The LGPD, Brazil’s Data Protection Law, Is Here. Here's What It Means for Your Business.

A new data privacy law in Brazil 

Protecting customer data and privacy is a fundamental and essential requirement of running a business. In May 2018, we saw the introduction of the European data privacy law known as the General Data Protection Regulation (GDPR). Shortly thereafter, in August 2018, a similar privacy law in Brazil known as the Lei Geral de Proteção de Dados (“LGPD”) was introduced. The LGPD requires organizations to comply with requirements related to processing of personal data as well as sensitive personal data. 

While the LGPD is leaner than GDPR, there are a lot of similarities. On this page, we'll walk you through the basics of the LGPD, how the law relates to HubSpot customers, and how HubSpot is helping customers prepare for the law. As further guidance to the LGPD comes into effect, we'll continue to update this page as necessary.

Feeling underprepared? Don’t worry. HubSpot has a number of features that will help customers navigate this data privacy law. The GDPR and the LGPD are similar when it comes to their requirements and obligations. As we helped our customers prepare for the GDPR, most HubSpot customers won’t need to make many changes for LGPD because of HubSpot’s GDPR efforts. However, it’s important to check the specific requirements under the LGPD noted below. 

What is the LGPD?

In August 2018, Brazil approved the Lei Geral de Proteção de Dados (in Portuguese), commonly known as the LGPD, Brazil’s comprehensive data protection law. 

The LGPD creates new legal requirements for the use of personal data in Brazil, both online and offline, in the private and public sectors. The LGPD regulates controllers and processors of personal data. Controllers decide how and why to collect and process personal data. Processors are the entities who process the data according to the controller’s instructions. 

The LGPD covers activities of data controllers and processors, and also creates requirements on organizations processing information of data subjects. Data subjects is broadly defined as a person of whom you are processing personal data. This law also includes obligations on issues such as data protection officer appointments, legal basis for processing, data protection impact assessments, data transfers, and data breaches. The law will be enforced by the Brazilian data protection authority, the National Data Protection Authority (“ANPD”). The ANPD, when guidance is published and appointments of officers are established, will be expected to provide important guidelines and clarity on certain provisions of the LGPD.

Additionally, in case of violations of the LGPD, the ANPD must notify the data processors of any violation. The ANPD must determine a deadline for adopting remediation actions, such as deleting or blocking the personal data. 

When is the LGPD effective? 

The LGPD is now effective. 

The LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed due to COVID-19. However, the Brazilian Senate reversed it’s order on postponement. This made the LGPD immediately effective upon the Brazilian President’s signature of the amendment, which has now been signed. It is important to note, the enforcement date of the law is not until August 2021. Meaning, the data protection supervisory authority, ANPD, tasked with enforcing the law, will have no ability to bring penalties and fines under the LGPD until August 1, 2021. 

Who does the LGPD apply to?

As with the GDPR, the LGPD applies broadly to the processing of personal data, both online and offline. Both the LGPD and the GDPR are comprehensive in terms of personal, material, and territorial scope. The definitions of personal data are very similar in both, defined as having protection for any “information related to an identified or identifiable natural person.”

The LGPD applies across industry sectors and has an extraterritorial application. Meaning, any organization collecting or processing personal data that is subject to the LGPD would not need to have a physical presence in Brazil for the law to apply. Additionally, the LGPD’s applicability is not limited to businesses and organizations size. There are three main aspects to its application. The LGPD applies to any individual or organization, private or public, that:

• processes personal data in Brazil;
• processes personal data that was collected in Brazil; or
• processes personal data to offer or provide goods or services in Brazil.

While there are some exceptions to the applicability of the LGPD, for most organizations processing, selling, and/or marketing in Brazil, the law will apply. 

Does the LGPD apply to my organization?

Before being able to truly determine whether or not the LGPD applies to your organization, it is important to understand what the LGPD defines as “personal data.” As stated above, the LGPD definition of personal data is any “information related to an identified or identifiable natural person.” Therefore, if you are a HubSpot customer that meets the scope criteria, and you are processing personal data, as defined above, then the LGPD applies to you.

An example of how the LGPD may apply to your company is as follows:

Let’s say that Victor is a contact of yours and lives in Brazil. He's called the “data subject," and your company (let's call it Acme Corp.) is called the "controller" of his data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Victor's data on behalf of Acme.

Here’s how Victor might interact with your company;

• Victor comes to Acme’s website for the first time
• Victor fills out a form (or gets created in Acme’s database manually / via API)
• Acme sends Victor an email
• Victor requests to see, modify, or delete the information Acme has about him

Below you can find ways on how HubSpot has got you covered with respect to how Victor may interact with your company, Acme Corp. This example can be further seen in HubSpot’s GDPR playbook. HubSpot has extensive resources on GDPR, including this playbook and knowledge base article. These resources explain our product and system features and functionality used by us and by our customers to support compliance with GDPR. These product and system features can also support compliance with the LGPD.

Individual Rights 

The LGPD grants certain rights to data subjects. The LGPD seeks to protect the personal data of data subjects and does not require a citizenship or residency requirement in order for a person to qualify as a data subject under LGPD. Under the LGPD, data subjects have the right to receive adequate notice of their rights.

The LGPD allows data subjects to obtain the following from a controller with respect to their personal data:

• Confirmation as to the existence of personal data processing; 
• Correction of incomplete inaccurate or out-of-date data; 
• Anonymization, blocking or deletion of unnecessary or excessive data or data processed in a noncompliance with the provisions of the LGPD; 
• Data portability; 
• Deletion of personal data processed with the data subject consent (subject to certain exceptions); 
• Information about public and private entities with which the controller has shared data; 
• Information about the possibility of denying consent and the consequences of such denial; 
• Revocation of consent 

The LGPD provides data subjects with the right to object and restrict the processing of their personal data, and allow individuals to request deletion of their personal data. Additionally, the right of access is recognized in both the GDPR and the LGPD. Therefore, organizations must provide individuals with access to their personal data when requested. Yet, there are a few differences between the GDPR and LGPD, including the time period in which an access request must be responded to. Organizations subject to the GDPR must generally respond to requests within a 30 day timeframe as of the receipt of a request. However, the LGPD is limited to a 15 day timeframe for complying with access requests, and requests for the exercise of other rights should be responded to immediately. It is important to note that the data subject requests under the LGPD are an area of the law that still needs guidance from the ANPD to further clarify. 

Internal expectations for your organization 

• Required disclosures: Just like the GDPR, organizations must notify data subjects of their rights under the LGPD, this includes all the rights listed above. These required discloses must be within the privacy policy, or at the time the personal data is collected. 

• Responding to data subject rights: As mentioned above, the LGPD requires organizations to understand data subject rights. Additionally, organizations must have a process to respond to data subjects asserting their rights. 

• Opt Out: The right to opt out is not limited to any specific processing activity, thus being applicable to any processing activity.  
• Legal grounds for processing personal data: The LGPD requires an organization to have a valid legal basis in order to process personal data.  
• Data Protection Officer (“DPO”): The LGPD requires an organization to have an established Data Protection Officer.
• Transferring data: Under the LGPD personal data can only be transferred to third countries that ensure an adequate level of protection (a list of such countries will be released in the future by the ANPD) or whenever it is based on appropriate safeguards (i.e., standard contractual clauses, specific contractual clauses, binding corporate rules, codes of conduct and certification mechanisms). The LGPD is silent in relation to the safeguards’ mechanics and requirements. 
• Cookie Requirements: The LGPD is based on the risk-based approach, which is similar to what is required for organizations to be GDPR compliant. Organizations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. 

Differences between the LGPD and GDPR 

Both the GDPR and the LGPD are quite similar. However, there are a few differences between the two laws. For example, the GDPR has six lawful legal bases for processing, whereas the LGPD has ten. Additionally, the LGPD is more flexible when it comes to the legitimate interest balancing test. Moreover, the breach notification timing is different between the two laws. Under the GDPR, controllers need to notify supervisory authorities within 72 hrs versus the LGPD where controllers need to notify both the supervisory authority and data subjects within a reasonable time. Finally, one major difference between the two laws is that the LGPD has a mandatory requirement for an organization to appoint a data protection officer whereas in the GDPR it is not mandatory to all controllers. 

What happens if I don’t comply with the LGPD?

Currently, ANPD enforcement is not set to begin until August 1, 2021, when the administrative sanctions provisions of the LGPD go into effect.  For organizations that violate the LGPD, the LGPD provides penalties that may include fines of up to 2% of the organization’s revenues in Brazil for the prior financial year, up to a maximum of R 50,000,000.00 per violation.

Given that the ANPD was only just established, many questions still remain regarding how the ANPD will operate in practice and administer these sanctions. 

How is HubSpot helping you Prepare for the LGPD?

There is a significant amount of overlap between the LGPD and the GDPR. HubSpot has extensive resources on the GDPR, including this playbook, that explains our product and system features and functionality used by us and by our customers to support compliance with the GDPR and LGPD. 

A good portion of the existing product and system features, processes and policies (that are currently used for GDPR compliance) may be used in the same ways for compliance with LGPD. For example, they way you may handle lawful basis and deletion requests (these are currently requirements under both laws) by using our existing functionality. These functionalities are explained below and in the GDPR playbook and they are live to all HubSpot customers. 

Consider our example above: 

Let’s say that Victor is a contact of yours and lives in Brazil. He's called the “data subject," and your company (let's call it Acme Corp.) is called the "controller" of her data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Victor's data on behalf of Acme.

Here’s how Victor might interact with your business;

• Victor comes to Acme’s website for the first time
• Victor fills out a form (or gets created in Acme’s database manually / via API)
• Acme sends Victor an email
• Victor requests to see, modify, or delete the information Acme has about him

Here's a summary of the product functionalities:

Lawful Basis: Under the LGPD, you need to have a legal reason (called a lawful basis in the regulation) to use someone’s data. In HubSpot, we’ve broken down lawful basis into two broad categories: lawful basis both to process (i.e. store data in your CRM or provide an ebook they requested) and to communicate (i.e. send a marketing email or have a sales rep call).

• We’ve added a default contact property to store lawful basis to process.
• Consider updating this property for your contacts.
• We’ve overhauled our subscription setup to make “lawful basis to communicate” easy to track too (including consent). You can now track opt-ins in HubSpot (rather than just “opt outs”). We’ve added these subscriptions to the contact record (so they’re easy to track/audit). And we’ve made them accessible via forms. 

You may need lawful basis to communicate with your contacts. If you don’t have it, consider creating subscription types, updating your existing database with those subscription types (with a permission pass campaign or another method), and setting up your forms to establish lawful basis moving forward.

Please see the HubSpot GDPR Playbook for further details on how to enable the setting for the LGPD obligations. 

Deletion: Under the LGPD, a data subject has the right to request that you delete all the personal data you have about him. 

In many cases, you’ll need to respond to her request immediately. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

Please see the HubSpot GDPR Playbook and GDPR knowledge base article for further details on how to enable the setting for the LGPD obligations. 

Cookies: The LGPD is based on the risk-based approach, which is similar to what is required for organizations to be GDPR compliant. Organizations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore you can give visitors to your website notice of the use of cookies. 

In HubSpot, you can capture a visitor’s consent for cookie tracking. And we’ve launched the ability to show different versions of the consent banner on different website pages.

Please see the HubSpot GDPR Playbook for further details on whether to consider to update your cookie settings and how to enable the setting for the LGPD obligations

**Disclaimer: This website is neither an exhaustive summary of Brazil's Lei Geral de Proteção de Dados (“LGPD”) nor legal advice for your organization to use in complying with it. Instead, it provides background information to help you better understand the LGPD and how it can apply to your organization. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so you should consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this paper as legal advice, nor as an endorsement of any particular legal understanding. Further, while the LGPD is influenced by the GDPR, a organizations already in compliance with the GDPR may not automatically guarantee compliance with the LGPD. Additionally, the LGPD enforcement and guidance has not been finalized, therefore, HubSpot will continue to monitor the development of both LGPD and any guidance to the law. HubSpot will continue to update this page as necessary.