If you work in Brazil or target your services to residents of the country, your business might fall under the legal threshold of the Lei Geral de Proteção de Dados (LGPD).
Brazil’s General Data Protection Law is similar to Europe’s General Data Protection Regulation (GDPR) and requires you to prove your lawful basis for collecting personal data.
Below, learn about the requirements of the LGPD, how it impacts businesses and consumers, and the penalties for violating this law.
- What Is Brazil's General Data Protection Law (LGPD)?
- Brazil's General Data Protection Law Key Terms and Definitions
- What Does Brazil's General Data Protection Law Cover?
- Requirements of the LGPD
- LGPD vs. Global Data Privacy Laws: Similarities and Differences
- How Does Brazil's General Data Protection Law Impact Consumers?
- How Does Brazil's General Data Protection Law Impact Businesses?
- Who Must Comply With Brazil's General Data Protection Law?
- How Can Businesses Prepare for the LGPD?
- How Is the LGPD Enforced?
- Fines and Penalties Under the LGPD
- How Does Termly Help With LGPD Compliance?
- Are There Other Privacy Related Laws in Brazil?
- Summary
What Is Brazil’s General Data Protection Law (LGPD)?
Brazil’s General Data Protection law, Lei Geral de Proteção de Dados (LGPD), is the country’s primary comprehensive consumer data privacy law.
It outlines the different requirements entities must follow to legally collect, process, and use personal information from internet users in Brazil and describes penalties for those who violate the law.
The LGPD is officially available in Portuguese, but the IAPP has a good unofficial English translation of the law.
When Did the LGPD Take Effect?
Brazil’s data protection law passed in 2018 and went into effect on September 18, 2020.
Brazil’s General Data Protection Law Key Terms and Definitions
Below, read through some key terms and definitions from Brazil’s data protection law translated into English.
What Does Brazil’s General Data Protection Law Cover?
Brazil’s General Data Protection Law covers the personal information of people in Brazil, regardless of whether they are residents of the country.
The coverage is not limited to digital data: it also protects personal information collected offline and in person.
Requirements of the LGPD
Let’s discuss the major requirements outlined by Brazil’s General Data Protection Law.
Lawful Basis For Processing Data
Under Article 7 of the LGPD, organizations may only collect personal information from users when the processing is reasonable and necessary under one of the following lawful bases:
- With the consent of the user
- To fulfill a contract with the user
- To fulfill legal obligations
- For legitimate interest
- To carry out studies by a research entity
- For fraud prevention
- For credit protection
- To protect the life or safety of the data subject
The data controller’s responsibility is to prove the legitimacy of their lawful basis for collecting the personal data.
Consent
The definition of consent under the LGPD is similar to that of the EU GDPR: consent must be:
- Freely given
- Informed
- Active
- Unambiguous
To rely on consent as a lawful basis for processing data, you must obtain opt-in consent from users and allow them to withdraw it at any time.
Additionally, consent is commonly misunderstood as a requisite for collecting sensitive personal data from users in Brazil.
However, the LGPD outlines several other legal grounds for such processing, emphasizing that there is no hierarchy among these lawful bases.
The Core Principles
The LGPD outlines ten core principles that covered entities must build into their data collection and processing activities:
- Purpose
- Adequacy
- Necessity
- Free access
- Data quality
- Transparency
- Security
- Prevention
- Non-discrimination
- Accountability
These core principles are similar to the GDPR in scope, scale, and definition.
Data Retention Timeline
Article 40 of the LGPD states that organizations can only retain data for the shortest amount of time possible to accomplish the purpose of collecting the information as presented to the user.
While the law doesn’t give an actual length of time, it does state that processing cannot continue after the initial purpose is accomplished.
Data Protection Assessments
The data protection authority in Brazil can require data controllers to perform data protection assessments for various reasons.
The assessment must consider at least the types of information collected from users and the security measures in place to keep the data safe.
International Data Transfers
On August 15, 2023, Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), unveiled a draft resolution concerning the regulation of international data transfer and the models for standard contractual clauses.
The preliminary document invited contributions from the public as part of a broader effort to shape the regulatory landscape for the international movement of personal data from Brazil.
It’s part of Item 4 on the ANPD’s Regulatory Agenda for the 2023/2024 period.
The draft regulation addresses critical aspects such as the definitions of international data transfer, exporter, importer, and other key terms, and it:
- Outlines the prerequisites for conducting international transfers of personal data
- Delineates the duties of data processing agents
- Discusses various transfer modalities along with the application of standard contractual clauses
The goal of introducing these models of standard clauses is to provide a structured and secure framework for international data exchanges, ensuring that personal data transferred from Brazil is accorded protection consistent with the principles of the LGPD.
Such development is significant as it aims to align Brazil’s data protection standards with global practices, offering entities clear guidelines for compliance.
LGPD vs. Global Data Privacy Laws: Similarities and Differences
Brazil is one of many countries with a comprehensive data protection law, and the LGPD shares similarities with all of the following:
- The California Consumer Privacy Act (CCPA)
- Europe’s General Data Protection Regulation (GDPR)
- Argentina’s Personal Data Protection Act (Argentina PDPA)
- Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
- South Africa’s Protection of Personal Information Act (POPIA)
- Thailand’s Personal Data Protection Act (PDPA)
- Australia’s Privacy Act 1988 (the Privacy Act)
- New Zealand’s Privacy Act 2020
Compare the LGPD to the other global privacy laws in the table below.
| Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information |
|---|---|---|---|---|---|---|
| Thailand PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Argentina PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CCPA | ✓ | ✓ | ✓ | ✓ | | |
| GDPR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LGPD | ✓ | ✓ | ✓ | ✓ | ✓ | |
| PIPEDA | ✓ | ✓ | ✓ | | | |
| POPIA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Privacy Act 1988 | ✓ | ✓ | ✓ | ✓ | | |
| Privacy Act 2020 | ✓ | ✓ | ✓ | ✓ | ✓ | |

*With some exceptions under some laws.
How Does Brazil’s General Data Protection Law Impact Consumers?
Consumers under Brazil’s LGPD have more control over how their personal information gets collected and used by external entities, as explained in Article 18.
It grants them the right to:
- Data portability
- Be informed about how their information is being used, who’s processing it, and for what purpose
- Withdraw consent for data processing at any time
- Object to the processing of their data for direct marketing, automated decision-making, or profiling
- Request review of decisions made solely on the basis of automated processing
Covered entities must comply with consumer requests to act on these rights or risk facing harsh penalties.
Who Does the LGPD Apply To?
The LGPD applies to the personal data of anyone in Brazil, regardless of their citizenship status.
It protects information collected by entities online and offline and even covers some publicly available information.
However, the following data collection is exempt from the requirements of Brazil’s privacy law:
- Data processed for personal or household activities
- Data processed for artistic, academic, journalistic, or literary purposes
- Data used for public security, national defense, or criminal investigations
- The processing of anonymized data that cannot identify an individual
How Does Brazil’s General Data Protection Law Impact Businesses?
Besides the lawful basis, data protection assessments, and retention guidelines mentioned above, Brazil’s LGPD also impacts businesses’ privacy and cookie policies.
How Does the LGPD Affect My Privacy Policy?
Brazil’s data protection law affects your privacy policy by requiring the following details, as outlined in Article 9:
- Your purpose for processing the data
- The type of data processing and how long the processing lasts
- Your company identity and contact information
- Details about who the data is shared with and why
- The responsibilities of any data processor concerning data processing
- What rights users have over the data, and how to act on them
How Does the LGPD Affect My Cookie Policy?
The transparency requirements outlined by Brazil’s LGPD affect your cookie policy, as they obligate you to clearly explain to users:
- What cookies are used
- Why they’re used
- What data the cookies collect
- What rights users have over the cookies
- How to act on those rights
Ensure all of this information appears in your cookie policy, which you should link in a clause in your privacy policy so users can easily access these details.
Who Must Comply With Brazil’s General Data Protection Law?
The following types of businesses must comply with Brazil’s LGPD:
- Any organization operating in Brazil, including non-profits and government entities, that possesses personal data.
- Any organization located outside of Brazil that processes the personal data of individuals in the country, even if the processing itself occurs outside of Brazil.
Overall, the law has a very broad scope and applies to organizations around the globe.
Who Is Exempt From Brazil’s General Data Protection Law?
The exemptions from Brazil’s General Data Protection Law are:
- Individuals processing personal data for personal or household purposes.
- Data processed for artistic or academic purposes.
- Matters of public security, which, like processing by public authorities, are subject to different rules.
How Can Businesses Prepare for the LGPD?
To prepare for LGPD compliance, businesses must update their privacy policies and cookie policies to meet all transparency and notification requirements described by the law.
You must also determine your lawful basis for collecting personal data and, if consent is one of those bases, use a consent management platform (CMP) to collect adequate consent from users.
Add a Data Subject Access Request (DSAR) form to your website so users can easily act on their rights under this law.
Finally, ensure you’re using appropriate contracts if you work with any data processors and perform data protection assessments as needed.
How Is the LGPD Enforced?
The data protection authority in Brazil, the Autoridade Nacional de Proteção de Dados (ANPD), enforces all aspects of the law.
It is responsible for overseeing and enforcing the consequences of non-compliance, which includes conducting investigations, issuing warnings, and imposing fines or other penalties.
Fines and Penalties Under the LGPD
Fines for non-compliance under the LGPD can reach up to 2% of a company’s annual revenue in Brazil.
Additionally, individuals have the right to pursue civil lawsuits if they suffer material or moral damages due to an organization violating the LGPD.
How Does Termly Help With LGPD Compliance?
Termly’s Consent Management Platform (CMP) is configurable to meet the opt-out requirements described by Brazil’s data protection law regarding cookies used for targeted advertising.
Additionally, our team is currently working on an update to our Privacy Policy Generator, so it will soon include the necessary clauses to help businesses comply with Brazil’s LGPD.
Updates take time, but Termly users will receive an email update when these changes are officially live.
Our Privacy Policy Generator takes only a few minutes to complete and makes a comprehensive policy based on your answers to simple questions about your business.
It’s easy to use, convenient, fast, and backed by our legal team and privacy experts.
Are There Other Privacy Related Laws in Brazil?
There are several other privacy-related laws in Brazil besides the LGPD, including the following:
- Marco Civil da Internet: This law sets out principles for using the Internet in Brazil.
- Código de Defesa do Consumidor: This code outlines provisions that require good faith and transparency in consumer relationships.
- Estatuto da Criança e do Adolescente: This law outlines provisions for protecting children’s and teens’ personal data.
Summary
If your organization collects data from users in Brazil, ensure you’re compliant with the LGPD:
- Update your privacy and cookie policy to meet all transparency and notification requirements.
- Ensure you request adequate opt-in consent from users as necessary by implementing a compatible Consent Management Platform.
- If you collect sensitive data, perform the appropriate data protection assessments.
- Use compliant contracts with any data processors or controllers you work with.
What’s the easiest way to simplify privacy compliance? Get help from Termly!
Check out our comprehensive suite of compliance solutions and start protecting your business and consumers.