If your company has, or plans to have, customers in Brazil, the largest country in both Latin America and South America, you need to comply with the Lei Geral de Proteção de Dados (LGPD), Brazil's general data protection law. It entered into force in September 2020 after presidential sanction of the bill that had proposed delaying it; its administrative sanctions became applicable on 1 August 2021.
The good news is: If you are already GDPR compliant, then you have already done a great deal of the work necessary to comply with the LGPD.
Make sure you comply with LGPD by following these simple steps:
1. Identify whether you have to comply at all
- The LGPD applies if your business processes the personal data of people in Brazil, regardless of where your business is located.
2. Make the information easy to read, find and understand for the average user
- Inform about, for example, whether third parties may have access to those cookies.
- Implementation: make the information available in a privacy banner when the user visits your site (a CMP ensures that all necessary information is included).
3. Inform users about their rights
- Inform about the nine fundamental rights that data subjects have under Article 18 LGPD, e.g. the right to erasure, the right to be informed and the right to object.
4. Let users know you are using cookies or other tracking technologies
- Inform users of your intentions at or before the point at which you start collecting data.
- In particular, inform users about:
  - the specific purpose of the processing;
  - the type and duration of the processing;
  - the identity of the controller and its contact information;
  - any shared use of data by the controller and the purpose of that sharing;
  - the responsibilities of the agents that will carry out the processing;
  - and, as also stated under 3), the data subject's rights, with explicit mention of the rights provided in Art. 18.
5. Explain in the first layer what your cookies are doing and why
- State the purpose of each cookie separately, so that you obtain specific consent for each cookie objective (granularity). Users must be able to give and withdraw consent separately for each purpose.
- This must appear in the first layer of the privacy banner, not only behind a "settings" link.
6. Obtain valid consent from your users before storing a cookie on their device
- Consent is necessary wherever cookies involve the collection and handling of a user's personal data (e.g. the information is linked or linkable to a particular user).
- Consent must be freely given: offer an "Accept" and a "Reject" button, so that refusing is as easy as accepting.
- Consent must be easy to withdraw: on the second layer, users must have the option to withdraw their consent.
- Consent must be documented: you carry the burden of proof in the case of an audit.
7. Collect and process data only after obtaining valid consent
- Ensure that no cookie is set and no tracking script is loaded until the user has given their consent.
- Once you have obtained valid consent, you may collect and process personal data for the purposes you informed the user of beforehand, and only those.
8. Document and store the consent received from users
- Comply with your documentation obligation so that you can verify a user's consent in case of an audit by the Autoridade Nacional de Proteção de Dados (ANPD), Brazil's data protection authority (DPA).
9. After an opt-out, ensure that no further data is collected or forwarded
- From the moment of the objection on, no further data may be collected or forwarded, and cookies already set for the withdrawn purpose should be expired.
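Steps 5 to 9 above describe a mechanism rather than a policy: tracking scripts are registered against a purpose, nothing loads until that purpose is explicitly accepted, every decision is written to an audit log, and a withdrawal both blocks further loads and expires the cookies the tracker set. The following is an added example of such a consent gate, not Usercentrics code and not a description of its CMP; the purpose names, script URLs and cookie names are assumed for illustration, and script injection is passed in as a callback so the logic runs outside a browser.

```javascript
"use strict";

// Purposes the banner asks about separately (assumed names, not taken from the page).
const PURPOSES = Object.freeze(["functional", "analytics", "marketing"]);

class ConsentGate {
  // loadScript is injected: in a page it would append a <script src=...> to document.head;
  // here it is whatever the caller passes, so the gate is testable without a DOM.
  constructor({ policyVersion, loadScript, now = () => new Date().toISOString() }) {
    this.policyVersion = policyVersion; // which banner text the user actually saw
    this.loadScript = loadScript;
    this.now = now;
    this.decisions = new Map(); // purpose -> true/false; no entry means no decision yet
    this.queued = [];           // trackers waiting for a decision on their purpose
    this.cookiesByPurpose = new Map(); // purpose -> Set of cookie names the trackers set
    this.events = [];           // append-only log: the proof of consent for an audit
  }

  // Register a tracker. It is loaded immediately only if its purpose is already allowed;
  // otherwise it waits. Nothing is ever loaded for an undecided or refused purpose.
  register(purpose, { src, cookies = [] }) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (!this.cookiesByPurpose.has(purpose)) this.cookiesByPurpose.set(purpose, new Set());
    for (const name of cookies) this.cookiesByPurpose.get(purpose).add(name);
    if (this.decisions.get(purpose) === true) this.loadScript(src);
    else this.queued.push({ purpose, src });
  }

  // Record the banner choice. Every purpose needs an explicit boolean, so "Accept all",
  // "Reject all" and a granular selection all pass through the same path.
  decide(choices) {
    for (const purpose of PURPOSES) {
      if (typeof choices[purpose] !== "boolean") throw new Error(`no explicit choice for ${purpose}`);
    }
    const event = { at: this.now(), policyVersion: this.policyVersion, choices: { ...choices } };
    this.events.push(event);
    for (const purpose of PURPOSES) this.decisions.set(purpose, choices[purpose]);
    // Release only the queued trackers whose purpose was accepted; the rest keep waiting.
    const stillQueued = [];
    for (const item of this.queued) {
      if (this.decisions.get(item.purpose) === true) this.loadScript(item.src);
      else stillQueued.push(item);
    }
    this.queued = stillQueued;
    return event;
  }

  // Withdraw one purpose (the second-layer toggle). Further loads for it are blocked and the
  // caller gets the cookie names to expire; the event is logged like any other decision.
  withdraw(purpose) {
    this.decisions.set(purpose, false);
    this.events.push({ at: this.now(), policyVersion: this.policyVersion, withdrawn: purpose });
    return [...(this.cookiesByPurpose.get(purpose) || [])];
  }

  isAllowed(purpose) { return this.decisions.get(purpose) === true; }

  // Serialised audit log, to be persisted first-party (cookie or server side) as proof of consent.
  proof() { return JSON.stringify(this.events); }
}

// Value to assign to document.cookie to expire a cookie. Path (and Domain, if the tracker
// set one) must match the original cookie or the browser will ignore the deletion.
function expireCookieString(name, path = "/") {
  return `${name}=; Max-Age=0; Path=${path}`;
}

// Stand-alone walk-through with constructed URLs and cookie names.
function demo() {
  const loaded = [];
  const gate = new ConsentGate({ policyVersion: "2020-09", loadScript: (src) => loaded.push(src) });
  gate.register("analytics", { src: "https://analytics.example/a.js", cookies: ["_ga", "_gid"] });
  gate.register("marketing", { src: "https://ads.example/m.js", cookies: ["_fbp"] });
  gate.decide({ functional: true, analytics: true, marketing: false });
  const expired = gate.withdraw("analytics").map((n) => expireCookieString(n));
  return { loaded, expired, proof: gate.proof() };
}

console.log(demo());
```

In a real page the `loadScript` callback would create the `<script>` element, and the tracker tags must not be present in the static HTML at all; a script that is already in the markup has run before the gate can stop it. The audit log should record the policy version alongside the timestamp, because a consent given for an older banner text does not cover purposes added later.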
LGPD Cookie Requirements
Cookies covered by LGPD
The LGPD protects data that identifies or can identify a natural person. Cookies and other tracking technologies that can be associated with a natural person are therefore subject to the same obligations as any other personal data under Brazilian data protection law. The exception is anonymised data, which is not considered personal data under the LGPD; note, however, that a cookie or device identifier that can be linked back to a person is pseudonymous rather than anonymous, and remains in scope.
Brazilian Internet Act
The Brazilian Internet Act (Marco Civil da Internet) contains provisions on the storage, use, disclosure and other treatment of data collected on the Internet. The established rights to privacy and intimacy, and consumer rights, apply equally to electronic media such as mobile devices and the Internet. Violations are subject to civil penalties.
Consent
Consent is generally necessary where cookies involve the collection and handling of a user's personal data (e.g. where the information is linked or linkable to a particular user, an IP address, a device or another specific identifier).
| Requirement under the LGPD (Brazil) | Is Usercentrics compliant? |
|---|---|
| Freely given consent is necessary | ✔️ |
| The purpose has to be provided on the first layer | ✔️ |
| The recipient has to be named (on the second layer) | ✔️ |
| Withdrawing consent has to be possible (on the second layer) | ✔️ |
| There has to be an option to refuse | ✔️ |
| Proof that consent has been given needs to be stored | ✔️ |
| The option to give/withdraw granular consent for each purpose has to be granted | ✔️ |
These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation. Please consult a qualified lawyer should you have any legal questions.