Regulators Focus Attention on Privacy Crackdown in Brazil

Historically, the EU has been the darling of data protection initiatives. This past year, however, the privacy crackdown went well beyond the EU to growing economic areas such as Brazil.

Less than a month after the new “Marco Civil da Internet” went into effect on June 23, 2014, Brazilian regulators announced its first penalty by fining the telecom provider Oi a respectable 3.5 million reais ($1.59 million). Regulators alleged that Oi failed to notify Internet users that their browsing activities would be tracked and sold to third parties for use in behavioral advertisements.

This was a strong warning to multinational companies in the rapidly growing Brazilian economy that the country’s regulators would take swift action to ensure compliance with its new Internet law.

Prior Consent Necessary in Brazil

Under the new Brazilian law, a website operator or company must obtain a Brazilian citizen’s express consent before the collection and use of their personal data. In addition, the terms and conditions of a website or application regarding the collection, use, storage, and processing of personal data must be clearly stated in a manner easily identifiable by the respective user in the applicable agreement or terms of use.

The Brazilian Internet Act specifies that penalties can include warnings, fines of up to 10% of the gross revenues of the economic group in Brazil, and/or temporary/permanent suspension of activities. These penalties can be applied regardless of further civil, criminal, and administrative action.

If you do business in Brazil, it’s now imperative to ensure that your websites have cookie consent mechanisms in place set to require prior and express consent. An Internet user’s silence cannot be considered implied consent in Brazil.

It may also be necessary, as applicable to your company’s practice, to modify the language of your website’s terms and conditions to ensure that the collection, use, storage, and processing of personal data is clearly stated in a manner easily identifiable by the user.

If you represent a multi-national company, it’s a good idea to start the New Year with a refresh of your privacy policies and practices in Brazil.