With the approval of Law No. 13,709/2018, the Brazilian General Data Protection Law (LGPD), practically all sectors of the economy, both public and private, must take measures to adapt their activities to the new legal requirements regarding the processing of personal data.
One of the sectors that will be most directly affected by the new law will be advertising and marketing, especially in relation to the targeted advertising model based on behavioral analysis, which individualizes and segments ads according to target-audience profiles.
To create these profiles, it is necessary to process a large volume and a wide variety of data, such as web browsing history, app usage, shopping habits, geolocation data, IP address, network data, date and time records for actions performed, time spent on each page, links clicked, and searches performed.
Currently, these data are usually collected and processed freely, often without the consent or even the knowledge of the data subjects (i.e., the person to whom the data refer). In some cases, the argument for this practice is that such data are not, strictly speaking, personal data, since they are not able to identify a person, despite the definition provided in article 14 of Decree No. 8,771/2016, which provides for the regulations of Law No. 12,965/2014 (the Brazilian Civil Rights Framework for the Internet). This model, however, will need to be revised to adjust to the LGPD, which will come into effect in August 2020.
Under the new law, the processing of personal data may only be performed in one of the ten scenarios provided for in its article 7.[1] In addition, it will be necessary to take into account the provisions of article 12, paragraph 2 of the LGPD, according to which the data used to form the behavioral profile of a particular individual, if identified, may be considered personal data.
It should be noted that none of the legal bases that legitimize the processing of personal data has a preponderance or greater importance in relation to the others, and a case-by-case analysis must be carried out in order to identify the one that best suits a particular situation.
The analysis of this article is limited to the scenarios of items I and IX (the consent of the data subject and the legitimate interest of the controller), because they are the most commonly invoked to substantiate the processing of data for the purposes of behavior analysis and targeted advertising. Other scenarios would very rarely apply for this purpose.
Regarding the legitimate interest of the controllers, the LGPD expressly states that they may only substantiate the processing of personal data for legitimate purposes, including, for example, support and promotion of the controller’s activities (i.e., the person responsible for the decisions concerning the processing of personal data), provided that such treatment does not entail a disproportionate violation of the fundamental rights and freedoms of the data subject.
Thus, it would be possible to question legitimate interest as a legal basis for the processing of personal data for the purposes of behavioral analysis and the provision of targeted advertising, since, by the very nature of the data, the respective collection and treatment could be considered too intrusive, disproportionately violating the privacy and intimacy of their data subjects.
A recent decision in this sense was handed down by the French National Data Protection Commission (CNIL), which ordered Google to pay a fine of 50 million euros on the grounds that the company processed data for the purposes of behavioral analysis and targeted advertising without adequate grounds based on one of the scenarios for authorization provided for in the GDPR (the European General Data Protection Regulation, which inspired the LGPD).
According to CNIL, "if the large volume of data processed allows one to ascertain the massive and intrusive nature of the processing performed, the very nature of some of the data described, such as geolocation or content consulted, reinforces this understanding. Taken in isolation, it is likely that collecting each of these pieces of data will accurately reveal many of the most intimate aspects of people's lives, including their lifestyle, their tastes, their contacts, their opinions, or even their travels. The result of combining these data reinforces considerably the massive and intrusive nature of the processing operations in question."[2]
In the light of this understanding, it seems to us, in principle, that, although legitimate interest may be used as a legal basis for the collection and processing of more specific and less invasive data, when it comes to massive processing of large amounts of data of a more intrusive nature, such as is the case of Google, it is more advisable to obtain prior consent from the data subjects as a legal basis for the processing operation performed for behavioral analysis and targeted advertising. However, as already pointed out, the choice of the legal basis to substantiate the data processing must always be made on a case-by-case basis, analyzing, among other issues, the type and quantity of data collected, the feasibility of obtaining consent, and the risks arising from each choice.
The LGPD establishes that consent as a legal basis for the data processing must be free, informed, and unequivocal, in addition to being provided in writing or by other means that demonstrate the intention of the data subject, otherwise it will not be considered valid. Consent must also relate to specified purposes, such that generic authorizations for the processing of personal data are considered void.
In other words, for the consent to be considered valid and therefore capable of legitimizing the data processing, it is essential that the data subject have easy access to information on the processing, which should be made available in a clear, appropriate and prominent manner, including information about the types of data processed, the specific purpose of the processing, the form and duration of the processing, the identification of the controller responsible for the processing decisions, the resulting consequences, the impacts on the data subjects, and the degree of intrusion in their private lives.
In the case of Google mentioned earlier, CNIL found that the consent obtained was not valid, since the information regarding the processing was spread out across various documents, which made access difficult for the data subjects. In addition, the information was too generic, and this prevented the data subjects from understanding with sufficient clarity the particular consequences of the processing and evaluating the extent of the processing and the degree of intrusion into their private lives.
CNIL also found that, in order for the consent to be considered valid, it would require a positive act by the data subject, not just pre-selected opt-ins. That is, according to CNIL’s understanding, it is imperative that the data subjects themselves select the checkbox, expressly providing their consent.
Lastly, CNIL reiterated that the consent should be given in a specific and separate manner for each processing purpose (through specific and separate opt-ins for each purpose), which means that selecting one single “I agree” checkbox regarding the whole privacy policy is considered too generic and, therefore, void. In relation to this point, it should be emphasized that the LGPD, unlike the GDPR, only requires specific consent in exceptional situations (such as in the case of processing of sensitive data or international transfer of data). Thus, in theory, there is nothing in Brazilian law that prevents a single “I agree” with the whole privacy policy.
Although this CNIL decision was reached on the basis of the GDPR, it constitutes a very relevant precedent, which may be used as an interpretative benchmark for the application of the LGPD, bearing in mind the similarities and differences between the two legislations.
It is, therefore, of the utmost importance that targeted advertising and marketing companies carefully monitor the issues discussed in this article and adapt their activities to the new requirements of the LGPD, in order to ensure that the processing of personal data carried out by them is always based on one of the legal provisions, in order to avoid the application of sanctions, which include fines of up to 2% of the total revenues of the company, group, or conglomerate in Brazil, in its last fiscal year, limited to R$ 50 million per infraction.
[1] Article 7. The processing of personal data may only be carried out in the following scenarios:
I - upon the provision of consent by the data subject;
II - for the fulfillment by the controller of a legal or regulatory obligation;
III - by the public administration, for the processing and shared use of data that are necessary for the execution of public policies provided for in laws, regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
IV - to carry out studies by a research body, therein guaranteeing, wherever possible, the anonymization of personal data;
V - when necessary for the performance under a contract or preliminary procedures relating to a contract to which the data subject is a party, at the request of the data subject;
VI - for the regular exercise of rights in judicial, administrative, or arbitration proceedings, in accordance with Law No. 9,307, of September 23, 1996 (the Arbitration Law);
VII - for the protection of life or physical safety of the data subject or a third party;
VIII - for the protection of health, in the context of a procedure performed by health care professionals or health authorities;
IX - when necessary to meet the legitimate interests of the controller or a third party, except in cases in which the data subject's fundamental rights and freedoms require the protection of personal data; or
X - for the protection of credit, including as set forth in the provisions of the relevant legislation.
[2] Free translation. Original text: “Par ailleurs, si le très grand nombre de données traitées permet de caractériser à lui seul le caractère massif et intrusif des traitements opérés, la nature même de certaines des données décrites, telles que les données de géolocalisation ou les contenus consultés, renforce ce constat. Considérée isolément, la collecte de chacune de ces données est susceptible de révéler avec un degré de précision important de nombreux aspects parmi les plus intimes de la vie des personnes, dont leurs habitudes de vie, leurs goûts, leurs contacts, leurs opinions ou encore leurs déplacements. Le résultat de la combinaison entre elles de ces données renforce considérablement le caractère massif et intrusif des traitements dont il est question” (COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS (CNIL) - DELIBERATION No. SAN-2019-001 OF JANUARY 21, 2019).