Brazil's LGPD requires any organization processing personal data of individuals in Brazil to have a transparent privacy policy. Your policy must disclose the categories of personal data collected, the legal basis for each processing activity, data subject rights, the identity of your Encarregado (DPO), international transfer mechanisms, and data retention periods. Non-compliance can result in fines up to 2% of revenue in Brazil, capped at 50 million BRL per violation.
If your business processes personal data from individuals located in Brazil, whether you are a Brazilian company or an international organization, you need to comply with the LGPD. Brazil's comprehensive data protection law was enacted in 2018 and has been fully enforceable since August 2021, with administrative sanctions now actively imposed by the ANPD (Autoridade Nacional de Protecao de Dados).
The LGPD was modeled closely on the European GDPR but includes unique provisions that reflect Brazil's legal traditions and regulatory approach. With 10 legal bases for processing (compared to GDPR's 6), a mandatory DPO requirement for all controllers, and an enforcement authority that has been increasingly active, the LGPD represents one of the most comprehensive data protection frameworks in Latin America.
This guide provides a detailed breakdown of the LGPD's requirements, explains each of the 10 legal bases, covers data subject rights, addresses DPO obligations, compares the LGPD with GDPR, and gives you a template outline for creating your own compliant privacy policy.
What Is the LGPD?
The LGPD (Lei Geral de Protecao de Dados Pessoais, or General Personal Data Protection Law) is Brazil's federal data protection law. It was signed into law in August 2018 (Law No. 13,709) and became fully enforceable in August 2021 when the ANPD gained the authority to impose administrative sanctions. The LGPD applies to all processing of personal data carried out in Brazil, processing aimed at offering goods or services to individuals in Brazil, or processing of data collected in Brazilian territory.
The LGPD adopts a broad definition of personal data: any information related to an identified or identifiable natural person. This includes names, CPF numbers (Brazil's individual taxpayer ID), email addresses, IP addresses, device identifiers, location data, cookie data, and any other information that can be linked to a specific individual. The law also defines a special category of "sensitive personal data" that receives heightened protection.
Sensitive Personal Data Under the LGPD
The LGPD defines sensitive personal data as data related to racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical, or political organization, health or sexual life data, genetic data, and biometric data. Processing of sensitive data is subject to stricter rules under Article 11 and can only be carried out with specific consent or under limited legal bases.
Key Roles Under the LGPD
The LGPD defines several key roles: the Controlador (controller) decides the purposes and means of processing; the Operador (processor) processes data on behalf of the controller; the Encarregado (DPO) serves as the communication channel between the controller, data subjects, and the ANPD; and the Titular (data subject) is the individual whose data is being processed. Understanding these roles is essential for determining your obligations under the law.
Q: Does the LGPD apply to small businesses?
Yes. The LGPD applies to organizations of all sizes that process personal data. However, the ANPD has issued Resolution CD/ANPD No. 2/2022, which provides simplified compliance procedures for small businesses (micro and small enterprises), startups, and individuals who process data for economic purposes. These simplified rules include relaxed requirements for the Encarregado role and simplified record-keeping, but the core obligations remain.
Q: Does the LGPD apply to data about companies (legal entities)?
No. The LGPD only protects personal data of natural persons (individuals). Data about legal entities (such as company names, CNPJ numbers, or business addresses) is not covered by the LGPD. However, if company data includes information about identifiable individuals (such as contact persons or employees), that individual data is protected.
The 10 Legal Bases for Data Processing Under the LGPD
Unlike the GDPR, which provides 6 legal bases for processing, the LGPD establishes 10 distinct legal bases under Article 7. Your privacy policy must identify which legal basis applies to each category of personal data you process. Here is a breakdown of all 10 legal bases.
| # | Legal Basis | Description | Common Use Cases |
|---|---|---|---|
| 1 | Consent | Free, informed, and unambiguous consent of the data subject | Marketing emails, cookies, newsletter signups |
| 2 | Legal or Regulatory Obligation | Compliance with a legal or regulatory obligation of the controller | Tax records, employment law requirements |
| 3 | Public Policy | Execution of public policies by the public administration | Government programs, public health initiatives |
| 4 | Research | Research by research bodies, with anonymization when possible | Academic studies, statistical research |
| 5 | Contract Execution | Execution of a contract or preliminary procedures at the data subject's request | Order processing, service delivery, account creation |
| 6 | Exercise of Rights | Exercise of rights in judicial, administrative, or arbitration proceedings | Legal disputes, regulatory proceedings |
| 7 | Protection of Life | Protection of the life or physical safety of the data subject or third party | Emergency situations, health emergencies |
| 8 | Health Protection | Health protection by health professionals or health entities | Medical records, health services, telemedicine |
| 9 | Legitimate Interest | Legitimate interests of the controller or third party, subject to balancing test | Fraud prevention, security, analytics |
| 10 | Credit Protection | Credit protection, including credit scoring | Credit checks, financial assessments |
Did you know?
The LGPD's "credit protection" legal basis (number 10) is unique to Brazil and has no equivalent in the GDPR or any other major data protection framework. This legal basis reflects Brazil's established credit scoring system and allows organizations to process personal data for credit protection purposes without requiring consent. It was one of the most debated provisions during the law's legislative process.
For most website operators and online businesses, the most commonly used legal bases will be consent (for marketing and cookies), contract execution (for delivering services), legitimate interest (for analytics and security), and legal obligation (for tax and regulatory compliance). Your privacy policy must clearly state which legal basis applies to each processing activity.
Free LGPD Privacy Policy Template Preview
Below is a structured outline of what an LGPD-compliant privacy policy should contain. Each section maps to specific LGPD requirements. Use this as a checklist when reviewing your existing policy or as a starting point for creating a new one.
1. Controller Identification
State the full legal name, CNPJ (if applicable), and contact details of the data controller. Include the name and contact information of the Encarregado (DPO). This is required under Article 23 and Article 41 of the LGPD.
2. Categories of Personal Data Collected
List every category of personal data you process: names, CPF numbers, email addresses, phone numbers, IP addresses, device identifiers, cookie data, location data, financial data, and any other identifiable information. Distinguish between regular and sensitive personal data.
3. Purposes for Processing
For each category of personal data, explain the specific purpose for processing. Purposes might include providing services, processing payments, sending marketing communications, improving website performance, complying with legal obligations, or fraud prevention.
4. Legal Bases for Processing
Identify which of the 10 LGPD legal bases applies to each processing activity. Be specific: state that you process email addresses based on consent for marketing, based on contract execution for service delivery, and based on legal obligation for tax records.
5. Data Sharing and Third Parties
Disclose all third parties with whom you share personal data, including payment processors, analytics providers, cloud hosting services, and advertising platforms. For each third party, explain what data is shared and the purpose.
6. International Data Transfers
If you transfer personal data outside of Brazil, explain the legal mechanism for the transfer: adequacy decision by the ANPD, standard contractual clauses, binding corporate rules, or specific consent of the data subject.
7. Data Subject Rights
List all rights granted to data subjects under Article 18 of the LGPD: confirmation of processing, access, correction, anonymization, blocking, deletion, portability, information about sharing, information about consent denial, and consent revocation. Explain how to exercise each right.
8. Data Retention
Describe your data retention periods for each category of personal data. Explain the criteria used to determine retention periods and what happens to data when the retention period expires (deletion or anonymization).
9. Security Measures
Describe the technical and organizational security measures you implement to protect personal data. Mention encryption, access controls, monitoring, employee training, and incident response procedures without revealing specific technical details.
10. Data Breach Procedures
Describe your process for handling data breaches, including notification to the ANPD and affected data subjects when a breach may cause risk or significant harm. Include your commitment to maintaining breach records.
11. Cookies and Tracking Technologies
Detail the types of cookies and tracking technologies used on your website, their purposes, and how users can manage cookie preferences. This section should cover essential cookies, analytics cookies, and advertising cookies.
12. Policy Updates
Explain how and when you will update the privacy policy, how data subjects will be notified of material changes, and that continued use after notification constitutes awareness of the updated practices.
Data Subject Rights Under the LGPD
Article 18 of the LGPD grants data subjects (titulares) extensive rights over their personal data. Your privacy policy must inform data subjects of these rights and explain how they can exercise them. Here are the rights your policy must address.
Confirmation of Processing
Data subjects have the right to obtain confirmation that their personal data is being processed. You must be able to confirm whether or not you hold any personal data about an individual upon request.
Access to Data
Data subjects have the right to access their personal data that you hold. Upon request, you must provide a complete copy of the data in a clear, adequate format.
Correction of Incomplete or Inaccurate Data
Data subjects can request the correction of any incomplete, inaccurate, or outdated personal data. You must implement processes to update records promptly upon receiving such requests.
Anonymization, Blocking, or Deletion
Data subjects can request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD. This applies to data that is no longer needed for the original purpose.
Data Portability
Data subjects have the right to transfer their personal data to another service provider. You must provide data in a structured, commonly used format as regulated by the ANPD.
Information About Sharing
Data subjects have the right to know which public and private entities their personal data has been shared with. Your privacy policy should proactively disclose this information.
Consent Revocation
Data subjects can revoke consent at any time through an express, free, and easy-to-use mechanism. You must stop processing data based on consent once it is revoked, and inform the data subject of the consequences of revocation.
DPO (Encarregado) Requirements
Under Article 41 of the LGPD, every data controller must appoint an Encarregado (Data Protection Officer). Unlike the GDPR, which only requires a DPO in certain situations, the LGPD applies this requirement to all controllers. The Encarregado's identity and contact information must be publicly disclosed, typically on your website and in your privacy policy.
The Encarregado has four main responsibilities: accepting complaints and communications from data subjects, receiving communications from the ANPD and adopting corrective measures, guiding the organization's employees on data protection practices, and carrying out other duties assigned by the controller or established by supplementary regulations.
The ANPD's Resolution CD/ANPD No. 2/2022 provides simplified requirements for small businesses and startups. Under this resolution, small-scale data processing agents are not required to appoint an Encarregado, but they must provide a communication channel for data subjects. Even with this exemption, appointing an Encarregado is considered a best practice.
Did you know?
Unlike the GDPR, the LGPD does not require the Encarregado to be an individual. The role can be fulfilled by a committee, a department, or even an outsourced service provider. This flexibility allows organizations of all sizes to meet the requirement in a way that suits their structure. However, the ANPD recommends that regardless of the format, the Encarregado should have adequate knowledge of data protection law and practices.
ANPD Enforcement and Penalties
The ANPD (Autoridade Nacional de Protecao de Dados) is Brazil's data protection authority, established to oversee, implement, and enforce the LGPD. The ANPD began applying administrative sanctions in August 2021 and has been increasingly active in enforcement actions, issuing guidelines, and developing the regulatory framework.
The ANPD can impose the following sanctions under Article 52 of the LGPD: warnings with a deadline for corrective measures; simple fines of up to 2% of the organization's revenue in Brazil (capped at 50 million BRL per violation); daily fines to compel compliance; publicization of the infraction after confirmation; blocking of personal data involved in the violation; deletion of personal data involved in the violation; and partial or total suspension of data processing activities for up to 6 months.
When determining sanctions, the ANPD considers the severity of the violation, the good faith and cooperation of the infractor, the economic advantage obtained, the scale and duration of the violation, whether the infractor adopted data protection policies and good practices, and the promptness of corrective measures. Organizations that demonstrate proactive compliance efforts receive more favorable treatment.
LGPD vs GDPR: Key Differences
The LGPD was heavily influenced by the GDPR, and the two laws share many similarities. However, there are important differences that affect what your privacy policy must include if you serve both Brazilian and European users.
| Aspect | LGPD (Brazil) | GDPR (EU/UK) |
|---|---|---|
| Legal bases | 10 legal bases for processing under Article 7 | 6 legal bases for processing under Article 6 |
| DPO requirement | Required for all controllers (Encarregado); simplified rules for small businesses | Required only when processing sensitive data at scale or systematic monitoring |
| Maximum fines | 2% of revenue in Brazil, capped at 50 million BRL per violation | Up to 20 million euros or 4% of global revenue, whichever is higher |
| Scope | Applies to processing of data of individuals in Brazil, regardless of nationality | Applies to processing of data of individuals in the EU/EEA |
| Data portability | Included under Article 18; format regulated by the ANPD | Included under Article 20; must be in machine-readable format |
| Breach notification | Notify ANPD and data subjects within a reasonable time (ANPD guidance suggests promptly) | Notify supervisory authority within 72 hours; notify individuals if high risk |
| Credit protection | Unique legal basis under Article 7(X) for credit scoring and protection | No equivalent; credit scoring handled under legitimate interest or consent |
If you serve both Brazilian and European users, the practical approach is to build a privacy policy that meets both sets of requirements. Since the GDPR is generally stricter on fines and breach notification timelines, while the LGPD has more legal bases and a broader DPO requirement, a comprehensive policy should address the unique elements of each law. Region-specific sections can clarify which rights and mechanisms apply to users in each jurisdiction.
International Data Transfers Under the LGPD
Chapter V of the LGPD (Articles 33-36) governs the transfer of personal data to other countries. If your organization transfers personal data collected in Brazil to servers or partners in other countries, you must ensure one of the following conditions is met and disclose it in your privacy policy.
The LGPD permits international transfers when: the receiving country or organization provides an adequate level of data protection as recognized by the ANPD; the controller can demonstrate compliance through standard contractual clauses, binding corporate rules, or compliance seals; the transfer is necessary for international legal cooperation, protection of life, execution of public policy, or when authorized by the ANPD; or the data subject provides specific and prominent consent for the transfer.
The ANPD has been developing its framework for international transfers, including adequacy assessments for various countries and regions. Organizations that use cloud services hosted outside Brazil (such as AWS, Google Cloud, or Azure) should pay particular attention to this requirement and ensure appropriate transfer mechanisms are in place.
Did you know?
The ANPD's approach to international data transfers is still evolving. Unlike the GDPR, which has well-established adequacy decisions and Standard Contractual Clauses, the ANPD is still in the process of issuing definitive regulations on transfer mechanisms. In the interim, most organizations rely on standard contractual clauses or explicit consent for transfers. The ANPD has signaled that it will recognize adequacy determinations for countries that have robust data protection frameworks, including EU member states.
Consent Under the LGPD
Consent is one of the 10 legal bases under the LGPD, but it has specific requirements that go beyond simply checking a box. Under Article 8 of the LGPD, consent must be free, informed, and unambiguous. It must be provided in writing or by another means that demonstrates the will of the data subject. If consent is provided in writing, it must be in a prominent clause, separate from other contractual terms.
The LGPD also requires that consent be specific to each processing purpose. You cannot bundle multiple purposes into a single consent request. If the purpose of processing changes, you must obtain new consent. For sensitive personal data, consent must be given in a specific and prominent manner, for specific purposes.
Data subjects have the right to revoke consent at any time, through a free and easy-to-use mechanism. Your privacy policy must describe how users can withdraw consent, and the consequences of doing so. When consent is revoked, processing based on that consent must cease, although data already processed under a valid legal basis before revocation remains lawful.
Importantly, consent is not always the best legal basis. The LGPD provides 9 other legal bases, and for many common processing activities (such as fulfilling a contract or complying with legal obligations), a different legal basis may be more appropriate and more stable than consent. Over-reliance on consent is a common mistake in LGPD compliance.
Common LGPD Mistakes
Here are the five most common misconceptions about LGPD compliance, and why each one can leave your organization exposed to enforcement action by the ANPD.
Mistake: "The LGPD only applies to Brazilian companies."
Reality: The LGPD applies to any organization, anywhere in the world, that processes personal data of individuals located in Brazil, offers goods or services to individuals in Brazil, or collects data within Brazilian territory. If your website has Brazilian visitors and you collect any data from them (through analytics, forms, or cookies), the LGPD can apply to you. This extraterritorial reach is similar to the GDPR.
Mistake: "GDPR compliance automatically means LGPD compliance."
Reality: While the LGPD was inspired by the GDPR and shares many similarities, there are unique LGPD requirements. The LGPD has 10 legal bases (vs. 6 for GDPR), requires an Encarregado for all controllers (not just certain ones), has a unique credit protection legal basis, and follows different rules for international transfers. A GDPR-compliant policy is a strong starting point, but it needs LGPD-specific additions to be fully compliant.
Mistake: "Consent is required for all data processing under the LGPD."
Reality: Consent is just one of 10 legal bases under the LGPD. For many processing activities, a different legal basis is more appropriate. Contract execution covers data needed to deliver services. Legal obligation covers tax and regulatory requirements. Legitimate interest covers analytics and fraud prevention. Over-relying on consent creates unnecessary friction and makes your processing vulnerable to consent withdrawal. Choose the most appropriate legal basis for each activity.
Mistake: "The ANPD is not actively enforcing the LGPD yet."
Reality: The ANPD has been fully operational since 2021 and has been increasingly active in enforcement. The authority has issued its first fines, conducted investigations, published binding guidelines, and established a complaints process. The ANPD has also published a regulatory agenda outlining priority areas for enforcement. Organizations should not assume that the relative newness of the ANPD means a lack of enforcement risk.
Mistake: "I do not need a privacy policy in Portuguese."
Reality: If you serve Brazilian users, providing your privacy policy in Portuguese is essential for compliance. The LGPD requires that information about data processing be provided in a clear and accessible manner. For Brazilian data subjects, this means Portuguese. While the LGPD does not explicitly mandate Portuguese, providing your policy only in English to Portuguese-speaking users undermines the transparency principle and could be viewed unfavorably by the ANPD in an enforcement action.
How to Create an LGPD-Compliant Privacy Policy (6 Steps)
Follow these steps to create a privacy policy that meets LGPD requirements and demonstrates compliance to the ANPD.
1. Appoint an Encarregado (DPO) and document accountability
The LGPD requires every data controller to appoint an Encarregado. This can be an individual, a committee, or an outsourced service. Document this person's name and contact information and include it in your privacy policy. The Encarregado serves as the communication channel between your organization, data subjects, and the ANPD. For small businesses, the ANPD allows simplified appointment procedures.
2. Map all personal data processing activities
Create a comprehensive data inventory documenting every category of personal data you process: form data (names, CPF numbers, emails), payment information, analytics data (IP addresses, device identifiers), cookie data, and third-party integrations. For each data type, record the purpose, the legal basis, retention period, and any third parties with whom data is shared. This mapping forms the foundation of your privacy policy disclosures.
3. Identify the correct legal basis for each activity
For each processing activity, identify which of the 10 LGPD legal bases applies. Use consent for marketing and optional cookies. Use contract execution for service delivery and account management. Use legal obligation for tax and regulatory requirements. Use legitimate interest for analytics and fraud prevention. Document your analysis and be prepared to demonstrate it to the ANPD if requested.
4. Draft the policy covering all required disclosures
Using the template preview above as your guide, write each section of your privacy policy. Be specific about your actual practices. Name the third-party services you use (Google Analytics, Stripe, AWS), describe your actual retention periods, explain your real security measures, and list all data subject rights with instructions for exercising them. Generic language weakens your compliance position.
5. Implement data subject rights mechanisms
Set up accessible channels for data subjects to exercise their LGPD rights: confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and consent revocation. Provide an email address, web form, or dedicated portal. Define internal procedures for handling requests and establish response timeframes in accordance with ANPD guidance.
6. Publish prominently and review regularly
Link your privacy policy from the footer of every page on your website. Ensure the policy is available in Portuguese if you serve Brazilian users. Review and update the policy whenever your data practices change or when the ANPD issues new guidance. Maintain records of processing activities (ROPA) and be prepared to demonstrate compliance upon request. If you also serve EU users, add GDPR-specific sections.
Shortcut: A privacy policy generator automates the entire process. You answer questions about your data practices, select that you need LGPD compliance, and the generator produces a complete policy covering all 10 legal bases, data subject rights, Encarregado details, and international transfer disclosures. The whole process takes under five minutes. Generate your LGPD-compliant policy.
Frequently Asked Questions
What is the LGPD and who does it apply to?
The LGPD (Lei Geral de Protecao de Dados) is Brazil's comprehensive data protection law. It applies to any organization that processes personal data of individuals located in Brazil, offers goods or services to individuals in Brazil, or collects data within Brazilian territory. This includes organizations based outside of Brazil.
What are the 10 legal bases under the LGPD?
The 10 legal bases are: consent, legal/regulatory obligation, public policy execution, research, contract execution, exercise of rights in proceedings, protection of life, health protection, legitimate interest, and credit protection. Each processing activity must be justified by at least one of these bases, and the chosen basis must be documented and disclosed in your privacy policy.
How does the LGPD compare to the GDPR?
The LGPD was modeled on the GDPR but has key differences: 10 legal bases instead of 6, a mandatory DPO for all controllers, a unique credit protection legal basis, fines capped at 50 million BRL (vs. GDPR's 20 million euros or 4% global revenue), and an evolving international transfer framework. Both laws grant similar data subject rights and have extraterritorial reach.
What is the ANPD and what does it do?
The ANPD (Autoridade Nacional de Protecao de Dados) is Brazil's data protection authority. It oversees LGPD compliance, investigates complaints, conducts audits, imposes sanctions, issues guidelines and regulations, and promotes data protection awareness. The ANPD has been fully operational since 2021 and is increasingly active in enforcement.
Do I need a DPO (Encarregado) under the LGPD?
Yes. The LGPD requires all data controllers to appoint an Encarregado (DPO). The Encarregado's identity and contact information must be publicly disclosed. The ANPD has provided simplified rules for small businesses and startups, but the core requirement remains. The role can be filled by an individual, a committee, or an outsourced service.
What are the penalties for non-compliance?
The ANPD can impose warnings, fines up to 2% of revenue in Brazil (capped at 50 million BRL per violation), daily fines, publicization of the infraction, blocking or deletion of personal data, and suspension of data processing activities. The ANPD considers the severity, good faith, economic advantage, and corrective measures when determining sanctions.
How do I handle international data transfers?
The LGPD allows international transfers under specific conditions: adequacy decisions by the ANPD, standard contractual clauses, binding corporate rules, specific consent of the data subject, or when necessary for legal cooperation or protection of life. The ANPD is still developing definitive regulations on transfer mechanisms, so organizations should document their chosen mechanism clearly.