
 The Lei Geral de Proteção de Dados Pessoais (LGPD) will be enforced in August 2020 and will affect how your website is allowed to track users in Brazil. It is closely modelled after the EU’s General Data Protection Regulation (GDPR).

Try our free compliance test to check if your website’s use of cookies and online tracking is LGPD/GDPR/ePR compliant.

The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil's new data protection law.

In this blogpost, we will paint a broad overview of the LGPD (Lei Geral de Proteção de Dados Pessoais) – its substance and consequences for data protection in both Brazil and the rest of the world.

We will look at its foundation and definitions, the rights it empowers data subjects with, what constitutes compliance with the LGPD and how it compares to the European GDPR.

Brazil has over 140 million internet users. It is the largest internet market in Latin America and the fourth largest in the world by number of users. Brazil already has more than forty legal norms at the federal level that in various ways deal with data protection and privacy, resulting in a tangled legal framework.

However, these are sectoral in nature, meaning that they relate separately and specifically to banking, real estate, consumer protection and the likes.

The new general data protection law of Brazil – the LGPD (Lei Geral de Proteção de Dados Pessoais) – is intended to replace this fractured legal landscape with an overarching regulatory framework.

It will empower individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws in place today, and is shaped with great inspiration from the EU’s General Data Protection Regulation.

Some even call it “Brazil’s GDPR”. And it’s true – if you’re already GDPR compliant, you are mostly within the provisions of the LGPD… though not completely!

There are some significant differences between the LGPD and GDPR, which we will sort out below.

What is the LGPD and when will it be enforced?


The official name of Brazil’s new law is Lei Geral de Proteção de Dados Pessoais, which means “general law of personal data protection”.

It is officially abbreviated to LGPDP, though it is most commonly known and referred to as the LGPD or Lei Geral de Proteção de Dados.

It was passed on August 14, 2018 and conclusively sanctioned by President Bolsonaro in July 2019.

The effective date of the LGPD enforcement is August 15, 2020.

The Lei Geral de Proteção de Dados is closely modelled after the European GDPR and creates a legal framework for how personal data is allowed to be handled in Brazil. It contains sixty-five articles.

Essence of the LGPD law

LGPD (Lei Geral de Proteção de Dados) empowers data subjects with nine rights, defines what constitutes personal data, creates ten legal bases for lawful processing.

It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (or ANPD, Brazil’s new national data protection authority) with powers of supervision, guidance and enforcement of its administrative sanctions.

LGPD (Lei Geral de Proteção de Dados Pessoais) protects individuals in Brazil, like the GDPR in the EU.
</gre_replace>
<gr_replace lines="121" cat="clarify" orig="These are closely">
These are closely modelled after the rights that the GDPR empowers European citizens with and have direct implications for website owners and operators all over the world who process and/or collect data within the territory of Brazil.

Any data processing within Brazil is protected by the LGPD, even from foreign data processors.

LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed is a data subject.

LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.

It also has “extraterritorial application”, which means that websites, companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.

In Article 3, it is defined that the LGPD applies to:

  1. data processing within the territory of Brazil,
  2. data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
  3. data processing of data collected in Brazil.

LGPD (Lei Geral de Proteção de Dados) will regulate all processing of personal data in the territory of Brazil.

Brazil's LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the national territory.

This means that the LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens!

LGPD and EU adequacy

It is no secret that the LGPD (Lei Geral de Proteção de Dados) has been closely modelled on the GDPR with the intention to make it easier for Brazil to achieve a so-called adequacy agreement with the EU, ensuring a free flow of data between the two.

Yet, some significant changes were made to the law in July 2019, when it was sanctioned by President Bolsonaro.

These include the removal of a provision that mandated companies and organizations to review machine-automated decisions, the removal of technical skill requirements for data protection officers, as well as changes made to the enforcement power of Brazil’s coming data protection authority (the ANPD).

In the original draft, the ANPD had the option of restricting a data processor’s access to databases and forbid them to process personal data altogether. This was scrapped by the time Bolsonaro sanctioned the final version of the LGPD.

Privacy watchdogs, as well as the country’s first data protection commissioner, have called it a watering down of the LGPD that could affect Brazil’s EU adequacy decision and take away the law’s enforcement teeth.

LGPD In English

An English translation of the official LGPD law text can be found here, however, note that it is a previous draft and not the final law that was passed in July 2019. Some changes have been made to the law, but the overall scope, foundation and wording remains very much the same.

LGPD Text in Portuguese

The official LGPD law text in Portuguese can be found here.

LGPD and Cookiebot


Here at Cookiebot, we follow the implementation and enforcement phase of the LGPD (Lei Geral de Proteção de Dados) very closely, since it deals with our area of expertise: protecting privacy.

Cookiebot is a tool that enables websites to be compliant when it comes to the use of cookies and tracking, as required by the European law of GDPR, by the coming ePrivacy Regulation (expected in 2019 or 2020) and by the LGPD in Brazil.

Our consent and compliance solution is unique on the market: the Cookiebot scanner finds all cookies and similar tracking technology, and automatically holds everything back until the users give their specific, unambiguous consent to which types of cookies they will allow on their browser.

LGPD requires cookie consent.

Cookiebot consent banner for LGPD compliance come August 2020.

Cookiebot enables 100% GDPR compliance.

When the LGPD takes effect in August 2020, Cookiebot will enable compliance with it as well.

LGPD Overview


The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects.

They are found in Article 18 and empower individuals with the rights to:

  1. confirmation of the existence of the processing of their data,
  2. access their data,
  3. correct incomplete, inaccurate or out-of-date data,
  4. anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD,
  5. have their data be portable, i.e. handed over to another service or processor if requested,
  6. have their data deleted,
  7. information about public and private entities with which the controller has shared data,
  8. information about the possibility of denying consent and the consequences,
  9. revoke consent.

These are closely modelled after the rights that the GDPR empower European citizens with and have direct implications for website owners and operators all over the world, who process and/or collect data within the territory of Brazil.

It means that if you have a website and that website has visitors from Brazil, or if you offer services to individuals in Brazil, or collect and process data within Brazil, you need to comply with the LGPD.

A consent solution like Cookiebot can help you become compliant.

Try for free today.

LGPD Overview - personal data


The LGPD (Lei Geral de Proteção de Dados) defines its key terms and concepts in its Article 5. These include personal data, sensitive personal data, data subject and processor, among others.

Personal data in the LGPD

Personal data is defined broadly in the LGPD.

The law simply states that personal data is “information regarding an identified or identifiable natural person” (Article 5, I).

This can be anything from names, ID-numbers, location data, online identifiers to physical, physiological, genetic, mental, economic, cultural or social facts, although the LGPD does not list any of these examples itself.

Sensitive personal data in the LGPD

Sensitive personal data is defined as a subcategory to personal data and applies when the data processed concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).

The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur.

LGPD secures personal data processing in Brazil.

Personal information is similarly defined in the LGPD and GDPR, with minor differences.

They include “specific and distinct consent”, “by the public administration for the execution of public policies” and “studies carried out by a research entity”, the latter upon the guarantee that the data will be anonymized whenever possible.

Anonymized data in the LGPD

This subcategory refers to “data related to a data subject who cannot be identified” with the technical means available at the time of processing. If anonymized data is in any way reversible, i.e. it can be used to identify a person or for behavioral profiling, it is not anonymized data.

Additional definitions important to the LGPD (found in Article 5)

  1. Processing is defined by the LGPD as “any operation carried out with personal data”.
  2. Consent is defined by the LGPD as a "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose".
  3. Database is defined by the LGPD as a "structured set of personal data, kept in one or several locations, in electronic or physical support".
  4. Controller is defined in the LGPD as a "natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data".
  5. Processor is defined by the LGPD as a "natural person or legal entity, of public or private law, that processes personal data in the name of the controller".
  6. Officer is defined in the LGPD as a "natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority" (the ANPD).

IAPP’s English translation of the LGPD varies slightly from the original text in Portuguese, e.g. “Operador” is translated to “Controller”.

To see the full 19 definitions in Article 5, take a look at the English translation here.

LGPD Overview – consent and legal bases for processing


Of the ten legal bases for lawful processing that the LGPD lays out, consent is the first.

This is very important for our niche of the privacy field, because it has direct implication for how your website is allowed to set cookies, process user data and share this with third parties.

Article 8 of the LGPD makes it clear that consent cannot be obtained through “generic authorization”, rather it must refer to particular purposes.

This means that websites, companies and organizations must first obtain the specific, unambiguous consent of the data subject before any processing of personal data is allowed to take place.

Consent must be revocable at any time and must also be provided by the data subject “in writing or by other means”, e.g. a consent banner on a website.
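The consent requirements just described (consent tied to specific purposes rather than a generic authorization, revocable at any time, and tracking held back until it is given) can be sketched as a small consent gate. This is an added example and not Cookiebot's code; the purpose names, the tracker registry and all function names are hypothetical, and the sample trackers are constructed.

```javascript
// Added example (not Cookiebot's code): a consent gate that withholds
// purpose-tagged trackers until the visitor grants that specific purpose,
// keeps a timestamped log of grants and revocations, and rejects
// "generic authorization". All identifiers are hypothetical.

const PURPOSES = ["necessary", "preferences", "statistics", "marketing"];

// "necessary" covers strictly necessary cookies and is always allowed;
// every other purpose starts out withheld.
function createConsentStore() {
  return {
    granted: new Set(["necessary"]),
    log: [], // audit trail of { purpose, action, at }
  };
}

// Grant consent for named purposes only; an empty or missing list is the
// "generic authorization" the law does not accept, so it is refused.
function grantConsent(store, purposes, now = Date.now()) {
  if (!Array.isArray(purposes) || purposes.length === 0) {
    throw new Error("consent must name specific purposes");
  }
  for (const p of purposes) {
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    store.granted.add(p);
    store.log.push({ purpose: p, action: "grant", at: now });
  }
  return store;
}

// Revocation must always be possible; "necessary" cannot be revoked because
// no consent was asked for it in the first place.
function revokeConsent(store, purposes, now = Date.now()) {
  for (const p of purposes) {
    if (p === "necessary") continue;
    store.granted.delete(p);
    store.log.push({ purpose: p, action: "revoke", at: now });
  }
  return store;
}

// Constructed sample registry: each tracker declares the purpose it serves.
const SAMPLE_TRACKERS = [
  { id: "session-cookie", purpose: "necessary", src: "/js/session.js" },
  { id: "analytics", purpose: "statistics", src: "https://analytics.example/a.js" },
  { id: "ads-pixel", purpose: "marketing", src: "https://ads.example/p.js" },
];

// Only trackers whose purpose has been granted may be activated.
function allowedTrackers(store, trackers) {
  return trackers.filter((t) => store.granted.has(t.purpose)).map((t) => t.id);
}

// A consent record suitable for the documentation the law expects:
// which purposes are granted, and the full history with timestamps.
function exportConsentRecord(store) {
  return {
    granted: [...store.granted].sort(),
    history: store.log.slice(),
  };
}
```

In a browser, the decision from `allowedTrackers` would be applied by keeping tracking scripts inert (for instance as `type="text/plain"` tags carrying a purpose attribute) and only turning the allowed ones into real script elements; the pure functions above are what such a loader would consult.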

When processing personal data, a website or company or organization must present a specific legal basis.

LGPD's legal bases for processing

The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are –

  1. With the consent of the data subject,
  2. To comply with a legal or regulatory obligation of the controller,
  3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
  4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
  6. To exercise rights in judicial, administrative or arbitration procedures,
  7. To protect the life or physical safety of the data subject or a third party,
  8. To protect health, in a procedure carried out by health professionals or by health entities,
  9. To fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail,
  10. To protect credit.

The entire processing of personal or sensitive data must be documented from its initial collection to its termination. Also mandatory is a description of what kind of data is collected, the purpose of the collection and processing, its retention time, and who the data can be shared with.

Controllers or processors can be either jointly or separately liable for data breaches or non-compliance.

LGPD Overview - data protection authorities


The final version of the LGPD (Lei Geral de Proteção de Dados) that was sanctioned by the Brazilian president in July 2019 establishes both a national data protection authority (the ANPD) and mandates companies and organizations to appoint a data protection officer.

Autoridade Nacional de Proteção de Dados (ANPD) - Brazil's new data protection authority

The ANPD was first included in the original draft of the LGPD, then vetoed by the former president for fears that it was unconstitutional, then included again by the Federal Senate in May and sanctioned by the Office of the President.

LGPD (Lei Geral de Proteção de Dados) will be enforced by the ANPD.

Enforcement of the LGPD will be overseen by the newly created ANPD.

The ANPD’s main objectives will be to set new norms, establish technical standards, supervise and audit, educate about the law and its correct applications, deal with notifications of data breaches and enforce its sanctions.

The national data protection authority will be directly tied to the office of the presidency. It will have two bodies – the Board of Directors consisting of five members with expertise from the privacy and data protection field, and the National Council, a 23-member advisory board with representation from government, civil society, research institutions and the private sector.

Data Protection Officer (DPO) and the LGPD

According to the final version of LGPD (Lei Geral de Proteção de Dados), companies will be responsible for appointing a Data Protection Officer. It will be the job of this entity to ensure compliance with the LGPD for the data controller, who appoints them.

In the original draft, certain technical skills were required for an individual to become a DPO. These were deleted from the final, sanctioned version. This has led to criticism by privacy experts.

LGPD fines


The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law.

The penalty system ranges from –

LGPD vs. GDPR - fines are lower than in the EU

Maximum fines reach 50 million Brazilian reais or 2% of a company’s annual turnover for a LGPD violation.

It will be the ANPD that will enforce such sanctions, when the LGPD comes into enforcement.

LGPD vs. GDPR


The LGPD (Lei Geral de Proteção de Dados) was informed and shaped by the EU's GDPR (General Data Protection Regulation) that came before it. It also has global jurisdiction, since any website anywhere that processes personal data from individuals in Brazil is obligated to comply with it.

LGPD vs. GDPR - rights of the data subject

First off, when it comes to the number of rights given to the data subjects in each law, the LGPD and GDPR vary slightly, but only on the surface: the GDPR provides data subjects with eight fundamental rights, while the LGPD grants nine rights.

This is in part because the LGPD has split the more general “right to be informed” in the GDPR into the “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.

LGPD vs. GDPR - legal bases for processing of data

Secondly, the LGPD differs only on the surface from the GDPR when it comes to its framework for what constitutes legal bases for processing of data. Again, the LGPD and GDPR basically align, with minor variations.

Where the GDPR has six lawful bases for processing, the LGPD has ten (as described above).

Again, the GDPR and LGPD basically align, but the LGPD splits the more general wording of the GDPR into more specific provisions.

The GDPR’s legal basis of “to save somebody’s life” has been split into first “protect the life or physical safety” and secondly “to protect health, in a procedure carried out by health professionals or by health entities” in the LGPD.

Other splits include the GDPR’s “necessary to perform a task in the public interest” into the LGPD’s “to execute public policies” and “to carry out studies by research entities”. Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.

LGPD vs. GDPR - personal data

Personal data has a broader definition in the LGPD than GDPR.

According to the LGPD, personal data is anything that relates to an identifiable natural person. In the GDPR, this is further specified with examples such as names, addresses, gender.

Personal data is defined broader in the LGPD vs. GDPR

EU's GDPR has more "teeth" than Brazil's LGPD when it comes to enforcement.

Sensitive data is – like in the GDPR – a separate category from personal data that includes data on race, ethnicity, religious beliefs, political convictions, health, sexuality, genetics and biometrics. The restrictions for processing sensitive data in the LGPD are stricter than in the GDPR.

The LGPD does not give any definitions or provisions about pseudonymized data, as the GDPR does, except in the context of research done by public health organizations. Where the GDPR is very specific in its requirements for the processing of personal data for marketing purposes, the LGPD does not specify at all.

LGPD vs. GDPR - DPO, DPIA and data breaches

In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is instituted to evaluate the potential risks of data processing. It also requires processors to notify their respective data protection authorities if high risks associated with data processing are assessed.

The LGPD also institutes DPIAs but does not specify how these are to be used, nor does it lay out any requirements for notification of any supervisory authorities.

The LGPD makes it mandatory for companies to have a data protection officer (DPO), whereas this is only required in certain circumstances in the GDPR.

Time limitations for the notification of data breaches are sharply defined in the GDPR as 72 hours, whereas the LGPD loosely mandates that data breaches are to be reported to the authorities in “reasonable time”.

LGPD vs. GDPR - fines

Compared with the GDPR, the LGPD is much less severe in its abilities to fine and penalize violations and non-compliance.

Maximum fines for non-compliance in the GDPR are set at €20 million or 4% of a company’s annual global turnover. The LGPD sets its maximum fines at 50 million Brazilian reais (around €11 million) or 2% of a company’s annual turnover in Brazil per violation.

LGPD vs. GDPR - territorial applications

The LGPD treats the transfer of personal data internationally in much the same way as the GDPR, by assessments of whether the foreign country has an adequate level of data protection laws in place. And of course, based on the prior, specific and express consent of the data subject.

However, the LGPD (unlike GDPR) does not rule on data being transmitted through Brazil without further processing.

Summary


With the Lei Geral de Proteção de Dados Pessoais (LGPDP) Brazil is getting a whole new legal framework for data protection that spans beyond sectoral reach, includes all data processing and collection within the nation’s territory, and might very well reach an adequacy decision with the EU, since the LGPD is closely modelled after its European sibling, the GDPR.

Cookiebot will, come enforcement date, enable compliance with the LGPD.

But you don’t have to wait – try our technology for free today.

Resources


The Lei Geral de Proteção de Dados Pessoais (LGPDP) official law text, translated into English

LGPDP law text (in Portuguese)

General overview of the LGPDP by the IAPP

The recent changes made to the final version of the LGPD

Brazilian lawmakers water down the LGPD, according to privacy experts

The eight fundamental rights of data subjects in the GDPR

GDPR consent requirement and lawful processing bases explained by the EU

The EU’s official comparison between its own GDPR and the Brazilian LGPD

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free