Other articles (42)

  • Accepted formats

    28 January 2010, by

    The following commands give information about the formats and codecs supported by the local ffmpeg installation:
    ffmpeg -codecs
    ffmpeg -formats
    Accepted input video formats
    This list is not exhaustive; it highlights the main formats in use:
    • h264: H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
    • m4v: raw MPEG-4 video format
    • flv: Flash Video (FLV) / Sorenson Spark / Sorenson H.263
    • Theora
    • wmv:
    Possible output video formats
    As a first step, we (...)

  • Publishing on MédiaSpip

    13 June 2013

    Can I post content from an iPad tablet?
    Yes, if your installed MédiaSpip is version 0.2 or higher. If needed, contact the administrator of your MédiaSpip to find out.

  • Users added manually by an administrator

    12 April 2011, by

    A channel administrator can at any time add one or more other users from the site’s configuration area by choosing the "User management" submenu.
    On this page it is possible to:
    1. decide on user registration via two options: accept registration of visitors to the public site, or refuse visitor registration
    2. add or modify/delete a user
    In the second form on the page, an administrator can add, (...)

On other sites (4424)

  • Adventures In NAS

    1 January, by Multimedia Mike — General

    In my post last year about my out-of-control single-board computer (SBC) collection which included my meager network attached storage (NAS) solution, I noted that:

    I find that a lot of my fellow nerds massively overengineer their homelab NAS setups. I’ll explore this in a future post. For my part, people tend to find my homelab NAS solution slightly underengineered.

    So here I am, exploring this in a future post. I’ve been in the home NAS game a long time, but have never had very elaborate solutions for such. For my part, I tend to take an obsessively reductionist view of what constitutes a NAS: Any small computer with a pool of storage and a network connection, running the Linux operating system and the Samba file sharing service.


    Simple hard drive and ethernet cable

    Many home users prefer to buy turnkey boxes, usually that allow you to install hard drives yourself, and then configure the box and its services with a friendly UI. My fellow weird computer nerds often buy cast-off enterprise hardware and set up more resilient, over-engineered solutions, as long as they have strategies to mitigate the noise and dissipate the heat, and don’t mind the electricity bills.

    If it works, awesome! As an old hand at this, I am rather stuck in my ways, however, preferring to do my own stunts, both with the hardware and software solutions.

    My History With Home NAS Setups
    In 1998, I bought myself a new computer — beige box tower PC, as was the style at the time. This was when normal people only had one computer at most. It ran Windows, but I was curious about this new thing called “Linux” and learned to dual boot that. Later that year, it dawned on me that nothing prevented me from buying a second ugly beige box PC and running Linux exclusively on it. Further, it could be a headless Linux box, connected by ethernet, and I could consolidate files into a single place using this file sharing software named Samba.

    I remember it being fairly onerous to get Samba working in those days. And the internet was not quite so helpful in those days. I recall that the thing that blocked me for a while was needing to know that I had to specify an entry for the Samba server machine in the LMHOSTS (Lanman hosts) file on the Windows 95 machine.

    However, after I cracked that code, I have pretty much always had some kind of ad-hoc home NAS setup, often combined with a headless Linux development box.

    In the early 2000s, I built a new beige box PC for a file server, with a new hard disk, and a coworker tutored me on setting up a (P)ATA UDMA 133 (or was it 150? anyway, it was (P)ATA’s last hurrah before SATA conquered all) expansion card and I remember profiling that the attached hard drive worked at a full 21 MBytes/s reading. It was pretty slick. Except I hadn’t really thought things through. You see, I had a hand-me-down ethernet hub cast-off from my job at the time which I wanted to use. It was a 100 Mbps repeater hub, not a switch, so the catch was that all connected machines had to be capable of 100 Mbps. So, after getting all of my machines (3 at the time) upgraded to support 10/100 ethernet (the old off-brand PowerPC running Linux was the biggest challenge), I profiled transfers and realized that the best this repeater hub could achieve was about 3.6 MBytes/s. For a long time after that, I just assumed that was the upper limit of what a 100 Mbps network could achieve. Obviously, I now know that the upper limit ought to be around 11.2 MBytes/s and if I had gamed out that fact in advance, I would have realized it didn’t make sense to care about super-fast (for the time) disk performance.

    At this time, I was doing a lot of development for MPlayer/xine/FFmpeg. I stored all of my multimedia material on this NAS. I remember being confused when I was working with Y4M data, which is raw frames, which is lots of data. xine, which employed a pre-buffering strategy, would play fine for a few seconds and then stutter. Eventually, I reasoned out that the files I was working with had a data rate about twice what my awful repeater hub supported, which is probably the first time I came to really understand and respect streaming speeds and their implications for multimedia playback.

    Smaller Solutions
    For a period, I didn’t have a NAS. Then I got an Apple AirPort Extreme, which I noticed had a USB port. So I bought a dual drive brick to plug into it and used that for a time. Later (2009), I had this thing called the MSI Wind Nettop which is the only PC I’ve ever seen that can use a CompactFlash (CF) card for a boot drive. So I did just that, and installed a large drive so it could function as a NAS, as well as a headless dev box. I’m still amazed at what a low-power I/O beast this thing is, at least when compared to all the ARM SoCs I have tried in the intervening 1.5 decades. I’ve had spinning hard drives in this thing that could read at 160 MBytes/s (‘dd’ method) and have no trouble saturating the gigabit link at 112 MBytes/s, all with its early Intel Atom CPU.

    Around 2015, I wanted a more capable headless dev box and discovered Intel’s line of NUCs. I got one of the fat models that can hold a conventional 2.5″ spinning drive in addition to the M.2 SATA SSD and I was off and running. That served me fine for a few years, until I got into the ARM SBC scene. One major limitation here is that 2.5″ drives aren’t available in nearly the capacities that make a NAS solution attractive.

    Current Solution
    My current NAS solution, chronicled in my last SBC post, is the ODroid-HC2, which is a highly compact ARM SoC with an integrated USB3-SATA bridge so that a SATA drive can be connected directly to it:


    ODROID-HC2 NAS



    I tend to be weirdly proficient at recalling dates, so I’m surprised that I can’t recall when I ordered this and put it into service. But I’m pretty sure it was circa 2018. It’s only equipped with an 8 TB drive now, but I seem to recall that it started out with only a 4 TB drive. I think I upgraded to the 8 TB drive early in the pandemic in 2020, when ISPs were implementing temporary data cap amnesty and I was doing what a r/DataHoarder does.

    The HC2 has served me well, even though it has a number of shortcomings for a hardware set chartered for NAS:

    1. While it has a gigabit ethernet port, it’s documented that it never really exceeds about 70 MBytes/s, due to the SoC’s limitations
    2. The specific ARM chip (Samsung Exynos 5422; more than a decade old as of this writing) lacks cryptography instructions, slowing down encryption if that’s your thing (e.g., LUKS)
    3. While the SoC supports USB3, that block is tied up for the SATA interface; the remaining USB port is only capable of USB2 speeds
    4. 32-bit ARM, which prevented me from running certain bits of software I wanted to try (like Minio)
    5. Only 1 drive, so no possibility for RAID (again, if that’s your thing)

    I also love to brag on the HC2’s power usage: I once profiled the unit for a month using a Kill-A-Watt and under normal usage (with the drive spinning only when in active use). The unit consumed 4.5 kWh… in an entire month.

    New Solution
    Enter the ODroid-HC4 (I purchased mine from Ameridroid but Hardkernel works with numerous distributors):


    ODroid-HC4 with 2 drives

    ODroid-HC4 with an SSD and a conventional drive


    I ordered this earlier in the year and after many months of procrastinating and obsessing over the best approach to take with its general usage, I finally have it in service as my new NAS. Comparing point by point with the HC2:

    1. The gigabit ethernet runs at full speed (though a few things on my network run at 2.5 GbE now, so I guess I’ll always be behind)
    2. The ARM chip (Amlogic S905X3) has AES cryptography acceleration and handles all the LUKS stuff without breaking a sweat; “cryptsetup benchmark” reports between 500-600 MBytes/s on all the AES variants
    3. The USB port is still only USB2, so no improvement there
    4. 64-bit ARM, which means I can run Minio to simulate block storage in a local dev environment for some larger projects I would like to undertake
    5. Supports 2 drives, if RAID is your thing

    How I Set It Up
    How to set up the drive configuration? As should be apparent from the photo above, I elected for an SSD (500 GB) for speed, paired with a conventional spinning HDD (18 TB) for sheer capacity. I’m not particularly trusting of RAID. I’ve watched it fail too many times, on systems that I don’t even manage, not to mention that aforementioned RAID brick that I had attached to the Apple AirPort Extreme.

    I had long been planning to use bcache, the block caching interface for Linux, which can use the SSD as a speedy cache in front of the more capacious disk. There is also LVM cache, which is supposed to achieve something similar. And then I had to evaluate the trade-offs in whether I wanted write-back, write-through, or write-around configurations.

    This was all predicated on the assumption that the spinning drive would not be able to saturate the gigabit connection. When I got around to setting up the hardware and trying some basic tests, I found that the conventional HDD had no trouble keeping up with the gigabit data rate, both reading and writing, somewhat obviating the need for SSD acceleration using any elaborate caching mechanisms.

    Maybe that’s because I sprung for the WD Red Pro series this time, rather than the Red Plus? I’m guessing that conventional drives do deteriorate over the years. I’ll find out.

    For the operating system, I stuck with my newest favorite Linux distro: DietPi. While HardKernel (parent of ODroid) makes images for the HC units, I had also used DietPi for the HC2 for the past few years, as it tends to stay more up to date.

    Then I rsync’d my data from HC2 -> HC4. It was only about 6.5 TB of total data but it took days as this WD Red Plus drive is only capable of reading at around 10 MBytes/s these days. Painful.

    For file sharing, I’m pretty sure most normal folks have nice web UIs in their NAS boxes which allow them to easily configure and monitor the shares. I know there are such applications I could set up. But I’ve been doing this so long, I just do a bare bones setup through the terminal. I installed regular Samba and then brought over my smb.conf file from the HC2. One by one, I tested that each of the old shares was activated on the new NAS and deactivated on the old NAS. I also set up a new share for the SSD. I guess that will just serve as a fast I/O scratch space on the NAS.

    The conventional drive spins up and down. That’s annoying when I’m actively working on something but manage not to hit the drive for like 5 minutes and then an application blocks while the drive wakes up. I suppose I could set it up so that it is always running. However, I micro-manage this with a custom bash script I wrote a long time ago which logs into the NAS and runs the “date” command every 2 minutes, appending the output to a file. As a bonus, it also prints data rate up/down stats every 5 seconds. The spinning file (“nas-main/zz-keep-spinning/keep-spinning.txt”) has never been cleared and has nearly a quarter million lines. I suppose that implies that it has kept the drive spinning for 1/2 million minutes which works out to around 347 total days. I should compare that against the drive’s SMART stats, if I can remember how. The earliest timestamp in the file is from March 2018, so I know the HC2 NAS has been in service at least that long.

    For tasks, vintage cron still does everything I could need. In this case, that means reaching out to websites (like this one) and automatically backing up static files.

    I also have to have a special script for starting up. Fortunately, I was able to bring this over from the HC2 and tweak it. The data disks (though not boot disk) are encrypted. Those need to be unlocked and only then is it safe for the Samba and Minio services to start up. So one script does all that heavy lifting in the rare case of a reboot (this is the type of system that’s well worth having on a reliable UPS).

    Further Work
    I need to figure out how to use the OLED display on the NAS, and how to make it show something more useful than the current time and date, which is what it does in its default configuration with HardKernel’s own Linux distro. With DietPi, it does nothing by default. I’m thinking it should be able to show the percent usage of each of the 2 drives, at a minimum.

    I also need to establish a more responsible backup regimen. I’m way too lazy about this. Fortunately, I reason that I can keep the original HC2 in service, repurposed to accept backups from the main NAS. Again, I’m sort of micro-managing this since a huge amount of data isn’t worth backing up (remember the whole DataHoarder bit), but the most important stuff will be shipped off.

    The post Adventures In NAS first appeared on Breaking Eggs And Making Omelettes.

  • OCPA, FDBR and TDPSA – What you need to know about the US’s new privacy laws

    22 July 2024, by Daniel Crough

    On July 1, 2024, new privacy laws took effect in Florida, Oregon, and Texas. People in these states now have more control over their personal data, signaling a shift in privacy policy in the United States. Here’s what you need to know about these laws and how privacy-focused analytics can help your business stay compliant.

    Consumer rights are front and centre across all three laws

    The Florida Digital Bill of Rights (FDBR), Oregon Consumer Privacy Act (OCPA), and Texas Data Privacy and Security Act (TDPSA) grant consumers similar rights.

    Access: Consumers can access their personal data held by businesses.

    Correction: Consumers can correct inaccurate data.

    Deletion: Consumers may request data deletion.

    Opt-Out: Consumers can opt-out of the sale of their personal data and targeted advertising.

    Oregon Consumer Privacy Act (OCPA)

    The Oregon Consumer Privacy Act (OCPA), signed into law on June 23, 2023, and effective as of July 1, 2024, grants Oregonians new rights regarding their personal data and imposes obligations on businesses. Starting July 1, 2025, authorities will enforce provisions that require data protection assessments, and businesses must recognize universal opt-out mechanisms by January 1, 2026. In Oregon, the OCPA applies to businesses that:

    • Either conduct business in Oregon or offer products and services to Oregon residents

    • Control or process the personal data of 100,000 consumers or more, or

    • Control or process the data of 25,000 or more consumers while receiving over 25% of their gross revenues from selling personal data.

    Exemptions include public bodies like state and local governments, financial institutions, and insurers that operate under specific financial regulations. The law also excludes protected health information covered by HIPAA and other specific federal regulations.

    Business obligations

    Data Protection Assessments: Businesses must conduct data protection assessments for high-risk processing activities, such as those involving sensitive data or targeting children.

    Consent for Sensitive Data: Businesses must secure explicit consent before collecting, processing, or selling sensitive personal data, such as racial or ethnic origin, religious beliefs, health information, biometric data, and geolocation.

    Universal Opt-out: Starting January 1, 2025, businesses must acknowledge universal opt-out mechanisms, like the Global Privacy Control, that allow consumers to opt out of data collection and processing activities.

    Enforcement

    The Oregon Attorney General can issue fines up to $7,500 per violation. There is no private right of action.

    Unique characteristics of the OCPA

    The OCPA differs from other state privacy laws by requiring affirmative opt-in consent for processing sensitive and children’s data, and by including nonprofit organisations under its scope. It also requires global browser opt-out mechanisms starting in 2026.

    Florida Digital Bill of Rights (FDBR)

    The Florida Digital Bill of Rights (FDBR) became law on June 6, 2023, and it came into effect on July 1, 2024. This law targets businesses with substantial operations or revenues tied to digital activities and seeks to protect the personal data of Florida residents by granting them greater control over their information and imposing stricter obligations on businesses. It applies to entities that:

    • Conduct business in Florida or provide products or services targeting Florida residents,

    • Have annual global gross revenues exceeding $1 billion,

    • Receive 50% or more of their revenues from digital advertising or operate significant digital platforms such as app stores or smart speakers with virtual assistants.

    Exemptions include governmental entities, nonprofits, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by HIPAA.

    Business obligations

    Data Security Measures: Companies are required to implement reasonable data security measures to protect personal data from unauthorised access and breaches.

    Handling Sensitive Data: Explicit consent is required for processing sensitive data, which includes information like racial or ethnic origin, religious beliefs, and biometric data.

    Non-Discrimination: Entities must ensure they do not discriminate against consumers who exercise their privacy rights.

    Data Minimisation: Businesses must collect only necessary data.

    Vendor Management: Businesses must ensure that their processors and vendors also comply with the FDBR, regarding the secure handling and processing of personal data.

    Enforcement

    The Florida Attorney General can impose fines of up to $50,000 per violation, with higher penalties for intentional breaches.

    Unique characteristics of the FDBR

    Unlike broader privacy laws such as the California Consumer Privacy Act (CCPA), which apply to a wider range of businesses based on lower revenue thresholds and the volume of data processed, the FDBR distinguishes itself by targeting large-scale businesses with substantial revenues from digital advertising. The FDBR also emphasises specific consumer rights related to modern digital interactions, reflecting the evolving landscape of online privacy concerns.

    Texas Data Privacy and Security Act (TDPSA)

    The Texas Data Privacy and Security Act (TDPSA), signed into law on June 16, 2023, and effective as of July 1, 2024, enhances data protection for Texas residents. The TDPSA applies to entities that:

    • Conduct business in Texas or offer products or services to Texas residents.

    • Engage in processing or selling personal data.

    • Do not fall under the classification of small businesses according to the U.S. Small Business Administration’s criteria, which usually involve employee numbers or average annual receipts. 

    The law excludes state agencies, political subdivisions, financial institutions compliant with the Gramm-Leach-Bliley Act, and entities compliant with HIPAA.

    Business obligations

    Data Protection Assessments: Businesses must conduct data protection assessments for processing activities that pose a heightened risk of harm to consumers, such as processing for targeted advertising, selling personal data, or profiling.

    Consent for Sensitive Data: Businesses must get explicit consent before collecting, processing, or selling sensitive personal data, such as racial or ethnic origin, religious beliefs, health information, biometric data, and geolocation.

    Companies must have adequate data security practices based on the personal information they handle.

    Data Subject Access Requests (DSARs): Businesses must respond to consumer requests regarding their personal data (e.g., access, correction, deletion) without undue delay, but no later than 45 days after receipt of the request.

    Sale of Data: If businesses sell personal data, they must disclose these practices to consumers and provide them with an option to opt out.

    Universal Opt-Out Compliance: Starting January 1, 2025, businesses must recognise universal opt-out mechanisms like the Global Privacy Control, enabling consumers to opt out of data collection and processing activities.

    Enforcement

    The Texas Attorney General can impose fines up to $25,000 per violation. There is no private right of action.

    Unique characteristics of the TDPSA

    The TDPSA stands out for its small business carve-out, lack of specific thresholds based on revenue or data volume, and requirements for recognising universal opt-out mechanisms starting in 2025. It also mandates consent for processing sensitive data and includes specific measures for data protection assessments and privacy notices.


    Privacy notices across Florida, Oregon, and Texas

    All three laws include a mandate for privacy notices, though there are subtle variations in their specific requirements. Here’s a breakdown of these differences:

    FDBR privacy notice requirements

    Clarity: Privacy notices must clearly explain the collection and use of personal data.

    Disclosure: Notices must inform consumers about their rights, including the right to access, correct, delete their data, and opt-out of data sales and targeted advertising.

    Specificity: Businesses must disclose if they sell personal data or use it for targeted advertising.

    Security Practices: The notice should describe the data security measures in place.

    OCPA privacy notice requirements

    Comprehensive Information: Notices must provide information about the personal data collected, the purposes for processing, and any third parties that can access it.

    Consumer Rights: Must plainly outline consumers’ rights to access, correct, delete their data, and opt-out of data sales, targeted advertising, and profiling.

    Sensitive Data: To process sensitive data, businesses or entities must get explicit consent and communicate it.

    Universal Opt-Out: Starting January 1, 2026, businesses must recognise and honour universal opt-out mechanisms.

    TDPSA privacy notice requirements

    Detailed Notices: Must provide clear and detailed information about data collection practices, including the data collected and the purposes for its use.

    Consumer Rights: Must inform consumers of their rights to access, correct, delete their data, and opt-out of data sales and targeted advertising.

    High-Risk Processing: Notices should include information about any high-risk processing activities and the safeguards in place.

    Sensitive Data: To process sensitive data, entities and businesses must get explicit consent.

    What these laws mean for your businesses

    Businesses operating in Florida, Oregon, and Texas must now comply with these new data privacy laws. Here’s what you can do to avoid fines:

    1. Understand the Laws: Familiarise yourself with the specific requirements of the FDBR, OCPA, and TDPSA, including consumer rights and business obligations.

    2. Implement Data Protection Measures: Ensure you have robust data security measures in place. This includes conducting regular data protection assessments, especially for high-risk processing activities.

    3. Update Privacy Policies: Provide clear and comprehensive privacy notices that inform consumers about their rights and how their data is processed.

    4. Obtain Explicit Consent: For sensitive data, make sure you get explicit consent from consumers. This includes information like health, race, sexual orientation, and more.

    5. Manage Requests Efficiently: Be prepared to handle requests from consumers to access, correct, delete their data, and opt-out of data sales and targeted advertising within the stipulated timeframes.

    6. Recognise Opt-Out Mechanisms: For Oregon, businesses must be ready to implement and recognise universal opt-out mechanisms by January 1, 2026. In Texas, opt-out enforcement begins in 2026. In Florida, the specific opt-out provisions began on July 1, 2024.

    7. Stay Updated: Keep abreast of any changes or updates to these laws to ensure ongoing compliance. Keep an eye on the Matomo blog or sign up for our newsletter to stay in the know.

    Are we headed towards a more privacy-focused future in the United States?

    Florida, Oregon, and Texas are joining states like California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana in strengthening consumer privacy protections. This trend could signify a shift in US policy towards a more privacy-focused internet, underlining the importance of consumer data rights and transparent business practices. Even if these laws do not apply to your business, considering updates to your data and privacy policies is wise. Fortunately, there are tools and solutions designed for privacy and compliance to help you navigate these changes.

    Avoid fines and get better data with Matomo

    Most analytics tools don’t prioritize safeguarding user data. At Matomo, we believe everyone has the right to data sovereignty, privacy and amazing analytics. Matomo offers a solution that meets privacy regulations while delivering incredible insights. With Matomo, you get:

    100% Data Ownership: Keep full control over your data, ensuring it is used according to your privacy policies.

    Privacy Protection: Built with privacy in mind, Matomo helps businesses comply with privacy laws.

    Powerful Features: Gain insights with tools like heatmaps, session recordings, and A/B testing.

    Open Source: Matomo is open-source and committed to transparency and customisation.

    Flexibility: Choose to host Matomo on your servers or in the cloud for added security.

    No Data Sampling: Ensure accurate and complete insights without data sampling.

    Privacy Compliance: Easily meet GDPR and other requirements, with data stored securely and never sold or shared.

    Disclaimer: This content is provided for informational purposes only and is not intended as legal advice. While we strive to ensure the accuracy and timeliness of the information provided, the laws and regulations surrounding privacy are complex and subject to change. We recommend consulting with a qualified legal professional to address specific legal issues related to your circumstances.

  • LGPD: Demystifying Brazil’s New Data Protection Law

    31 August 2023, by Erin — Privacy

    The General Personal Data Protection Law (LGPD or Lei Geral de Proteção de Dados Pessoais) is a relatively new piece of legislation passed by the Brazilian government in 2018. The law officially took effect on September 18, 2020, but was not enforced until August 1, 2021, due to complications from the COVID-19 pandemic.

    For organisations that do business in Brazil and collect personal data, the LGPD has far-reaching implications, with 65 separate articles that outline how organisations must collect, process, disclose and erase personal data.

    In this article, you’ll learn what the LGPD is, including its contents and how a legal entity can be compliant.

    What is the LGPD?

    The LGPD is a new data protection and privacy law passed by the Federal Brazilian Government on May 29, 2018. The purpose of the law is to unify the 40 previous Brazilian laws that regulated the processing of personal data.

    The LGPD explained

    Many of the older laws have been either updated or removed to accommodate this change. The LGPD comprises 65 separate articles, and each covers a different area of the legislation, such as the rights of data subjects and the legal bases on which personal data may be collected. It also sets out the responsibilities of the National Data Protection Authority (ANPD), a newly created agency responsible for the guidance, supervision and enforcement of the LGPD.

    LGPD compliance is essential for organisations wishing to operate in Brazil and collect personal data for commercial purposes, whether online or offline. However, understanding the different rules and regulations and even figuring out if the LGPD applies to you can be challenging.

    Fortunately, the LGPD is relatively easy to understand and shares many similarities with the General Data Protection Regulation (GDPR), the data protection law implemented on May 25, 2018, by the European Union. This may help you better understand why the LGPD was enacted, the policies it contains and the goals it hopes to achieve. Both laws are very similar, but some items are unique to Brazil, such as what qualifies as a legal basis for collecting personal data.

    For these reasons, organisations should not apply a one-size-fits-all approach to GDPR and LGPD compliance, for they are different laws with different guiding principles and requirements.

    Who does the LGPD apply to, and who is exempt?

    The LGPD applies to any natural person, public entity and private entity that collects, processes and stores personal data for commercial purposes within the national territory of Brazil. The same also applies to those who process the personal data of Brazilian and non-Brazilian citizens within the national territory of Brazil, even if the data processor is outside of Brazil. It also applies to those who process personal data collected from the national territory of Brazil.

    So, what does this all mean?

    Regardless of your location, if you conduct any personal data processing activities in Brazil or you process data that was collected from Brazil, then there is a high possibility that the LGPD applies to you. This is especially true if the data processing is for commercial purposes; or, to be more precise, for the offering or provision of goods or services. It also means that subjects whose personal data is collected under these conditions are protected by the nine data subject rights.

    There are exceptions where the LGPD does not apply to data processors. These include if you process personal data for private or non-commercial reasons; for artistic, journalistic and select academic purposes; and for the purpose of state security, public safety, national defence and activities related to the investigation and prosecution of criminal offenders. Also, if the processed data originates from a country with similar data protection laws to Brazil, such as any country in the European Union (where the GDPR applies), then the LGPD will not apply to that individual or organisation.

    For these reasons, it is vital that you are familiar with the LGPD so that your data processing activities comply with the new standards. This is also important for the future, as an estimated 75% of the global population’s personal data will be protected by a privacy regulation. Getting things right now will make life easier moving forward.

    What are the nine LGPD data subject rights?

    The LGPD has nine data subject rights. These protect the rights and freedoms of subjects, regardless of their political opinion and religious belief.

    What are the LGPD consumer rights?

    These rights, listed under Article 19 of the LGPD, confirm that a data subject has the right to:

    1. Confirm the processing of their data.
    2. Access their data.
    3. Correct data that is incomplete, not accurate and out of date.
    4. Anonymize, block and delete data that is excessive, unnecessary and was not processed in compliance with the law.
    5. Move their data to a different service provider or product provider by special request.
    6. Delete or stop using personal data under certain circumstances.
    7. Gain information about who the data processor has shared the processed data with, including private and public entities.
    8. Be informed as to what the consequences may be for denying consent to the collection of personal data.
    9. Revoke consent to have their personal data processed under certain conditions.

    Many of these data subject rights are like those in the GDPR. For example, both the GDPR and LGPD give data subjects the right to be informed, the right to access, the right to data portability and the right to rectify false data. However, while the LGPD has nine data subject rights, the GDPR has only eight. What is the extra data subject right? The right to gain information on who a data processor has shared your data with.

    There are other slight differences between the GDPR and LGPD with regard to data subject rights. For instance, the GDPR has a clear right to restrict certain data processing activities, such as those related to automation. The LGPD has this, too. But the subject of data collection automation is under Article 20, separate from all the data subject rights listed under Article 19.

    Under what conditions can personal data in Brazil be processed?

    There are various conditions under which organisations can legally conduct personal data processing in Brazil. The aim of these conditions is to give data subjects confidence that their personal data is processed only for safe, legal and ethical reasons. Also, the conditions help data processors, both individuals and organisations, determine if they have a legal basis for processing personal data in or in relation to Brazil.

    Legal basis of data collection in Brazil

    According to Article 7 of the LGPD, data processing may only be carried out if done:

    1. With consent by the data subject.
    2. To comply with a legal or regulatory obligation.
    3. By public authorities to assist with the execution of a public policy, one established by law or regulation.
    4. To help research entities carry out studies; granted, when possible, subjects can anonymize their data.
    5. To carry out a contract or preliminary procedure, in particular, one related to a contract where the data subject is a party.
    6. To exercise the right of an arbitration, administration or judicial procedure.
    7. To protect the physical safety or life of someone.
    8. To protect the health of someone about to undergo a procedure performed by health entities.
    9. To fulfill the legitimate interests of a data processor, unless doing so would compromise a data subject’s fundamental rights and liberties.
    10. To protect one’s credit score.

    Much like the nine data subject rights, there are key differences between the LGPD and GDPR. The GDPR has six lawful bases for data processing, while the LGPD has ten. One notable addition to the LGPD is for the protection of one’s credit score, which is not covered by the GDPR. This is another reason to ensure compliance with both data protection laws separately.

    LGPD vs. GDPR: How do they differ?

    The LGPD was modeled closely on the GDPR, so it’s no surprise the two are similar. 

    Both laws ensure a high level of protection for the rights and freedoms of data subjects. They outline the legal justifications for data processing, establish the responsibilities of a data protection authority and lay out the penalties for non-compliance. That said, there are key differences between them.

    First, data subject rights; the LGPD has nine, while the GDPR has eight. The GDPR gives data subjects the right to request a human review of automated decision-making, while the LGPD does not. Second, the legal bases for processing; the LGPD has ten, while the GDPR has six. The four legal bases unique to the LGPD are: for protection of credit, for protection of health, for protection of life and for research entities carrying out studies.

    Both the LGPD and GDPR have different non-compliance penalties. The maximum fine for an infraction under the GDPR is up to €20 million (or 4% of the offender’s annual global revenue, whichever is higher). The maximum fine for an LGPD infraction is up to 50 million reais (around €9.2 million), or up to 2% of an offender’s revenue in Brazil, whichever is higher.

    6 steps to LGPD compliance with Matomo

    Below are steps you can follow to ensure your organisation is LGPD compliant. You’ll also learn how Matomo can help you comply quickly and easily.

    How to ensure compliance with LGPD

    Let’s dive in.

    1. Appoint a DPO

    A DPO is a person, group, or organisation that communicates with data processors, data subjects, and the ANPD.

    Curiously, the LGPD lets you appoint your own DPO, even if they reside outside of Brazil. So if the LGPD applies to you, you can appoint someone in your organisation to be a DPO. Just make sure that the nominated person has the understanding and capacity to perform the role’s duties.

    2. Assess your data

    Once you’re familiar with the LGPD and confirm your eligibility for LGPD compliance, take the time to assess your data. If you plan to collect data within the territory of Brazil, you’ll need to confirm the exact location of your data subjects. 

    To do this in Matomo, simply go to the previous year’s calendar. Then click on visitors, go to locations, and look for Brazil under the “Region” section. This will tell you how many of your web visitors are located in Brazil.

    3. Review privacy practices

    Review your existing privacy policies and practices, as there’s a good chance they’ll need to be updated to comply with the LGPD. Also, review your data sharing and third-party agreements, as you may need to communicate these new policies to partners that you rely on to deliver your services. 

    Lastly, review your procedures for tracking personal data and Personally Identifiable Information (PII). You may need to modify the type of data that you track to comply with the LGPD. You may even be tracking this data without your knowledge.

    4. Anonymize tracking data

    Data subjects under the LGPD have the right to request data anonymity. Therefore, to be LGPD compliant, your organisation must be able to accommodate such a request.

    Fortunately, Matomo has various data anonymization techniques that help you protect your data subject’s privacy and comply with the LGPD. These techniques include the ability to anonymize previously tracked raw data, anonymize visitor IP addresses, and anonymize relevant geo-location data such as regions, cities and countries.

    You can find these features and more under the Anonymize data tab within the Privacy menu on the Matomo Settings page. Learn more about how to configure privacy settings in Matomo.

    5. Comply with LGPD consent laws without cookies

    Using Matomo to anonymize the data of your data subjects enables you to comply with LGPD consent laws and removes the need to display cookie consent banners on your website. This is made possible by the fact that Matomo is a cookieless tracking web analytics platform.

    Unlike other web analytics platforms like Google Analytics, which collect and use third-party cookies (persistent data that remains on your device, until that data expires or until you manually delete it) for their “own purposes,” Matomo is different. We use alternative means to identify web visitors, such as counting the number of unique IP addresses and performing browser fingerprinting, neither of which involve the collection of personal data.

    As a result, you don’t have to display cookie consent banners on your website, and you can track your web visitors even if they disable cookies.

    6. Give users the right to opt-out

    Under the LGPD, data subjects have the right to opt-out of your data collection procedures. For this reason, make sure that your web visitors can do this on your website.

    You can do this in Matomo by adding an opt-out from tracking form to your website. To do this, click on the cog icon in the top menu, load the settings page, and click on the Users opt-out menu item in the Privacy section. Then follow the instructions to customise and publish the Matomo opt-out form.

    Achieve LGPD compliance with Matomo

    Like GDPR for Europe, the LGPD will impact organisations doing business in Brazil. And while they both share much of the same definitions and data subject rights, they differ on what qualifies as a legal basis for processing sensitive data. Complying with the GDPR and LGPD separately is non-negotiable and essential to avoiding maximum fines of €20 million and €9.2 million, respectively.

    Comply with LGPD with Matomo

    As a web analytics platform with LGPD compliance, Matomo prioritises data privacy without compromising performance. Switch to a powerful LGPD-compliant web analytics platform that respects users’ privacy. 

    Get a 21-day free trial of Matomo today. No credit card required.

    Disclaimer

    We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to LGPD. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.