What is the LGPD? A Guide for Publishers

Jane O'Hara

With the EU’s GDPR and California’s CCPA now in effect, let’s explore the latest privacy law: Brazil’s LGPD.

This article will clarify what the LGPD is, outline compliance steps for publishers, and explain how the LGPD compares to the GDPR.

Please note: We are not a law firm and therefore do not offer legal advice. This article is informational. Please speak to a lawyer before determining how the LGPD affects your business.

What is the LGPD?

The LGPD, or Lei Geral de Proteção de Dados (General Data Protection Law), is a comprehensive data privacy law that guarantees individual rights to Brazil’s more than 150M internet users.

The LGPD was passed in August 2018 and finalized, via an amending law signed by President Jair Bolsonaro, in July 2019. It is scheduled to take effect on August 15, 2020 and will be enforced by a new national authority, the Autoridade Nacional de Proteção de Dados (ANPD), which plays the supervisory role that national data protection authorities play under the GDPR.

LGPD online privacy graphic

The LGPD applies to all data collection and processing in Brazil - and for all individuals within the territory of Brazil - regardless of the data processor’s headquarters.

Like the GDPR, the LGPD defines personal data as any information that identifies, or could identify, a natural person. In ad-tech terms that covers: name, IP address, lat/long coordinates, cookie IDs, RFID numbers, user agents, mobile advertising IDs, and biometric, genetic, financial, behavioral and demographic data.

Without consent (or another legal basis recognized by the LGPD; see the comparison table below) from a user in Brazil, you cannot:

  • Send full IP addresses downstream; they must be truncated
  • Pass GPS data
  • Store personal data in internal logs
  • Send any other personal data via downstream OpenRTB fields, since you would need a legal basis covering every DSP, ad network, data provider, etc. that receives it (we have a separate article on LGPD and Google Analytics)

If a user has opted in, however, you may continue to do cookie matching, interest targeting, frequency capping, programmatic ads, and so on.

LGPD vs. GDPR: Key similarities

The LGPD was inspired by the GDPR, so these privacy laws share a number of commonalities, including:

Personal data: Any data that, by itself or combined with other data, could identify a person.

Territorial scope: Any data processing within the respective territories, irrespective of where the processor is headquartered.

Data Protection Officers (DPOs): Both laws require one. The GDPR ties the requirement to "large-scale" processing and monitoring; the LGPD makes appointing a DPO the general rule for controllers, with any exemptions left to the ANPD.

Data subjects: Any individual whose data is processed or collected. Like the GDPR, the LGPD guarantees multiple rights to data subjects:
  • Confirmation that processing is taking place
  • Access
  • Rectification
  • Anonymization, blocking or deletion of unnecessary or excessive data
  • Portability
  • Deletion of data processed on the basis of consent
  • Disclosure of the entities with which data has been shared
  • Objection
  • Revocation of consent

NOTE: The GDPR does not clearly define "large-scale"; work with your legal counsel to evaluate the range and volume of personal data you process, and the number of individuals and geographical areas it covers.

LGPD vs. GDPR: Key differences

Despite the similarities, the two laws differ in several places:

Legal bases for processing (when consent is not the basis relied on)
  LGPD: ten legal bases
    • Consent
    • Performance of a contract
    • Legal or regulatory obligation
    • Legitimate interest
    • Public task (processing by the public administration)
    • Protection of life or physical safety
    • Health protection (medical procedures)
    • Protection of credit (credit score)
    • Research by public study entities
    • Exercise of rights in legal proceedings
  GDPR: six legal bases
    • Consent
    • Performance of a contract
    • Legal obligation
    • Legitimate interest
    • Public task
    • Vital interest

Penalties
  LGPD: Up to 2% of the company's revenue in Brazil for its prior financial year, capped at 50M Brazilian reais (BRL) per violation
  GDPR: Up to 20M euros or 4% of global annual turnover, whichever is higher

Data breach notifications
  LGPD: Within a "reasonable time period", to be defined by the ANPD
  GDPR: Within 72 hours of becoming aware of the breach

LGPD compliance

LGPD graphic from Relentless Data Privacy
Who needs to comply

Regardless of your company size, you'll need to comply if your ad platform's processing:

  • Is carried out in Brazil
  • Collects personal data in Brazil
  • Offers or supplies goods or services to, or relates to, individuals located in Brazil

Effectively, unless your site/app is unavailable in Brazil, you will need to enact some changes to be LGPD-compliant.

How to comply

The good news?

If you’re GDPR-compliant, you’ve done much of the heavy lifting required for LGPD compliance.

Like the GDPR, the LGPD defines consent as a free, informed and unambiguous indication of the user's agreement to the processing of their personal data for a specific purpose, and requires that information about personal data collection and use be clear, adequate, and easily accessible.

Consent must be provided by the data subject in writing or by other means, such as a consent banner on your website. The right to revoke consent must also be clearly disclosed.

As you prepare for the LGPD (by August 15, 2020), we suggest the following:

  1. Review the personal data you collect from Brazil

    Conduct a detailed audit and risk assessment of the Brazilian user data you hold, how it is used, and with whom you share it. For programmatic advertising or data sales, this includes ad servers, DMPs, DSPs, SSPs and data providers.

  2. Avoid storing personal data in your logs for Brazilian users

    Truncate IP addresses and drop device IDs, precise location and user IDs before a record is written, not afterwards; scrubbing logs retroactively is harder and leaves a window of exposure.

  3. Ensure your CMP prompts for consent from anyone in Brazil

    Gate downstream sharing on the recorded consent signal, and treat a missing signal as no consent.

  4. Enact a breach response plan

    Breach-notification timing under the LGPD is less prescriptive than the GDPR's 72 hours, but the obligation to notify the ANPD and the affected data subjects still applies, so have a plan for detecting, scoping and reporting an incident before the ANPD sets the deadline.
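The "without consent you cannot" list earlier in this article and steps 2 and 3 of the checklist above describe the same mechanism: a single sanitizer that runs on every bid request before it is forwarded or logged. The example below is added here and is not code from the original article or from any ad platform. It assumes an OpenRTB 2.5-style request dict, that the user's location is read from `device.geo.country` / `user.geo.country` as an ISO-3166-1 alpha-3 code, that `consent` is a boolean your CMP has already resolved, and that the field lists marked as assumptions are the ones your counsel has classified as personal data. Users outside Brazil are passed through untouched so that other regimes can be handled separately.

```python
"""Consent-gated sanitizer for OpenRTB bid requests and the logs that record them.

Added example (not from the original article). Assumptions: an OpenRTB 2.5-style
request dict; location comes from device.geo.country / user.geo.country
(ISO-3166-1 alpha-3); `consent` is a boolean already resolved by your CMP.
"""
import copy
import ipaddress
import json

BRAZIL = "BRA"

# Field names follow OpenRTB 2.5. Which of them count as personal data for your
# platform is an assumption to confirm with counsel; the article's own list
# (IP, GPS, cookie/mobile IDs, user agents) drives the choice here.
DEVICE_ID_FIELDS = ("ifa", "didsha1", "didmd5", "dpidsha1", "dpidmd5",
                    "macsha1", "macmd5", "ua")
PRECISE_GEO_FIELDS = ("lat", "lon", "accuracy", "lastfix", "zip")
USER_ID_FIELDS = ("id", "buyeruid", "yob", "gender", "customdata", "data")


def truncate_ip(ip_str: str) -> str:
    """Coarsen an address: IPv4 keeps the first 24 bits, IPv6 the first 48.

    The result is the network address of that prefix, so "200.160.2.3"
    becomes "200.160.2.0" and an IPv6 address keeps only its routing prefix.
    """
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def in_brazil(request: dict) -> bool:
    """True if either geo object on the request places the user in Brazil."""
    for obj in (request.get("device", {}), request.get("user", {})):
        if (obj.get("geo") or {}).get("country") == BRAZIL:
            return True
    return False


def sanitize_bid_request(request: dict, consent: bool) -> dict:
    """Return a copy that is safe to forward and to log for a Brazilian user.

    Users outside Brazil and users who consented are passed through
    unchanged; the caller's dict is never mutated.
    """
    req = copy.deepcopy(request)
    if consent or not in_brazil(req):
        return req

    device = req.get("device")
    if device:
        for key in ("ip", "ipv6"):
            if device.get(key):
                device[key] = truncate_ip(device[key])
        for key in DEVICE_ID_FIELDS:
            device.pop(key, None)
        if device.get("geo"):
            # Keep country/region/city for coarse targeting; drop precise fixes.
            for key in PRECISE_GEO_FIELDS:
                device["geo"].pop(key, None)

    user = req.get("user")
    if user:
        for key in USER_ID_FIELDS:
            user.pop(key, None)
        if user.get("geo"):
            for key in PRECISE_GEO_FIELDS:
                user["geo"].pop(key, None)
        if user.get("ext"):
            user["ext"].pop("eids", None)  # third-party identity-graph IDs
    return req


def log_bid_request(request: dict, consent: bool) -> str:
    """Serialize a request for an internal log. Never log the raw request."""
    return json.dumps(sanitize_bid_request(request, consent), sort_keys=True)


# Constructed sample request; not real traffic.
SAMPLE_REQUEST = {
    "id": "req-1",
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 10)",
        "ip": "200.160.2.3",
        "ipv6": "2804:14c:65d7:8a2b:1234:5678:9abc:def0",
        "ifa": "7f0c1d2e-3b4a-4c5d-9e8f-0a1b2c3d4e5f",
        "geo": {"lat": -23.5505, "lon": -46.6333, "country": "BRA",
                "region": "SP", "city": "Sao Paulo", "zip": "01310-100"},
    },
    "user": {"id": "pub-user-42", "buyeruid": "dsp-9f8e",
             "ext": {"eids": [{"source": "example.com",
                               "uids": [{"id": "abc"}]}]}},
}

if __name__ == "__main__":
    print(log_bid_request(SAMPLE_REQUEST, consent=False))
```

Run it on the sample request with `consent=False` and the forwarded record keeps only the /24 and /48 prefixes, the country/region/city, and the request ID; with `consent=True` the request passes through unchanged. The deep copy matters operationally: the raw request should live only in memory for the duration of the auction, and everything that persists or leaves the process goes through `sanitize_bid_request`.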

What’s next?

With the passage of the LGPD, Brazil - the largest country in South America and Latin America - joins more than 100 countries with personal data protection laws. Given heightened consumer concern and awareness, we expect more privacy laws to come - and we’ll be sure to help publishers prepare for them.

As you prepare your platform for LGPD compliance, here are a few additional sources that may prove helpful:

Official LGPD Texts

  • LGPD - Full English text
  • LGPD - Full Portuguese text
