Brazil’s New Privacy Law: What Your Business Needs To Know

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection Law. It creates a legal framework for the processing of personal data relating to individuals in Brazil and is largely modeled on the EU’s General Data Protection Regulation (GDPR), one of the toughest privacy and security laws in the world, which imposes obligations on organizations that target or collect data from individuals in the EU. Like the GDPR, the LGPD takes a comprehensive approach to personal data protection. The LGPD was originally scheduled to take effect on August 16, 2020; after several postponements it entered into force on September 18, 2020, with administrative sanctions enforceable from August 1, 2021.

Does the LGPD Apply to My Business?

The LGPD applies to any business, regardless of where it is located, that processes personal data of individuals located in Brazil, personal data collected in Brazil, or personal data processed in connection with offering goods or services in Brazil. Personal data is broadly defined as any information related to an identified or identifiable natural person: names, identification numbers, online identifiers and location data, and also information about a person’s psychological, mental or economic circumstances. Anonymized data is not personal data, unless the anonymization can be reversed with reasonable effort. As under the GDPR, an organization must have a valid legal basis for each processing activity. The LGPD also grants data subjects a number of rights over their personal data, including access to the data, deletion of data processed on the basis of consent, and information about the public and private entities with which the controller has shared the data.

There are a few exceptions to the LGPD, namely:

1. Data processed by a person strictly for personal reasons,

2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and

3. Data processed exclusively for national security, national defense, public safety, or criminal investigation and prosecution purposes.

Other fundamental rights under the LGPD include:

• Right to confirmation of the existence of the processing

• Right to correct incomplete, inaccurate, or out-of-date data

• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD

• Right to the portability of data to another service or product provider, by means of an express request

• Right to information about possibility of denying consent and consequences of such denial, and

• Right to revoke consent.

Like the GDPR, CCPA and NY SHIELD Act, the LGPD requires controllers and processors to adopt technical and administrative security measures that protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration or disclosure. Controllers must appoint a data protection officer (the encarregado) responsible for receiving complaints and communications from data subjects and from the authority. Controllers must also report security incidents that may cause risk or relevant harm to data subjects to the National Data Protection Authority (ANPD) and to the affected data subjects within a “reasonable amount of time”; the notice must describe the nature of the data involved, the security measures in place, the risks to the data subjects, and the measures taken or to be taken to mitigate the incident. If necessary, the ANPD can order the controller to adopt further measures to mitigate the effects of the incident.

The LGPD is less punitive than the GDPR, both in tone and in financial penalties. Fines run up to 2% of the company’s revenue in Brazil in the prior fiscal year, capped at 50 million Brazilian reais per infraction (roughly $12.9 million USD or €11.2 million at the time of writing); the ANPD can also impose daily fines, publicize the infraction, and block or delete the personal data involved. By comparison, the GDPR allows fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.

Brazil’s new law, modeled on the GDPR, imposes strict requirements on the processing of personal data. Octillo’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY SHIELD Act apply. Understanding what data your business collects, how it is processed, and with whom it is shared are just some of the critical questions that need to be explored with counsel. Our Octillo team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.

*Attorney Advertising. Prior results do not guarantee a similar outcome.


CAN-SPAM, TCPA and CASL – Best Practices for Marketing Teams

Using digital communications to reach customers has never been more popular, especially as the pandemic pushes more businesses to make consumer interactions contactless. From email to SMS, marketing teams have taken business online, but doing so brings a specific set of data security and privacy risks. It is easy to get tripped up if you do not have a good grasp of the basic legal rules that govern commercial messaging.

In the U.S., the most relevant law when launching a digital marketing campaign is the CAN-SPAM Act, which sets the rules every company must follow when sending marketing messages by email. The Telephone Consumer Protection Act of 1991 (TCPA) covers phone calls and SMS messages. Canada’s Anti-Spam Legislation (CASL) covers commercial electronic messages sent from, or accessed by, a computer system in Canada. If you are wondering why businesses should pay attention to these regulations, take note: according to the FTC, each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $43,280.

What Kinds of Emails are Regulated?

Under CAN-SPAM, the rules apply only to commercial emails (Commercial Electronic Messages, or CEMs, under CASL). These are messages sent with the purpose of advertising or promoting a product or service. When evaluating the overall purpose of an email, look at the body of the message, the hyperlinks it contains, and even the contact information in the signature. In general, ask whether the message:

• Includes offers to purchase, sell, barter or lease a product, goods or a service

• Includes offers to provide a business or investment opportunity

• Promotes a person who can do any of the above things

If the email contains both commercial promotion and transactional content (a receipt, a confirmation, a notification about an existing subscription or service, etc.), CAN-SPAM applies a “primary purpose” test: the email is regulated if a reasonable recipient would regard its primary purpose as commercial, taking into account both the subject line and the placement and prominence of the commercial content in the body.

What About Social Media and Text Messaging?

Messages transmitted via social networking sites are a bit of a grey area. Some federal courts have ruled that CAN-SPAM’s definition of “electronic mail message” includes messages delivered to a social network user’s inbox, news feed or wall. It is also important to check the terms of service of each platform you intend to use; many limit how marketers can use them.

Because social media, email and SMS marketing are all intertwined, note that the TCPA restricts telephone solicitations and the use of automated dialing equipment and prerecorded or artificial voices. It lays out very strict rules that require the recipient’s prior express consent (and, for marketing texts, prior express written consent) before commercial SMS messages can be sent.

Basic Guidelines for Sending Commercial Emails

If you are ready to draft a commercial email campaign, these 7 basic guidelines from the FTC’s CAN-SPAM compliance guide are a good place to start:

1. Don’t use false or misleading header information in the “From” and “To” lines.

2. Don’t use deceptive subject lines.

3. Identify the message as an ad.

4. Tell recipients where you are located (a valid physical postal address).

5. Provide a clear and conspicuous way to unsubscribe.

6. Honor opt-out requests promptly, within 10 business days.

7. Monitor contractors or vendors sending email on your behalf; both the company whose product is promoted and the company that sends the message can be held liable.

It is important to note that in Canada, marketers must have the recipient’s consent (express, or implied under one of CASL’s narrow categories such as an existing business relationship) for both commercial email and text messages. If you do not have it, you need to obtain express consent through another channel or give the recipient another way to opt in to future emails or text messages; a request for consent sent by email is itself a commercial electronic message under CASL. A pre-checked box at checkout or on your website is not sufficient, because express consent requires an affirmative action by the recipient.

Additional Resources For Marketing

Many businesses, regardless of size, use some form of marketing on a regular basis to communicate with their customers. Whether it’s a regular email newsletter or text messages designed to reach your customers, there are some best practices that we at Octillo recommend following. Our attorneys are also technologists and certified privacy professionals.

Our experienced team at Octillo helps clients navigate these rules and similar regulations as your organization’s data security and privacy program is evaluated from a compliance standpoint. There are many low-cost, high-impact protective measures that can be implemented with the assistance of counsel to make sure your business has a legally defensible compliance posture.


EU-US Privacy Shield Invalidated: Schrems II Decision Released

Yesterday, the Court of Justice of the European Union issued its long-awaited decision in Schrems II (Case C-311/18), invalidating the EU-US Privacy Shield data transfer mechanism. The Court’s decision rests on ongoing concerns that U.S. surveillance programs, as initially revealed by Edward Snowden, undermine the privacy rights guaranteed to EU-based individuals under Europe’s General Data Protection Regulation, and that EU individuals lack an effective judicial remedy in the U.S.

Among the takeaways of the decision:

• Privacy Shield is invalidated; the immediate effect on existing Privacy Shield certifications is unknown, although some grace period is expected.

• Immediate disruption in international data transfers whose prior legal basis has been invalidated.

• Use of Standard Contractual Clauses (SCCs) remains valid, for now. However, the Court expressly requires exporters and importers relying on SCCs to verify, case by case, that the legal system of the receiving country and the safeguards in place at the receiving organization provide an essentially equivalent level of protection, and to suspend transfers where they do not.

• Expect increased use of Binding Corporate Rules (BCRs), though these only go so far, as they are limited to intra-group transfers.

• Expect increased use of Data Processing Agreements with supplementary contractual safeguards, keeping in mind that a DPA on its own is not a transfer mechanism.

• Organizations must evaluate other bases for transfer, including the GDPR derogations such as the data subject’s explicit consent.

While the use of SCCs remains allowable, for now, their long-term fate has been called into question by the decision. Following release of the Schrems II decision, the Irish Data Protection Commission issued a statement: “[…] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” It added that the issue “will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Of note, the Schrems II decision does not concern so-called ‘necessary’ data transfers (the GDPR’s derogations for occasional transfers). Rather, it addresses the systematic outsourcing of data processing from the EU to the U.S., typically undertaken for cost or convenience. Accordingly, one effect of the decision may be that more companies switch to regional processors for their European users.

One thing is clear: the Schrems II decision will have a significant impact on organizations that rely on the Privacy Shield for international data transfers. These organizations need to evaluate their data transfer activities quickly and determine whether an alternative transfer basis exists.

Octillo works with clients to evaluate bases for international data transfers, including the use of DPAs, SCCs and on the development of Binding Corporate Rules.  Octillo’s attorneys include dedicated information privacy professionals (CIPP/US) and (CIPP/EU), as certified by the International Association of Privacy Professionals.  

The Schrems II decision is found here:


Breach Response Checklist

Having handled numerous headline-making data breaches, we are often asked what the key considerations in incident response are. Below are a few, but each incident should be evaluated on a case-by-case basis with experienced legal counsel who have technology backgrounds.

First Engage Your In-House and Outside Counsel

Legal counsel plays an important role in any data incident: maintaining the confidentiality of the investigation, protecting applicable internal communications under the attorney-client privilege and work-product doctrine, and anticipating litigation and other legal risks. Counsel will help identify your legal obligations following an incident, including customer notification requirements and reporting to government and other authorities. Time is of the essence in any incident response, so engage legal counsel as soon as you become aware of an incident.

Notify Insurance Broker/Cyber Insurance Carrier

Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Carriers will have their own questions and requirements (including, in many policies, pre-approved forensic and legal vendors), so it is important to provide accurate and timely information.

Execute Your Data Incident Response Plan

Every organization should have an incident response plan and test it regularly. Assemble your pre-identified incident response team as soon as there is a reasonable belief that a breach may have occurred. The team is responsible for managing the organization’s response and mitigation efforts and executing the incident response plan. When investigating an incident, the team should make sure legal counsel is part of any communications in which legal advice is sought, to help protect the attorney-client privilege and confidentiality.

Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting – so be sure legal counsel has reviewed.

Investigate the Incident

At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the organization’s forensic position (i.e., whether any data was viewed, modified or exfiltrated; what personal information was compromised; what measures are necessary to restore the system, etc.). Preserve relevant logs, images and other evidence before remediation overwrites them, and keep a written chronology of what was done and when; both will be needed for notification decisions and any later litigation or regulatory inquiry.

Mitigate risks by determining whether you have any security gaps or risks, or whether other systems are under threat of immediate danger.  Companies should take steps to address and remediate the source of the breach and evaluate additional protection measures needed to contain the breach and prevent future damage.

Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies

As of 2018, all 50 states have data breach notification laws, each with its own definitions, deadlines and content requirements, and certain states also require notification of the state attorney general or law enforcement. Determine where the impacted customers, employees and systems are located in order to identify which jurisdictions’ laws are triggered.

Learn From the Incident

Data incidents expose vulnerabilities in an organization’s systems and processes. Those vulnerabilities should be addressed so the systems cannot be exploited in a similar manner in the future. Remediate the identified weaknesses and determine whether any changes need to be made to your incident response plan or other policies and practices.

If you have questions about creating a legally defensible incident response plan, contact sophisticated tech counsel; we would be happy to help. Octillo is a law firm focused only on tech, data security and privacy. Its lawyers are also technologists and former tech business owners. Octillo is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

New Potential NYSBA Training Requirement Highlights Interplay of Cybersecurity and Ethical Obligations

The New York State Bar Association (NYSBA) has approved a report from the NYSBA Committee on Technology and the Legal Profession that recommends amending the mandatory continuing legal education (CLE) rule to include cybersecurity training. If approved by the CLE board, the new rule would require New York attorneys to take one CLE cybersecurity credit every two years and would make New York State the first to implement a specific cybersecurity requirement.

The recommendation comes on the heels of the SHIELD Act, whose data security provisions took effect this past March and require businesses (including law firms) to use reasonable safeguards to protect New York residents’ private information, and of the COVID-19 pandemic, which has forced nearly everyone to move business online. As lawyers do more work from home on personal devices and networks, without the safety net of their firms’ security systems, it is more important than ever for them to understand the cybersecurity risks and the safeguards that need to be in place.

What are an attorney’s ethical obligations regarding cybersecurity?

The ethical rules every attorney must follow already cover cybersecurity in broad terms. Protecting client information is a top priority whether that information is on paper or online, and many ethics obligations focus on communications and confidentiality, including safeguarding confidences competently and acting responsibly if an unauthorized disclosure occurs. Generally, lawyers are expected to implement reasonable administrative, technical and physical safeguards to protect their clients. These three categories of safeguards are particularly important when handling PHI, and they are mandated by the HIPAA Security Rule:

Administrative safeguards are the policies and procedures that help protect against a breach, including documentation processes, training requirements, data maintenance policies and more. These administrative protections also ensure that the physical and technical safeguards are implemented correctly.

Physical Safeguards make sure data is physically protected. Security systems, video surveillance, locks on the doors and even rules about mobile device usage are physical safeguards.

Technical safeguards are the technologies and related policies that lawyers and firms enlist to protect data from unauthorized access.

The American Bar Association has issued guidance on data privacy and cybersecurity obligations (for example, Formal Opinions 477R and 483) that echoes these safeguards, noting that attorneys are expected to develop and implement data privacy and security programs, monitor for data breaches, and understand the basic features of relevant technology in order to serve their clients competently. The proposed CLE requirement will help ensure that New York attorneys are familiar with these obligations and, hopefully, better equipped to fulfill them. Cybersecurity is becoming an increasingly important part of any law practice, and it is critical that attorneys have the tools and knowledge to uphold their ethical responsibilities in the digital age. Our Octillo team works with law firms of various sizes and scope to implement data security programs designed to protect the security, confidentiality and integrity of private information.
