As many already know, since the approval of the General Data Protection Regulation (GDPR) the US is going through a phase of behavioral change and transition regarding the care given to information security and protection of personal data of customers and employees.

Major technology companies are hiring multinationals to provide services such as compliance and review of information security policies.

In addition, these giants are hiring a Data Protection Officer (DPO) to fit LGPD and GDPR. 

This change in attitude has been a reflection of the effective action of the Public Prosecution Service in overseeing incidents related to the sale, sharing, and leakage of personal customer data.

The Public Prosecution Service has been imposing several data protection fines based on the Internet Civil Framework, and the Consumer Protection Code, several Conduct Adjustment Terms (TACs) have been signed-in in recent months.

Although the LGPD/GDPR has not come into force (this will happen in August 2020), the creation of this Law together with the project to create the National Data Protection Authority already causes a change of perspective, taking into account citizens are more attentive to the matter.

Thus, there is a popular commotion to defend privacy and personal data as fundamental rights to life in society in the 21st century.

What does this very law have to do with a startup, a small business intelligence (BI) or digital marketing company?

Now, if your business processes personal data, which includes simply collecting, storing, reading, sharing or complex analysis of information such as name, social security number, email, IP, click mapping or data customer browsing, in either case, your company may fall within the scope of the GDPR application.

The application of GDPR/LGPD occurs indiscriminately between companies of any size that perform this type of operation with personal data. There is no mention of company size, mitigating for startups and small businesses, or different treatment for small market players.

Therefore, all startups, digital marketing, or BI companies must comply with the new data protection rule as a matter of urgency, given that the GDPR/LGPD compliance period is ending.

If you own a startup or provide digital marketing services, whether you are a home office or a large advertising agency, you must fit in and need to implement an awareness policy regarding the handling of your customer data.

If your company collects user data for the application or website registration, collects email for newsletters, stores data collected by another company, or uses personal data for profiling and targeting to create predictive mechanisms for consumption and analytics customer profile demographics, you will need to comply with data protection laws.

My company collects little data, is ‘’ harmless ‘’, yet will I have to fit in?

GDPR/LGPD does not provide any hypothesis of exclusion from the application due to the analysis of the size of the firm/company or the amount of data processed.

All companies that treat (collect, store, share, analyze, etc.) personal data of customers or employees will be subject to the application of GDPR/LGPD.

If a startup or small digital home office marketing agency performs any of these data processing activities, it will automatically be subject to the General Data Protection Act.

So, will I just need to start adjusting when the General Data Protection Act begins to apply?

Do not.

Prior to the GDPR, other laws already regulate the issue of data protection in United States such as the Consumer Protection Code, the Internet Civil Framework, the Federal Constitution and the Positive Registration Law.

In fact, the Public Prosecution Service has already started strong enforcement of data protection in several states.

Can I use data collected by a trading partner or sell /assign/share data without user consent?

Do not.

In fact, the consent of the user (client or potential client) is the general rule for the processing of personal data. Companies will not be able to share their customer data with business partners without express and specific consent for this purpose.

The GDPR/LGPD regime, as provided for in the Internet Civil Framework, provides that user consent is indispensable for any application provider activity (websites or applications, for example). Thus, startups and digital marketing companies would fall within this scope.

The sale of personal data, as well as any free transaction, is not permitted without the holder of the personal data expressly and specifically authorizing the sharing for this purpose.

What are the consequences of violating personal data protection laws?

Currently, the violation of the rules set forth in the Internet Civil Framework and the Consumer Protection Code has been used to support civil actions for the repair of moral and material data, within the scope of civil liability and Consumer Law. These rules may justify the application of convictions to the payment of indemnities in the judiciary.

With the new regime provided for in the General Data Protection Act, companies that do not comply may incur violations of data protection rules, which may imply application a fine of up to 2% of the company's annual revenues or fifty million ( $ 50,000,000.00) or less, regardless of the size of the firm/company or data flow handled.

How to avoid these penalties for my startup or digital marketing company?

For the prevention of corporate incidents or breaches of the General Data Protection Act, it is recommended that a data protection regime be established as the most appropriate legal '' remedy '' to mitigate risks and protect companies from the risks inherent in personal data processing activities of individual users, regardless of their economic appropriation.

What is most recommended now is the gradual and prior creation of a personal data protection program for users, which may consist of:

  • Legal advice specializing in data protection;
  • Information Security risk analysis;
  • Establishment of a specific compliance program;
  • Preparation of new Terms of Use and Privacy Policy, in line with the General Data Protection Act.

Most startups and digital marketing companies use personal data processing as part of their core business, which is not to say that these firms/companies will need to discontinue acting on personal data.

However, it objectively means that all of these companies will need to adjust to new personal data protection laws.

Glossary of some GDPR/LGPD terms

Our order was concerned to highlight and explain some terms used throughout the text of the law. So when dealing with personal data, we should keep in mind some of the following legal definitions:

  1. Personal data is information related to an identified or identifiable natural person;
  2. Sensitive personal data is personal data on racial or ethnic origin, religious belief, political opinion, union membership, or religious, philosophical or political organization, health or sexual life data, genetic or biometric data when linked to a natural person;
  3. Processing is any operation which is performed with personal data, such as data collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control, modification, communication, transfer, diffusion or extraction;
  4. The holder is the natural person (person) to whom the personal data subject to processing refer;
  5. The controller is the legal or natural person who will make decisions about the processing of personal data;
  6. An operator is the legal or natural person entrusted by the controller to process personal data.

Important: LGPD only comes into force in 2020, but the sooner adaptation begins, the easier the transition and compliance will be!

Have some questions about GDPR/LGPD that were not answered here? We have standby professional and qualified lawyers in this line that are willing to help you. Kindly contact us at Citiattorney for help on that.

To help us reach and update more people, kindly help us share this article on your social networks and help share knowledge with the startup ecosystem in the United States and every other part of the world.



Recent posts


SERVICE CONTRACT: MAKE A CONTRACT WITHOUT FAIL Service Contracts are legal instruments that serve to provide security to parties that agree on a particular object. To create a service contract,
Read More


PROPERTY SECURITY: 3 LEGAL RESOURCES TO PROTECT YOUR BUSINESS Owning assets in the United States is not easy but in cases whereby one has a private company, Property Security is advisable. 
Read More


MEMORANDUM OF UNDERSTANDING: WHAT IT IS AND WHEN TO USE In a direct way, the memorandum of understanding is an agreement between two or more parties to align the terms and details of an und
Read More