The LGPD is Brazil’s General Data Protection Law, passed by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). It came into effect August 16, 2020. The LGPD is very similar to Europe’s GDPR and is a framework containing 65 articles regulating the use and processing of personal data.
We have compiled the most important questions around LGPD for you:
What is the LGPD?
LGPD stands for Lei Geral de Proteção de Dados. It is the data protection law in Brazil. It came into effect on August 16th, 2020 but it will be enforceable as of August 1st, 2021.
What are the differences between the LGPD and GDPR?
The main difference between these two regulations is that LGPD has more legal bases. Besides the 6 legal bases that are also included in the GDPR they have 4 more:
- – to carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
- – to exercise judicial or administrative rights or arbitration procedures,
- – to protect health in procedures carried out by health professionals or by health entities,
- – to protect credit.
Regarding the data subject rights, the only difference is that in Brazil there is no right of restriction of processing (Art. 18 GDPR). There is also no direct right to object to the processing, but the user needs to be able to withdraw their consent.
What are the legal requirements regarding (1) providing the cookie descriptions to users (including requirements regarding the language of the descriptions), and (2) obtaining cookie consent in your jurisdiction (in particular, is opt-in consent required if consent must be obtained)? What are the requirements for the cookie banner text?
– The General Data Protection Regime (the ‘GDP’) does not establish specific requirements regarding providing cookie descriptions to users.
– Obtaining cookie consent would only be necessary as long as the information captured by cookies is deemed personal data. For consent to be valid it has to be:
– prior (before the processing takes place),
– express (through means where the data subject reveals unequivocal intention), and
Data subjects need to be informed about:
(i) the name and contact details of the data controller
(ii) their rights and means to exercise them;
(iv) that the authorization to process sensitive data is entirely optional
(v) the specific data that will be collected and processed (especially if sensitive data is involved), and
(vi) how the data will be used and for what purposes (the information and consent language must be provided in the Portuguese language, if the website is provided in Portuguese).
Can cookie consent be obtained by implementing a two-layer approach that consists of cookie categories in layer 1 and descriptions of the specific cookies in layer 2 in your jurisdiction?
Yes. Since there are no specific requirements in Brazil for obtaining cookie consent, the two-layer approach used on the Usercentrics website is sufficient to comply with the transparency and consent requirements established by Brazilian data protection laws.
Can a switch, i.e. a button that can be moved either to the left or right to confirm or decline, be used to obtain opt in or opt out in your jurisdiction?
Yes. It must be equally as easy to withdraw cookie consent as to give it. This requirement can be implemented by switches as used on the Usercentrics website.
How many buttons are required in a cookie banner, e.g. Accept/Decline/Only accept analytics cookies, in your jurisdiction? Are there specifications for positioning, color selection, or similar, e.g. nudging?
In Brazil, there are no specific regulations concerning the content of the cookie banner. In any event, the following is recommended:
(i) allow acceptance of specific categories of cookies, if consent will be sought
(ii) place the cookie banner prominently on the website
(iii) avoid nudge techniques to influence users’ preferences or consent
(iv) insert the cookie privacy notice link in the banner.
What are the requirements for proof of cookie consent in your jurisdiction? Is it sufficient to store (1) the cookie decision locally on the end user’s device, and (2) the cookie decision together with a consent ID in the database of the CMP provider? Are there specifications for the storage location?
Yes. Such implementation is sufficient. There are no requirements regarding the storage location for cookie consent.
Is there guidance by supervisory authorities on cookie consent and cookie descriptions? If yes, can you provide a link to the guidance? If there is no guidance, can you provide a link to the supervisory authority?
The Brazilian National Data Protection Authority (‘ANPD’) has been created but is not yet operational. Guidance has not been issued yet and no official ANPD website is available.
Please find general information on ANPD here:
Please specify the material and territorial scope of cookie rules in your country, in particular regarding the applicability of the terms "personal data" and "processing".
The LGPD applies to any personal data processing operation performed by an individual or organization, whether public or private, irrespective of the means, the country where it is headquartered, or the country where the data is located, provided that:
(i) the processing operation is carried out in Brazil
(ii) the purpose of the processing operation is to offer or provide goods or services or the processing of data of individuals located in Brazil (i.e. offering goods or services and addressing marketing campaigns in Brazilian reals or in the Portuguese language), or
(iii) the personal data is collected in Brazil (i.e. when the data subject is located in Brazil at the time of the collection).
Are there special regulations for minors/children?
Section 14 of the LGPD states that the processing of personal data of children – defined as individuals between 0 and 12 years old – and teenagers – defined as between 13 to 18 years old – must be performed in their best interest under LGPD and the applicable specific legislation, e.g. the Brazilian Civil Code and the Children and Teenagers Statute.
Section 14 (1) LGPD specifically mentions that the processing of personal data of children must be performed with the specific and express consent provided by at least one parent or legal guardian. Controllers shall employ reasonable efforts to confirm/validate this consent.
What are the regulations on fines?
The ANPD may apply administrative sanctions that will be enforceable as of August 2021.
These penalties are defined in Section 52 of the LGPD and include the following:
(ii) one-time fine of up to 2% of the net revenue of the infringing entity’s conglomerate in Brazil in its preceding fiscal year, excluding taxes, up to BRL 50,000,000.00 per violation
(iii) daily fine, which is also subject to the limit set before
(iv) press release
(v) blocking or deletion of personal data
(vi) suspension or prohibition of processing activities.
Even though administrative sanctions will only be enforceable as of August 2021, data subjects are already able to exercise their rights in court or before consumer protection bodies. Consumer protection bodies and public prosecution offices may also enforce some of the LGPD or Consumer Protection Code provisions in matters related to consumer protection and data subjects’ rights.