What is LGPD?

Brazil, with over 140 million internet users, holds the title of the largest internet market in Latin America and the fourth largest in the world. Before the LGPD, Brazil had more than 40 federal regulations addressing data protection and privacy, which created a complicated legal framework.

Overview of LGPD
Who must comply with LGPD
Data subject rights under LGPD
Consequence of non-compliance
LGPD vs. GDPR
Fines for non-compliance
How Consentik ensures LGPD compliance

Overview of LGPD

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law, modeled after the EU’s GDPR. Enacted in 2018 and effective since 2020, the LGPD regulates the processing of personal data and aims to protect the privacy of individuals. It applies to any individual or organization, public or private, that processes personal data in Brazil or collects data from Brazilian residents.

The LGPD enhances consumer privacy rights, increases transparency in data handling practices, and promotes the secure and ethical use of personal data. Compliance with LGPD helps businesses build trust with customers and ensures they avoid hefty fines and legal penalties.

Who Must Comply with LGPD?

The LGPD applies to any organization or individual, public or private, that processes personal data of Brazilian residents, regardless of where the organization is located. This includes:

Businesses Operating in Brazil: Any company with operations in Brazil must comply with LGPD regulations.
Foreign Companies: Organizations outside Brazil that process personal data of Brazilian residents must adhere to LGPD.
Public Authorities: Government bodies and public institutions in Brazil are also subject to LGPD requirements.
Service Providers: Third-party service providers that handle personal data on behalf of other organizations must ensure LGPD compliance.

Data Subject Rights Under Brazil’s LGPD

Brazil’s LGPD grants nine key rights to data subjects, ensuring their control over personal data:
Confirmation: Verify whether their data is being processed.
Access: Obtain access to their personal data.
Correction: Correct incomplete, inaccurate, or outdated data.
Anonymization, Blocking, or Deletion: Anonymize, block, or delete unnecessary or non-compliant data.
Portability: Transfer their data to another service or processor.
Deletion: Have their personal data deleted.
Information Sharing: Know which public and private entities have accessed their data.
Consent Information: Be informed about the option to deny consent and its consequences.
Revoke Consent: Withdraw previously given consent at any time.

Consequences of Non-Compliance

Non-compliance with LGPD can result in significant penalties, including fines of up to 2% of a company’s Brazilian revenue, capped at 50 million Brazilian reals per violation. Additionally, businesses may face public sanctions, including suspension of data processing activities, and reputational damage that can erode consumer trust and impact business operations.

LGPD vs GDPR – Personal Data

Personal data under LGPD has a broader definition than under GDPR. According to LGPD, personal data includes any information related to an identifiable natural person. While GDPR specifies personal data with examples like names, addresses, and gender, LGPD’s broader definition covers all identifying information.

Sensitive data, which includes details on race, ethnicity, religious beliefs, political views, health, sexuality, genetics, and biometrics, is handled similarly in both regulations but with stricter processing restrictions under LGPD.

How Consentik Ensures LGPD Compliance

Not only gatekeepers are affected by the DMA; if you advertise on major platforms like Google, Microsoft, or Meta, your business will likely be impacted too. You might need to gather user consents on behalf of these gatekeepers, necessitating a review of your consent collection processes. It’s important to ensure that your methods for obtaining consent are clear and straightforward. This means users should easily understand what they are agreeing to and be able to give or withdraw their consent without difficulty. Improving these practices will help you stay compliant and maintain user trust.