
LGPD Privacy Policy Requirements – The Basics To Know

Published February 7, 2023
Author: Omer Imran Malik, Senior Data Privacy Consultant at Securiti (FIP, CIPT, CIPM, CIPP/US)


The internet era has changed how society operates and how we go about our daily lives. It has brought numerous benefits, such as ease of communication and the convenience of e-commerce. At the same time, it has created new risks to individuals' data privacy: security failures that expose personal data, large-scale data analytics, online tracking, and so on.

To address these rising privacy concerns, lawmakers have moved towards comprehensive legal frameworks. Most data protection regulations worldwide require businesses to be accountable to individuals and to exercise due diligence by telling them what personal data the organization holds and what it does with it. In practice, this means organizations must publish a privacy notice or privacy policy page on their website.

Such a page is typically required to state what data the organization collects, how it is collected, for what purposes, and for how long it is kept. A privacy notice demonstrates an organization's accountability and transparency in handling personal data, and it lets users make informed decisions about how their personal data is used. This helps earn users' trust in the organization's practices and reflects its commitment to protecting individual privacy.

The exact requirements for a privacy policy differ from regulation to regulation, and the Brazilian Lei Geral de Proteção de Dados (LGPD) is no exception. Inspired by the European Union's General Data Protection Regulation (GDPR), it sets out a strict list of obligations that all LGPD-covered businesses must meet, and an informative privacy policy page is one practical way to satisfy several of them.

What exactly are these requirements, and what other vital information should organizations know about the LGPD’s take on privacy policy? Read on to learn more.

What is LGPD?

With more than 140 million internet users in Brazil, the country represents a tremendous opportunity for businesses of all sorts. It is no surprise that businesses have expanded their efforts to reach Brazilian audiences, and modern digital marketing tools and techniques have only made it easier to do so.

At the same time, legislative efforts have aimed to ensure this does not come at the cost of users' data privacy. Before the LGPD, roughly 40 separate laws and regulations touched on data privacy across various sectors. Complying with this patchwork was costly, and the frequent overlaps and conflicts between rules often did more harm than good.

The Lei Geral de Proteção de Dados (LGPD) was passed by the Brazilian National Congress in August 2018 and came into force in September 2020. It is Brazil's most comprehensive data protection law to date and governs the processing of personal data of individuals in Brazil. Modeled closely on the GDPR, the LGPD applies to organizations processing the personal data of individuals located in Brazil, regardless of whether the organization itself is located inside or outside the country.

Do All Organizations Need a Privacy Policy?

In short, yes.

The LGPD does not contain an explicit, standalone obligation to publish a privacy policy or privacy notice. However, it contains several other requirements that are hard to meet without one:

  1. Transparency: Article 6 of the LGPD requires processing to be carried out in good faith and in line with its principles, among them transparency (item VI). Organizations must give data subjects clear, accurate, and easily understandable information about how their data is processed and who is handling it.
  2. Access to information: Under Article 9 of the LGPD, data subjects have the right to easy access to information about the processing of their personal data, provided in a clear, adequate, and ostensible manner. This includes the purpose, the form and duration of processing, the identity and contact details of the controller, any sharing of the data, and the data subject's rights.
  3. Processing of children's data: Under Article 14 of the LGPD, organizations that process the personal data of children or adolescents must make publicly available information about the types of data collected and how they are used, presented in a simple, clear, and accessible manner.
  4. Public legal entities: Under Article 23 of the LGPD, legal entities of public law that process personal data in the discharge of their public duties must provide clear and up-to-date information about the legal basis, purpose, procedures, and practices used in that processing, through easily accessible media, preferably their websites.

The most efficient way of communicating all the aforementioned information is via a well-drafted privacy policy.

What to Include in a LGPD Privacy Policy?

As mentioned earlier, each data regulation has its own take on what information must be available through the privacy policy. For the LGPD, a privacy policy should at a minimum:

  • State what data the website collects;
  • State the purpose for which each category of data is collected;
  • State how long the collected data will be retained;
  • State the legal basis relied on for the collection and processing;
  • Inform users of their data subject rights under the LGPD;
  • Explain how users can exercise those rights;
  • Give users at least one way to contact the organization behind the website about their data, such as an email address, a phone number, or another channel.

Deploying Privacy Policy to a Website

The privacy policy explains a website's data processing practices and users' privacy rights. On paper, a privacy policy can be drafted by hand. In practice, that is a needless drain on resources: a website has to revise and republish its policy every time its data collection changes, so a hand-maintained document quickly drifts away from what the site actually does.

That is why automation is the obvious option. With Securiti's privacy policy solution, organizations can automatically generate an LGPD-compliant privacy policy from pre-defined templates and customize it, in any language, according to the user's location.
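The practical point behind automation is that a notice should be generated from the organization's record of what it actually processes, so that the policy cannot silently omit a retention period or a legal basis. The following is an added example of that pattern and is not Securiti's code or a depiction of its product: a small record of processing activities is validated against the minimum content listed in this article and then rendered into a plain-text notice, refusing to publish if any element is missing. The field names, the short legal-basis labels, and the sample inventory for a fictional shop are all assumptions made for the example.

```python
"""Generate a privacy notice from a record of processing activities.

Added example (not Securiti's code). Field names, the short legal-basis
labels, and the sample inventory below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Legal bases from LGPD Article 7, keyed by a short label of our own choosing
# (only the bases a typical website relies on; extend as needed).
LGPD_LEGAL_BASES = {
    "consent": "consent of the data subject (Art. 7, I)",
    "legal_obligation": "compliance with a legal or regulatory obligation (Art. 7, II)",
    "contract": "performance of a contract with the data subject (Art. 7, V)",
    "legitimate_interest": "legitimate interest of the controller (Art. 7, IX)",
}

# Data subject rights from LGPD Article 18, rendered into every notice.
LGPD_RIGHTS = [
    "confirmation that processing takes place",
    "access to the data",
    "correction of incomplete, inaccurate or outdated data",
    "anonymization, blocking or deletion of unnecessary or excessive data",
    "portability of the data to another provider",
    "deletion of data processed on the basis of consent",
    "information about the entities with which the data has been shared",
    "information about the option of refusing consent and its consequences",
    "revocation of consent",
]


@dataclass
class Activity:
    purpose: str            # why the data is processed
    data_categories: list   # what is collected, e.g. ["e-mail address"]
    legal_basis: str        # a key of LGPD_LEGAL_BASES
    retention: str          # how long it is kept, in plain words


@dataclass
class Inventory:
    controller: str
    contact_channels: list  # at least one of e-mail, phone, web form, ...
    activities: list        # list of Activity
    last_reviewed: date     # drives the "last reviewed" line of the notice


def validate(inv: Inventory) -> list:
    """Return a list of gaps; an empty list means the inventory can back a notice."""
    gaps = []
    if not inv.contact_channels:
        gaps.append("no contact channel for data subject requests")
    if not inv.activities:
        gaps.append("no processing activities recorded")
    for act in inv.activities:
        if not act.data_categories:
            gaps.append(f"{act.purpose}: no data categories listed")
        if act.legal_basis not in LGPD_LEGAL_BASES:
            gaps.append(f"{act.purpose}: unknown legal basis {act.legal_basis!r}")
        if not act.retention.strip():
            gaps.append(f"{act.purpose}: retention period missing")
    return gaps


def render_notice(inv: Inventory) -> str:
    """Render the notice as plain text, refusing to publish one with a gap."""
    gaps = validate(inv)
    if gaps:
        raise ValueError("notice cannot be published: " + "; ".join(gaps))
    lines = [f"Privacy notice of {inv.controller}",
             f"Last reviewed: {inv.last_reviewed.isoformat()}", ""]
    for act in inv.activities:
        lines += [f"Purpose: {act.purpose}",
                  f"  Data collected: {', '.join(act.data_categories)}",
                  f"  Legal basis: {LGPD_LEGAL_BASES[act.legal_basis]}",
                  f"  Retention: {act.retention}", ""]
    lines.append("Your rights under LGPD Article 18:")
    lines += [f"  - {right}" for right in LGPD_RIGHTS]
    lines += ["", "How to exercise them: contact us at "
              + " or ".join(inv.contact_channels)]
    return "\n".join(lines)


# Constructed sample inventory for a fictional web shop (not real data).
SAMPLE = Inventory(
    controller="Example Loja Ltda.",
    contact_channels=["privacidade@example.com", "+55 11 0000-0000"],
    activities=[
        Activity("order fulfilment", ["name", "delivery address", "e-mail address"],
                 "contract", "5 years after the last order"),
        Activity("marketing newsletter", ["e-mail address"],
                 "consent", "until consent is withdrawn"),
    ],
    last_reviewed=date(2023, 2, 7),
)

# Constructed inventory with the three gaps a reviewer most often finds:
# no contact channel, an ad-hoc legal basis, and no retention period.
BAD_SAMPLE = Inventory(
    controller="Example Loja Ltda.",
    contact_channels=[],
    activities=[Activity("site analytics", ["IP address"], "business_need", "")],
    last_reviewed=date(2023, 2, 7),
)

if __name__ == "__main__":
    print(render_notice(SAMPLE))
```

The inventory, not the notice, is the source of truth here: when a new processing activity is added to the record, the notice is regenerated and the missing-field check fails loudly rather than letting an incomplete policy go live.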

How Often Should the Privacy Policy be Updated?

Several data regulations require organizations to review or update their privacy policies within a specific time frame. The LGPD contains no such requirement.

Even so, it is both good practice and a sign of a proactive organization to review and update the policy regularly so that it continues to reflect the organization's actual data processing.

Doing so ensures that any change in the organization's data collection methods or purposes is reflected in the policy, and it avoids the situation where a regulator or data subject later finds that the published policy does not match what the organization actually does.

Specific Language Requirements

The LGPD currently does not mandate a specific language for the policy. The only requirement concerning the language itself is that the wording be clear, transparent, and easily understandable to the people it addresses.

How Can Securiti Help?

As mentioned earlier, drafting a compliant privacy policy or privacy notice may look straightforward, but it is anything but easy. The content must change whenever the regulations the website is subject to change, and it must stay comprehensible enough for ordinary users to understand.

While this can be done manually, doing so unnecessarily strains the organization's resources. This is where Securiti Privacy Center can help: it allows websites to consolidate and address their privacy obligations in one place.

This makes it easier for users to find all the relevant information about their data rights and the website's data processing practices, and it lets the website meet its privacy policy and related obligations in an engaging way.

Sign up for Securiti Privacy Center now and set up dynamic policies in just a few minutes.
