper into individual subjects.
Note: This article serves as a comprehensive repository of everything we have read, know, and have recorded for our readers and clients. In the table of contents below, you can access each section individually.
Oh, and since we're always updating and adding new content here, you'll notice that there's always something new!
Best regards and happy studying!
The General Data Protection Law, known as the "Brazilian GDPR," was enacted during the Temer government in August 2018. It establishes the parameters for the collection, storage, processing, and sharing of personal data.
The General Data Protection Law (LGPD) is a Brazilian legislation that regulates how personal data is used. The law applies to both physical and digital data obtained via the internet.
With the growth of technology giants like Google, Facebook, Amazon, Apple, etc., the personal data of their users and customers became increasingly valuable, as it held the key to understanding the behavior and consumption patterns of these individuals.
Have you ever thought that the user base of Facebook is larger than the population of many countries in the world? Within this private and 100% controlled universe, there was no prevailing international legislation, and everyone was treated "equally," beyond international treaties or diplomatic orders.
Add to this the fact that over 50 million Facebook profiles were manipulated by a company, giving rise to the Cambridge Analytica scandal, which amplified the public debate on privacy and data usage. The way companies obtained data and shared it with third parties, relying on masked authorizations, began to be questioned.
Everyone leaves their traces on the internet: login data, passwords, age, location, preferences, personal tastes, political and religious opinions, credit cards, and even our faces. People constantly share this information, sometimes without being aware of it.
In this scenario of debates and insecurities about privacy, Brazil followed a global trend and created the General Data Protection Law. This measure will force all companies to adjust - and if they do not, the penalties are severe.
Diplomatic Risks Stemmed from Personal Data
Isn't this a risk of diplomatic and international proportions? Does Facebook wield more power than the president of your country?
Now, let's consider Amazon. What impact does it have on local commerce and entrepreneurs when it decides to enter a new market? The megalomania of the world's largest e-commerce platform continues to penetrate new markets and countries with extremely controlled and competitive prices, along with delivery and customer service standards that are, for many local businesses, an operational dream.
Here, we face yet another risk, the economic one. If internet-generated data informs me that you left a pair of shoes in your e-commerce cart, or that you have an interest in cooking, what power do I have in my hands if I sell shoes or kitchen items globally?
This is just to illustrate two aspects. We could also delve into the realm of communications, encompassing all devices (from Apple to Android), the servers that run all these digital technologies (AWS, Oracle, Microsoft), and even healthcare. Just like the shoe example above, imagine a scenario where data reveals an emergency or continuous-use medication need. Would a pharmaceutical company be interested in this data?
In the end, it's no wonder that in 2017, The Economist declared that data would be the new oil. And, just like any scarce and valuable resource, there's a race for it. Legislations come into play, and the international rule tends to be "grab what you can while it's unregulated."
It's common for companies to have forms on their websites collecting emails and information to send offers and personalized content to customers and prospects. E-commerce platforms require basic information to complete purchases: name, last name, email, address, and all the digits of your credit card.
What's the problem with this? None, if you work ethically. In fact, it's what a business needs to send its offers and satisfy its customers. But after scandals like the Cambridge Analytica incident, people started to worry more about their privacy and how their data was being used questionably (and dangerously) by some companies.
LGPD, which came into effect in 2020, will make this relationship between individuals and companies fairer and apply fines ranging from 2% of revenue up to 50 million reais. People will know what data is being collected and why. Companies interested in this data will provide this information, making their work ethical and transparent.
But, to better understand Brazilian legislation and its implications for individuals (CPF) and companies (CNPJ), it's necessary to look at a previous law: GDPR, a European law created in 2016.
The General Data Protection Regulation (GDPR), in Portuguese Regulamento Geral de Proteção de Dados, is a European law. This regulation was created in 2016 and implemented in 2018.
It's important to note that since data usage became relevant in Europe, around the 1980s, this topic began to be discussed. Before GDPR emerged, the European Union already had, since 1995, the Data Protection Directive aimed at personal data protection.
GDPR came into effect during a turbulent period, marked by scandals and cases of data misuse by companies. Consequently, pressure increased for other countries to adhere and create legislation with the same purpose.
For the first time in history, a European citizen could enter ANY company to ask if they had data about them, or on them, and demand that it be formally delivered to them, or even require its deletion, without prejudice to other laws. Companies faced hefty fines if they didn't comply with such requests.
Using a trendy term, citizens were empowered as never before.
GDPR revolutionized markets as a whole because, regardless of where you operated, it protected European citizens beyond borders. How so? If a European citizen accessed a Brazilian website, that site was obligated to handle the citizen's data in accordance with GDPR or an equivalent local law if such a law existed.
This is where the turmoil began because no country had - at that time - such legislation. Consequently, GDPR foresaw this and stated that if there was no local legislation or if the local legislation was less stringent in terms of privacy rights, GDPR would override local legislation in those terms.
With LGPD, Brazil joins a list of around 100 countries that have adequate data protection regulations. This step is also important for international trade relations because countries that follow the law only partner with those who adhere to the same security and privacy guidelines.
Can you then visualize the pressure this put on all countries that negotiated, sold, or accessed European citizens' data?
Soon, local legislations that were nearly a CTRL-C, CTRL-V of GDPR began to emerge to protect their own citizens and attempt to balance the market. Each country also had its interpretation not only in theory but could also observe what was happening in the European domestic market with companies there, which were already facing these changes in their day-to-day operations.
Fines, more fines against Google, Facebook, etc., were applied, and billions of euros were paid out until technologies and processes were properly adapted. And even today, much work is being done for the market to get used to this situation and navigate this sea, now completely demarcated.
In the end, this is the context that forced many countries to have their own privacy laws (even North Korea has a privacy law, believe it or not). So, Brazil quickly took the initiative to create the General Data Protection Law - LGPD so it could already argue for its own interests. Since its creation in 2018, until today it had a market adaptation period for companies to comply, a period that ended in August 2020, leaving only the fines to come into effect in August 2021.
According to articles one and three of the law, LGPD applies to any natural or legal person, whether public or private, as long as:
In other words, foreigners who contact Brazilian companies and provide their data should also have their privacy respected according to the law.
And to whom does the law not apply?
According to the fourth article, the law does not apply to natural persons who use data for non-economic and personal purposes. It also doesn't apply to data used exclusively for journalistic, artistic, academic, public safety, and national defense purposes, as well as investigations and criminal actions.
But, to better understand in which cases the law applies and in which it doesn't, we need to understand the principles behind the regulation, which is based on GDPR.
The sixth article of the General Data Protection Law specifies ten principles on which the regulation is based. These are the same principles as GDPR. It's important to understand them because the law relies on them, and by knowing them, you'll know how to act and how not to.
But, knowing the principles behind the law and how to act in accordance with them, a question arises: under what circumstances can data be used?
The direct or indirect act, online or offline, of accessing the personal data of Brazilian citizens.
Any "information related to an identified or identifiable natural person." In other words, data is considered personal when it allows the direct or indirect identification of the natural person behind the data, such as name, last name, date of birth, personal documents (such as CPF, RG, CNH, Work Permit, Passport, and voter ID, Reservist Card), addresses, phone numbers, personal emails, cookies, and IP addresses.
LGPD also defines sensitive personal data, those related to: "racial or ethnic origin, religious belief, political opinion, union membership or membership in a religious, philosophical, or political organization, data related to health or sexual life, genetic or biometric data, when linked to a natural person." Due to their greater potential for identification and even harmful and discriminatory qualifications, the processing of such data has even stricter rules.
It is important to note that when we have your data but it does not allow direct or indirect identification, we have what is called Anonymized Data. Many companies use encryption to anonymize all their data, thus avoiding even greater risks in case of leaks, for example.
This applies to all data collection interactions, online or offline, direct or indirect.
Any natural person, yes. It is important to note, however, that Legal Entities have specific legislation that regulates their data and the types of sensitive information or information that should be public.
Therefore, you as an employee of a particular company, when acting on behalf of that company, for example by sending an email on behalf of the company. Such data and information are considered part of the Legal Entity.
For this reason, your company's emails, phone number, employee registration, etc., are not your personal data and are subject to separate legislation, parallel to LGPD.
However, your CPF, RG, Work Permit, etc., which the company uses and processes to hire you or sell you a product or service, are yours and are covered by the General Data Protection Law LGPD.
There are numerous examples: when responding to satisfaction surveys in exchange for gifts, providing your CPF at the pharmacy for a discount, accessing your profile by giving your date of birth at your favorite store, identifying yourself and taking a photo to enter a commercial building... All these occasions constitute the collection of personal data, some sensitive (surveys by institutes mentioning race, sexual orientation, and religion), and are under the control of LGPD. Therefore, companies must accelerate the review of all their internal processes because any company with just 1 registered customer or 1 employee, for example, could already be questioned by citizens freely.
For this reason, in an age where Big Data with its numerous databases spread across the world and in the clouds is a very valuable asset, companies are studying numerous ways not only to be able to keep their operations running freely but also to reduce risks in compliance.
The General Data Protection Law grants some rights to data subjects. It is important to know this because 1) your company needs to know how to proceed and which rights to respect; 2) your own data is also shared with companies.
There are 10 rights:
But now let's focus on one of the most critical points: what are the penalties for companies that do not comply with this set of laws?
LGPD provides for six administrative penalties or fines. If companies and organizations do not fully comply with the law, they are subject to fines and measures, which vary according to the severity of the violation.
Let's see what these six fines are:
But, be cautious!
The ANPD - National Data Protection Authority will provide much more information on this, and we do not yet have a broad jurisprudence on the subject. Caution is advised, but we are still at the beginning of this chapter.
ANPD is the federal government agency responsible for the enforcement and implementation of LGPD (General Data Protection Law) in Brazil. Its role extends beyond just developing regulations aimed at promoting a culture of personal data protection, fostering adaptations and adjustments for the market. ANPD also conducts audits of companies and can apply fines and other administrative sanctions in cases of non-compliance with LGPD.
This agency falls under the federal branch of government and is currently not entirely independent.
Regardless of your company's size, focus on two perspectives that can guide you through the entire process: the Operational perspective and the lens of a Privacy Culture. They may not be your complete solution, but they are an excellent starting point. These perspectives will be the core of the other necessary steps, helping you deduce and measure things according to your company's size and sector.
Remember, your first challenge may indeed be compliance, but the next one will be maintaining that compliance. Therefore, it's not enough to have the best control spreadsheet if the company's culture does not support its maintenance. Below, we list some tasks that will help you better understand the steps you need to take, whether independently or with the help of a third-party consultancy, when viewed from an Operational and Cultural perspective.
Develop processes to assist you in mapping and managing all the data you control or operate. Transparency and awareness that data are now protected by law, and that "from the janitor to the CEO," everyone has responsibilities.
Review the company's processes, bringing co-responsibilities to the areas in order to list the handovers and contracts, internal and external responsibilities that each area is responsible for.
Always keep your Data Mapping / Data Inventory updated to facilitate consultation whenever necessary. Here you can delve into this subject
Risk analysis and security for potential data breaches. Both in online and offline environments, what are the risks of a data breach? This should be mapped and listed in your control.
List tools and points of contact between people and data. What is your responsibility and how does it reflect on your suppliers and technologies that you bring or participate in the operation of as a supplier?
Analysis of key internal and external contracts and compliance needs. Image rights, labor contracts, warranties, after-sales service. Every contractual relationship (LGPD's legal basis) needs to be rethought as a risk and/or an opportunity to access and process this data.
Alignment of the expertise required for LGPD to be implemented comprehensively and to emphasize the importance of this perspective, focused on personal data and its risks, throughout the day. You must have noticed that LGPD has a multidisciplinary nature. Who are the best people around you or on your team to help you with these new routines?
Parallel and complementary legislations that are reinforced or overwritten by LGPD. Consult lawyers, regional councils, and understand how your sector is responding to LGPD's guidelines.
Incorporate into the company's daily life a preference for appropriate planning and processes that prioritize the privacy of data subjects, regardless of the area and/or department.
Delegate to department managers the co-responsibility and custody of personal data that pass through their departments. Educate, reinforce, open channels for questions so that everyone - EVERYONE in the company has this awareness.
Just as fiscal laws mandated the obligation and right to issue invoices and later the possibility of adding CPFs to invoices, requiring many changes in specific departments, similarly, other previously exempt departments carry this responsibility in their processes. Convey to marketing, for example, that their actions now carry a different weight, and everyone is responsible for them.
So, always think long-term, about how to create routines and correct mistakes in order to stop them, not push them forward!
Understanding the principles of Privacy By Design - Embed this in your values and strengthen a culture of privacy.
Understanding the business model and the legal bases for your company and your customers. The entire chain is interconnected and co-responsible when this data is transmitted. Keep your processes and bring rigor to the others involved.
In short, this is quite an extensive list that we hope will help guide you through the challenge of compliance. Yes, it's significant, and yes, it's hard work, but it's necessary not only from a business perspective but primarily when we put ourselves in the shoes of the data subjects that we all are.
Now that you understand the principles behind LGPD, you've probably thought of various ways to comply with the regulation. All companies are making adjustments to align with best practices according to the regulations.
To assist you, we've listed 12 practical measures for your company to collect data in accordance with the regulations:
With this information in hand, you are prepared to comply with the General Data Protection Law. To assist you further, we've created a tool that will tell you if your website is compliant. You can access the tool here.
In the section above, I listed various tasks that will help you with compliance.
But it's all in vain if transparency doesn't speak loudly and is woven into all these steps. Obviously, your size and market directly impact the level of transparency that is already required of you.
For example: at first glance, we don't assume accounting transparency from a restaurant. Just as we don't seek the cleanliness of a law firm's kitchen. However, in terms of Personal Data and, above all, Sensitive Personal Data, both have a responsibility – still equivalent under LGPD. Because the way they collect, process, and operate this data can offer risks according to the law. And when we talk about a fine proportional to the size of our company (2% of gross revenue), every caution is warranted.
In other words, even before wanting to avoid your responsibility or justify your size and market, always put yourself in the shoes of the data subject, which we all are when we step out from behind the counter, and have respect for the data entrusted to us.
When we make a historical analysis, it's easy to understand that GDPR was the pioneer in this field and influenced all the others when it was created in 2016. The texts are all public and available for consultation on the internet by all of us.
So, here, we have listed the main points of similarity and difference:
In this link, you can find a more detailed explanation of each of the points mentioned above.
The law has been in force since August 2020, and the beginning of fines and penalties was set for August 2021. In other words, if you haven't started yet, you are already late because, on average, a company takes 18 months to become compliant.
Need some tips? In this very article, go to the section: Where to Begin LGPD Compliance for My Company? In it, we have several questions that you could start trying to answer, whether through independent compliance or via consultancies, for example.
In this link, we have prepared a series of texts that are practically an introductory e-book that will also help you with the topic.
There is much to do to create a mature jurisprudence, indeed. With each decision supported by LGPD, given by judges and appellate judges... or with each appeal that mentions LGPD in its defense, a new opportunity for our understanding is created.
However, we still don't have many definitions about this (Feb. 2021) because ANPD is still establishing its processes and operational guidelines. As soon as we have the direct action and fine(s) from ANPD, we will have these records for eventual consultations.
It's worth keeping an eye on these decisions at https://lgpdnews.com/ as they always provide us with up-to-date LGPD news.
We still don't have many definitions about this (Jun. 2022) because ANPD is still establishing its processes and operational guidelines. As soon as we have the direct action from ANPD, we will have these records for eventual consultations.
This depends a lot on the size of your company, the market you operate in, and your understanding of the law. Not to mention the maturity of your company's processes for the new processes and routines that LGPD brings with it.
In this article itself, go to the section: Where to Begin LGPD Compliance for My Company? In it, we have several questions that you could start trying to answer, whether through independent compliance or via consultancies, for example.
Without getting too legalistic or trying to give you a perfectly technical answer, the Legal Bases of the General Data Protection Law – LGPD are the reasons and justifications, supported by LGPD, for which companies not only can but must have access to the eventual data of data subjects in order to perform their functions.
It's essential that you understand them in detail and, above all, find the legal basis that allows for the direct or adjusted maintenance of your company's current operations.
Below are the 10 Legal Bases of the General Data Protection Law – LGPD.
There are numerous discussions and deep dives for each of them.
We've put together this article here that compiles descriptions for you to start delving into each of them.
Certainly, the most popular Legal Bases of LGPD are Consent and Legitimate Interest due to the ease with which one can attempt to justify access or an eventual need for Personal Data, manifest in the commercial relationship between the company and the data subject (you and me).
However, we must be very cautious about the subjectivity by which we can consider them as the basis for our data collection, processing, etc. According to Article 8 of LGPD, Consent cannot be generic, subjective, or biased. So make sure that the consents collected are detailed and 100% valid in accordance with the law.
In this article, we have a very detailed explanation: Demystifying the Legal Basis of Legitimate Interest.
Some argue this thesis, but it's not everything!
Biased consent can invalidate everything...
There are already studies comparing consent with the so-called "Adhesion Contracts," the famous "I Agree" in contracts we never read, which are easily broken by the other party's lawyers, mainly due to the lack of Clarity, Options for making a customized decision for that person/occasion, among others.
If this is your case, and you only see Consent as the Legal Basis for the use of personal data, consult a lawyer who specializes in LGPD to help you with the stages of communication, collection, storage, and management of these consents.
There is still a lot to discuss on this topic. For now, this is what we have, but we will soon provide further updates and study topics.
Surely you've already seen the predictions of fines and sanctions, processes. But, what does it mean to your company?
In the end, our goal has never been to predict doom for companies or to be part of the LGPD's Apocalypse Cavalry. But, since we've been in the market for some time, these kinds of issues always catch our attention when we start data mapping and having conversations with colleagues.
It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.
Now that we have the data flow within your company, we need to highlight 2 aspects of LGPD that will help you determine the extent of your responsibility in relation to the many points listed in the company. I'm talking about the difference between Data Controller and Data Processor.
Despite cookies being more well-known, what is the main difference between cookies and session storage and local storage? Why choose one over the other? This article will help you with these doubts!
LGPD, GDPR, and CCPA are data privacy regulations. In this article, we discuss their similarities and differences for practical application.
With the data mapping we have a clear understanding of the 5 stages that every data goes through in a company.
While it's not exactly breaking news, discussions about privacy policies have been popping up more frequently since the start of GDPR in Europe. And despite it seeming coincidental, it's not!
Drawing an analogy from the world of soccer, we can think of the DPO as the "midfielder" of the team, responsible for connecting the defense and the attack.
Brazilian LGPD - General Data Protection Law brought with it several acronyms and specific terms. Many of them imported from other countries and legislations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. An essential document for any DPO, Data Processor.
Want to understand why there are cookie banners on every website you visit today? This article is for you!
Tired of the ads from that site you visited following you around? Is your computer running slow when accessing a particular site? Want to delete all cookies from a specific service or site?
In this article, you will have a great introduction to the topic, as well as various other variations that revolve around the subject: Cookies and LGPD.
In this article, we will answer all your questions regarding fines under the LGPD (Brazil's General Data Protection Law).
While both regulations share the goal of safeguarding individuals' rights regarding the processing of their personal data, there are some important differences between them. It is crucial to understand these distinctions and their implications, particularly in the context of internet cookies.
What are the criteria for this choice, and what are the strengths and weaknesses of each option? Well, we're here to help you because this decision needs to be well thought out!
Every day, millions of users generate data on the web, which is used by companies around the globe to improve their offerings. Therefore, in 2018, a law was created to regulate the use of personal data by companies, and this directly impacts digital marketing. We're talking about LGPD.
© GO ADOPT, LLC since 2020 • Made by people who love🍪