
LGPD Privacy Policy Requirements – The Basics To Know

Published February 7, 2023
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


The internet era has changed how society traditionally operates and how we go about our daily lives. It has brought numerous benefits to society, such as ease of communication and convenience of e-commerce. However, at the same time, this has posed challenges to individuals’ data privacy, including cyber security failures, data analytics, online tracking, etc.

These rising privacy concerns highlighted the need for comprehensive legal frameworks. In particular, most data protection regulations globally require businesses to be accountable to individuals and to fulfill their due diligence by informing them what data/information the organization collects and has access to. Organizations must therefore have a privacy notice or privacy policy page on their website.

Such a page is typically required to state what data the organization collects, how it collects it, for what purposes, and for how long it is retained. A privacy notice reflects an organization's accountability and transparency in handling data belonging to individuals, especially personal data, by letting users decide how they want their personal data to be used. This helps gain users' trust and confidence in an organization's practices and reflects its commitment to protecting individual privacy.

The requirements for a privacy policy usually differ depending on the regulation in question, and Brazil's Lei Geral de Proteção de Dados (LGPD) is no different. Inspired by the European Union's General Data Protection Regulation (GDPR), it has a strict list of requirements that all LGPD-covered businesses must comply with. One such requirement is a privacy policy page.

What exactly are these requirements, and what other vital information should organizations know about the LGPD’s take on privacy policy? Read on to learn more.

What is LGPD?

With more than 140 million internet users in Brazil, the country represents a tremendous potential opportunity for businesses of all sorts. Hence, it is no surprise that businesses have expanded their efforts to reach their target audiences effectively. The advent of modern digital marketing tools and techniques has only made it easier for them to do so.

At the same time, legislative efforts have ensured that this does not come at the cost of users' data privacy. Historically, around 40 separate sector-specific regulations governed data privacy in Brazil. Compliance with these regulations was costly, with frequent overlaps and conflicts causing more harm than good.

The Lei Geral de Proteção de Dados (LGPD) was passed by the Brazilian National Congress in August 2018 and formally took effect in September 2020. It is Brazil's most comprehensive data protection regulation to date and addresses all matters relating to the data privacy of Brazilian residents. Modeled closely on the GDPR, the LGPD applies to organizations processing the personal data of individuals residing in Brazil, regardless of whether the organization itself is located inside or outside Brazil.

Do All Organizations Need a Privacy Policy?

In short, yes.

The LGPD does not contain an explicit privacy policy or privacy notice requirement. However, it contains other critical requirements that a privacy policy serves to meet:

  1. Transparency: Article 6 (IV) of the LGPD requires organizations to carry out processing in good faith while complying with the transparency principle. This means that organizations must provide data subjects with clear, accurate, and easily understandable information about how their data is processed and who is handling it.
  2. Access to information: Under Article 9 of the LGPD, organizations must provide data subjects with information about the specific processing of their personal data in a clear, adequate, and conspicuous manner. In particular, this should include the retention period, contact information, and the rights of data subjects.
  3. Processing of children's data: Under Article 14 of the LGPD, organizations that process data belonging to children or adolescents must make publicly available information about the types of data collected and how it is used. This notice must be presented in a simple, clear, and accessible manner.
  4. Public legal authorities: Under Article 23 of the LGPD, where processing is carried out by legal entities governed by public law in the discharge of their duties under the Brazilian Access to Information Law, they must provide clear and up-to-date information about the legal basis, purpose, procedures, and practices used to carry out these activities through easily accessible media, preferably on their websites.

The most efficient way of communicating all the aforementioned information is via a well-drafted privacy policy.

What to Include in an LGPD Privacy Policy?

As mentioned earlier, each data regulation has its own take on what information must be available via the privacy policy. Per the LGPD, the following information is required at minimum:

  • What data the website collects;
  • The purposes for which the data is collected;
  • How long the collected data will be retained;
  • The legal basis for the collection of the data;
  • The data subject rights that users/individuals have under the LGPD;
  • How users can exercise those data subject rights;
  • At least one way for users to contact the website and the organization behind it about their data, such as email, phone, or any other means.

Deploying Privacy Policy to a Website

The privacy policy explains a website's data processing practices and users' privacy rights. On paper, the privacy policy can be drafted manually, but this places a needless burden on resources. Since a website needs to revise and update its privacy policy from time to time, creating it manually is not the most efficient approach.

That's why automation is the obvious option. With Securiti's privacy policy solution, organizations can automatically generate a fully LGPD-compliant privacy policy from several pre-defined templates, and can also customize the policy in any language based on the user's location.

How Often Should the Privacy Policy be Updated?

Several data regulations require organizations to update their privacy policies within a specific time frame. However, the LGPD does not contain any such requirement.

At the same time, it is considered both a reflection of proactiveness on the part of the organization and good practice to have the policy reviewed and updated regularly to reflect the organization’s data processing practices.

Doing so ensures that any changes in the organization's data collection methods or purposes are reflected in the policy and avoids unnecessary fallout later on.

Specific Language Requirements

Currently, the LGPD imposes no specific language requirements. The only requirement concerning language is that the terminology used must be clear, transparent, and easily understandable.

How Can Securiti Help?

As mentioned earlier, designing a compliant privacy policy or privacy notice may seem reasonably straightforward, but it is anything but easy. Frequent changes are needed depending on the regulations the website is subject to, and the information must be comprehensible enough for users to understand.

While this can be done manually, doing so would unnecessarily strain the organization's resources. This is where Securiti Privacy Center can be of great help. Securiti's Privacy Center allows websites to consolidate and address their privacy obligations easily.

Doing so not only makes it easier for users to access all relevant information about their data rights and the website's data processing practices, but also allows the website to comply with its privacy policy and similar requirements in an engaging way.

Sign up for Securiti Privacy Center now and set up dynamic policies in just a few minutes.
