The internet era has changed how society traditionally operates and how we go about our daily lives. It has brought numerous benefits to society, such as ease of communication and convenience of e-commerce. However, at the same time, this has posed challenges to individuals’ data privacy, including cyber security failures, data analytics, online tracking, etc.
Such a page is typically required to contain information about what data the organization collects, how it collects it, for what purposes, and for how long. Having a privacy notice reflects an organization's accountability and transparency in handling data belonging to an individual, especially personal data, by letting users decide how they want their personal data to be used. This helps gain users’ trust and confidence in an organization’s practices and reflects its commitment to protecting individual privacy.
What is LGPD?
With more than 140 million internet users in Brazil, the country represents a tremendous potential opportunity for businesses of all sorts. Hence, it is no surprise that businesses have expanded their efforts to reach their target audiences effectively. The advent of modern digital marketing tools and techniques has only made it easier for them to do so.
At the same time, legislative efforts have ensured this does not come at the cost of users’ data privacy. There have been around 40 different legal regulations on data privacy management across various sectors. Compliance with these regulations was costly, with frequent overlaps and conflicts causing more harm than good.
The Lei Geral de Proteção de Dados (LGPD) was passed by the Brazilian National Congress in August 2018 and formally enacted in September 2020. It is Brazil’s most comprehensive data regulation to date and aims to address all matters related to the data privacy of Brazil residents. Modeled closely on the GDPR, the LGPD applies to organizations processing the personal data of individuals residing in Brazil, irrespective of whether the organization is located outside or within Brazil.
In short, yes.
- Transparency: Article 6 (IV) of LGPD requires the organization to carry out the processing in good faith while complying with the transparency principle. This means that organizations must provide data subjects with clear, accurate, and easily understandable information about how their data is processed and who is handling it.
- Access to information: As per Article 9 of LGPD, organizations must provide information to the data subjects regarding the specific processing of their personal data in a clear, adequate and ostensible manner. In particular, this should include the retention period, contact information, and rights of data subjects.
- Processing of children’s data: As per Article 14 of LGPD, organizations processing data belonging to children or adolescents are required to make publicly available information about the types of data collected and the way it is used. This notice should be presented in a simple, clear and accessible manner.
- Public legal authorities: According to Article 23 of LGPD, if the processing is carried out by legal entities of public law in discharging their duties under the Brazilian Access to Information Law, they must provide clear and up-to-date information about the legal basis, purpose, procedures and practices used to carry out these activities in an easily accessible medium, preferably on their websites.
- What data the website collects;
- The purpose for collection of data;
- How long the collected data will be retained;
- Provide a legal basis for the collection of data;
- Inform the users/individuals of their data subject rights per the LGPD;
- Educate the users about how they can exercise their data subject rights;
- Provide users with at least one way to contact the website and the organization behind it related to their data, such as email, phone, or any other means.
Several data regulations require organizations to update their privacy policies within a specific time frame. However, the LGPD does not contain any such requirement.
At the same time, it is considered both a reflection of proactiveness on the part of the organization and good practice to have the policy reviewed and updated regularly to reflect the organization’s data processing practices.
Doing so ensures any changes in the organization’s data collection methods or purposes are reflected within the policy and avoids any unnecessary fallout later on.
Specific Language Requirements
Currently, there are no linguistic requirements. The only requirement as far as the language itself is concerned is for the terminology used to be clear, transparent, and easily understandable.
How Can Securiti Help?
While this can be done manually, doing so would unnecessarily strain the organization’s resources. This is where Securiti Privacy Center can be of great help. Securiti’s Privacy Center allows websites to consolidate and address their privacy obligations easily.
Sign up for Securiti Privacy Center now and set up dynamic policies in just a few minutes.