Brazil LGPD

FAQ LGPD

The LGPD is Brazil’s General Data Protection Law, passed by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). It came into effect August 16, 2020. The LGPD is very similar to Europe's GDPR and is a framework containing 65 articles regulating the use and processing of...
by Usercentrics
May 3, 2021
Brazil LGPD
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

The LGPD is Brazil’s General Data Protection Law, passed by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). It came into effect August 16, 2020. The LGPD is very similar to Europe’s GDPR and is a framework containing 65 articles regulating the use and processing of personal data.

 

 

We have compiled the most important questions around LGPD for you:

LGPD FAQ:

What is the LGPD?

LGPD stands for Lei Geral de Proteção de Dados. It is the data protection law in Brazil. It came into effect on August 16th, 2020 but it will be enforceable as of August 1st, 2021.

What are the differences between the LGPD and GDPR?

The main difference between these two regulations is that LGPD has more legal bases. Besides the 6 legal bases that are also included in the GDPR they have 4 more:

  • – to carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  • – to exercise judicial or administrative rights or arbitration procedures,
  • – to protect health in procedures carried out by health professionals or by health entities,
  • – to protect credit.

Regarding the data subject rights, the only difference is that in Brazil there is no right of restriction of processing (Art. 18 GDPR). There is also no direct right to object to the processing, but the user needs to be able to withdraw their consent.

What legal bases are available to enable companies to use cookies on a website?

There are 10 legal bases that allow the processing of personal information. The most commonly used legal bases to enable the use of cookies and other technologies on a website, which collect personal information, are Consent and Legitimate Interest. The services that can be used under legitimate interest are ones that are essential, help with the functionality of the website, or are used for performance and analytics purposes.

What are the legal requirements regarding providing the cookie descriptions to users, obtaining cookie consent in your jurisdiction and cookie banner text?

– The General Data Protection Regime (the ‘GDP’) does not establish specific requirements regarding providing cookie descriptions to users.

– Obtaining cookie consent would only be necessary as long as the information captured by cookies is deemed personal data. For consent to be valid it has to be: 

– prior (before the processing takes place), 

– express (through means where the data subject reveals unequivocal intention), and 

– informed. 

Data subjects need to be informed about: 

(i) the name and contact details of the data controller 

(ii) their rights and means to exercise them;

(iii) where to consult the applicable privacy policy

(iv) that the authorization to process sensitive data is entirely optional

(v) the specific data that will be collected and processed (especially if sensitive data is involved), and 

(vi) how the data will be used and for what purposes (the information and consent language must be provided in the Portuguese language, if the website is provided in Portuguese).

Can cookie consent be obtained by implementing a two-layer approach that consists of cookie categories in layer 1 and descriptions of the specific cookies in layer 2 in your jurisdiction?

Yes. Since there are no specific requirements in Brazil for obtaining cookie consent, the two-layer approach used on the Usercentrics website is sufficient to comply with the transparency and consent requirements established by Brazilian data protection laws.

Can a switch, i.e. a button that can be moved either to the left or right to confirm or decline, be used to obtain opt in or opt out in your jurisdiction?

Yes. It must be equally as easy to withdraw cookie consent as to give it. This requirement can be implemented by switches as used on the Usercentrics website.

How many buttons are required in a cookie banner?

In Brazil, there are no specific regulations concerning the content of the cookie banner. In any event, the following is recommended:

(i) allow acceptance of specific categories of cookies, if consent will be sought

(ii) place the cookie banner prominently on the website

(iii) avoid nudge techniques to influence users’ preferences or consent

(iv) insert the cookie privacy notice link in the banner.

What are the requirements for proof of cookie consent in your jurisdiction?

Yes. Such implementation is sufficient. There are no requirements regarding the storage location for cookie consent.

Is there guidance by supervisory authorities on cookie consent and cookie descriptions?

The Brazilian National Data Protection Authority (‘ANPD’) has been created but is not yet operational. Guidance has not been issued yet and no official ANPD website is available.

Please find general information on ANPD here:

https://www.gov.br/secretariageral/pt-br/noticias/2020/agosto/governo-federal-publica-a-estrutura-regimental-da-autoridade-nacional-de-protecao-de-dados

Please specify the material and territorial scope of cookie rules in your country, in particular regarding the applicability of the terms "personal data" and "processing".

There are no specific rules related to the use of cookies in Brazil. However, since the data collected by cookies is deemed to be personal data, data protection laws such as the Brazilian Internet Act and, most importantly, the LGPD, will apply.

The LGPD applies to any personal data processing operation performed by an individual or organization, whether public or private, irrespective of the means, the country where it is headquartered, or the country where the data is located, provided that: 

(i) the processing operation is carried out in Brazil

(ii) the purpose of the processing operation is to offer or provide goods or services or the processing of data of individuals located in Brazil (i.e. offering goods or services and addressing marketing campaigns in Brazilian reals or in the Portuguese language), or 

(iii) the personal data is collected in Brazil (i.e. when the data subject is located in Brazil at the time of the collection).

Are there special regulations for minors/children within the LGPD?

Section 14 of the LGPD states that the processing of personal data of children – defined as individuals between 0 and 12 years old – and teenagers – defined as between 13 to 18 years old – must be performed in their best interest under LGPD and the applicable specific legislation, e.g. the Brazilian Civil Code and the Children and Teenagers Statute.

Section 14 (1) LGPD specifically mentions that the processing of personal data of children must be performed with the specific and express consent provided by at least one parent or legal guardian. Controllers shall employ reasonable efforts to confirm/validate this consent.

What are the regulations on fines for the LGPD?

The ANPD may apply administrative sanctions that will be enforceable as of August 2021.

These penalties are defined in Section 52 of the LGPD and include the following: 

(i) warning 

(ii) one-time fine of up to 2% of the net revenue of the infringing entity’s conglomerate in Brazil in its preceding fiscal year, excluding taxes, up to BRL 50,000,000.00 per violation

(iii) daily fine, which is also subject to the limit set before 

(iv) press release 

(v) blocking or deletion of personal data 

(vi) suspension or prohibition of processing activities.

Even though administrative sanctions will only be enforceable as of August 2021, data subjects are already able to exercise their rights in court or before consumer protection bodies. Consumer protection bodies and public prosecution offices may also enforce some of the LGPD or Consumer Protection Code provisions in matters related to consumer protection and data subjects’ rights.

Related Articles

California Privacy Rights Act (CPRA) and the future of privacy law

California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) has been in effect since January 1, 2023. CPRA enforcement was delayed due...

DMA Marketer

Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

Google Ads’ notification to "implement consent for ads personalization" isn't just a policy change.