Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018) grants individuals a catalogue of nine rights over their personal data, codified in the chapter that runs from Article 17 through Article 22 of the law. These rights apply to any person whose data is processed by a controller operating in Brazil, targeting individuals in Brazil, or using data collected on Brazilian territory. They are not optional extras. Failing to honour them can trigger sanctions from the Autoridade Nacional de Proteção de Dados (ANPD), including fines of up to 2% of a company's revenue in Brazil for its last fiscal year, net of taxes, capped at BRL 50 million per infraction.
The ANPD has signalled that data subject rights sit at the top of its enforcement priorities. LGPD compliance is no longer a reputational nice-to-have - it is a legal obligation with real consequences, as several enforcement actions in 2024 and 2025 have demonstrated.
The Nine Rights Under Article 18
Article 18 of the LGPD sets out nine specific rights that data subjects can exercise at any time, upon request, and free of charge. Each one imposes a corresponding duty on the controller.
| Right | Article 18 Item | What the controller must do |
|---|---|---|
| Confirmation of processing | I | Confirm whether personal data is being processed |
| Access | II | Provide the data subject with their processed data |
| Correction | III | Rectify incomplete, inaccurate, or outdated data |
| Anonymisation, blocking, or deletion | IV | Anonymise, block, or delete unnecessary, excessive, or non-compliant data |
| Portability | V | Transfer data to another service provider upon express request |
| Deletion of consent-based data | VI | Erase personal data processed on the basis of consent |
| Information on sharing | VII | Disclose which public and private entities received the data |
| Information on consent denial | VIII | Explain the possibility and consequences of withholding consent |
| Revocation of consent | IX | Allow the data subject to withdraw consent via a free, accessible process |
Two additional rights sit outside Article 18. Article 20 grants the right to request a review of decisions made solely through automated processing of personal data that affect the individual's interests - including credit scoring, behavioural profiling, and personality assessments. Article 21 prohibits using personal data relating to the regular exercise of a data subject's rights to their detriment.
Confirmation and Access: The Starting Point
The right to confirm whether processing is taking place and to access personal data is the foundation of every other right. Without knowing what data a controller holds, a data subject cannot meaningfully exercise correction, deletion, or portability.
Article 19 prescribes two response formats. A simplified confirmation must be provided immediately upon request. A clear and complete statement - detailing the origin of the data, any absence of records, the criteria used for processing, and the purpose - must be delivered within 15 days of the request. That 15-day window is half the timeframe allowed under the GDPR, which grants one month. The LGPD gives the controller no way to extend this deadline, regardless of the volume or complexity of the request; the only flexibility is Article 19(4), under which the ANPD may set different timeframes for specific sectors.
Under Article 19(3), when processing originates from consent or a contract, the data subject may request a full electronic copy of their personal data in a format that permits subsequent use, including in other processing operations. Commercial and industrial secrets remain protected.
Correction, Blocking, and Deletion
Data subjects can require controllers to correct incomplete, inaccurate, or outdated personal data at any time. There is no restriction on the format or channel through which a correction request can be submitted.
The right to anonymisation, blocking, or deletion under Article 18(IV) applies specifically to data that is unnecessary, excessive, or processed in violation of the LGPD. This is distinct from the deletion right in Article 18(VI), which targets data processed on the basis of consent. Where consent has been withdrawn, the controller must delete the data - subject to the retention exceptions in Article 16, which permit storage for compliance with a legal or regulatory obligation, for study by a research body (anonymised where possible), for transfer to third parties in accordance with the law, or for the controller's exclusive use with third-party access prohibited, provided the data is anonymised.
A critical obligation follows from Article 18(6): when a controller corrects, deletes, anonymises, or blocks data, it must immediately inform every other processing agent with whom it has shared that data, so they can repeat the same procedure. The only exception is where doing so would be impossible or involve disproportionate effort.
Data Portability Under the LGPD
The right to data portability allows individuals to request that their data be transferred to another service or product provider. The request must be express, and the transfer is subject to ANPD regulation and to the protection of commercial and industrial secrets.
One notable limitation: portability does not extend to data that has already been anonymised by the controller. Article 40 authorises the ANPD to set interoperability standards for portability purposes, though detailed technical specifications have not yet been published. The ANPD's 2025-2026 regulatory agenda lists data subject rights - including portability - as a Phase 1 priority, meaning further guidance is expected in the near term.
For SaaS products and platforms operating in Brazil, this right has practical implications. You need a documented process for extracting a user's personal data in a structured, machine-readable format and transmitting it to a designated third party within the prescribed timeframe.
Consent Withdrawal and the Right to Object
Article 8(5) of the LGPD establishes that consent may be revoked at any time through an express request by the data subject, via a free and facilitated procedure. Any processing carried out under previously valid consent remains lawful, provided the data subject does not also request deletion under Article 18(VI).
Separately, Article 18(2) grants data subjects the right to object to processing carried out under one of the legal bases that do not require consent - such as legitimate interest - if there is non-compliance with the LGPD. This is a narrower right than the general objection right under Article 21 of the EU GDPR, but it still gives individuals a mechanism to challenge processing they believe is unlawful.
The ANPD's 2024 enforcement action against Meta illustrates how these rights interact in practice. The authority required Meta to provide Brazilian users with an opt-out mechanism for the collection of their social media data for AI training purposes, alongside proper disclosure and transparency measures. Non-compliance carried a threatened daily fine of BRL 50,000.
Review of Automated Decisions (Article 20)
Article 20 grants data subjects the right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests. This covers decisions used to define personal, professional, consumer, and credit profiles, as well as aspects of personality.
The controller must, upon request, provide clear and adequate information about the criteria and procedures used in the automated decision. Where the controller refuses to disclose this information on the grounds of commercial or industrial secrecy, the ANPD may carry out an audit to check for discriminatory aspects in the automated processing.
ANPD President Waldemar Gonçalves has stated publicly that the authority is already using Article 20 as a basis for regulating AI-related data processing, even before a dedicated AI legal framework is enacted in Brazil. The ANPD's 2025-2026 regulatory agenda explicitly includes advancing the interpretation of Article 20 and developing parameters for data governance in AI-driven processing.
How Controllers Must Respond
Article 18(3) requires that rights be exercised through an express request by the data subject (or their legal representative) to the processing agent. There is no prescribed format - requests can arrive by email, phone, letter, or through an online portal.
The response deadlines are strict:
| Request type | Deadline | Source |
|---|---|---|
| Simplified confirmation of processing | Immediately | Article 19(I) |
| Detailed access statement | 15 days | Article 19(II) |
| All other Article 18 rights | As regulated by the ANPD (until then: immediately, or an Article 18(4) response explaining why immediate action is not possible) | Article 18(4), Article 18(5), Article 19(4) |
Unlike the GDPR, the LGPD offers no built-in extension for complex requests. The ANPD has the authority to modify these timeframes for specific sectors under Article 19(4), but has not yet done so.
If the controller cannot comply immediately, Article 18(4) permits two responses: either indicate that it is not the processing agent and identify who is, or provide the factual or legal reasons preventing immediate action. All responses must be provided free of charge.
LGPD vs GDPR: How the Rights Compare
The LGPD's data subject rights closely mirror those in the GDPR, but with several practical differences that matter for compliance teams.
| Aspect | LGPD | GDPR |
|---|---|---|
| Number of rights | 9 (Article 18) plus automated decision review (Article 20) | 8 core rights (Articles 13-22) |
| Access response deadline | Immediately (simplified) or 15 days (detailed) | 1 month, extendable by 2 months |
| Extension for complex requests | Not provided in the law | Up to 2 additional months with notice |
| Right to object | Limited to non-consent bases where LGPD is violated | Broader - applies to legitimate interest and public interest processing |
| Portability format | Not yet specified (ANPD to regulate) | Structured, commonly used, machine-readable |
| Breach notification to data subjects | Always required for relevant-risk incidents | Only when high risk to rights and freedoms |
| DPO requirement | All controllers (Article 41), subject to exemptions the ANPD sets by regulation | Only in specific circumstances (Article 37) |
One notable difference: the LGPD explicitly splits the right to information about data sharing (Article 18(VII)) into its own standalone right, whereas the GDPR bundles this within the broader right to be informed. For website owners operating across both jurisdictions, the stricter LGPD deadlines will typically set the compliance baseline.
Enforcement: What Happens When Rights Are Ignored
Data subjects who believe their rights have been violated can petition the ANPD directly under Article 18(1). The law also permits collective judicial actions under Article 22, and consumer protection authorities can pursue claims independently of the ANPD.
The ANPD has moved from cautious early enforcement to increasingly assertive action. In 2023, it issued its first-ever fine - BRL 14,400 against Telekall Infoservice, a telecom company that processed personal data without a lawful basis and failed to appoint a Data Protection Officer. In 2024, it sanctioned multiple public entities for failing to notify data subjects of security incidents, and took enforcement action against Meta and X Corp over the use of Brazilian users' data for AI training without adequate transparency or opt-out mechanisms.
The ANPD has since been transformed into an independent regulatory agency (an autarquia of special nature) with its own assets and full functional, technical, and financial autonomy. This institutional upgrade - placing it on the same footing as regulators in energy and telecommunications - signals that enforcement will only intensify. The ANPD has also published a Priority Topics Map for 2026-2027 and launched monitoring proceedings against twenty large companies that failed to appoint a DPO or provide effective communication channels for data subjects.
Practical Steps for Website Owners
If your website collects data from visitors in Brazil - through cookies, forms, user accounts, or analytics tools - you are likely a controller under the LGPD and must facilitate these rights. Here is what that looks like in practice.
Appoint a Data Protection Officer (the LGPD's "encarregado") and publish their contact details prominently on your website. Article 41 requires this of all controllers, not just those meeting specific thresholds; the one carve-out is for small-scale processing agents, which ANPD Resolution CD/ANPD No. 2/2022 exempts from the appointment while still requiring them to offer a communication channel for data subjects. Set up a documented intake process for data subject requests - whether through a dedicated email address, a web form, or an integrated privacy portal. Log every request, the date received, the computed deadline, and the date fulfilled.
Map your data flows so you know exactly where personal data sits, who has access to it, and which third parties have received it. Without this groundwork, you cannot respond to access, portability, or sharing-disclosure requests within the required timeframes. Run a cookie scan to identify all first-party and third-party cookies on your site, categorise them, and ensure your consent mechanism collects valid, informed, and unambiguous consent as required by Articles 7 and 8 of the LGPD.
Build deletion and anonymisation workflows that cascade across your systems and processors. Remember Article 18(6): when you delete or correct data, you must notify every entity you have shared it with.
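The three steps above (a logged intake with computed deadlines, a data-flow map, and a deletion workflow that cascades to every recipient) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Kukie.io's code or an ANPD-endorsed design. Every store name, vendor name, subject id and record in it is constructed for the example. It applies the Article 19 windows to an access request, answers an Article 18(VII) "who received my data" question from the flow map, and refuses to skip a downstream recipient during an Article 18(6) cascade unless a written "impossible or disproportionate effort" justification is recorded against it.

```python
"""Constructed example: a minimal LGPD data-subject-request ledger.

Not Kukie.io code. Store names, vendors, ids and records are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Statutory windows from Art. 19: simplified confirmation immediately, full
# statement within 15 days of the request. Other Art. 18 rights have no
# statutory number yet (Art. 18(5) defers to ANPD regulation), so they default
# to 0 here, i.e. "immediately".
DEADLINE_DAYS = {"confirmation": 0, "access_detailed": 15}


@dataclass
class DataSubjectRequest:
    request_id: str
    subject_id: str
    kind: str
    received: date
    fulfilled: date | None = None

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS.get(self.kind, 0))

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled is None and today > self.deadline


@dataclass
class DataFlowMap:
    """Data category -> internal stores holding it, and third parties that received it."""
    stores: dict[str, set[str]] = field(default_factory=dict)
    recipients: dict[str, set[str]] = field(default_factory=dict)

    def stores_for(self, categories: set[str]) -> set[str]:
        return set().union(*(self.stores.get(c, set()) for c in categories))

    def recipients_for(self, categories: set[str]) -> set[str]:
        """Art. 18(VII): every entity that received any of these categories."""
        return set().union(*(self.recipients.get(c, set()) for c in categories))


@dataclass
class CascadeResult:
    deleted_from: set[str]
    notified: set[str]
    exempted: dict[str, str]   # recipient -> written justification (Art. 18(6))


def cascade_delete(subject_id: str, categories: set[str], flow: DataFlowMap,
                   stores: dict[str, dict[str, dict]], outbox: list[tuple[str, str]],
                   exemptions: dict[str, str] | None = None) -> CascadeResult:
    """Erase the subject from every internal store, then notify every recipient.

    A recipient may only be skipped with a recorded reason (impossible or
    disproportionate effort, Art. 18(6)); an empty reason is rejected so that
    no recipient is silently left out of the cascade.
    """
    exemptions = exemptions or {}
    deleted: set[str] = set()
    for store_name in flow.stores_for(categories):
        if stores.get(store_name, {}).pop(subject_id, None) is not None:
            deleted.add(store_name)
    notified: set[str] = set()
    exempted: dict[str, str] = {}
    for recipient in sorted(flow.recipients_for(categories)):
        if recipient in exemptions:
            if not exemptions[recipient].strip():
                raise ValueError(f"exemption for {recipient} needs a justification")
            exempted[recipient] = exemptions[recipient]
            continue
        outbox.append((recipient, subject_id))   # stands in for the real notification
        notified.add(recipient)
    return CascadeResult(deleted, notified, exempted)


# Constructed flow map: which stores hold each category and who received it.
FLOW = DataFlowMap(
    stores={"account": {"users_db"}, "analytics": {"events_warehouse"},
            "marketing": {"crm"}},
    recipients={"analytics": {"analytics-vendor"},
                "marketing": {"email-vendor", "ad-network"}},
)


def demo() -> tuple[DataSubjectRequest, CascadeResult, list[tuple[str, str]]]:
    """Run one access request and one cascading deletion over constructed data."""
    stores = {"users_db": {"u-42": {"email": "x@example.org"}},
              "events_warehouse": {"u-42": {"pageviews": 17}},
              "crm": {"u-42": {"segment": "trial"}}}
    outbox: list[tuple[str, str]] = []
    req = DataSubjectRequest("dsr-001", "u-42", "access_detailed", date(2025, 3, 3))
    result = cascade_delete("u-42", {"account", "analytics", "marketing"}, FLOW,
                            stores, outbox,
                            exemptions={"ad-network": "contract ended 2023; no live channel"})
    return req, result, outbox


if __name__ == "__main__":
    request, cascade, sent = demo()
    print("deadline:", request.deadline, "overdue on 2025-03-19:",
          request.is_overdue(date(2025, 3, 19)))
    print("deleted from:", sorted(cascade.deleted_from))
    print("notified:", sorted(cascade.notified), "exempted:", cascade.exempted)
```

The point of the `exemptions` argument is that the Article 18(6) carve-out is a decision someone has to own: the ledger will not let a vendor drop out of the cascade without a reason attached to the audit record, which is what you will need to show the ANPD if the omission is ever questioned.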
Frequently Asked Questions
How quickly must a controller respond to a data subject access request under the LGPD?
For a simplified confirmation of processing, the response must be immediate. For a detailed statement covering data origins, processing criteria, and purposes, the controller has 15 days from the date of the request (Article 19).
Can a controller charge a fee for handling LGPD data subject requests?
No. Article 18(5) states that all data subject requests must be fulfilled free of charge, within the timeframes established by law or regulation.
Does the LGPD right to portability apply to anonymised data?
No. Article 18(7) explicitly excludes data that has already been anonymised by the controller from the scope of the portability right.
What is the difference between deletion under Article 18(IV) and Article 18(VI)?
Article 18(IV) covers the deletion, blocking, or anonymisation of data that is unnecessary, excessive, or non-compliant with the LGPD - regardless of the legal basis. Article 18(VI) specifically applies to the erasure of data processed on the basis of consent, subject to the retention exceptions in Article 16.
Can a data subject in Brazil request a review of an automated decision?
Yes. Article 20 grants the right to request a review of any decision made solely through automated processing that affects the individual's interests, including profiling for credit, consumer, or personality assessments. Note that the LGPD, unlike the GDPR's Article 22, does not require the review to be carried out by a human; the requirement that the reviewer be a natural person was removed before the law entered into force. The controller must explain the criteria and procedures used, or, where it withholds them as commercial or industrial secrets, the ANPD may audit the process for discriminatory aspects.
What penalties can the ANPD impose for failing to honour data subject rights?
Sanctions range from warnings with corrective deadlines to fines of up to 2% of the company's Brazilian gross revenue (capped at BRL 50 million per infraction), public disclosure of the violation, data blocking or deletion orders, and partial or total suspension of processing activities.
Take Control of Your Cookie Compliance
If your website serves visitors in Brazil, data subject rights under the LGPD apply to you - and the ANPD is watching. Kukie.io helps you identify every cookie on your site, categorise them correctly, and collect valid consent that satisfies the LGPD's requirements alongside GDPR, CCPA, and other global regulations.