
LGPD – Brazil’s Privacy Law

What is LGPD?

The Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018) is Brazil's comprehensive data protection law. It establishes a single legal framework for the processing of personal data, replacing a patchwork of sector-specific provisions that had been scattered across the Consumer Protection Code, the Civil Rights Framework for the Internet (Marco Civil da Internet), and other legislation.

The LGPD took effect on September 18, 2020, with administrative sanctions enforceable from August 1, 2021. The law is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), which was transformed into an independent regulatory agency in 2025, granting it functional, technical, decision-making, administrative, and financial autonomy comparable to Brazil's other sector regulators for energy, health, and telecommunications. The ANPD can impose administrative fines of up to 2% of a company's revenue in Brazil in the preceding fiscal year, net of taxes, capped at R$50 million (approximately US$10 million) per violation, along with daily fines, public disclosure of violations, data deletion orders, and partial or total bans on processing activities.

Though modeled in significant part on the EU's General Data Protection Regulation, the LGPD has developed its own enforcement approach and regulatory specifics. The ANPD has published its Regulatory Agenda for 2025–2026 and its Priority Topics Map for 2026–2027, signaling focused enforcement attention on data subject rights, children's and adolescents' data protection, public authority compliance, and artificial intelligence.

Personal data under the LGPD

Like the GDPR, the LGPD defines personal data as information regarding an identified or identifiable natural person (Article 5(I)). Anonymized data falls outside the law's scope, but Article 12 sets the bar: data counts as anonymized only if it cannot be reversed using reasonable efforts, judged by cost, time and the technology available at the time of processing, and data used to build a behavioral profile of an identified natural person is treated as personal data even if it was nominally anonymized. Pseudonymized data remains within scope because the additional information held by the controller makes re-identification possible.
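The scope distinction above is the one that matters when a team decides whether a dataset still needs a legal basis. The following Python example is added here to make it concrete; it is not part of the original page and not an ANPD-endorsed method. It assumes keyed HMAC-SHA256 tokenization as the pseudonymization technique and a simple k-anonymity-style generalization as the anonymization technique; the records and CPF numbers are constructed for illustration and do not belong to real people.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictitious CPFs, postal codes and diagnoses).
RECORDS = [
    {"cpf": "111.444.777-35", "age": 34, "cep": "01310-100", "diagnosis": "asthma"},
    {"cpf": "222.333.444-05", "age": 38, "cep": "01311-200", "diagnosis": "diabetes"},
    {"cpf": "529.982.247-25", "age": 52, "cep": "20040-020", "diagnosis": "asthma"},
    # Same person as the first record, second visit.
    {"cpf": "111.444.777-35", "age": 34, "cep": "01310-100", "diagnosis": "hypertension"},
]


def token_for(cpf: str, key: bytes) -> str:
    """Keyed token for a direct identifier. An unkeyed hash would be useless here:
    the CPF space is small enough to enumerate, so SHA-256(cpf) alone is reversible
    by anyone, not just the key holder."""
    return hmac.new(key, cpf.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the CPF with a deterministic token. Records of the same person stay
    linkable, and whoever holds `key` can re-identify them (see reidentify below),
    so the output is still personal data under Article 5(I)."""
    out = dict(record)
    out["cpf"] = token_for(record["cpf"], key)
    return out


def reidentify(token: str, candidate_cpfs: list, key: bytes):
    """What the key holder (or anyone who obtains the key) can do: rebuild the
    mapping from a candidate set. Returns the matching CPF or None."""
    for cpf in candidate_cpfs:
        if hmac.compare_digest(token, token_for(cpf, key)):
            return cpf
    return None


def anonymize(records: list, k: int = 2) -> list:
    """Drop the direct identifier, generalize quasi-identifiers (age to a decade band,
    CEP to its first three digits) and suppress any band/prefix group with fewer than
    k records. No key exists that reverses this, which is the property Article 12
    asks about; whether k=2 is 'reasonable effort' for a given dataset is a risk
    judgment, not something this function decides."""
    generalized = []
    for r in records:
        decade = (r["age"] // 10) * 10
        generalized.append({
            "age_band": f"{decade}-{decade + 9}",
            "cep_prefix": r["cep"][:3],
            "diagnosis": r["diagnosis"],
        })
    counts = Counter((g["age_band"], g["cep_prefix"]) for g in generalized)
    return [g for g in generalized if counts[(g["age_band"], g["cep_prefix"])] >= k]


if __name__ == "__main__":
    key = b"example-key-kept-by-the-controller"
    p = [pseudonymize(r, key) for r in RECORDS]
    print("linkable:", p[0]["cpf"] == p[3]["cpf"])
    print("re-identified:", reidentify(p[0]["cpf"], [r["cpf"] for r in RECORDS], key))
    print("anonymized rows:", anonymize(RECORDS))
```

The pseudonymized output keeps the same number of rows and the same linkability as the raw data; only the key separates it from the original, which is why the LGPD keeps it in scope. The anonymized output loses the single-member group entirely and cannot be joined back to a CPF by anyone, key or no key.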

The LGPD also defines "sensitive personal data" (Article 5(II)), which includes data on racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical, or political organization membership, health or sex life data, and genetic or biometric data when linked to a natural person. Processing sensitive personal data requires either specific and highlighted consent from the data subject, or must fall within one of the limited exceptions in Article 11, such as compliance with a legal or regulatory obligation, protection of life, or fraud prevention.

Legal bases for processing

The LGPD provides ten legal bases for processing personal data (Article 7), more than the GDPR's six:

  • Consent of the data subject.
  • Compliance with a legal or regulatory obligation.
  • Execution of public policies by the public administration.
  • Research by research bodies (with anonymization where possible).
  • Performance of a contract or preliminary procedures related to a contract.
  • Exercise of rights in judicial, administrative, or arbitration proceedings.
  • Protection of life or physical safety.
  • Health protection in procedures carried out by health professionals or health entities.
  • Legitimate interests of the controller or a third party (subject to a balancing test). The ANPD published a Guide on Legitimate Interests to clarify the application of this basis.
  • Credit protection.

Controllers must identify and document the applicable legal basis before processing begins. For sensitive personal data, the available legal bases are narrower (Article 11) and do not include legitimate interests or credit protection.

Data subject rights

The LGPD grants data subjects a set of rights under Article 18, including:

  • Confirmation of whether processing is taking place.
  • Access to their personal data.
  • Correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.
  • Portability of personal data to another service or product provider.
  • Deletion of personal data processed on the basis of consent (subject to the retention exceptions in Article 16, such as compliance with a legal obligation).
  • Information about public and private entities with which data has been shared.
  • Information about the possibility of withholding consent and the consequences of doing so.
  • Revocation of consent.

Organizations must respond to data subject requests within the deadlines of Article 19: immediately in simplified form, or within 15 days of the request in a clear and complete statement. The ANPD has indicated that the effectiveness of data subject rights is a priority enforcement topic for 2026–2027.

Controllers and processors

The LGPD uses the terms "controller" (controlador) and "processor" (operador), with meanings comparable to the GDPR. The controller makes decisions about the processing of personal data; the processor carries out processing on the controller's behalf. Both must maintain records of processing operations (Article 37), though unlike the GDPR's Article 30, the LGPD does not detail the specific categories of information that must be recorded. Both controllers and processors can be held liable for damages suffered by data subjects as a result of violations.

The LGPD requires the appointment of a Data Protection Officer (encarregado) by the controller (Article 41). The ANPD has issued Resolution CD/ANPD No. 18/2024 establishing additional rules for DPOs, including the obligation to appoint a substitute when the DPO is absent. In November 2024, the ANPD initiated proceedings against 20 companies for failing to appoint a DPO or disclose DPO contact information, all of which came into compliance.

Territorial scope

The LGPD applies to any processing of personal data that:

  • Is carried out in Brazilian territory, regardless of where the organization is headquartered or where the data is located (Article 3(I)).
  • Has as its purpose the offering or provision of goods or services to individuals located in Brazil, or the processing of data of individuals located in Brazil (Article 3(II)).
  • Involves personal data collected in Brazil, which Article 3 §1 defines as data whose subject was in Brazil at the time of collection (Article 3(III)).

This means that companies based outside Brazil, including U.S. companies, must comply with the LGPD if they process data in Brazil, target goods or services to people in Brazil, or process data belonging to individuals who were in Brazil when the data was collected. An e-commerce company that ships to Brazil falls within scope. However, Article 4(IV) exempts data that originates outside Brazil, is not communicated to or shared with processing agents in Brazil, and is not transferred onward to any country other than the one it came from, provided that the country of origin offers a level of protection adequate to the LGPD.

International data transfers

The LGPD restricts international transfers of personal data to countries or organizations that provide an adequate level of data protection, or where appropriate safeguards are in place (Article 33). In August 2024, the ANPD published Resolution CD/ANPD No. 19/2024, which introduced Brazilian Standard Contractual Clauses (SCCs) for international transfers, modeled in part on the EU's SCCs. The grace period for incorporating the SCCs ended on August 23, 2025. From that date, international transfers must be supported by SCCs, an ANPD adequacy determination, or another mechanism approved by the ANPD.

The SCCs require, among other obligations, that the data importer ensure the laws of the destination country are compatible with the contractual protections, that security incidents be reported to data subjects and the ANPD within three days, and that the exporter retain the right to terminate the transfer if the importer breaches the clauses.

Enforcement

The ANPD has been increasingly active in enforcement since sanctions became available in August 2021. Its first enforcement action targeted a micro-enterprise for processing personal data without a legal basis, failing to appoint a DPO, and obstructing investigations, signaling that compliance obligations apply regardless of company size. Subsequent enforcement actions have addressed delayed breach notifications, inadequate security controls, and the use of personal data for AI training without a valid legal basis (including a case involving Meta's use of Facebook and Instagram data for generative AI, which resulted in a suspension of processing and threatened daily fines of R$50,000).

The ANPD's Priority Topics Map for 2026–2027, published in December 2025, focuses enforcement attention on four areas: data subject rights (with particular attention to sensitive data used in advertising), protection of children and adolescents (including privacy by default, age verification, and content blocking), public authority compliance, and artificial intelligence.

Key differences from the GDPR

While substantially inspired by the GDPR, the LGPD differs in several important respects:

  • Ten legal bases instead of six, including credit protection and exercise of rights in legal proceedings.
  • Maximum fines capped at R$50 million per violation (approximately US$10 million), rather than the GDPR's €20 million or 4% of global turnover. The LGPD fine is calculated on Brazilian revenue only, not global revenue.
  • Public entities cannot be fined under the LGPD, though they can face non-monetary sanctions including public disclosure of violations and data processing restrictions.
  • The LGPD does not include a right equivalent to the GDPR's Article 22 (right not to be subject to solely automated decision-making). Article 20 instead provides a right to request review of decisions made solely on the basis of automated processing that affect the data subject's interests; the original requirement that the review be carried out by a natural person was removed by presidential veto in 2019, so the law does not guarantee a human reviewer.
  • Breach notification timelines differ: Resolution CD/ANPD No. 15/2024 requires controllers to notify the ANPD and the affected data subjects within three working days of becoming aware of a security incident that may cause relevant risk or damage to data subjects. The GDPR gives 72 hours to notify the supervisory authority (Article 33) and requires data subject notification "without undue delay" only where the breach is likely to result in a high risk (Article 34).
