The General Personal Data Protection Law (LGPD or Lei Geral de Proteção de Dados Pessoais) is a relatively new legislation passed by the Brazilian government in 2018. The law officially took effect on September 18, 2020, but was not enforced until August 1, 2021, due to complications from the COVID-19 pandemic.
For organisations that do business in Brazil and collect personal data, the LGPD has far-reaching implications, with 65 separate articles that outline how organisations must collect, process, disclose and erase personal data.
In this article, you’ll learn what the LGPD is, including its contents and how a legal entity can be compliant.
What is the LGPD?
The LGPD is a new data protection and privacy law passed by the Federal Brazilian Government on May 29, 2018. The purpose of the law is to unify the 40 previous Brazilian laws that regulated the processing of personal data.
Many of the older laws have been either updated or removed to accommodate this change. The LGPD comprises 65 separate articles, and each covers a different area of the legislation, such as the rights of data subjects and the legal bases on which personal data may be collected. It also sets out the responsibilities of the National Data Protection Authority (ANPD), a newly created agency responsible for the guidance, supervision and enforcement of the LGPD.
LGPD compliance is essential for organisations wishing to operate in Brazil and collect personal data for commercial purposes, whether online or offline. However, understanding the different rules and regulations and even figuring out if the LGPD applies to you can be challenging.
Fortunately, the LGPD is relatively easy to understand and shares many similarities with the General Data Protection Regulation (GDPR), the data protection law implemented on May 25, 2018, by the European Union. This may help you better understand why the LGPD was enacted, the policies it contains and the goals it hopes to achieve. Both laws are very similar, but some items are unique to Brazil, such as what qualifies as a legal basis for collecting personal data.
For these reasons, organisations should not apply a one-size-fits-all approach to GDPR and LGPD compliance, for they are different laws with different guiding principles and requirements.
Who does the LGPD apply to, and who is exempt?
The LGPD applies to any natural person, public entity and private entity that collects, processes and stores personal data for commercial purposes within the national territory of Brazil. The same also applies to those who process the personal data of Brazilian and non-Brazilian citizens within the national territory of Brazil, even if the data processor is outside of Brazil. It also applies to those who process personal data collected from the national territory of Brazil.
So, what does this all mean?
Regardless of your location, if you conduct any personal data processing activities in Brazil or you process data that was collected from Brazil, then there is a high possibility that the LGPD applies to you. This is especially true if the data processing is for commercial purposes; or, to be more precise, for the offering or provision of goods or services. It also means that subjects whose personal data is collected under these conditions are protected by the nine data subject rights.
There are exceptions where the LGPD does not apply to data processors. These include if you process personal data for private or non-commercial reasons; for artistic, journalistic and select academic purposes; and for the purpose of state security, public safety, national defence and activities related to the investigation and prosecution of criminal offenders. Also, if the processed data originates from a country with similar data protection laws to Brazil, such as any country in the European Union (where the GDPR applies), then the LGPD will not apply to that individual or organisation.
For these reasons, it is vital that you are familiar with the LGPD so that your data processing activities comply with the new standards. This is also important for the future, as an estimated 75% of the global population’s personal data will be protected by a privacy regulation. Getting things right now will make life easier moving forward.
What are the nine LGPD data subject rights?
The LGPD has nine data subject rights. These protect the rights and freedoms of subjects, regardless of their political opinion and religious belief.
These rights, listed under Article 19 of the LGPD, confirm that a data subject has the right to:
- Confirm the processing of their data.
- Access their data.
- Correct data that is incomplete, not accurate and out of date.
- Anonymize, block and delete data that is excessive, unnecessary and was not processed in compliance with the law.
- Move their data to a different service provider or product provider by special request.
- Delete or stop using personal data under certain circumstances.
- Gain information about who the data processor has shared the processed data with, including private and public entities.
- Be informed as to what the consequences may be for denying consent to the collection of personal data.
- Revoke consent to have their personal data processed under certain conditions.
Many of these data subject rights are like the GDPR. For example, both the GDPR and LGPD give data subjects the right to be informed, the right to access, the right to data portability and the right to rectify false data. However, while the LGPD has nine data subject rights, the GDPR has only eight. What is the extra data subject right? The right to gain information on who a data processor has shared your data with.
There are other slight differences between the GDPR and LGPD with regard to data subject rights. For instance, the GDPR has a clear right to restrict certain data processing activities, such as those related to automation. The LGPD has this, too. But the subject of data collection automation is under Article 20, separate from all the data subject rights listed under Article 19.
Under what conditions can personal data in Brazil be processed?
There are various conditions under which organisations can legally conduct personal data processing in Brazil. The aim of these conditions is to give data subjects confidence — that their personal data is processed for only safe, legal and ethical reasons. Also, the conditions help data processors, both individuals and organisations, determine if they have a legal basis for processing personal data in or in relation to Brazil.
According to Article 7 of the LGPD, data processing may only be carried out if done:
- With consent by the data subject.
- To comply with a legal or regulatory obligation.
- By public authorities to assist with the execution of a public policy, one established by law or regulation.
- To help research entities carry out studies; granted, when possible, subjects can anonymize their data.
- To carry out a contract or preliminary procedure, in particular, one related to a contract where the data subject is a party.
- To exercise the right of an arbitration, administration or judicial procedure.
- To protect the physical safety or life of someone
- To protect the health of someone about to undergo a procedure performed by health entities
- To fulfill the legitimate interests of a data processor, unless doing so would compromise a data subject’s fundamental rights and liberties.
- To protect one’s credit score.
Much like the nine data subject rights, there are key differences between the LGPD and GDPR. The GDPR has six lawful bases for data processing, while the LGPD has ten. One notable addition to the LGPD is for the protection of one’s credit score, which is not covered by the GDPR. Another reason to ensure compliance with both data protection laws separately.
LGPD vs. GDPR: How do they differ?
The LGPD was modeled closely on the GDPR, so it’s no surprise the two are similar.
Both laws ensure a high level of protection for the rights and freedoms of data subjects. They outline the legal justifications for data processing, establish the responsibilities of a data protection authority and lay out the penalties for non-compliance. That said, there are key differences between them.
First, data subject rights; the LGPD has nine, while the GDPR has eight. The GDPR gives data subjects the right to request a human review of automated decision-making, while the LGPD does not. Second, the legal bases for processing; the LGPD has ten, while the GDPR has six. The four legal bases unique to the LGPD are: for protection of credit, for protection of health, for protection of life and for research entities carrying out studies.
Both the LGPD and GDPR have different non-compliance penalties. The maximum fine for an infraction under the GDPR is up to €20 million (or 4% of the offender’s annual global revenue, whichever is higher). The maximum fine for an LGPD infraction is up to 50 million reais (around €9.2 million), or up to 2% of an offender’s revenue in Brazil, whichever is higher.
6 steps to LGPD compliance with Matomo
Below are steps you can follow to ensure your organisation is LGPD compliant. You’ll also learn how Matomo can help you comply quickly and easily.
Let’s dive in.
1. Appoint a DPO
A DPO is a person, group, or organisation that communicates with data processors, data subjects, and the ANDP.
Curiously, the LGPD lets you appoint your own DPO — even if they reside out of Brazil. So if the LGPD applies to you, you can appoint someone in your organisation to be a DPO. Just make sure that the nominated person has the understanding and capacity to perform the role’s duties.
2. Assess your data
Once you’re familiar with the LGPD and confirm your eligibility for LGPD compliance, take the time to assess your data. If you plan to collect data within the territory of Brazil, you’ll need to confirm the exact location of your data subjects.
To do this in Matomo, simply go to the previous year’s calendar. Then click on visitors, go to locations, and look for Brazil under the “Region” section. This will tell you how many of your web visitors are located in Brazil.
3. Review privacy practices
Review your existing privacy policies and practices, as there’s a good chance they’ll need to be updated to comply with the LGPD. Also, review your data sharing and third-party agreements, as you may need to communicate these new policies to partners that you rely on to deliver your services.
Lastly, review your procedures for tracking personal data and Personally Identifiable Information (PII). You may need to modify the type of data that you track to comply with the LGPD. You may even be tracking this data without your knowledge.
4. Anonymize tracking data
Data subjects under the LGPD have the right to request data anonymity. Therefore, to be LGPD compliant, your organisation must be able to accommodate for such a request.
Fortunately, Matomo has various data anonymization techniques that help you protect your data subject’s privacy and comply with the LGPD. These techniques include the ability to anonymize previously tracked raw data, anonymize visitor IP addresses, and anonymize relevant geo-location data such as regions, cities and countries.
5. Comply with LGPD consent laws without cookies
By using Matomo to anonymize the data of your data subjects, this enables you to comply with LGPD consent laws and remove the need to display cookie consent banners on your website. This is made possible by the fact that Matomo is a cookieless tracking web analytics platform.
Unlike other web analytics platforms like Google Analytics, which collect and use third-party cookies (persistent data that remains on your device, until that data expires or until you manually delete it) for their “own purposes,” Matomo is different. We use alternative means to identify web visitors, such as count the number of unique IP addresses and perform browser fingerprinting, neither of which involve the collection of personal data.
As a result, you don’t have to display cookie consent banners on your website, and you can track your web visitors even if they disable cookies.
6. Give users the right to opt-out
Under the LGPD, data subjects have the right to opt-out of your data collection procedures. For this reason, make sure that your web visitors can do this on your website.
You can do this in Matomo by adding an opt-out from tracking form to your website. To do this, click on the cog icon in the top menu, load the settings page, and click on the Users opt-out menu item in the Privacy section. Then follow the instructions to customise and publish the Matomo opt-out form.
Achieve LGPD compliance with Matomo
Like GDPR for Europe, the LGPD will impact organisations doing business in Brazil. And while they both share much of the same definitions and data subject rights, they differ on what qualifies as a legal basis for processing sensitive data. Complying with the GDPR and LGPD separately is non-negotiable and essential to avoiding maximum fines of €20 million and €9.2 million, respectively.
As a web analytics platform with LGPD compliance, Matomo prioritises data privacy without compromising performance. Switch to a powerful LGPD-compliant web analytics platform that respects users’ privacy.
Get a 21-day free trial of Matomo today. No credit card required.
We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to LGPD. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.