Brazil's New Privacy Laws & Their Implications - Is Umbraco Prepared for LGPD?

Privacy is important to many consumers and new laws in Brazil, which follow those in Europe and California, mean that it is important for Marketers and Heads of Digital who target or trade in Brazil to ensure their digital platforms comply these new regulations.  After Umbraco released updates to the core CMS and Umbraco Forms it has been easier for marketers to maintain a compliant marketing platform.

Brazil's Own Version of GDPR 

Privacy protection for individuals and consumers has had a lot of much needed attention in recent years, first with the introduction of Europe's General Data Protection Regulation (GDPR) and more recently the the California Consumer Privacy Act (CCPA).  Now Brazil has followed suit with their Lei Geral de Proteção de Dados or LGPD, which has many similarities with GDPR, and of course, a few minor differences.

LGPD has extraterritorial scope, meaning it applies to companies outside of Brazil who provide services to data subjects in Brazil.  However, this scope is more limited than GDPR in relation to the transfer of data outside of Brazil.

LGPD doesn't specifically define personal data, however, data within the scope of LGPD would include any data item which alone, or if combined with other data, may be used to identify a natural person or subject them to specific treatment, perhaps through personalisation of your Umbraco site. 

Like GDPR, the LGPD requires Data Controllers to have a lawful basis to process personal data, and the bases are broadly similar to those of GDPR, including explicit consent of the Data Subject.  Helpfully Umbraco provides a ConsentService API which enables developers to track specific consents granted by an individual user.

Other features introduced by Umbraco for GDPR which may have relevance to sites operating in Brazil under the new LGPD regime include:

• the ability to track specific grants of privileges to individual users within Umbraco;
• the ability to mark certain users as sensitive so that their personal information can only be viewed by other users with the permission to view sensitive information;
• the ability in Umbraco Forms to mark certain fields and restrict access to them as with User management; and
• the ability to not store form data in the Umbraco database, but instead transfer it for persistence in some other data store.

When LGPD comes into force in August 2020, fines for non-compliance of up to 2% of total revenues in Brazil may be levied, as well as specific daily fines to ensure speedy compliance.  But more than that there is of course the reputational risk to businesses of a data breach or failure to comply, and so now more than ever it is important for Marketers and Heads of Digital to ensure that their Umbraco platform is safe and secure and respects the privacy of their users.