Brazil is another country with strong data privacy regulations – specifically, the Brazilian General Data Privacy Law, also known as LGPD. Beginning August 2020, it will give more than 210 million people new rights to access and control their own data and impact how companies manage their privacy.
You might be wondering how it will affect your business and the tools you’re using. Well, if you had sorted things out before GDPR came into force – good news – the laws are quite similar, so you’ve already done a lot of the groundwork. But the two pieces of legislation are not identical, so you need to check for certainty that you tick all the compliance boxes.
And if for whatever reason you missed the pre-GDPR frenzy – below are 9 steps to prepare your analytics stack for LGPD.
Also be sure to visit GDPR section on our website.
LGPD applies to any individual or legal entity, public or private, who processes personal data:
- in Brazil
- for the purpose of offering or supplying goods or services in Brazil
- collected in Brazil
Like GDPR, LGPD has extraterritorial scope and will apply to any business that meets these criteria regardless of where it’s headquartered.
However, LGPD doesn’t affect data processing carried out:
- for strictly personal purposes
- exclusively for journalistic, artistic, literary or academic purposes
- exclusively for national security, national defense, public safety, criminal investigation or punishment activities
Considering that Brazil is the fifth most populated country in the world, it’s safe to assume that almost every business with a global presence will need to adhere to the law.
LGPD describes personal data as any information related to an identified or identifiable natural person. Similarly to GDPR, the list includes cookies (after all, they serve to identify users). That’s why it’s highly likely that the data you collect through analytics will meet the definition of personal data. We’ll return to this issue later on.
Not sure if you’re collecting personal data? Then this cheat sheet may prove useful.
In the current version of LGPD, every data controller is obliged to appoint data protection officer. What’s particularly important is that a DPO doesn’t have to be a natural person. This means that companies, committees and working groups can perform the role. What’s more, the position of DPO can even be handled by a third party.
It’s likely that complementary regulations will clarify this rule and set exceptions, but for now that’s what the requirements look like.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
If you know that you’re collecting personal data and have a DPO in place, it’s time to find a legal ground allowing you to continue to process personal data. The LGPD provides 10 different legal bases for that. From the business point of view, two of them are particularly worth examining – legitimate interest and consent.
Legitimate interest may only be a basis for the processing of personal data in the following scenarios:
- to support and promote the activities of the controller
- for protection of data subjects or provision of services that benefit them
For companies that don’t want to, can’t or are afraid to rely on legitimate interest when collecting data, consent seems to be the right solution to adopt.
Let’s assume you’ll stick with consent as your ground for collecting personal data.
Just like with GDPR, consent is understood as a “free, informed and unequivocal pronouncement by means of which the data subjects agree to the processing of their personal data for a specific purpose.”
In the context of analytics, it means that as a site owner, you can’t simply assume that a user has opted to accept the cookies used on your site. That’s what we call implicit consent.
The regulation alone doesn’t specify how to collect consents. However, there are several solutions that have worked well under GDPR, including consent managers. We don’t want to brag, but Piwik PRO provides a quite handy GDPR Consent Manager, which can also work as an LGPD consent manager.
Consents are one thing. Another are data subject rights. LGPD introduces 9 new rights into the Brazilian data protection system – that’s more than under GDPR. The list includes:
- confirmation of the existence of processing
- access to the data
- correction of incomplete, inaccurate or outdated data
- anonymization, blocking or elimination of unnecessary or excessive data or of data processed in noncompliance with the provisions of this Law
- portability of data to other service providers or suppliers of product, at the express request, and observing the business and industrial secrets, in accordance with the regulation of the controlling body
- the elimination of the personal data processed with the consent of the data subjects, except in the events set forth in article 16 of this Law
- information of the public and private entities with which the controller carried out the shared use of data
- information on the possibility of not providing consent and on the consequences of the denial revocation of the consent
What’s important is that the law gives you only 15 days to process user requests (compared to 30 days under GDPR).
In the case of companies operating on a larger scale, you should consider automating this process using dedicated tools for handling data subject requests.
Part of the obligations arising from data subject requests will also lie with your business partners, including web analytics vendors. Their infrastructure should ensure that data can be freely removed, changed, transferred, and in the case of LGPD, also anonymized. We’ll continue discussing this topic in the next step.
A very good rule of thumb is to never assume a business partner operates in compliance with any data privacy law, even if they’ve always been trustworthy before. Proof of this is GDPR. It’s already been a year since its enactment and many companies still haven’t adopted their processes to the requirements of the law. The list includes Google. The Alphabet-owned company has been sued several times by European Union watchdogs for violating the requirements of GDPR. You can read more about it here, here, and here.
And LGPD is also coming into force in just over a year, so while it’s hard to expect that your business partners will have all their ducks in a row, they should have at least some LGPD-readiness roadmap in place.
Below is a list of signs that indicate your vendor takes privacy matters seriously:
The final version of the law isn’t ready yet. However, processing data on such a large scale – like with analytics tools – is likely to require a DPO be appointed.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
Your DPO or members of a designated LGPD team should be able to speak with your partner’s DPO and get a clear idea of what steps they have taken towards compliance with the new law. Their attitude should indicate that they’re willing to share the burden with you and facilitate your tasks related to the law.
Unfortunately, it seems like the strategy adopted by some web analytics vendors (including Google Analytics) is to get rid of all the information that can be classified as personal data and oblige you to anonymize every piece of information you collect using their tool. Be warned – this won’t solve the problem!
Although all your data will be anonymized, you can’t escape the fact that the tool stores a visitor online identifier in a cookie. Those kinds of identifiers are considered personal data under GDPR and you must have users’ permission to process them.
So, in other words, you end up with anonymized data and yet you still have to collect user consents and process data subject requests. Not such a great deal, is it? In this situation, you might consider another platform whose infrastructure will make it easier for you to store personal data, process data subject requests and respect users’ rights.
In these blog posts we tackle issues related to data subject rights:
- A Practical Guide to GDPR: How to Respect Data Subject Rights and Collect Consent
- GDPR Data Subject Rights – What You Need to Know
And if you’d like to learn more about data anonymization, check out these posts:
Article 33 of LGPD states that:
The international transfer of personal data is permitted solely in the following cases:
- to countries or international organizations that provide the appropriate level of protection of personal data provided for by this Law;
- where the controller provides and demonstrates guarantees of compliance with the principles, the rights of the data subject and data protection regime established in this Law, in the form of:
- specific contractual sections for a given transfer;
- standard contractual sections;
- global corporate rules;
- seals, certificates and codes of conduct regularly issued;
It means that if you or your partner are located offshore, they should prove that they can provide a similar level of data security to that required of Brazil-based companies (more about that in Article 46).
It’s a good sign when they comply with international security standards like ISO 27001 or have been successfully audited for data security by external auditors. If they have, you know that at the very least they have a basic data security framework in place.
An equally good solution will be if the vendor enables you to keep data on your own servers or in a private cloud. Thanks to this, you’ll be able to apply your own security standards to the analytics data.
Also, consider avoiding third-party scripts on your website. In recent months they’ve been a factor in multiple data breaches, so consider removing them from your ecosystem. Talk to your vendor to find out if their tool allows you to avoid these types of scripts.
If your business partner has presented some reasonable proof that they’ll provide a level of privacy appropriate for your users’ data, it’s now time to sign a Data Processing Agreement with them.
This contract should specify the data they have access to, the scope of use of that data, and any existing compliance plan that might be in effect. Also, it should specify the technical and organizational measures your web analytics vendor takes to protect the personal data of your clients.
Not sure what a proper DPA should look like? Read this:
7 Elements Every Data Processing Agreement Should Have
There is a good chance that the law will be revised between now and August 2020. Maybe the lobbying efforts of big business will strip the regulation of its teeth. Or maybe the opposite will happen – Brazil could implement the highest data privacy standards in the world. Who knows? That’s why you have to keep one ear to the ground and follow the changes in the law. We promise to keep you posted!
And if you’re interested in how Piwik PRO can help you comply with this and other privacy laws, be sure to contact our team. We’ll be happy to fill you in on the details!