- What is the Brazilian General Data Protection Law (LGPD)?
- Will Bound be compliant with the Brazilian General Data Protection Law (LGPD) on August 15, 2020?
- Will our customers be able to use Bound products and services without risking a breach of the LGPD?
- What are the roles within LGPD?
- How exactly does Bound comply with the LGPD?
- Will Bound’s approach to the LGPD change at a later date?
- Beyond the products and services, Bound has prepared for the LGPD by adjusting some of our processes and legal agreements. Which ones?
- Do these changes affect Bound customers in any way?
- Will this work impact Bound customers’ current (or planned) integration in any way?
- For those of you saying, “Wait, what is the LGPD?”
What is the Brazilian General Data Protection Law (LGPD)?
The LGPD is a Brazilian law that regulates the collection and use of information about Website visitors from Brazil. The LGPD is enforced starting August 15, 2020. We recommend that you coordinate with legal counsel to understand how your business achieves compliance.
Will Bound be compliant with the Brazilian General Data Protection Law (LGPD) on August 15, 2020?
Yes. Bound is compliant prior to August 15, 2020, the date the LGPD comes into force.
Will our customers be able to use Bound products and services without risking a breach of the LGPD?
Yes. Bound reached LGPD compliance prior to August 15, 2020. However, it’s critical to note that, for customers to whom the LGPD applies, Bound on its own does not make your business compliant. You will need to make certain your own business is compliant with the LGPD. If your business is not compliant, you still risk a breach of the LGPD by using Bound products and services, even though we are compliant.
What are the roles within LGPD?
Under the LGPD, the “Data Controller” has the relationship with the Website visitor who is within Brazil. In our relationships, Bound customers are Data Controllers and Bound is the “Data Processor”. Thus, we process data on behalf of our customers, each of whom is the Data Controller with the primary and direct relationship with the Brazil Website visitor.
As part of our contractual relationship with our customers, Bound enters into a Data Collection, Processing, and Retention agreement for operating under the LGPD.
How exactly does Bound comply with the LGPD?
Bound’s policy is simple and straightforward: starting August 15, 2020, Bound will be using GeoIP lookup and/or cookie-based data to identify a Website visitor’s location. If the Website visitor is identified as being in Brazil, Bound will not process, store or track the user’s data. Instead, once a Brazil location is determined, Bound serves only default content or randomized content to the Brazil visitor. For auditing purposes, Bound securely logs only a record of the visit containing the identification mode (GeoIP or cookie), a date and time stamp, and the associated “do-not-track” values required to demonstrate that we are compliant with the LGPD.
If our customers have a need to continue personalization for Brazil Website visitors, we can personalize if our customers complete our LGPD addendum confirming the customer is compliant and that they are handling all consent management with their Brazil Website visitors.
Will Bound’s approach to the LGPD change at a later date?
As with all things product and service related, Bound is always working to evolve. As the roles, strategies and technologies related to LGPD change, we anticipate that we will too. Any changes made to our approach will be clearly detailed for our partners and customers in advance, giving them the ability to select their preferred method of interaction with their Website visitors.
Beyond the products and services, Bound has prepared for the LGPD by adjusting some of our processes and legal agreements. Which ones?
As anybody involved with LGPD has experienced, this is a massive undertaking touching almost every aspect of the business. To date, we have identified and/or addressed:
- Privacy by Design: We are always reviewing the way we design, build and implement updates and new products and services to ensure data privacy remains a core part of our decision-making processes at every level.
- Data Security: We reviewed and amended our data practices and policies to ensure our approach to data is compliant, consistent and clear across the Bound ecosystem.
- Working with Customers: We are working with our customers to answer their questions and adjust or supplement our agreements to ensure customers can use Bound in compliance with LGPD.
- Data Management: You and/or your Website visitors own the data, not Bound. We’ll take whatever data-related actions you or your Website visitors request.
- Data Processing: As the Data Processor, Bound has adjusted terms and processes to fulfill commitments to customers in their role as Data Controller. Bound has worked to ensure our terms and conditions contain provisions that are appropriate to the data we store, and balance the risks and responsibilities between us and our customers fairly.
Do these changes affect Bound customers in any way?
Yes. We have updated legal terms to bring them into compliance with the LGPD and those changes now apply to Bound customers. We recommend Bound customers read the updated terms because using Bound products and services after the updated terms have gone live will be treated as acceptance of those terms.
Will this work impact Bound customers’ current (or planned) integration in any way?
The answer is, maybe. If you opt for our default serving, our Customer Success Manager(s) will work with you to determine alternate analytic and personalization strategies in these scenarios and no additional legal agreements are required. If you have active campaigns running for visitors within Brazil, we will no longer process, track or store their data associated with their Website interactions — unless you have executed the addendum allowing Bound to personalize for your Brazil Website visitors.
For those of you saying, “Wait, what is the LGPD?”
The Brazilian General Data Protection Law is a new data regulation that aims to strengthen the security and protection of personal data in Brazil. It is designed to give organizations a consistent framework on how personal data can be collected, processed, used, and shared within Brazil. The LGPD provides individuals with more control over how their personal data can be processed.