*The information in this article about Brazil's new data protection law, LGPD or Lei Geral de Proteção de Dados, is not and should not be considered legal advice. Please consult your legal counsel to determine its impact on your company and your email program.
Brazil’s new data protection law, LGPD or Lei Geral de Proteção de Dados, was unanimously approved by the National Congress, and sanctioned by Brazil's President on August 14, 2018. The effective date for enforcement is May 3, 2021.
- LGPD text:
- Date the law is enforced:
  - May 3, 2021
  - Fines for non-compliance start August 1, 2021
- Penalties for non-compliance:
  - Fine of 2 percent of the total revenue of the latest financial year limited to R$ 50 million (approximately US$ 12-13 million)
  - This can be applied daily or by infraction
- Changes to the LGPD:
  - Amendments to the LGPD may occur prior to the enforcement date. Be sure to consult your legal counsel for details about any amendments to the law.
What is the LGPD?
The LGPD is a law that gives Brazilian residents more control over the use of their personal information. It is similar to the European Union's General Data Protection Regulation (GDPR).
With this law, Brazilian residents have the right to:
- Confirmation of the existence of data processing
- Access the data
- Correct data that is incomplete, inaccurate, or out-of-date
- Anonymize, block, or delete unnecessary or excessive data or data that is not processed in compliance with the LGPD
- Portability of data to another service or product provider with express consent
- Delete personal data processed with consent from the data subject
- Information about public and private entities with which the controller has shared data
- Information about the possibility of denying consent and the consequences of denial
- Revoke consent
Source: GDPR vs LGPD; GDPR.eu
How does it impact me?
LGPD applies to any individual or organization (physical presence in Brazil not required):
- Collecting or processing personal data of Brazilian residents
- Offering or providing goods and services to Brazilian residents
Should you or your company meet the requirement for compliance, you must take action as outlined within the law by May 3, 2021.
You may be required to:
- Hire a Data Protection Officer or outsource the role to a third party
- Implement a process to notify Brazilian authorities of a data breach
- Change your method of obtaining consent for email marketing communications
- Collect more information about where your customers live
- Keep better records about how personal data is collected
- Keep better records about to whom the personal data is sold
- Provide a free and easy opt-out process
- Be prepared to respond to a verifiable request for personal information (e.g. deleting the data) free of charge within 15 days of the request date
Be sure to consult your legal counsel to determine what changes are required to comply with the law.