
What is LGPD?

The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law, modeled closely on the GDPR, that governs how the personal data of Brazilian residents is collected, processed, stored, and transferred.

Also known as: Lei Geral de Proteção de Dados, Brazil data protection law, Brazilian GDPR

The LGPD (Lei Geral de Proteção de Dados) is Brazil's comprehensive data protection law. Enacted in 2018 and in effect since 2020, it is one of the most significant privacy laws in Latin America and one of the most closely modeled on the GDPR of any national law worldwide.

Overview

Brazil is the world's sixth most populous country and a major digital economy. The LGPD was enacted to address the fragmented, sectoral data protection regime that preceded it and to bring Brazil in line with international standards — particularly as Brazilian companies increasingly operate across EU and U.S. markets where GDPR and CCPA compliance is required.

The law applies to any organization processing the personal data of individuals located in Brazil, regardless of where the organization itself is based. Like the GDPR, it has extraterritorial reach.

Key Rights for Data Subjects

Brazilian residents have rights that closely mirror those under the GDPR:

  • Right of confirmation — Know whether an organization processes your data
  • Right of access — Obtain a copy of your data
  • Right of correction — Fix inaccurate or incomplete data
  • Right of anonymization, blocking, or deletion — Request that data processed with inadequate consent be restricted or deleted
  • Right of portability — Receive your data in a transferable format
  • Right of deletion — Request erasure of data processed with your consent
  • Right to information — Know with which entities your data has been shared
  • Right to refuse consent — Be informed of the consequences of refusing consent, and refuse without penalty where consent is the legal basis
  • Right to review automated decisions — Request human review of decisions made solely by automated processing

Legal Bases for Processing

The LGPD establishes ten legal bases for processing personal data — significantly more than the GDPR's six. In addition to consent, legitimate interest, and legal obligation (mirroring GDPR), the LGPD adds:

  • Credit protection — Processing for credit scoring and fraud prevention
  • Health protection — Processing by health authorities or health professionals
  • Tutela da saúde (healthcare) — Specific to healthcare providers
  • Studies by research entities — Academic or scientific research with anonymization guarantees

This broader set of legal bases reflects Brazil's specific economic and social context.

Sensitive Data

The LGPD creates a higher protection tier for sensitive personal data, including:

  • Racial or ethnic origin
  • Religious conviction
  • Political opinion
  • Trade union membership
  • Health or sex life data
  • Genetic or biometric data when tied to an individual

Processing of sensitive data requires explicit consent or a specific legal basis (health, legal obligation, legitimate interest with restrictions).

Enforcement Authority: ANPD

Brazil's National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD) enforces the LGPD. The ANPD was slower to start enforcement than EU data protection authorities but has become increasingly active since 2022.

Maximum fines: 2% of a company's gross revenue in Brazil in the prior fiscal year, capped at R$50 million (~$10 million USD) per violation. This is less severe than GDPR's 4% of global turnover, but enforcement is accelerating.

Notable enforcement: In 2023, Brazil's ANPD issued its first fine — against Telekall Infoservice for processing consumer data without a legal basis. Meta was also sanctioned in Brazil for using WhatsApp data to improve Facebook's ad targeting without adequate disclosure.

Cross-Border Data Transfers

Like the GDPR, the LGPD restricts transfers of personal data to countries or international organizations that do not provide adequate data protection. The ANPD is developing a list of "adequate" countries. In the interim, organizations can use contractual clauses (similar to SCCs), binding corporate rules, or specific consent.

LGPD vs. GDPR: Key Differences

| Aspect | LGPD | GDPR |
|---|---|---|
| Jurisdiction | Data subjects in Brazil | Data subjects in the EU/EEA |
| Fine cap | 2% of Brazil revenue, R$50M per violation | 4% of global annual turnover |
| Legal bases | 10 | 6 |
| Data breach notification | "Reasonable time" (not defined as strictly as GDPR's 72 hours) | 72 hours to supervisory authority |
| DPO requirement | Required for controllers; details less prescriptive than GDPR | Required for high-risk processing |
| Enforcement start | Active fines since 2023 | Active fines since 2018 |

Why It Matters Beyond Brazil

If your business serves customers in Brazil — even if you are based in the United States, EU, or elsewhere — the LGPD applies to you. Brazil is one of the largest e-commerce markets in Latin America. Organizations that already comply with GDPR will find LGPD compliance significantly easier, but the differences in legal bases and enforcement timelines require attention.

The rise of LGPD, alongside GDPR, CCPA, India's DPDP Act, and others, reflects a global shift: most major markets now have comprehensive data protection frameworks. Compliance is no longer a European concern only.
