Brazil's data protection law, the Lei Geral de Proteção de Dados Pessoais (LGPD), took effect in September 2020, with penalties becoming enforceable from August 2021. The LGPD is made up of 65 articles. Articles 17-22 deal with the rights of data subjects, i.e. those whose data is collected and/or processed, which mainly means individuals or natural persons. It provides 10 legal bases for the processing of personal data, four more than the GDPR.
All emails should include the sender's name and contact information. Emails should also include a clear unsubscribe/opt-out option. There is no clear mention of the time period within which an unsubscribe request must be processed.
Unsolicited communications may only be sent on one of two legal grounds for processing: the data subject's consent, or the controller's legitimate interest.
The LGPD is currently vague about what constitutes the controller's legitimate interest. For this reason, it is not recommended that businesses send emails on legitimate-interest grounds until the National Authority on Data Protection has ruled on what is compliant.
The Email Marketing Self-Regulation Code (CAPEM) is an initiative undertaken by ISPs. The code is not legally binding, and ISPs participate only on a voluntary basis. It contains basic rules to protect internet users and asks marketers to include an opt-out link in every communication sent.
Soft opt-in is also allowed where an existing commercial or social relationship can be demonstrated (effectively a legitimate-interest ground).
According to LGPD, non-compliance will result in the following sanctions:
- Warning, with an indication of the period for adopting corrective measures.
- Simple fine of up to 2% of the revenue in Brazil of a private legal entity, group or conglomerate, calculated on the prior financial year's revenue (excluding taxes), up to a maximum of 50 million BRL per infraction.
- Daily fine, subject to the same total maximum referred to above.