LGPD was passed in 2018 but didn’t go into effect until September 2020 and is the world’s third largest data privacy regulation. It takes inspiration from GDPR and CCPA but enforces less severe violation penalties. LGPD is modeled to protect data-holder rights, as well as ensure ethical data extraction and transfer. Companies that collect data while in Brazil and companies outside the country extracting data from Brazil must comply with LGPD. The statutory data protection law is authorized by the National Data Protection Authority in the Federal Republic of Brazil.
Brazil has more than 138 million online users. It’s the largest internet-consuming market in Latin America. LGPD unifies 40 pre-existing privacy laws, helping to refine its privacy protection laws for the safety of its people and businesses.
LGPD contains 65 distinct data protection and processing articles divided across 10 chapters:
Article 18 outlines basic online consumer/subject rights in front of the controller, including:
Article 3 talks about the application of data within the geographical boundaries of Brazil:
Article 4 defines situations when or where LGPD does not apply. This includes when personal data gets handled or processed by: