Let’s break it to you directly: No, Google Analytics is not illegal in Brazil. Google Analytics came under fire from several European authorities because it is not compliant with the GDPR rules on extra-European data transfers. The GDPR does not apply in Brazil as it is not a member of the European Union or the European Economic Area.
However, Brazilian companies still need to comply with the GDPR if they target the European market or monitor behaviors in the EU (this includes using Google Analytics on a website targeting a European audience). Hence, it's worthwhile to dig deeper here.
- Brazilian privacy legislation
- What rules apply to Google Analytics in Brazil?
- Can I transfer personal data from Europe to Brazil?
- What is all the fuss around Google Analytics about?
- Final Thoughts
Let’s dive in!
Brazilian privacy legislation
The Federal Constitution of Brazil recognizes privacy as a fundamental right and was recently amended to provide for a right to data protection. As a result, the Constitution now guarantees both privacy and data protection as distinct rights, much like the Charter of Fundamental Rights of the European Union.
The main Brazilian privacy legislation is the 2018 General Data Protection Act. The GDPR heavily influenced this law in many regards. Brazil also adopted an enforcement model similar to that of the European Union and established an independent National Data Protection Authority in 2020.
What rules apply to Google Analytics in Brazil?
Cookies are personal data under the LGPD, but the Brazilian legal framework is less strict than the European one, and consent is not always necessary.
The cookie banners and policy requirements are similar to those laid out by the GDPR.
Can I transfer personal data from Europe to Brazil?
At the moment, there is no adequacy decision for Brazil. In other words, the European Commission did not “green-light” Brazil as a safe country for the purpose of data transfers.
You can still transfer personal data to Brazil, but it will be trickier than transferring data to an EU/EEA country or a country covered by an adequacy decision.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve Brazil directly, but it does involve Brazillian websites using Google Analytics, provided that they target the European market and audience. We wrote about this extensively already on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred safely outside the EEA. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will undoubtedly face legal challenges. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here). State surveillance is the reason transferring data to the US is typically trickier than transferring it to Brazil, even though an adequacy decision covers neither country.
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, NGO noyb filed 101 complaints about data transfers against European websites using Google Analytics and Facebook Connect to nudge authorities toward stricter enforcement of the Schrems II ruling.
Data protection authorities coordinated their approach at a European level to handle the complaints coherently. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in very similar decisions, and the Danish DPA essentially did the same in a press release. While the decisions address an individual controller, they all set a precedent that practically amounts to a State-wide ban, as we explained here.
With coordination at a European level and the influential French and Italian authorities leading the way, other DPAs will likely follow the example and adopt a harder stance on Google Analytics.
Whether Google Analytics is illegal in Brazil or not, it’s definitely not privacy-friendly to your website visitors. We believe you can gather website insights while respecting your visitor's privacy. This is why we started building Simple Analytics as a privacy-friendly Google Analytics alternative.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here. If this resonates with you, feel free to give us a try.