What is LGPD?
LGPD, or “Lei Geral de Proteção de Dados Pessoais”, is Brazil’s equivalent of GDPR and its newly proposed data protection policy. Currently, the Brazilian data protection landscape is fractured and complicated. This new policy is aimed at simplifying the regulatory framework.
The law was passed on August 14, 2018, sanctioned in July 2019 and is set to be enforced starting August 15, 2020. Seeing as Brazil has over 140 million internet users, the most significant usage in Latin America, and the 4th largest internet market in the world, it’s no wonder the Brazilian government is taking data protection and compliance seriously.
In this article, we’ll dive further into LGPD by looking at how it works, penalties, compliance, and more!
How does LGPD work?
***Disclaimer: We are not lawyers nor have the qualifications to be lawyers. Therefore, none of the content in this article should be interpreted as legal advice. For any LGPD legal advice, please consult a qualified LGPD legal professional.***
Also, please be sure to study the regulatory guidelines presented by the Brazilian government for any further clarification. You can find the links below.
Portuguese version: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709compilado.htm
Before understanding how LGPD works, you’ll need to know how data is defined:
Personal data: information regarding an identified or identifiable natural person.
Sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
Anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing.
When should you adhere to the LGPD law?
If you’re a publisher that processes or collects data in any of the following ways, you need to comply with LGPD law.
- You collect/process personal data within the Brazilian territory
- You collect/process personal data within the Brazilian territory, regardless of whether you or your company is located in the territory of Brazil or not
- LGPD applies to any individual inside the Brazilian territory whose data has been collected or processed, even if they are not a Brazilian citizen.
What to do next?
LGPD imposes certain obligations on publishers that can be a good starting point in complying with the law.
Appoint a DPO: A DPO is a Data Protection Officer who is in charge of the data processing for your company, website, or operations as a whole. A DPO manages all data processing queries such as receiving complaints, educating employees on LGPD best practices, etc.
Ask for consent when collecting data: The easiest option here is to utilize a consent management platform that presents users with a consent pop-up when visiting your website.
When asking for consent, it’s also best to keep the following prerequisites in mind:
- Users must freely give consent for their data to be used
- Users must receive a clear explanation and sufficient information on how their personal data will be used and what the purpose thereof will be.
- Users must authorize data processing for a specific purpose as generic authorizations or those that are unclear can be void.
- Users may withdraw consent at any time.
Publishers also need to know the rules that apply to managing data:
- If a user requests data, publishers need to be able to provide a copy thereof or delete or correct it if requested.
- After your relationship ends with the user, data needs to be deleted
- Data security measures need to be put in place to prevent unauthorized access
- If a breach of data occurs, users need to be informed accordingly.
A quick recap
- Start by familiarizing yourself with the LGPD framework by reading the legal documentation
- Figure out whether your business falls under LGPD jurisdiction
- Apply practices needed to become LGPD compliant: consent collection & management, DPO, etc.
As with GDPR, if companies do not comply with the LGPD law, there will be severe penalties. These include fines of up to 2% of a company’s annual turnover or up to R$50 million (Brazilian real) per violation.
Understanding and becoming LGPD compliant can be a complicated process. In this article, we’ve provided you with the means to start the compliance process before the law gets enforced in August 2020.