The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian data protection law designed to police and protect how data is collected, stored, and shared for Brazil’s more than 150 million internet users.
You may have seen an email about this pop up in your inbox from Google over the last few days. To help you out, this post details exactly what this law is, how it might affect you (even if you’re not based in Brazil), and what you have to do to get ready for it.
What is the LGPD privacy law?
The LGPD is a data protection law passed in August 2018. Enforced by a new national authority called the ANPD (Autoridade Nacional de Proteção de Dados), the LGPD states that you cannot collect and share personal user data without consent from Brazilian users.
Personal data in this law is defined as any data that can be used to identify someone, such as their:
- Name
- IP address
- Coordinates
- Cookie IDs
- RFID numbers
- Mobile IDs
- Demographic information
In most ways, the LGPD is similar to the European GDPR. So if you’re already familiar with this law, there won’t be many other changes that you need to get used to.
What’s the difference between LGPD and GDPR?
Under GDPR, there are 6 cases in which consent is not required for data processing. The LGPD has 10 legal bases instead. These are:
- Explicit consent
- Contractual performance
- Legal obligation
- Legitimate interest
- Public task
- Life protection
- Health protection (medical procedures)
- Protection of credit (credit score)
- Research by public study entities
- Exercise of privileges in legal proceedings
Like GDPR, there are no exact outlines for what ‘legitimate interest’ or ‘explicit consent’ consist of. To be on the safe side, it’s recommended that your business be able to present clear consent forms to protect itself.
If you’re found to be in breach of the LGPD, you also have a different timeline to fix this. Instead of the normal 72 hours, you now have a “reasonable time period” to rectify this, which will be defined by the national authority.
Failure to comply will result in a penalty. The penalties are capped at 50 million Brazilian reais, or 2% of your annual revenue from Brazil, depending on which is higher.
Who does the LGPD affect?
The LGPD will affect any business that collects personal data, offers products or services into or out of Brazil or advertises to Brazilian users.
Basically, if your website or advertising can be accessed in Brazil, you need to comply with the new law.
How does it affect your PPC ads?
If your advertising is already GDPR compliant, this law won’t have much impact on your PPC ads. In effect, it will mean that Google will update its privacy laws to ensure that the way they handle and store data is compliant with the LGPD.
There are a number of Google Ads features that you can use to make sure that your ads won’t be caught out, such as:
- Data Retention controls, which manage how long your user and event data is held on Google’s servers.
- The User Deletion API, which lets you delete data associated with user identifiers from your Google Analytics or 360 properties.
- Remarketing, which allows you to disable advertising features for those that don’t want to receive personalised ads.
If you’re advertising a lot in Brazil, you can also use Google’s Non-Personalized Ads solution, which allows you to serve non-personalised ads in Brazil to ensure that you are compliant with the LGPD.
When is the LGPD coming into effect?
This one is a little more complicated.
Currently, the LGPD is scheduled to come into effect on August 15th, 2020. However, if the National Congress does not approve, or offers any other amendments to the law, it will come into effect on May 3, 2021, as per the terms of the Provisional Measure No. 959.
At the moment, it’s unlikely that the law will be amended and thus businesses should prepare for it to come into effect on August 15th 2020.
What to do to prepare for LGPD
Before August 15th, it’s a good idea to review the personal information and data that you currently collect from Brazil, ensuring that it is compliant with the new LGPD laws.
If you have a large base in Brazil, it may be worth contacting a legal representative to guide you through any additional processes or procedures that your company may have to put in place. For example, in some cases, you may need to employ a Data Protection Officer (DPO) to ensure that your business is compliant.