Your Guide to LGPD, Brazil’s New Data Privacy Law
Following a series of delays, Brazil's LGPD is now in effect. Recently, President Jair Bolsonaro issued a provisional measure that would have postponed the effective date of the LGPD until May 3, 2021. In an unexpected move, the Senate rejected the president’s provisional measure. Now the LGPD will become law — without ANPD in place — when the bill reaches the president's desk, sometime within the next two weeks.
Is Your Business LGPD Ready?
Even without the ANPD (the law’s enforcement arm) in place, private citizens can immediately begin filing lawsuits to seek damages related to misuse of personal data under LGPD. Currently, violators of LGPD's regulations can face prosecution under the nation’s numerous internet and consumer rights laws, as well as civil codes. Sanctions and enforcement proceedings are slated to begin on August 1, 2021, following Law No. 14,010.
Businesses that process the personal data of Brazilians will need to shift staffing priorities or hire new staff to meet the new law’s regulations. Some of the requirements businesses will need to prepare for in the general provisions include:
- Supplier and client contracts will need to be reworked to ensure the agreements acknowledge consent to the processing of personal data.
- Businesses will need to have staff in place to handle the compliance requirements of LGPD.
- Hire or train a data protection officer (DPO), as required by the law.
- To meet the data portability provision of the legislation, businesses will need to make considerable investments in building knowledgeable teams, creating privacy-centered practices, and technology.
The ANPD Explained
The ANPD (Autoridade Nacional de Proteção de Dados) is the enforcement side of the LGPD. As an independent authority, the ANPD Will be responsible for bringing sanctions against violators of the law, as well as handling the interpretation and application of the LGPD. The ANPD’s ability to begin enforcement is slated to begin August 1, 2021
The Rights of Brazilian Citizens Under LGPD
Article 18 of the LGPD lists the nine essential rights guaranteed to Brazilians under this legislation. A majority of these were listed under previous statutes, but with the creation of the ANPD, these statutes will soon have more legal sway.
Under Article 18, Brazilian citizens have a right to:
- Confirm that a business/organization is processing its personal data.
- View and access data collected on individuals.
- Fix personal information that is false, misleading, outdated, or incomplete.
- Right to make, alter, or delete personal data that does not comply with LGPD.
- Transfer their personal data to another service provider.
- Revoke consent (even retroactively).
- Request information on how to revoke/deny consent, as well as be informed on how revocation will affect how products/services are delivered.
- Be informed on which entities have access to an individual's personal data.
- Right to opt-in to having personal data collected and processed.
What is the difference between “Personal” and “Sensitive Personal Data?”
Like the GDPR and CCPA, LGPD does not offer a detailed definition of what constitutes ”personal data.” This is by design. By not explicitly defining what constitutes personal data, the ANPD will have some flexibility in terms of interpreting the law and closing loopholes that would otherwise circumvent the intent of the legislation. Personal data can include any type of information that could personally identify or augment the way a user is …treated by a service provider.
LGPD does distinguish between personal data and sensitive personal data, as follows:
Personal data. Personal data can include any piece of information which can be used to identify a natural person, such as name, identification codes, email address, CPF, etc. The term “natural person” is used in this context to differentiate between naturally born persons and legal persons (businesses, corporations, etc., which are not protected under LGPD).
Sensitive personal data. Sensitive personal data is expressly mentioned under LGPD. Sensitive personal data may include any piece of information that would identify a natural person under the following criteria:
- Race
- Ethnicity
- Religious views
- Sexual orientation
- Political affiliation
- Union involvement
- Health status
- Biometric data
Ready Your Operation for LGPD
Businesses that collect and/or process the personal data of Brazilians should take the following steps now:
- Modify data processing activities. Since the LGPD draws inspiration from other international personal data laws (GDPR, CCPA, etc.) businesses that have diligently adjusted their personal data practices won't have to start from scratch. For accountability purposes — and to satisfy the rules of LGPD — organizations should have a data protection officer in place.
- Name a Data Protection Officer (DPO). Larger organizations likely have an officer in place to ensure compliance with international data privacy laws. This role should be filled as soon as possible since LGPD is now in effect.
- Notify clients and customers. Reach out to clients and customers in Brazil. Help them understand their rights under LGPD and what your organization is doing to protect these rights.
What Businesses are Affected by LGPD?
Even if you do not have a physical presence in the country, if you have customers in Brazil, you should understand how your data collection and processing activities will be affected by LGPD.
LGPD applies to anyone collecting or utilizing personal data on Brazilian citizens. This law applies to anyone conducting commercial activities, including sole proprietors, small businesses, not-for-profits, and corporations.
The law applies… even if you don’t have a physical presence in Brazil. Like the EU’s GDPR, the LGPD has an extraterritorial reach. This means that a business entity only has to do business in Brazil (not have a physical presence), for the law to apply.
‘Effective’ and ‘Enforcement’ Dates: What is the Difference?
To smooth the transition into the LGPD, the Brazilian Congress has established two separate “effective” and “enforcement” dates. This two-stage process is modeled after other governments and is aimed at helping businesses get up to speed before the ANPD’s sanctions and penalties go into effect.
Confused with LGPD? CookieScript is Here to Help
Another data protection law? Brazil’s new data privacy law, LGPD, is now in effect. Is your business ready? CookieScript has tools in place to ensure your website and digital communications comply with LGPD, GDPR, and CCPA. Speak with a specialist today to get started!