Recherche avancée

Sur d’autres sites (11175)

• LGPD : Demystifying Brazil’s New Data Protection Law

  31 août 2023, par Erin — Privacy

  The General Personal Data Protection Law (LGPD or Lei Geral de Proteção de Dados Pessoais) is a relatively new legislation passed by the Brazilian government in 2018. The law officially took effect on September 18, 2020, but was not enforced until August 1, 2021, due to complications from the COVID-19 pandemic.

  For organisations that do business in Brazil and collect personal data, the LGPD has far-reaching implications, with 65 separate articles that outline how organisations must collect, process, disclose and erase personal data.

  In this article, you’ll learn what the LGPD is, including its contents and how a legal entity can be compliant.

  What is the LGPD ?

  The LGPD is a new data protection and privacy law passed by the Federal Brazilian Government on May 29, 2018. The purpose of the law is to unify the 40 previous Brazilian laws that regulated the processing of personal data.

  

  Many of the older laws have been either updated or removed to accommodate this change. The LGPD comprises 65 separate articles, and each covers a different area of the legislation, such as the rights of data subjects and the legal bases on which personal data may be collected. It also sets out the responsibilities of the National Data Protection Authority (ANPD), a newly created agency responsible for the guidance, supervision and enforcement of the LGPD.

  LGPD compliance is essential for organisations wishing to operate in Brazil and collect personal data for commercial purposes, whether online or offline. However, understanding the different rules and regulations and even figuring out if the LGPD applies to you can be challenging.

  Fortunately, the LGPD is relatively easy to understand and shares many similarities with the General Data Protection Regulation (GDPR), the data protection law implemented on May 25, 2018, by the European Union. This may help you better understand why the LGPD was enacted, the policies it contains and the goals it hopes to achieve. Both laws are very similar, but some items are unique to Brazil, such as what qualifies as a legal basis for collecting personal data.

  For these reasons, organisations should not apply a one-size-fits-all approach to GDPR and LGPD compliance, for they are different laws with different guiding principles and requirements.

  Who does the LGPD apply to, and who is exempt ?

  The LGPD applies to any natural person, public entity and private entity that collects, processes and stores personal data for commercial purposes within the national territory of Brazil. The same also applies to those who process the personal data of Brazilian and non-Brazilian citizens within the national territory of Brazil, even if the data processor is outside of Brazil. It also applies to those who process personal data collected from the national territory of Brazil.

  So, what does this all mean ? 

  Regardless of your location, if you conduct any personal data processing activities in Brazil or you process data that was collected from Brazil, then there is a high possibility that the LGPD applies to you. This is especially true if the data processing is for commercial purposes ; or, to be more precise, for the offering or provision of goods or services. It also means that subjects whose personal data is collected under these conditions are protected by the nine data subject rights.

  There are exceptions where the LGPD does not apply to data processors. These include if you process personal data for private or non-commercial reasons ; for artistic, journalistic and select academic purposes ; and for the purpose of state security, public safety, national defence and activities related to the investigation and prosecution of criminal offenders. Also, if the processed data originates from a country with similar data protection laws to Brazil, such as any country in the European Union (where the GDPR applies), then the LGPD will not apply to that individual or organisation.

  For these reasons, it is vital that you are familiar with the LGPD so that your data processing activities comply with the new standards. This is also important for the future, as an estimated 75% of the global population’s personal data will be protected by a privacy regulation. Getting things right now will make life easier moving forward.

  What are the nine LGPD data subject rights ?

  The LGPD has nine data subject rights. These protect the rights and freedoms of subjects, regardless of their political opinion and religious belief.

  

  These rights, listed under Article 19 of the LGPD, confirm that a data subject has the right to :

  1. Confirm the processing of their data.
  2. Access their data.
  3. Correct data that is incomplete, not accurate and out of date.
  4. Anonymize, block and delete data that is excessive, unnecessary and was not processed in compliance with the law.
  5. Move their data to a different service provider or product provider by special request.
  6. Delete or stop using personal data under certain circumstances.
  7. Gain information about who the data processor has shared the processed data with, including private and public entities.
  8. Be informed as to what the consequences may be for denying consent to the collection of personal data.
  9. Revoke consent to have their personal data processed under certain conditions.

  Many of these data subject rights are like the GDPR. For example, both the GDPR and LGPD give data subjects the right to be informed, the right to access, the right to data portability and the right to rectify false data. However, while the LGPD has nine data subject rights, the GDPR has only eight. What is the extra data subject right ? The right to gain information on who a data processor has shared your data with.

  There are other slight differences between the GDPR and LGPD with regard to data subject rights. For instance, the GDPR has a clear right to restrict certain data processing activities, such as those related to automation. The LGPD has this, too. But the subject of data collection automation is under Article 20, separate from all the data subject rights listed under Article 19.

  Under what conditions can personal data in Brazil be processed ?

  There are various conditions under which organisations can legally conduct personal data processing in Brazil. The aim of these conditions is to give data subjects confidence — that their personal data is processed for only safe, legal and ethical reasons. Also, the conditions help data processors, both individuals and organisations, determine if they have a legal basis for processing personal data in or in relation to Brazil.

  

  According to Article 7 of the LGPD, data processing may only be carried out if done :

  1. With consent by the data subject.
  2. To comply with a legal or regulatory obligation.
  3. By public authorities to assist with the execution of a public policy, one established by law or regulation.
  4. To help research entities carry out studies ; granted, when possible, subjects can anonymize their data.
  5. To carry out a contract or preliminary procedure, in particular, one related to a contract where the data subject is a party.
  6. To exercise the right of an arbitration, administration or judicial procedure.
  7. To protect the physical safety or life of someone
  8. To protect the health of someone about to undergo a procedure performed by health entities
  9. To fulfill the legitimate interests of a data processor, unless doing so would compromise a data subject’s fundamental rights and liberties.
  10. To protect one’s credit score.

  Much like the nine data subject rights, there are key differences between the LGPD and GDPR. The GDPR has six lawful bases for data processing, while the LGPD has ten. One notable addition to the LGPD is for the protection of one’s credit score, which is not covered by the GDPR. Another reason to ensure compliance with both data protection laws separately.

  LGPD vs. GDPR : How do they differ ?

  The LGPD was modeled closely on the GDPR, so it’s no surprise the two are similar. 

  Both laws ensure a high level of protection for the rights and freedoms of data subjects. They outline the legal justifications for data processing, establish the responsibilities of a data protection authority and lay out the penalties for non-compliance. That said, there are key differences between them.

  First, data subject rights ; the LGPD has nine, while the GDPR has eight. The GDPR gives data subjects the right to request a human review of automated decision-making, while the LGPD does not. Second, the legal bases for processing ; the LGPD has ten, while the GDPR has six. The four legal bases unique to the LGPD are : for protection of credit, for protection of health, for protection of life and for research entities carrying out studies.

  Both the LGPD and GDPR have different non-compliance penalties. The maximum fine for an infraction under the GDPR is up to €20 million (or 4% of the offender’s annual global revenue, whichever is higher). The maximum fine for an LGPD infraction is up to 50 million reais (around €9.2 million), or up to 2% of an offender’s revenue in Brazil, whichever is higher.

  6 steps to LGPD compliance with Matomo

  Below are steps you can follow to ensure your organisation is LGPD compliant. You’ll also learn how Matomo can help you comply quickly and easily.

  

  Let’s dive in.

  1. Appoint a DPO

  A DPO is a person, group, or organisation that communicates with data processors, data subjects, and the ANDP.

  Curiously, the LGPD lets you appoint your own DPO — even if they reside out of Brazil. So if the LGPD applies to you, you can appoint someone in your organisation to be a DPO. Just make sure that the nominated person has the understanding and capacity to perform the role’s duties.

  2. Assess your data

  Once you’re familiar with the LGPD and confirm your eligibility for LGPD compliance, take the time to assess your data. If you plan to collect data within the territory of Brazil, you’ll need to confirm the exact location of your data subjects. 

  To do this in Matomo, simply go to the previous year’s calendar. Then click on visitors, go to locations, and look for Brazil under the “Region” section. This will tell you how many of your web visitors are located in Brazil.

  

  3. Review privacy practices

  Review your existing privacy policies and practices, as there’s a good chance they’ll need to be updated to comply with the LGPD. Also, review your data sharing and third-party agreements, as you may need to communicate these new policies to partners that you rely on to deliver your services. 

  Lastly, review your procedures for tracking personal data and Personally Identifiable Information (PII). You may need to modify the type of data that you track to comply with the LGPD. You may even be tracking this data without your knowledge.

  4. Anonymize tracking data

  Data subjects under the LGPD have the right to request data anonymity. Therefore, to be LGPD compliant, your organisation must be able to accommodate for such a request.

  Fortunately, Matomo has various data anonymization techniques that help you protect your data subject’s privacy and comply with the LGPD. These techniques include the ability to anonymize previously tracked raw data, anonymize visitor IP addresses, and anonymize relevant geo-location data such as regions, cities and countries.

  

  You can find these features and more under the Anonymize data tab within the Privacy menu on the Matomo Settings page. Learn more about how to configure privacy settings in Matomo.

  5. Comply with LGPD consent laws without cookies

  By using Matomo to anonymize the data of your data subjects, this enables you to comply with LGPD consent laws and remove the need to display cookie consent banners on your website. This is made possible by the fact that Matomo is a cookieless tracking web analytics platform.

  Unlike other web analytics platforms like Google Analytics, which collect and use third-party cookies (persistent data that remains on your device, until that data expires or until you manually delete it) for their “own purposes,” Matomo is different. We use alternative means to identify web visitors, such as count the number of unique IP addresses and perform browser fingerprinting, neither of which involve the collection of personal data.

  As a result, you don’t have to display cookie consent banners on your website, and you can track your web visitors even if they disable cookies.

  6. Give users the right to opt-out

  Under the LGPD, data subjects have the right to opt-out of your data collection procedures. For this reason, make sure that your web visitors can do this on your website.

  

  You can do this in Matomo by adding an opt-out from tracking form to your website. To do this, click on the cog icon in the top menu, load the settings page, and click on the Users opt-out menu item in the Privacy section. Then follow the instructions to customise and publish the Matomo opt-out form.

  Achieve LGPD compliance with Matomo

  Like GDPR for Europe, the LGPD will impact organisations doing business in Brazil. And while they both share much of the same definitions and data subject rights, they differ on what qualifies as a legal basis for processing sensitive data. Complying with the GDPR and LGPD separately is non-negotiable and essential to avoiding maximum fines of €20 million and €9.2 million, respectively.

  

  As a web analytics platform with LGPD compliance, Matomo prioritises data privacy without compromising performance. Switch to a powerful LGPD-compliant web analytics platform that respects users’ privacy. 

  Get a 21-day free trial of Matomo today. No credit card required.

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to LGPD. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

• Virginia Consumer Data Protection Act (VCDPA) Guide

  27 septembre 2023, par Erin — Privacy

  Do you run a for-profit organisation in the United States that processes personal and sensitive consumer data ? If so, you may be concerned about the growing number of data privacy laws cropping up from state to state.

  Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, four other US states — Connecticut, Colorado, Utah and Virginia — have passed their own data privacy laws. Each law uses the CCPA as a foundation but slightly deviates from the formula. This is a problem for US organisations, as they cannot apply the same CCPA compliance framework everywhere else.

  In this article, you’ll learn what makes the Virginia Consumer Data Protection Act (VCDPA) unique and how to ensure compliance.

  What is the VCDPA ?

  Signed by Governor Ralph Northam on 2 March 2021, and brought into effect on 1 January 2023, the VCDPA is a new data privacy law. It gives Virginia residents certain rights regarding how organisations process their personal and sensitive consumer data.

  

  The law contains several provisions, which define :

  • Who must follow the VCDPA
  • Who is exempt from the VCDPA
  • The consumer rights of data subjects
  • Relevant terms, such as “consumers,” “personal data,” “sensitive data” and the “sale of personal data”
  • The rights and responsibilities of data controllers
  • What applicable organisations must do to ensure VCDPA compliance

  These guidelines define the data collection practices that VCDPA-compliant organisations must comply with. The practices are designed to protect the rights of Virginia residents who have their personal or sensitive data collected.

  What are the consumer rights of VCDPA data subjects ?

  There are seven consumer rights that protect residents who fit the definition of “data subjects” under the new Virginia data privacy law. 

  

  A data subject is an “identified or identifiable natural person” who has their information collected. Personally identifiable information includes a person’s name, address, date of birth, religious beliefs, immigration status, status of child protection assessments, ethnic origin and more.

  Below is a detailed breakdown of each VCDPA consumer right :

  1. Right to know, access and confirm personal data : Data subjects have the right to know that their data is being collected, the right to access their data and the right to confirm that the data being collected is accurate and up to date.
  2. Right to delete personal data : Data subjects have the right to request that their collected personal or sensitive consumer data be deleted.
  3. Right to correct inaccurate personal data : Data subjects have the right to request that their collected data be corrected.
  4. Right to data portability : Data subjects have the right to obtain their collected data and, when reasonable and possible, request that their collected data be transferred from one data controller to another.
  5. Right to opt out of data processing activity : Data subjects have the right to opt out of having their personal or sensitive data collected.
  6. Right to opt out of the sale of personal and sensitive consumer data : Data subjects have the right to opt out of having their collected data sold to third parties.

  Right to not be discriminated against for exercising one’s rights : Data subjects have the right to not be discriminated against for exercising their right to not have their personal or sensitive consumer data collected, processed and sold to third parties for targeted advertising or other purposes.

  Who must comply with the VCDPA ?

  The VCDPA applies to for-profit organisations. Specifically, those that operate and offer products or services in the state of Virginia.

  

  Additionally, for-profit organisations that fit under either of these two categories must comply with the VCDPA :

  • Collect and process the personal data of at least 100,000 Virginia residents within a financial year or
  • Collect and process the personal data of at least 25,000 Virginia residents and receive at least 50% of gross revenue by selling personal or sensitive data.

  If a for-profit organisation resides out of the state of Virginia and falls into one of the categories above, they must comply with the VCDPA. Eligibility requirements also apply, regardless of the revenue threshold of the organisation in question. Large organisations can avoid VCDPA compliance if they don’t meet either of the above two eligibility requirements.

  What types of consumer data does the VCDPA protect ?

  The two main types of data that apply to the VCDPA are personal and sensitive data. 

  

  Personal data is either identified or personally identifiable information, such as home address, date of birth or phone number. Information that is publicly available or has been de-identified (dissociated with a natural person or entity) is not considered personal data.

  Sensitive data is a category of personal data. It’s data that’s either the collected data of a known child or data that can be used to form an opinion about a natural person or individual. Examples of sensitive data include information about a person’s ethnicity, religion, political beliefs and sexual orientation. 

  It’s important that VCDPA-compliant organisations understand the difference between the two data types, as failure to do so could result in penalties of up to $7,500 per violation. For instance, if an organisation wants to collect sensitive data (and they have a valid reason to do so), they must first ask for consent from consumers. If the organisation in question fails to do so, then they’ll be in violation of the VCDPA, and may be subject to multiple penalties — equal to however many violations they incur.

  A 5-step VCDPA compliance framework

  Getting up to speed with the terms of the VCDPA can be challenging, especially if this is your first time encountering such a law. That said, even organisations that have experience with data privacy laws should still take the time to understand the VCDPA.

  

  Here’s a simple 5-step VCDPA compliance framework to follow.

  1. Assess data

  First off, take the time to become familiar with the Virginia Consumer Data Protection Act (VCDPA). Then, read the content from the ‘Who does the VCDPA apply to’ section of this article, and use this information to determine if the law applies to your organisation.

  How do you know if you reach the data subject threshold ? Easy. Use a web analytics platform like Matomo to see where your web visitors are, how many of them (from that specific region) are visiting your website and how many of them you’re collecting personal or sensitive data from.

  To do this in Matomo, simply open the dashboard, look at the “Locations” section and use the information on display to see how many Virginia residents are visiting your website.

  

  Using the dashboard will help you determine if the VCDPA applies to your company.

  2. Evaluate your privacy practices

  Review your existing privacy policies and practices and update them to comply with the VCDPA. Ensure your data collection practices protect the confidentiality, integrity and accessibility of your visitors.

  One way to do this is to automatically anonymise visitor IPs, which you can do in Matomo — in fact, the feature is automatically set to default. 

  

  Another great thing about IP anonymisation is that after a visitor leaves your website, any evidence of them ever visiting is gone, and such information cannot be tracked by anyone else. 

  3. Inform data subjects of their rights

  To ensure VCDPA compliance in your organisation, you must inform your data subjects of their rights, including their right to access their data, their right to transfer their data to another controller and their right to opt out of your data collection efforts.

  That last point is one of the most important, and to ensure that you’re ready to respond to consumer rights requests, you should prepare an opt-out form in advance. If a visitor wants to opt out from tracking, they’ll be able to do so quickly and easily. Not only will this help you be VCDPA compliant, but your visitors will also appreciate the fact that you take their privacy seriously.

  

  To create an opt-out form in Matomo, visit the privacy settings section (click on the cog icon in the top menu) and click on the “Users opt-out” menu item under the Privacy section. After creating the form, you can then customise and publish the form as a snippet of HTML code that you can place on the pages of your website.

  4. Review vendor contracts

  Depending on the nature of your organisation, you may have vendor contracts with a third-party business associate. These are individuals or organisations, separate from your own, that contribute to the successful delivery of your products and services.

  You may also engage with third parties that process the data you collect, as is the case for many website owners that use Google Analytics (to which there are many alternatives) to convert visitor data into insights. 

  Financial institutions, such as stock exchange companies, also rely on third-party data for trading. If this is the case for you, then you likely have a Data Processing Agreement (DPA) in place — a legally binding document between you (the data controller, who dictates how and why the collected data is used) and the data processor (who processes the data you provide to them).

  To ensure that your DPA is VCDPA compliant, make sure it contains the following items :

  • Definition of terms
  • Instructions for processing data
  • Limits of use (explain what all parties can and cannot do with the collected data)
  • Physical data security practices (e.g., potential risks, risk of harm and control measures)
  • Data subject rights
  • Consumer request policies (i.e., must respond within 45 days of receipt)
  • Privacy notices and policies

  5. Seek expert legal advice

  To ensure your organisation is fully VCDPA compliant, consider speaking to a data and privacy lawyer. They can help you better understand the specifics of the law, advise you on where you fall short of compliance and what you must do to become VCDPA compliant.

  Data privacy lawyers can also help you draft a meaningful privacy notice, which may be useful in modifying your existing DPAs or creating new ones. If needed, they can also advise you on areas of compliance with other state-specific data protection acts, such as the CCPA and newly released laws in Colorado, Connecticut and Utah.

  How does the VCDPA differ from the CCPA ?

  Although the VCDPA has many similarities to the CCPA, the two laws still have their own approach to applying the law. 

  Here’s a quick breakdown of the main differences that set these laws apart.

  Definition of a consumer

  Under the VCDPA, a consumer is a “natural person who is a Virginia resident acting in an individual or household context.” Meanwhile, under the CCPA, a consumer is a “natural person who is a California resident acting in an individual or household context.” However, the VCDPA omits people in employment contexts, while the CCPA doesn’t. Hence, organisations don’t need to consider employee data.

  Sale of personal data

  The VCDPA defines the “sale of personal data” as an exchange “for monetary consideration” by the data controller to a data processor or third party. This means that, under the VCDPA, an act is only considered a “sale of personal data” if there is monetary value attached to the transaction.

  This contrasts with the CCPA, where that law also counts “other valuable considerations” as a factor when determining if the sale of personal data has occurred.

  Right to opt out

  Just like the CCPA, the VCDPA clearly outlines that organisations must respond to a user request to opt out of tracking. However, unlike the CCPA, the VCDPA does not give organisations any exceptions to such a right. This means that, even if the organisation believes that the request is impractical or hard to pull off, it must comply with the request under any circumstances, even in instances of hardship.

  Ensure VCDPA compliance with Matomo

  The VCDPA, like many other data privacy laws in the US, is designed to enhance the rights of Virginia consumers who have their personal or sensitive data collected and processed. Fortunately, this is where platforms like Matomo can help.

  Matomo is a powerful web analytics platform that has built-in features to help you comply with the VCDPA. These include options like :

  • Cookie-less tracking
  • Creating consumer consent and opt-out forms
  • Giving consumers access to their personal data

  Try out the free 21-day Matomo trial today. No credit card required.

• The new GDPR data protection regulation and potential consequences on Piwik

  7 septembre 2017, par Piwik Core Team — About, Privacy

  GDPR is a new data protection related regulation in Europe. GDPR stands for General Data Protection Regulation.

  The purpose of this European regulation is to strengthen and unify data protection for all individuals within the European Union. This also includes entities outside Europe willing to do business with European citizens. GDPR is a set of processes you need to follow within your organization to protect the privacy of European citizens.

  GDPR will start to apply in May 2018. It is recognized to be dissuasive because of the potential penalty of up to 4% of the yearly turnover, in case of infringement.

  Many articles have been written about GDPR including our previous article. Few of them are explaining how it will affect web analytics vendors : this is what this article is about.

  Am I really impacted by GDPR if I am a Piwik user ?

  As Piwik can collect personal data, the answer is yes. Piwik analytics data is impacted by the GDPR.

  As GDPR is a general concept, we decided from the official guidelines to assume what will be the potential consequences on the use of Piwik.

  There are 2 potential scenarios we can identify :

  • 1 – You are collecting personal data with Piwik
  • 2 – You are not collecting personal data with Piwik

  1 – Personal data collection with Piwik

  According to GDPR : IP addresses, cookies, UserID are personal data.

  IP addresses are personal data, so you will have to anonymize them unless you receive explicit consent from the visitor. Please view the following article in order to learn : how can I anonymize IP addresses in Piwik ?

  According to GDPR, cookies are personal data too. But as all cookies are not created equal it may be possible that some need to require user consent whereas other not. Whatever will be the final decision, you can learn about the first-party cookies created by Piwik and how to disable all tracking cookies in Piwik ?

  User ID, you are impacted if the User ID you assign is specific to an individual or if you can cross the User ID data further and find back the individual personal data.

  Any extra personal data you may collect with Piwik, it could be for example : first names, family names, e-mail address… You are able to collect such data using custom dimensions, custom variables…

  What are the rules I have to comply with ?

  By collecting personal data, you will have to respect EU citizens rights, which include :

  • The possibility for them to view the data you collected on them
  • The possibility to rectify some data concerning them
  • The possibility to delete their data when they request about it

  As you can imagine, for the first obligation, you will have to export all the data. So if a user is requesting it, you will have to export the data linked to his IP address(es). It can be easily exported as a .csv file for example.
  In order to do that, just create a segment according to the IP address of the user who requested it and then export the “Visitor log” report.
  If the personal data is not linked with the IP address but other attributes such as User ID or a custom dimension, you can provide the same data export by using the segment function and filtering on the personal data field.

  The data edit and deletion process on Piwik is a bit trickier as it currently requires administration system skills. We are planning to develop a new plugin for GDPR compliance (which will be available for free on the Marketplace). This plugin will let you edit and easily delete data of a particular user. Currently you can delete a specific user’s data by accessing the Piwik database and directly delete the different records for this specific user.

  2 – You are not collecting personal data with Piwik

  Unfortunately it is not because you do not collect personal data that you will not be affected by GDPR.
  The details of GDPR are not confirmed yet and GDPR could involve enabling the DoNotTrack setting by default on all browsers.
  Yes, you read it well, by default, unless the internet user uncheck this option, Piwik respecting DoNoTrack would not be able to track any user. If one needed to collect data anyway, Piwik Log Analytics and server-side tracking can be considered.

  If you need help regarding how to set up your Piwik installation in order to be GDPR compliant :

  Contact us

  Do you have a Piwik experience you would like to share with the community ? Please share it with us by contacting Piwik core team.