Data Privacy

Brazil Has a Brand New Data Protection Law and You Should Know About It


Brazil’s new data protection law, LGPD or Lei Geral de Proteção de Dados (General Data Protection Law), was unanimously approved by the National Congress and sanctioned by the president on August 14th, 2018. It will come into effect in August 2020 (the original term was 18 months counting from its publication in the Diário Oficial da União, but the law was altered on December 27 of 2018, giving companies a bit more time to get ready).

The law was created to provide legal support for Brazilian citizens with regard to the treatment of data of an identified or identifiable person, and it is very clear about what data treatment is. According to Article 5:

“treatment: all operations performed with personal data, such as the ones referred as collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, archiving, storing, elimination, evaluation or control of information, modification, communication, transferring, diffusion or extraction;”

The law also contains many regulations to allow every person to have their privacy respected, and of course, the law is quite long, so I recommend that anyone interested in knowing more look at the FAQ done by ABEMD, and also at Law n° 13709 straight from Portal da Legislação.

How does the new law impact who uses personal data?
Going straight to what matters to us, this law will impact everyone who sends email marketing or makes use of any personal data.

The new law makes a bold statement: the data belongs to the individuals. The data that your company has about people will need to have a legal basis. If your company wishes to use data that identifies someone or makes someone identifiable, it will have to obtain consent from the owner, and according to the law, consent is: “consent: manifestation by free will, informed and unmistakable by which the owner agrees with the treatment of his personal data for a specific purpose;”

This excerpt points out two important things:

  1. The way that consent is requested has to be clear, and it can’t be hidden inside a privacy policy.
  2. The purpose of the consent has to be determined.

In other words, if you obtained personal data to create a purchase receipt, under no circumstances can that data be used for another purpose, such as sending email marketing. So, if your company wishes to send email marketing, it will need to obtain a specific opt-in to use the data for the purpose of email marketing.

Personally, I see this change as something positive. We’ve seen great results when GDPR came into effect in the EU, such as improved data quality and increased consumer trust. These benefits and many others have been explained by our very own Senior Director of Professional Services, Guy Hanson, in the article: GDPR – The Upside.

How to get ready starting now?
The first step is to realize that this is real: it is a law, and companies will have until August 2020 to be compliant. Use this to your advantage and start preparing as soon as you can.

Second, be aware of the creation of the National Data Protection Authority, which will act as a regulating entity, overseeing the rules defined in the new law and applying fines to those that are non-compliant. In the law’s original text, the Data Protection Authority was vetoed by President Temer, which led many companies that do email marketing to argue that, since it was vetoed, there would be no oversight.

That original scenario without the national authority no longer holds: changes were made via Executive Order n° 869, on December 27th, 2018. Therefore, this is real, guys, and August 2020 is right around the corner.

Third, seek legal counsel specialized in this matter to help your company get ready for this new law. Return Path doesn’t do this kind of advisory, but our recommendations have always been aligned with most of the practices described in the law, such as the many best-practice recommendations that are available on our blog.

The last step: don’t leave it to the last moment. We know that it is cultural for us Brazilians to adopt the “why do this today if I can do it tomorrow” policy. In this case, it is important to be proactive, as the fines are big. According to Article 52:

  • Fine of 2 percent of the total revenue of the latest financial year limited to R$ 50 million
  • This can be applied daily or by infraction

I should also point out that these are just some important highlights that I picked out just to illustrate the importance of this new law and how it will impact all of us, so expect future blog posts with more details.

The beginning of a new era
Despite being frightening, this is only the beginning of a long journey that is ahead. Companies will have to adapt and there will be adjustments in the market as a result. Nevertheless, I see what this law proposes in a positive light, not only because Brazil is one of the first countries outside of the EU that is following this global trend on data privacy, but also due to the positive results that European companies have seen after GDPR.

Be sure to return here to Return Path’s blog to see new articles about the General Data Protection Law and e-mail marketing. In the meantime, here are some links to articles that have been produced by Return Path about the law that inspired our own, GDPR:

  • What is GDPR and Why is it Important?
  • GDPR: Return Path Readiness
  • Preparing for GDPR as a Digital Marketer
  • Making Sense of Consent Under the GDPR

Last but not least, this article isn’t legal counsel; these are my opinions and a bundle of best practices and learnings which we’ve obtained when we observed EU companies after GDPR came into effect on May 25th, 2018. It’s always best to bring this information to your internal legal counsel and privacy teams to discuss how your company will approach compliance.