The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados) came into effect in September 2020. Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law. On February 27, 2023, the Brazilian national data protection authority (the “ANPD,” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”). The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANPD will consider when imposing such sanctions.
Notably, the LGPD applies not only to Brazilian companies, but also to U.S. and other foreign entities that process data collected in Brazil or offer any goods or services associated with data in Brazil.
By the same token, Brazilian companies processing data of U.S. residents are exposed to U.S. data privacy laws, which are more developed—yet still in flux. While the regulation and enforcement of data privacy in the United States can differ depending on the U.S. state and industry, the growing enforcement of data privacy by various regulators in the U.S. offers a potential playbook for the possible sanctions companies may face in connection with the ANPD’s enforcement of the LGPD.
Taking into account recent developments in both countries, we provide here an overview of the Brazilian data privacy rules and contrast them with equivalent rules in the U.S.
I. Data Privacy Protection in Brazil
Although the Brazilian Congress enacted the LGPD on August 14, 2018, it only came into effect two years later, in September 2020. The LGPD establishes rules for the use of personal data by individuals, companies, and the public sector in Brazil, and applies extraterritorially to foreign entities if the data are collected in Brazil or any goods or services associated with the data are offered in Brazil.
Modelled after the European Union’s General Data Protection Regulation (“GDPR”), the LGPD has significantly overhauled data privacy requirements in Brazil. It requires that a data subject provide free, informed, and unambiguous consent to the processing of their personal data for a specific purpose. In the absence of valid consent, the LGPD permits data processing only under limited circumstances, such as where the controller must comply with a legal or regulatory obligation. The law applies to companies of all sizes and provides exceptions only under a few enumerated circumstances, such as where data are collected exclusively for the purpose of public safety and national defense, or for journalistic, artistic, and academic purposes. In processing otherwise protected data, companies should observe the principles set forth by the LGPD, including good faith, transparency, and limitation of data processing to the minimum necessary, as well as the adoption of security, technical, and administrative measures to protect personal data against unauthorized access.
Similar to the GDPR, the LGPD requires companies to appoint a data protection officer (“DPO”) to respond to any matters concerning the processing of personal data. The DPO is responsible for communicating with the ANPD, providing guidance to employees and contractors on data protection best practices, and taking measures to safeguard the rights of data subjects. These rights include a data subject’s access to his or her personal data, information about third parties with whom the data controller shared the data, or the correction, anonymization, blocking, or deletion of “unnecessary or excessive data” or data processed in violation of the LGPD.
There has yet to be an enforcement action by the ANPD under the LGPD. However, the ANPD will apply the recently issued Sanctioning Guidelines when enforcing the LGPD.
- Sanctions: Breach of the LGPD may subject violators to pecuniary and non-pecuniary sanctions. Pecuniary sanctions entail (1) a simple administrative fine of up to 2% of the revenues of the private legal entity, group, or conglomerate in Brazil in its preceding financial year (excluding taxes), capped at R$50 million (currently about US $9.9 million) per violation, and/or (2) a daily fine, subject to the same aggregate cap of R$50 million (currently about US $9.9 million). The Sanctioning Guidelines provide formulae to determine the fine range based on a company’s revenues and a set of attenuating and aggravating circumstances. Non-pecuniary sanctions can include the publication of the violation, blocking or deletion of the personal data related to the violation, or suspension of the personal data processing or related activities for six months (which may be extended).
- Determination: Under the Sanctioning Guidelines, ANPD regulators will consider a list of factors in determining appropriate sanctions for the violation of the Brazilian data protection regime. Among many others, these include the seriousness and nature of the violation and of the personal rights affected, the improper gains obtained, past misconduct (within the five years preceding the final decision of the administrative proceeding), prompt remediation, and effective compliance, such as through the adoption of appropriate policies, procedures, and best practices.
In adopting the Sanctioning Guidelines, Brazilian authorities continue to mirror the EU’s data privacy regulatory and enforcement efforts. Indeed, the ANPD’s Sanctioning Guidelines generally follow the same principles as the European Data Protection Board’s Guidelines on the Calculation of Administrative Fines under the GDPR.
II. U.S. Data Privacy Protection
Unlike Brazil and the EU, the United States does not have a comprehensive data privacy law at the federal level. Instead, U.S. law addresses data privacy issues on an industry-by-industry and a state-by-state basis. For instance, different federal laws govern data protection in the financial industry (the Gramm-Leach-Bliley Act of 1999) and the healthcare industry (the Health Insurance Portability and Accountability Act of 1996). In addition, some states have broader data privacy legislation than others, the most prominent being the California Privacy Rights Act, which is the closest to an LGPD- or GDPR-like regime in the United States.
Although there is no general federal law governing data privacy, the Federal Trade Commission (“FTC”) has brought several data privacy related actions under the FTC Act. To do so, the FTC has utilized its general statutory authority to regulate “unfair or deceptive acts or practices” targeting consumers under Section 5 of the FTC Act. The FTC has used this authority to assert that companies should (1) provide notice to consumers of how their information is collected, stored, and transferred, and (2) obtain consent to those terms, often through a right to opt in or out.
Similarly, the U.S. Securities and Exchange Commission (the “SEC”) has taken various initiatives to address data security-based threats, based on its authority to regulate companies that issue public securities and companies that hold and invest money on behalf of investors. In particular, in 2017, the SEC created a Cyber Unit within its Enforcement Division (recently renamed Crypto Assets and Cyber Unit), which has brought numerous actions against regulated companies for failure to maintain adequate cybersecurity controls and failure to appropriately disclose cyber-related risks and incidents.
However, much of the enforcement action in the U.S. has been at the state level, where legislatures have passed data breach notification laws and, more recently, comprehensive data security and privacy laws.
Given the patchwork of U.S. laws that regulate cybersecurity and privacy related conduct, the outcomes of U.S. enforcement actions have varied depending on the regulator.
For example, the FTC has brought enforcement actions against companies for failure to comply with their own representations about data privacy or security on the basis that such conduct amounts to an unfair or deceptive act. Similarly, the agency has taken action against companies that were victims of a data breach that exposed consumer personal information on the theory that the company’s security shortcomings themselves constituted an unfair or deceptive act.
- Sanctions: Like the ANPD in Brazil, the FTC employs non-pecuniary and pecuniary sanctions. Non-pecuniary sanctions include prohibitions against misrepresentations about security and privacy, requirements to implement an Information Security Program that protects the security, confidentiality, and integrity of personal information, information security assessments by a third party, compliance monitoring and reporting, as well as record-keeping of documents such as accounting and personnel records or records of consumer complaints. While the ANPD in Brazil may directly impose fines on a company that violates the LGPD’s data privacy regime, the FTC can only seek a civil monetary penalty from a company that violates a final order of the FTC. That means the FTC will always initially impose non-pecuniary sanctions in administrative proceedings before seeking to impose pecuniary ones through the courts. The maximum civil monetary penalty the FTC may impose for each violation is US $50,120. However, companies often end up paying substantial penalties as the FTC interprets “each” violation broadly and imposes total fines consisting of many multiples of US $50,120.
- Determination: Unlike the LGPD and the regulations implementing it, the FTC Act contains no list of factors the FTC staff considers in imposing sanctions for data privacy violations. However, examining the FTC’s orders related to data privacy and security suggests that the staff closely tailors sanctions to the wrongdoing at issue.
In 2012, the FTC entered into a settlement with Facebook resolving charges that Facebook had deceived users about their ability to control the privacy of their personal information. Among other things, the consent decree prohibited Facebook from making misrepresentations about the extent to which it maintains the privacy or security of personal information, required Facebook to make certain disclosures to users prior to any sharing of users’ nonpublic information with third parties, and required it to put in place a comprehensive data privacy program and implement procedures to ensure that personal information could not be accessed by third parties. In 2019, the FTC found that Facebook had violated its consent decree and imposed a $5 billion penalty and sweeping new privacy restrictions through a consent order.
In addition to the enforcement activity by the FTC, since 2018, the SEC has brought four enforcement actions against public companies under the U.S. federal securities laws for allegedly misleading investors about data breach incidents and cybersecurity risks. In its first significant cybersecurity-related enforcement action, on April 24, 2018, Altaba Inc. (formerly known as Yahoo) agreed to pay $35 million to resolve allegations that Yahoo failed to disclose a material data breach of its user database. More recently, on March 9, 2023, the SEC ordered Blackbaud Inc. to pay a civil monetary penalty of $3 million for making allegedly misleading statements about the unauthorized access of customers’ personal data following a ransomware attack. Under the SEC’s guidelines, companies can mitigate penalties through prompt remediation and cooperation with the SEC. In determining the appropriate penalty, the SEC considers criteria such as the nature, origin, and duration of the misconduct, the way the misconduct was detected, as well as the processes the company followed to resolve the misconduct and learn the truth expeditiously, and the efforts in voluntarily and promptly disclosing violative conduct to the SEC.
Unlike the FTC and SEC, which largely enforce data privacy through laws that are only indirectly related to cybersecurity and privacy, U.S. states regulate data privacy directly through state laws requiring data breach notifications to state residents and, in some cases, imposing direct data security and privacy requirements on companies doing business within the state. The New York Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) is an example of a state law that imposes both notification and affirmative data security requirements, but most states have laws that focus exclusively on the notification requirement in case of a data breach. Violations of such notification obligations can lead to fines, but to date, where state authorities have acted alone, those fines have been smaller than in federal enforcement actions. For example, on June 30, 2022, grocery store chain Wegmans agreed to pay $400,000 for exposing the personal information of more than three million consumers nationwide, including more than 830,000 New Yorkers. However, when multiple state authorities have coordinated their investigations in connection with large incidents, the fines have approached those found at the federal level.
As noted above, more recently, certain states like California have implemented comprehensive privacy regimes similar to the LGPD and GDPR in addition to imposing notification and data security obligations. Enforcement of such privacy laws is expected to increase over the next several years. For instance, on August 24, 2022, the retailer Sephora agreed to pay $1.2 million in penalties to the California Attorney General for violating the California Consumer Privacy Act (the “CCPA”). The Attorney General alleged, among other things, that the retailer failed to disclose to consumers that it was selling their personal information and that it failed to properly process user requests to opt out of sale.
As shown above, the U.S. and Brazil differ in their approaches to data privacy. Brazil has one data privacy law (the LGPD) modelled after the European Union’s GDPR, whereas the U.S. has enforced data privacy through a range of federal and state laws, some of which are not specific to data privacy, particularly at the federal level. In addition, while the LGPD is primarily focused on data privacy and consumer rights, U.S. enforcement agencies have been mostly targeting data security, in particular, issues arising out of data breaches and related disclosures—although this is starting to change at the state-level with laws such as the CCPA, and there are ongoing efforts to pass a comprehensive data privacy law in the U.S. Congress.
Both the Brazilian and U.S. regimes are trending towards increased regulatory enforcement of companies’ treatment and protection of data. Importantly, the recent Brazilian Sanctioning Guidelines and U.S. precedents show that under both the Brazilian and U.S. regimes, government authorities consider a range of factors in determining appropriate sanctions for companies that violate their data privacy and related rules. Companies can reduce their possible exposure to onerous fines and other penalties by developing an effective cybersecurity compliance program, implementing and testing a robust cybersecurity response plan, and being transparent about their data uses and risks to both customers and investors.
 See Lei No. 13.709, Diário Oficial da União [D.O.U.] de 14.08.2018 (Braz.).
 See Resolution CD/ANPD No. 4 Approving the Regulation of Measurement and Application of Administrative Sanctions (Regulamento de Dosimetria e Aplicação de Sanções Administrativas), de 27.02.2023 (Braz.).
 Cleary Gottlieb does not practice Brazilian law, and this section is a high-level overview of the current rules and practices in the country based on our experience and discussions with Brazilian counsel. It is not intended to provide, and should not be relied on as, legal advice. Readers should seek and rely on legal advice from Brazilian counsel on these matters.
 See Agência Senado, “LGPD Enters Into Force” (Lei Geral de Proteção de Dados Entra em Vigor) (Sept. 18, 2020), https://www12.senado.leg.br/noticias/materias/2020/09/18/lei-geral-de-protecao-de-dados-entra-em-vigor.
 See LGPD, art. 3.
 See id. art. 5.V (defining “data subject” as “a natural person to whom the personal data that are the object of processing refer to”).
 See id. art. 9, art. 5.I (defining “personal data” broadly as “information regarding an identified or identifiable natural person”). The LGPD includes specific rules for “sensitive data,” which is defined as “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.” LGPD, art. 11.
 See id. arts. 5.VI (defining “controller” as “a natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data”); 7 (listing circumstances under which the processing of personal data is permitted).
 See id. art. 4.
 Upon the enactment of Brazilian Federal Law No. 14,460 on October 26, 2022, the ANPD became an independent agency of the Brazilian Government.
 See LGPD, arts. 9, 18.
 This is based on an exchange rate of US $ 1 = 5.04 BRL as of May 26, 2023.
 See Sanctioning Guidelines, arts. 11, § 1.IV; 15; 16 (providing that daily fines shall be levied to ensure compliance with non-monetary sanctions, other ANPD determinations, or when the violator fails to remedy a violation, obstructs inspection activities, or commits a permanent infraction after being notified).
 See Sanctioning Guidelines, arts. 11-19 and Appendix 1. Aggravating circumstances include, among others, past misconduct and violation of preventive measures taken as a result of administrative proceedings preceding sanctioning. See id. art. 12.
 See id. arts. 20-21.
 See id. arts. 22-24.
 See id. arts. 25-26. Other sanctions the ANPD may apply under the Sanctioning Guidelines include the partial suspension of the database related to the wrongdoing for six months (which may be extended). See id. art. 24.
 See LGPD, art. 52; Sanctioning Guidelines, art. 7 and Appendix 1.
 See Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on May 12, 2022.
 The California Privacy Rights Act came into effect on January 1, 2023, and amends the California Consumer Privacy Act. See Cal. Civ. Code § 1798.100 et seq. It applies to any nonpublic information that can be linked to an individual or household and imposes affirmative notification obligations on companies that possess data regarding California residents. Id. It further permits residents to access, correct, delete, and prevent the sale of their personal data. Id. New York has the Stop Hacks and Improve Electronic Data Security Act, also known as the “SHIELD Act,” which expands data breach notification obligations under New York law and imposes affirmative cybersecurity obligations on covered entities. See our Alert Memorandum, “New York Lawmakers Introduce Biometric Privacy Bill with Private Right of Action,” dated January 21, 2021, https://www.clearycyberwatch.com/2021/01/new-york-lawmakers-introduce-biometric-privacy-bill-with-private-right-of-action/.
 The FTC has enforcement and administrative responsibilities under more than 70 laws. See FTC, “Enforcement” (as of Mar. 28, 2023), https://www.ftc.gov/enforcement. Among others, it has authority to enforce key portions of the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and the Children’s Online Privacy Protection Act of 1998. See FTC, “Privacy and Security” (as of Mar. 28, 2023), https://www.ftc.gov/business-guidance/privacy-security.
 See 15 U.S.C. § 45(a).
 See SEC, “SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit” (May 3, 2022), https://www.sec.gov/news/press-release/2022-78.
 See our Alert Memorandum, “All 50 States Now Have Data Breach Notification Laws,” dated Apr. 13, 2018, https://www.clearycyberwatch.com/2018/04/50-states-now-data-breach-notification-laws/.
 See, e.g., FTC, “Privacy and Security Enforcement” (as of Apr. 10, 2023), https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement.
 See, e.g., In re BLU Products Inc., Matter No. 1723025, Docket No. C-4657 (Sept. 6, 2018) (Decision and Order) (“In re BLU”); FTC v. LifeLock, Inc. (Mar. 9, 2010) (Stipulated Final Judgment and Order) (“Lifelock Initial Order”).
 See, e.g., In the Matter of InfoTrax Systems, L.C., Matter No. 1623130, Docket No. C-4696 (Dec. 30, 2019) (Decision and Order).
 See, e.g., Lifelock Initial Order.
 See, e.g., In re BLU.
 See AMG Cap. Mgmt., LLC v. Fed. Trade Comm’n, 141 S. Ct. 1341, 1349 (2021).
 See 15 U.S.C. § 45(l); 16 C.F.R. § 1.98.
 See In the Matter of Facebook, Inc., Docket No. C-4365 (Aug. 10, 2012) (Decision and Order).
 See id.
 See FTC, “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook” (July 24, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook; see also United States v. Facebook, Inc., No. 19-CV-2184 (July 24, 2019) (Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief).
 See In the Matter of Blackbaud, Inc., Securities Act Release No. 11165, Exchange Act Release No. 97098 (Mar. 9, 2023) (Cease-and-Desist Order), https://www.sec.gov/litigation/complaints/2023/comp-pr2023-48.pdf; In the Matter of Altaba Inc., f/d/b/a YAHOO! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096 (Apr. 24, 2018) (Cease-and-Desist Order), https://www.sec.gov/litigation/admin/2018/33-10485.pdf; In the Matter of First Am. Fin. Corp., Exchange Act Release No. 92176 (June 14, 2021) (Cease-and-Desist Order), https://www.sec.gov/litigation/admin/2021/34-92176.pdf; In the Matter of Pearson plc, Securities Act Release No. 10963, Exchange Act Release No. 92676 (Aug. 16, 2021) (Cease-and-Desist Order), https://www.sec.gov/litigation/admin/2021/33-10963.pdf. Bolstering the SEC’s increased regulatory scrutiny of companies’ cybersecurity disclosures, the SEC has recently proposed new rules to impose additional disclosure requirements, including disclosure about material cybersecurity incidents within four business days and annual disclosure regarding a registrant’s policies and procedures for identifying and managing cybersecurity risks. See our Alert Memorandum, “SEC Proposes New Disclosure Rules for Cybersecurity Incidents and Governance,” dated Apr. 4, 2022, https://www.clearygottlieb.com/-/media/files/alert-memos-2022/2022_04_04-sec-proposes-new-disclosure-rules-for-cybersecurity-incidents-and-governance.pdf. In addition to bringing disclosure actions against public companies, the SEC has also used its existing authority to regulate the protection of customer data by broker-dealers and investment advisers, impose cybersecurity requirements, and bring enforcement actions against such regulated entities. See our Blog Post, “SEC Proposes Major New Cybersecurity Rules for Market Participants,” dated Mar. 29, 2023, https://www.clearygottlieb.com/news-and-insights/publication-listing/sec-proposes-major-new-cybersecurity-rules-for-market-participants.
 See our Alert Memorandum, “Yahoo’s Successor Settles First-Ever Case Involving SEC Charges for Failing to Disclose a Cybersecurity Incident,” dated Apr. 27, 2018, https://www.clearygottlieb.com/-/media/files/alert-memos-2018/yahoos-successor-settles-first-ever-case-involving-sec-charges-for-failing.pdf.
 See our Alert Memorandum, “SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack,” dated Mar. 9, 2023, https://www.clearycyberwatch.com/2023/03/sec-charges-public-company-for-alleged-misleading-disclosures-surrounding-ransomware-attack/#_ftn1.
 See SEC, Enforcement Manual at 6.2.7 (Nov. 28, 2017), https://www.sec.gov/divisions/enforce/enforcementmanual.pdf; SEC, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Exch. Act Release No. 44969 (Oct. 23, 2001), https://www.sec.gov/litigation/investreport/34-44969.htm.
 See our Blog Post, “New York Passes Expansive New Cybersecurity Law,” dated July 29, 2019, https://www.clearycyberwatch.com/2019/07/new-york-passes-expansive-new-cybersecurity-law/.
 See Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151-152; Pennsylvania Statutes § 73-2301, Breach of Personal Information Notification Act.
 See Off. of N.Y. State Attn’y Gen., “Attorney General James Secures $400,000 From Wegmans After Data Breach Exposed Consumers’ Personal Information” (Jun. 30, 2022), https://ag.ny.gov/press-release/2022/attorney-general-james-secures-400000-wegmans-after-data-breach-exposed-consumers.
 See Reuters, “Uber to pay $148 million to settle data breach cover-up with U.S. states” (Sep. 26, 2018), https://www.reuters.com/article/us-uber-databreach/uber-to-pay-148-million-to-settle-data-breach-cover-up-with-u-s-states-idUSKCN1M62AJ.
 See our Alert Memoranda comparing the California and Virginia legislations to the GDPR, “California’s Groundbreaking Privacy Law: The New Front Line in the U.S. Privacy Debate,” https://www.clearygottlieb.com/news-and-insights/publication-listing/californias-groundbreaking-privacy-law-the-new-front-line-in-the-us-privacy-debate; “The ‘New’ Dominion of Privacy Law: Virginia Becomes Second State to Pass Comprehensive Consumer Data Privacy Act,” https://www.clearycyberwatch.com/2021/04/the-new-dominion-of-privacy-law-virginia-becomes-second-state-to-pass-comprehensive-consumer-data-privacy-act/.
 See California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.; Virginia Consumer Data Protection Act, 2021 H.B. 2307/2021 S.B. 1392. Some state agencies also regulate and enforce data privacy in particular industries within the state, such as the medical and banking industries. For instance, the Texas Medical Records Privacy Act regulates the collection, use, and disclosure of personal health information and lays out standards for protecting personal health information. See Texas Health and Safety Code, https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm. In New York, the Department of Financial Services (the “DFS”) was one of the first regulators to implement comprehensive cybersecurity regulations for its regulated entities. On August 1, 2022, crypto-currency trading platform Robinhood Crypto LLC agreed to pay $30 million to the New York DFS to resolve allegations that it failed to maintain effective and compliant Bank Secrecy Act / Anti-Money Laundering and Cybersecurity Programs, among others. See N.Y. State, “DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations,” https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021.
 See, e.g., Cal. Attn’y Gen., “CCPA Enforcement Case Examples,” https://oag.ca.gov/privacy/ccpa/enforcement (updated as of Aug. 24, 2022).
 See Cal. Dep’t of Just., “Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act” (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
 See, e.g., American Data Privacy and Protection Act, H.R.8152, 117th Cong. (2021-2022).