LGPD Compliance Guide: Brazil's Privacy Law Explained

What is LGPD?

The Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law, is Brazil's comprehensive data protection regulation that came into effect on September 18, 2020. Modeled after the European Union's GDPR, the LGPD establishes rules for the collection, storage, processing, and sharing of personal data in Brazil.

The law applies to any organization—regardless of where it is based—that processes personal data of individuals located in Brazil, offers goods or services to Brazilian residents, or processes data collected in Brazil. This extraterritorial reach means that international businesses serving Brazilian customers must comply with LGPD requirements.

Who Must Comply with LGPD?

LGPD applies to any natural person or legal entity (public or private) that:

• Processes personal data in Brazil - regardless of where the data processor is located
• Processes data of individuals in Brazil - even if the processing occurs outside Brazil
• Offers goods or services to individuals in Brazil - including free services
• Collects data in Brazil - regardless of where the data is later processed

There are limited exemptions for personal use, journalistic purposes, artistic expression, academic research (with anonymization), public safety, national defense, and state security.

LGPD Compliance Checklist

Use this checklist to assess your organization's LGPD compliance status. Each item represents a key requirement under the law:

The 10 Lawful Bases for Processing Under LGPD

Unlike GDPR, which provides six lawful bases for processing personal data, LGPD establishes ten legal grounds. Organizations must identify and document the appropriate lawful basis before processing personal data:

Data Subject Rights Under LGPD

LGPD grants individuals (data subjects) extensive rights regarding their personal data. Organizations must implement procedures to handle these requests efficiently:

Privacy Policy Requirements

Under LGPD, organizations must provide clear and accessible information about their data processing activities. Your privacy policy must include:

• Identity of the controller - Name and contact information of your organization
• DPO contact details - Information about your Data Protection Officer (Encarregado)
• Purposes of processing - Clear explanation of why data is collected and processed
• Types of data collected - Categories of personal data being processed
• Lawful basis - The legal ground for each processing activity
• Data sharing - Information about third parties with whom data is shared
• International transfers - Details about any cross-border data transfers
• Data retention periods - How long data will be stored
• Data subject rights - How individuals can exercise their rights
• Security measures - General description of security practices

Important: If you serve Brazilian users, your privacy policy should be available in Portuguese to ensure accessibility and compliance.

Data Protection Officer (Encarregado)

LGPD requires organizations to appoint a Data Protection Officer, called "Encarregado" in Portuguese. Unlike GDPR, which only requires a DPO in specific circumstances, LGPD initially required all data controllers to appoint one. However, the ANPD (National Data Protection Authority) has since provided flexibility for small businesses.

The Encarregado's responsibilities include:

• Receiving complaints and communications from data subjects
• Receiving communications from the ANPD
• Advising the organization's employees on data protection practices
• Performing other duties assigned by the controller or established by the ANPD

Penalties and Enforcement

International Data Transfers

LGPD restricts the transfer of personal data to countries or international organizations that do not provide an adequate level of data protection. Data transfers are permitted when:

• The receiving country provides adequate data protection (as determined by ANPD)
• The controller provides appropriate guarantees through standard contractual clauses, binding corporate rules, or certifications
• The transfer is necessary for international legal cooperation
• The data subject has provided specific and explicit consent
• The transfer is necessary to execute a contract with the data subject
• The transfer is necessary to protect life or physical safety

LGPD vs GDPR: Key Differences

While LGPD was heavily influenced by GDPR, there are several important differences that organizations must understand:

Data Breach Notification

Unlike GDPR's strict 72-hour notification requirement, LGPD requires organizations to report data breaches to the ANPD and affected data subjects within a "reasonable time." The notification should include:

• Description of the nature of the affected personal data
• Information about the data subjects involved
• Technical and security measures used for data protection
• Risks related to the incident
• Reasons for any delay in communication (if applicable)
• Measures taken or to be taken to mitigate the effects of the breach

Sensitive Personal Data

LGPD provides additional protections for sensitive personal data, which includes:

• Racial or ethnic origin
• Religious beliefs
• Political opinions
• Trade union membership
• Religious, philosophical, or political organization membership
• Health or sexual life data
• Genetic or biometric data

Processing sensitive data requires specific consent (separate from other consents) or must fall under specific exemptions such as legal compliance, public health protection, or when necessary for exercising rights in legal proceedings.

Children's Data

LGPD requires special attention when processing personal data of children and adolescents. Key requirements include:

• Processing must be in the child's best interest
• Consent must be obtained from at least one parent or legal guardian
• Controllers must make reasonable efforts to verify parental consent
• Information about data processing must be provided in a clear, simple manner appropriate for children

Steps to Achieve LGPD Compliance

Frequently Asked Questions

Does LGPD apply to my business outside Brazil?

Yes, if you offer goods or services to individuals in Brazil, process data of Brazilian residents, or collect data in Brazilian territory, LGPD applies to your organization regardless of where you are located. This extraterritorial scope is similar to GDPR.

What is the ANPD?

The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's national data protection authority. It is responsible for enforcing LGPD, issuing guidelines, receiving complaints, and imposing penalties for non-compliance.

Do I need a representative in Brazil?

Currently, LGPD does not explicitly require foreign organizations to appoint a local representative in Brazil, unlike GDPR's requirement for an EU representative. However, having a contact point in Brazil can facilitate communication with the ANPD and data subjects.

How does LGPD handle cookies?

LGPD does not have specific provisions for cookies like the EU's ePrivacy Directive. However, cookies that collect personal data fall under LGPD's general requirements, meaning you need a lawful basis (typically consent) and must inform users about cookie usage in your privacy policy.

Is LGPD compliance enough for GDPR compliance?

Not entirely. While LGPD and GDPR share many similarities, there are differences in requirements such as breach notification timelines, lawful bases, and penalty structures. Organizations serving both Brazilian and EU users should ensure compliance with both regulations separately.