The LGPD: A high-level overview
According to Article 1 of the LGPD, the law is guided by the principle of protecting “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” Like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the LGPD has extraterritorial scope. Subject to certain listed exceptions, according to Article 3, the LGPD applies to the processing of “personal data” (as such term is defined by the LGPD) by any natural person or entity, public or private, even if such natural person or entity is based outside of Brazil, provided that (1) the processing takes place in Brazil, (2) the purpose of the processing is to offer or provide goods or services in Brazil, or (3) the personal data being processed was collected in Brazil.
The LGPD also takes a broad view of what data falls within the definition of personal data, similar to the GDPR and CCPA. In Article 5, the LGPD defines personal data as information related to an identified or identifiable natural person. Arguably, because of its broad definition, personal data may include information such as online identifiers. Article 12 of the LGPD states that data may be considered personal when used to create behavioral profiles (which may include online profiles) of a natural person and when such profiles identify that person. The LGPD also provides heightened protection for sensitive personal data, such as information concerning racial origin or genetic or biometric data.