What Publishers Need to Know About the LGPD Law?

Updated on: March 20, 2024
Stay ahead of the curve — There's a new privacy law going into effect in a couple of months. It's time for you to start preparing.

After GDPR and CCPA, there is yet another geography-based privacy law. Yes, Brazil has come up with the LGPD to help Brazilian citizens protect their data. It means publishers like you should consider getting and processing consent from this new set of users. We don't want to dive into the implementation right off the bat. Let's start with the basics.

What is LGPD?

Passed in August 2018, the LGPD is the law that regulates the processing of personal data throughout the Federative Republic of Brazil. It will come into effect on August 15, 2020, and it is intended to unify the country's currently fragmented data protection and privacy laws. At present, Brazil has more than 40 data and privacy-related legal norms, but they are divided across sectors such as banking and real estate.

In other words, the measure aims to fix the shortcomings of the conflicting, confusing, and uncertain sectoral laws by replacing them with a clear, unified, transparent, and comprehensive law.

LGPD grants the following rights to the data subjects (any person whose data is being collected):

  • Confirmation of the existence of the processing.
  • Access to the data.
  • Correction of incomplete, inaccurate, or out-of-date data.
  • Anonymization, blocking, or deletion of unnecessary or excessive data.
  • Deletion of data processed in noncompliance with the provisions of the LGPD.
  • Deletion of personal data collected with the consent of the user.
  • Portability of the data to another service or product provider.
  • Information about the entities with which the user’s data has been shared.
  • Information about the possibility of denying consent and the consequences of such denial.
  • Right to revocation of consent.

Please note that, as with GDPR, anonymized data is not deemed personal data.

But does the LGPD apply to you?

It is apparent that the law applies to the country’s residents, but its scope is global. All companies processing data that originates from Brazil (online or offline) come under its purview. It doesn’t matter where the company and its headquarters are located, where the data is stored, or how the company collected the data. The law applies to you even if you are an individual rather than a company.

If a security issue may create risk or damage to users, the controller needs to communicate the incident to the users and to the national authority. The communication should be made within a ‘reasonable’ time frame. The ‘national authority’ that will govern the law is the newly formed ANPD (Autoridade Nacional de Proteção de Dados). The term ‘reasonable’ has not been defined yet.

So what happens when you do not comply with the LGPD? The authority may decide to let you off with a warning and a time frame for taking corrective measures. However, a fine of up to 2% of your revenue (from the previous financial year) can be levied on you. In absolute terms, it can go up to 50 million reais. You may also be required to delete the personal data to which the infraction refers.

How does LGPD affect publishers?

As we have already discussed, the violation of the law can attract financial penalties, therefore it can definitely affect you in monetary terms. Additionally, you will have to make all the technical arrangements to comply with the law. 

You have to update the website’s privacy policy and mention all the rights of the users in it. You have to mention what kind of data is being collected, why and how it is being collected, and to whom it is being sent. You have to check your website’s integration with all the third-party tools and make sure that no PII is being sent. If you are sending PII, you have to collect consent for it beforehand. You have to make provisions to provide the data if a user asks for it. And most importantly, appoint a Data Protection Officer.

Making Google Analytics Comply with LGPD

Google Analytics uses a JavaScript tag (gtag.js, analytics.js, or ga.js). The tag sets a first-party cookie in the user’s browser. The cookie holds a Client ID and sometimes a User ID, and that ID is used to track user behavior across the site.

The LGPD considers the persistent IDs like the Client and User IDs as PII, and since you are sharing them with Google, you need to disclose this information to the user. You should also ask for consent before starting to collect the PII.

  • In your privacy policy, you need to disclose that you use Google Analytics and that you assign randomly generated IDs to users to track their behavior. Since Google Analytics also collects IP addresses, you need to mention that too.
  • You should mention why the data is being collected. Probable reasons include improving user experience, determining the effectiveness of the website, etc.
  • You should suggest the user contact you to find out what browsing data you have. Inform the user to delete the _ga cookies or install the Google Analytics Opt-Out Browser Add-On if the user wishes you to stop collecting the data.
  • To block the data of non-consenting users from being shared with Google, you can use a third-party consent management platform. Alternatively, you can direct the users to the GA Opt-out plugin.
  • Accept Google’s Data Processing Agreement by going to Admin > Account Settings. Without the DPA, sharing the data will be considered a violation of the LGPD.
  • Make sure that the IPs are being anonymized.
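
The consent and IP-anonymization points above can be enforced in the page itself. The sketch below is an added example, not code from this article or from Google; GA_MEASUREMENT_ID is a placeholder and applyAnalyticsConsent and gaCookieNames are hypothetical helper names. It loads gtag.js only after consent and, on refusal or revocation, sets Google's documented ga-disable flag and expires the GA cookies.

```javascript
// Added example. Call applyAnalyticsConsent(decision) from your CMP callback.
const GA_ID = 'GA_MEASUREMENT_ID'; // placeholder: your own property ID

// Return the names of Google Analytics cookies (_ga, _gid, _gat, _ga_<id>)
// found in a document.cookie string.
function gaCookieNames(cookieString) {
  return cookieString.split(';')
    .map(function (c) { return c.trim().split('=')[0]; })
    .filter(function (name) { return /^_(ga|gid|gat)(_|$)/.test(name); });
}

// In a browser, win and doc default to the real window and document.
function applyAnalyticsConsent(consented, win = window, doc = document) {
  // Documented opt-out switch: while true, the GA tag sends nothing for this ID.
  win['ga-disable-' + GA_ID] = !consented;

  if (!consented) {
    // No consent or consent revoked: expire the persistent ID cookies.
    // If the cookie was set on a parent domain, add the matching domain= attribute.
    const expired = gaCookieNames(doc.cookie);
    expired.forEach(function (name) {
      doc.cookie = name + '=; Max-Age=0; path=/';
    });
    return { loaded: false, expired: expired };
  }

  // Consent given: queue the config, then inject the tag. Nothing is requested
  // from Google before this point.
  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  // anonymize_ip is the gtag.js setting for Universal Analytics properties.
  win.gtag('config', GA_ID, { anonymize_ip: true });

  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_ID);
  doc.head.appendChild(script);
  return { loaded: true, expired: [] };
}
```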

If a user requests you to delete the associated data, ask the user to provide you the user’s client ID by going to the browser’s Settings > Privacy and Security > Site Settings > Cookies and Site Data > See All Cookies and Site Data > “your website” > _ga. Under “Content”, the user can see the GA ID which can be copied and sent to you. After receiving the ID, you can go to Google Analytics and search for the ID in user explorer and access all the data associated with the client ID.

Prebid Compliance with LGPD

Prebid offers a Consent Management module to help you with privacy laws. You can integrate your Consent Management Platform with the module. Make sure you are using Prebid version 1.0 or above to use this module.

You will have to place the CMP-provided code in the header. The code should be above the Prebid code to make sure that it loads before the Prebid code executes. The CMP will start fetching the strings that represent the user’s consent. Then it will communicate the consent status to the demand partners.

We assume that you are familiar with CMP setup and implementation. If not, you should be.

Prebid Compliance with Google Ad Manager

For Google Ad Manager, you can alter the GPT ad tag to ensure you aren’t processing data of the opted-out users. Though there’s no specific documentation yet, Google says you can mark an ad request as non-personalized by including the following in your API call:

googletag.pubads().setRequestNonPersonalizedAds(1); // 1 = non-personalized ads, 0 = personalized ads (default)
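
The Prebid and Google Ad Manager settings from the last two sections can be driven by one consent decision. This is an added example, not code from this article, Prebid, or Google; the consent object and the helpers npaOption and configureAdStack are hypothetical, and the consentManagement keys should be checked against the Prebid version you build.

```javascript
// Added example. `consent` is a hypothetical object filled in by your CMP
// callback, e.g. { personalizedAds: true }.

// Map the decision to the GPT option: 1 = non-personalized, 0 = personalized.
// Anything other than an explicit opt-in fails closed to non-personalized.
function npaOption(consent) {
  return consent && consent.personalizedAds === true ? 0 : 1;
}

// googletag and pbjs are passed in so the function can be exercised with stubs;
// in a page, pass window.googletag and window.pbjs after the CMP code has loaded.
function configureAdStack(consent, googletag, pbjs) {
  const prebidConfig = {
    consentManagement: {
      // Recent Prebid versions nest these keys under "gdpr";
      // early 1.x releases took them directly under consentManagement.
      gdpr: {
        cmpApi: 'iab',  // read the consent string through the IAB CMP API
        timeout: 8000   // ms to wait for the CMP before the auction proceeds
      }
    }
  };
  pbjs.que.push(function () {
    pbjs.setConfig(prebidConfig);
  });

  const npa = npaOption(consent);
  googletag.cmd.push(function () {
    // Must run before the first ad request for it to apply to that request.
    googletag.pubads().setRequestNonPersonalizedAds(npa);
  });
  return { npa: npa, prebidConfig: prebidConfig };
}
```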

Online privacy laws are a rising concern for publishers. If you’re curious to know more about how you can deal with different upcoming and existing privacy laws, we have made a guide for you!

What’s Next?

Publishers do not need to worry about LGPD as it is quite similar to GDPR. You need to make provisions so that you are complying with the law. We should be prepared for more such regulations as the world is moving towards strict privacy laws. Start preparing and don’t try to bypass the law with temporary workarounds.
