LGPD - Brazil’s General Data Protection Law | Compliance with Cookiebot CMP

LGPD compliance with Cookiebot CMP

Updated January 17, 2022.

In this blogpost, we paint a broad overview of the LGPD (Lei Geral de Proteção de Dados Pessoais) – its substance and consequences for data protection in both Brazil and the rest of the world.

We look at its foundation and definitions, the rights it empowers data subjects with, what constitutes compliance with the LGPD and how it compares to the European GDPR.

Become compliant with Cookiebot consent management platform (CMP).

Update: Brazil’s LGPD now in effect!

Brazil’s LGPD took effect in August 2020 with a grace period of 12 months. Enforcement began in August 2021 and is led by the National Data Protection Authority (ANPD).

If your website, company or organization collect and process personal data from individuals inside Brazil’s territories, becoming compliant with Brazil’s LGPD is a legal necessity.

If you haven’t familiarized yourself with the LGPD or sought compliance with the law if you collect or process data in the territories of Brazil, read the following blogpost and try Cookiebot consent management platform (CMP) free for LGPD compliance today.

Cookiebot CMP is built around a world-leading scanning technology that detects and controls all cookies, trackers and third-party trojan horses on your website – completely plug-and-play and automated.

Cookiebot CMP by Usercentrics has been in operation since 2012 and offers full compliance with major data privacy laws like the European GDPR/ePR, California’s CCPA and Brazil’s LGPD and many other major data privacy laws.

Try Cookiebot CMP free for LGPD compliance today

Does my website use cookies?

Scan your website for free with Cookiebot CMP

With regard to the LGPD, the Brazilian Senate approved on August 31st, 2021 the PEC 17/19.

It alters the Federal Constitution to include the protection of personal data among the fundamental rights and guarantees, and it also establishes the Union’s private competence to legislate on the protection and processing of personal data.

One of the aims of the PEC is precisely to ensure that there is no risk of states and municipalities legislating or interfering in the application of the LGPD.

With the approval of the PEC 17/19, rules, laws, and regulations for the protection of personal data are consolidated, including the LGPD, and inserted in the Consumer Protection Code (Código de Proteção do Consumidor), which will provide more guarantees against violations and fraud so common with the current technological advances.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Scan your website to see if your website collects and processes personal data from Brazil

LGPD – Brazil’s data protection law

Brazil has over 140 million internet users. It is the largest internet market in Latin America and the fourth largest in the world in number of users. Brazil already has more than forty legal norms at the federal level that in various ways deal with data protection and privacy, causing a crosswire legal framework.

However, these are sectoral in nature, meaning that they relate separately and specifically to banking, real estate, consumer protection and the likes.

Brazil’s data protection law – the LGPD (Lei Geral de Proteção de Dados Pessoais) – is intended to replace this fractured legal landscape with an overarching regulatory framework.

Any data collection or processing within Brazil is protected by the LGPD, even from data processors outside of the country.

It will empower individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws in place today and is shaped with great inspiration from the EU’s General Data Protection Regulation.

Some even call it “Brazil’s GDPR”. And it’s true – if you’re already GDPR compliant, you are mostly within the provisions of the LGPD… though not completely!

There are some significant differences between the LGPD and GDPR, which we will sort out below.

Try Cookiebot CMP free for 30 days... or forever if you have a small website.

What is Brazil’s LGPD?

Brazil’s data protection law is Lei Geral de Proteção de Dados Pessoais, which means “general law of personal data protection”.

It is officially abbreviated to LGPDP, though it is most commonly known and referred to as the LGPD or Lei Geral de Proteção de Dados.

The Lei Geral de Proteção de Dados is closely modelled after the European GDPR and creates a legal framework for how personal data is allowed to be handled in Brazil. It contains sixty-five articles.

Brazil’s LGPD is in effect and enforcement
Sign up to Cookiebot CMP for free to make your website LGPD compliant

LGPD compliance in Brazil

Brazil’s LGPD (Lei Geral de Proteção de Dados) empowers data subjects with nine rights, defines what constitutes personal data, creates ten legal bases for lawful processing.

It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (ANPD) with powers of supervision, guidance and enforcement of its administrative sanctions.

Brazil’s LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed is a data subject.

Brazil’s LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.

Brazil’s LGPD also has “extraterritorial application”, which means that websites, companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.

In Article 3, it is defined that the LGPD applies to:

data processing within the territory of Brazil,
data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
data processing of data collected in Brazil.

LGPD compliance in Brazil with Cookiebot CMP.

Brazil’s LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the national territory.

This means that Brazil’s LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens!

LGPD compliance and EU adequacy

It is no secret that Brazil’s LGPD (Lei Geral de Proteção de Dados) has been closely modelled on the GDPR with the intention to make it easier for Brazil to achieve a so-called adequacy agreement with the EU, ensuring a free flow of data between the two.

Yet, some significant changes were made to the law in July 2019, when it was sanctioned by President Bolsonaro.

These include the removal of a provision that mandated companies and organizations to review machine-automated decisions, the removal of technical skill requirements for data protection officers, as well as changes made to the enforcement power of Brazil’s coming data protection authority (the ANPD).

In the original draft, the National Data Protection Authority (ANPD) had the option of restricting a data processor’s access to databases and forbid them to process personal data altogether. This was scrapped by the time Bolsonaro sanctioned the final version of the LGPD.

Brazil’s LGPD In English

An English translation of the official LGPD law text can be found here, however, note that it is a previous draft and not the final law that was passed in July 2019. Some changes have been made to the law, but the overall scope, foundation and wording remains very much the same.

See the official LGPD law text (in Portuguese)

Brazil’s LGPD and Cookiebot CMP

At Usercentrics, the parent-company of Cookiebot CMP, we follow the implementation and enforcement phase of Brazil’s LGPD (Lei Geral de Proteção de Dados) very closely, since it deals with our area of expertise: protecting privacy.

Cookiebot CMP is a tool that enables websites to be compliant when it comes to the use of cookies and tracking, as required by the EU’s GDPR and by the coming ePrivacy Regulation (expected in 2021) and by the LGPD in Brazil.

The Cookiebot CMP scanner finds all cookies and similar tracking technology, and automatically holds everything back until the users give their specific, unambiguous consent to which types of cookies they will allow on their browser.

Cookiebot CMP consent banner for full cookie control.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Scan your website for free to see what cookies are in use

LGPD overview

Brazil’s LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects.

They are found in Article 18 and empower individuals with the rights to:

confirmation of the existence of the processing of their data,
access their data,
correct incomplete, inaccurate or out-of-date data,
anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD,
have their data be portable, i.e. handed over to another service or processor if requested,
have their data deleted,
information about public and private entities with which the controller has shared data,
information about the possibility of denying consent and the consequences,
revoke consent.

These are closely modelled after the rights that the GDPR empower European citizens with and have direct implications for website owners and operators all over the world, who process and/or collect data within the territory of Brazil.

It means that if you have a website and that website has visitors from Brazil, or if you offer services to individuals in Brazil, or collect and process data within Brazil, you need to comply with the LGPD.

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

LGPD overview – personal data

Brazil’s LGPD (Lei Geral de Proteção de Dados) defines its key terms and concepts in its Article 5. These include personal data, sensitive personal data, data subject and processor, among others.

Personal data in the LGPD

Personal data is defined broadly in the LGPD.

The law simply states that personal data is “information regarding an identified or identifiable natural person” (Article 5, I).

This can be anything from names, ID-numbers, location data, online identifiers to physical, physiological, genetic, mental, economic, cultural or social facts, although the LGPD does not list any of these examples itself.

ANPD guide for protecting personal data under the LGPD (in Portuguese)

Sensitive personal data in the LGPD

Sensitive personal data is defined as a subcategory to personal data and applies when the data processed concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).

The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur.

Try Cookiebot CMP for free for compliance with Brazil's LGPD.

Personal information is similarly defined in the LGPD and GDPR, with minor differences.

They include “specific and distinct consent”, “by the public administration for the execution of public policies” and “studies carried out by a research entity”, the latter upon the guarantee that the data will be anonymized whenever possible.

Anonymized data in the LGPD

This subcategory refers to “data related to a data subject who cannot be identified” with the technical means of the time of processing. If anonymized data is in any way reversible, i.e. that if can be used to identify or used for behavioral profiling, it is not anonymized data.

Additional definitions important to the LGPD (found in Article 5)

Processing is defined by the LGPD as “any operation carried out with personal data”.
Consent is defined by the LGPD as “free, informed and unambigious manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose”.
Database is defined by the LGPD as a “structured set of personal data, kept in one or several locations, in electronic or physical support”.
Controller is in the lGPD defined as a “natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data”.
Processor is defined by the LGPD as a “natural person or legal entity, of public or private law, that processes personal data in the name of the controller”.
Officer is defined in the LGPd as a “natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority” (the ANPD).

IAPP’s English translation of the LGPD varies slightly from the original text in Portuguese, e.g. “Operador” is translated to “Controller”.

See the full 19 definitions in Article 5, take a look at the English translation here.

Of the ten legal bases for lawful processing that the LGPD lays out, consent is the first.

This is very important for our niche of the privacy field, because it has direct implication for how your website is allowed to set cookies, process user data and share this with third parties.

Article 8 of the LGPD makes it clear that consent cannot be obtained through “generic authorization”, rather it must refer to particular purposes.

This means that websites, companies and organizations must first obtain the specific, unambiguous consent of the data subject before any processing of personal data is allowed to take place.

Consent must be revocable at any time and must also be provided by the data subject “in writing or by other means”, e.g. a consent banner on a website.

When processing personal data, a website or company or organization must present a specific legal basis.

LGPD’s legal bases for processing

The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are –

With the consent of the data subject,
To comply with a legal or regulatory obligation of the controller,
To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
To exercise rights judicial, administrative or arbitration procedures,
To protect the life or physical safety of the data subject or a third party,’
To protect health, in a procedure carried out by health professionals or by health entities,
To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail,
To protect credit.

The entire processing of personal or sensitive data must be documented from its initial collection to its termination. Also mandatory is a description of what kind of data is collected, the purpose of the collection and processing, its retention time, and who the data can be shared with.

Controllers or processors can be either jointly or separately liable to data breaches or non-compliance.

LGPD overview – data protection authorities

Brazil’s data protection law LGPD (Lei Geral de Proteção de Dados) establishes both a national data protection authority (the ANPD) and mandates companies and organizations to appoint a data protection officer.

Autoridade Nacional de Proteção de Dados (ANPD) – Brazil’s new data protection authority

The ANPD – Brazil’s national data protection authority – was established by a Presidential decree on August 26, 2020 and had its board of directors appointed on Monday November 9, 2020 – officially entering the national data protection authority into force.

Enforcement of the LGPD is supervised by the ANPD.

The ANPD’s main objectives is to new norms, establish technical standards, supervise and audit, educate about the law and its correct applications, deal with notifications of data breaches and enforce its sanctions.

The national data protection authority is directly tied to the office of the presidency.

It has two bodies – the Board of Directors consisting of five members with expertise from the privacy and data protection field, and the National Council, a 23-member advisory board with representation from government, civil society, research institutions and the private sector.

Data Protection Officer (DPO) and the LGPD

According to the final version of LGPD (Lei Geral de Proteção de Dados), companies will be responsible for appointing a Data Protection Officer. It will be the job of this entity to ensure compliance with the LGPD for the data controller, who appoints them.

In the original draft, certain technical skills were required for an individual to become a DPO. These were deleted from the final, sanctioned version. This has led to criticism by privacy experts.

LGPD fines

The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law.

The penalty system ranges from –

Warnings issued in case of violations and non-compliance with the intent of having the entity adopt corrective measures.
Daily fines.
Fines up to 2% of annual turnover in Brazil or R50 million per violation, app. €11 million.

Become compliant with Brazil's LGPD with Cookiebot CMP.

Maximum fines reach 50 million Brazilian reais or 2% of a company’s annual turnover for a LGPD violation.

It is the responsibility of the ANPD to enforce such sanctions in Brazil.

The LGPD (Lei Geral de Proteção de Dados) was informed and shaped by the EU’s GDPR (General Data Protection Regulation) that came before it. It also has global jurisdiction, since any website anywhere that processes personal data from individuals in Brazil is obligated to comply with it.

First off, when it comes to the number of rights given to the data subjects in each law, the LGPD and GDPR vary slightly, but only on surface: the GDPR provides data subjects with eight fundamental rights, while the LGPD grants nine rights.

This is in part because the LGPD has split the more general “right to be informed” in the GDPR into the “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.

Secondly, the LGPD differs only on surface from the GDPR when it comes to its framework for what constitutes legal bases for processing of data. Again, the LGPD and GDPR basically aligns, with minor variations.

Where the GDPR has six lawful bases for processing, the LGPD has ten (as described above).

Again, the GDPR and LGPD basically align, but the LGPD splits the more general wording of the GDPR into more specific provisions.

The GDPR’s legal basis of “to save somebody’s life” has been split into first “protect the life or physical safety” and secondly “to protect health, in a procedure carried out by health professionals or by health entities” in the LGPD.

Other splits include the GDPR’s “necessary to perform a task in the public interest” into the LGPD’s “to execute public policies” and “to carry out studies by research entities”. Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.

Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.

Personal data has a broader definition in the LGPD than GDPR.

According to the LGPD, personal data is anything that relates to an identifiable natural person. In the GDPR, this is further specified with examples such as names, addresses, gender.

GDPR and LGPD compliance with Cookiebot CMP. — EU’s GDPR has more “teeth” than Brazil’s LGPD when it comes to enforcement.

Sensitive data is – like in the GDPR – a separate category from personal data that includes data on race, ethnicity, religious beliefs, political convictions, health, sexuality, genetics and biometrics. The restrictions for processing sensitive data in the LGPD are stricter than in the GDPR.

The LGPD does not give any definitions or provisions about pseudonymized data, as does the GDPR, except in context of research done by public health organizations. Where the GDPR is very specific in its requirements for the processing of personal data for marketing purposes, the LGPD does not specify at all.

In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is instituted to evaluate the potential risks of data processing. It also requires processors to notify their respective data protection authorities if high risks associated with data processing are assessed.

The LGPD also institutes DPIAs but does not specify how these are to be used, nor does it lay out any requirements for notification of any supervisory authorities.

LGPD makes is mandatory for companies to have a data protection officer (DPO), whereas this is only required in certain circumstances in the GDPR.

Time limitations for the notification of data breaches are sharply defined in the GDPR as 72 hours, whereas the LGPD loosely mandates that data breaches are to be reported to the authorities in “reasonable time”.

Compared with the GDPR, the LGPD is much less severe in its abilities to fine and penalize violations and non-compliance.

Maximum fines for non-compliance in the GDPR are set at €20 million or 4% of a company’s annual global turnover. The LGPD sets its maximum fines at 50 million Brazilian reais (around €11 million) or 2% of a company’s annual turnover in Brazil per violation.

The LGPD treats the transfer of personal data internationally in much the same way as the GDPR, by assessments of whether the foreign country has an adequate level of data protection laws in place. And of course, based on the prior, specific and express consent of the data subject.

However, the LGPD (unlike GDPR) does not rule on data being transmitted through Brazil without further processing.

Summary

With Brazil’s new data protection law Lei Geral de Proteção de Dados Pessoais (LGPDP), the country is getting a whole new legal framework for data protection that spans beyond sectoral reach, includes all data processing and collection within the nation’s territory, and might very well reach an adequacy decision with the EU, since the LGPD is closely modelled after its European sibling, the GDPR.

Try Cookiebot CMP free for LGPD compliance today

FAQ

What is the LGPD?

The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil’s federal data privacy law that governs all personal data processing within the country. It was passed in August 2018 and took effect in August 2020. LGPD empowers individuals inside Brazil with nine enforceable rights over their own personal data.

Try Cookiebot CMP free for 30 days for LGPD compliance

What is personal data under the LGPD?

The LGPD defines personal data as any kind of information regarding an identified or identifiable natural person. This includes anything from names, addresses, location data, information on physical, genetic, mental, economic, cultural or social facts, as well as online identifiers such as IP addresses, cookies, browser and search history.

Test for free to see what personal data your website processes

Who is required to comply with the LGPD?

Any website, company or organization that processes personal data within Brazil’s territory is required to comply with the LGPD – even foreign data processors. The LGPD has extraterritorial application, meaning that websites anywhere in the world will have to comply with the LGPD if they process personal data from individuals inside Brazil.

Try the free Cookiebot CMP compliance test today

How can my website become compliant with the LGPD?

Your website must have a legal basis for processing personal data from individuals inside Brazil. Your website is required to ask for and obtain the clear and unambiguous consent of its users before legally being allowed to process any personal data, e.g. through cookies and trackers in operation on your website.

Try Cookiebot CMP free for 30 days to control all cookies