LGPD Fines: What Are The Fines & How to Avoid Them
Following the introduction of the General Data Protection Regulation (GDPR) in the EU, many other countries, including Brazil, created their own data protection laws. Brazil's law, the LGPD, is designed to keep consumer data safe.
If your business processes data of Brazilian residents, you want to be sure you understand the LGPD fines and how to avoid them.
So, if this applies to you and you want to learn more about the effects of LGPD non-compliance, you’ve come to the right place.
This article will cover what the LGPD is, the fines it imposes on businesses that don’t comply, and how your business can avoid them.
Let’s get started.
- The LGPD is Brazil’s data protection framework that regulates all businesses that process data and sell goods or services to anybody in Brazil.
- If your business is non-compliant with the LGPD, the ANPD can impose significant fines. After an initial warning for non-compliance, your business can be fined up to 2% of its annual revenue or 50 million reals ($10 million).
- The most common reasons businesses face LGPD fines are not obtaining explicit consent from consumers, inadequate responses to data breaches, not complying with data subject rights, and not complying with data transfer protocols.
Brief Overview of the LGPD
Lei Geral de Proteção de Dados Pessoais, or the LGPD, is a data protection law created and led by Brazil's National Data Protection Authority (ANPD). The LGPD is similar to the GDPR, which regulates data processing in the EU, but features some key differences.
Brazil has a tremendous number of e-commerce businesses and consumers. To protect its citizens' data, Brazil already had more than 40 data regulations in place before the LGPD, each specific to a different industry.
The LGPD was implemented to protect data subjects (Brazilians) and give them several rights, granting them control over their personal data. The LGPD also provides a general framework for businesses to achieve compliance, which you must follow if the LGPD applies to your business.
Who is Subject to the LGPD?
The LGPD has specific criteria to determine if your business is subject to its regulation.
The first criterion is where a business collects data. If your business processes the data of any consumer in Brazil, then you meet the requirement. Even if your business is outside Brazil, you must follow the LGPD.
The next criterion is the purpose of processing consumer data. If your business sells a good or service and collects data for that purpose, you are subject to the LGPD.
LGPD Fines Overview
The LGPD, like the CCPA, imposes fines on businesses that do not comply with its rules and regulations. The fines vary depending on the severity of the violation and the intentions of your business.
The lowest level of consequence your business can receive is a warning. If your business is not compliant with the LGPD, you will be issued a warning and expected to change existing policies or procedures or implement new ones.
Moving to more severe consequences, the LGPD allows daily fines to be issued against your business if you do not comply. Each daily fine may be small, but they add up quickly when paid day after day.
LGPD fines can amount to a maximum of 2% of your business’s annual revenue or 50 million reals, which is around $10 million or €9.3 million. Daily fines are also subject to this limit.
The National Data Protection Authority (ANPD) is in charge of issuing fines to non-compliant businesses.
Other Consequences of LGPD Non-Compliance
Aside from significant fines imposed by the ANPD, there are other consequences of not complying with the LGPD. Here are some additional ramifications your business faces if found non-compliant:
Legal Action From Data Subjects
The LGPD dictates that consumers hold the right to seek legal reparations from businesses if they feel their privacy was breached.
If a data subject believes that their rights have been violated under the LGPD, they can take legal action against your business. This could result in lawsuits that cost money, time, and resources to manage. If these cases go public, they may cause substantial damage to a business's reputation.
Damaged Reputation/Consumer Trust
In addition to facing monetary loss, your business will lose face with consumers across Brazil and other countries if found not compliant. Your business’s reputation will be tainted, and you will have the image that you do not practice sufficient consumer data protection.
If consumers are not confident their data is secure with your business, they will lose trust and likely not purchase your goods or services from you again.
To ensure compliance with the LGPD and show consumers your commitment to it, your business can create a compliance plan. A compliance plan serves as a reference that details how your business prioritizes compliance with all legal standards.
Loss of Data Processing Privileges
The ANPD not only imposes fines on your business for not complying with the LGPD but may also revoke your business's data processing privileges. The ANPD can delete data from, and restrict your access to, your databases if your business is not compliant.
In addition to the possibility of fines, suspension of data processing privileges, and other repercussions, criminal charges can be laid against officers or directors who knowingly breached the LGPD.
Criminal penalty provisions provide for imprisonment from three months up to two years with an associated fine. This penalty also applies to those who make, offer, distribute, or sell an instrument that allows the invasion of third parties’ devices and information without consent.
Common Reasons for LGPD Fines
The LGPD is a broad framework that regulates several aspects of data processing. As detailed above, if your business does not comply with even one area of the framework, it can face fines and other consequences. Below are some of the common reasons businesses face LGPD fines.
Lack of Consent
The first reason many businesses face LGPD fines is that they fail to obtain explicit consent from consumers before collecting their data.
Businesses must provide specific details on what data they collect from a consumer and a legal basis for why, then receive explicit consent from the consumer before collecting their data.
You can outsource compliance services from professionals to help your business create clear consent banners and process consumer data legally. Captain Compliance has a team of data compliance experts and various services to help your business maintain perfect compliance.
Inadequate Response to Data Breaches
The next reason many businesses face LGPD fines is an inadequate response to a data breach, as defined by the LGPD. The LGPD requires that businesses report any breach to the ANPD within a "reasonable time" after it occurs.
This time frame is vaguer than the GDPR's, which requires businesses to report breaches within 72 hours. In general, it is good practice to report data breaches within 72 hours, as that is considered a reasonable time frame in most cases.
Non-compliance with Data Subject Rights
The LGPD sets out nine consumer rights that businesses must grant to data subjects while collecting and processing their data. The rights are as follows:
- Confirmation that the consumer's data is being processed
- Access to the consumer's data
- The ability to block, delete, or anonymize their data at any time
- The ability to request that their data be deleted
- Portability of their data, including transfer to another data processor on request
- The ability to request correction of inaccurate data
- Information about the third parties with which the business has shared their data
- The option to deny consent, and information on the implications of doing so
- The option to revoke consent to any further processing of their data
Your business must honor all of these rights when a data subject requests them. Violating even one could mean LGPD fines.
Non-compliant data transfers
The final reason many businesses face LGPD fines is that they do not comply with the LGPD's specific rules on data transfers. Sensitive data such as health and financial information must be handled with special care under the LGPD's provisions, and businesses should also keep records of any data they transfer.
If your business conducts a data transfer that does not meet the ANPD's standards, you may face LGPD fines.
Your business can use data compliance solutions to meet the ANPD's data security standards and safely conduct data transfers into and out of Brazil.
What Happens if You’re Found to Be Non-Compliant?
Ultimately, if your business is found to be non-compliant with the LGPD, you may be subject to fines from the ANPD and a range of other serious consequences.
First or minor violations may warrant your business a warning and a requirement to update your data security protocols. However, depending on the severity and intentions of your LGPD violation, your business can face fines of up to 2% of your business’s annual revenue or 50 million reals ($10 million).
In addition to the monetary damages, your business’s violations may be disclosed to the public, damaging your reputation and causing consumers to lose trust in your business.
The ANPD also has the authority to revoke your data processing privileges and to block access to or delete data from your databases. Depending on the situation, this can be temporary or permanent.
Consumers are also granted the right to pursue legal reparations from your business if they feel their data privacy was violated. These lawsuits can be costly for your business in both money and time.
You may also face criminal charges on top of all this. This shows that Brazil takes its data security seriously.
The LGPD is a broad compliance framework regulating businesses that process the data of Brazilians. If your business processes data or sells a good or service to Brazilian residents, you are subject to the LGPD.
To avoid fines of up to 2% of your annual revenue or 50 million reals ($10 million), your business should research and invest to ensure compliance with all data protection standards and data subject rights outlined in the LGPD.
At Captain Compliance, we offer an extensive range of compliance services backed by our team of experienced professionals. We can manage all aspects of LGPD compliance for your business, so you don't have to. Get in touch with us today and ensure you don't get fined.
What is the maximum fine for LGPD?
The maximum fine for not complying with the LGPD is 2% of your business’s annual revenue or 50 million reals, which equals around $10 million or €9.3 million.
How do I comply with the LGPD?
To comply with the LGPD, you must research its requirements and the regulations set on data processing for businesses. You can utilize the help of Captain Compliance, a team of compliance experts that can help your business with LGPD compliance.
Who enforces the LGPD?
The LGPD is enforced by the National Data Protection Authority (ANPD) in Brazil.
Does the LGPD require my business to appoint a DPO?
The LGPD does not lay out explicit criteria for which businesses must hire a DPO, but in general, businesses that handle the personal data of Brazilians must appoint a data protection officer.