What the LGPD Actually Is - and Why It Matters Beyond Brazil
The Lei Geral de Proteção de Dados (Law No. 13,709/2018) is Brazil's comprehensive data protection framework. It entered into force on 18 September 2020, with administrative penalties becoming enforceable from 1 August 2021. The law consolidated more than 40 pre-existing federal rules into a single regime that governs how personal data may be collected, stored, processed, and shared.
Brazil has over 140 million internet users - the largest online population in Latin America and the fourth largest globally. That user base makes the LGPD relevant to virtually any company with a web presence that attracts traffic from South America.
The LGPD draws heavy inspiration from the EU's General Data Protection Regulation. Both laws share similar principles around transparency, purpose limitation, and data minimisation. But the LGPD is not a carbon copy. It defines ten legal bases for processing (the GDPR has six), treats sensitive data somewhat differently, and calculates fines based on Brazilian revenue rather than global turnover. Where it aligns most closely with the GDPR is in its territorial ambitions: both laws reach beyond their home borders.
Territorial Scope Under Article 3
Article 3 is the provision that gives the LGPD its extraterritorial reach. It states that the law applies to any processing operation carried out by a natural person or legal entity - public or private - regardless of the country where the organisation is headquartered or where the data is physically stored. Three conditions trigger applicability, and meeting just one of them is enough.
Condition 1: The processing takes place in Brazilian territory. If you operate servers in Brazil, have employees processing data from a Brazilian office, or use a local data centre, the LGPD applies. This is straightforward territorial jurisdiction.
Condition 2: The processing targets individuals in Brazil. This is where the extraterritorial bite comes in. If your website offers goods or services to people located in Brazil, or if you process data belonging to individuals who are in Brazil at the time of collection, you fall within scope - even without a single employee or server in the country. A European e-commerce shop that ships to Brazilian addresses, a SaaS platform with Brazilian subscribers, or a news site that collects _ga cookie data from visitors browsing from São Paulo all meet this criterion.
Condition 3: The personal data was collected in Brazilian territory. Article 3(1) clarifies that data is considered "collected in the national territory" when the data subject was physically in Brazil at the moment of collection. A tourist visiting Rio de Janeiro who signs up for a service while on Brazilian soil generates data that falls under the LGPD, even if the service itself is based in another country.
How This Differs from the GDPR's Territorial Scope
The GDPR's territorial scope under its Article 3 includes a "monitoring" trigger: the regulation applies to organisations that track the behaviour of individuals in the EU, even without offering them goods or services. The LGPD has no equivalent monitoring provision. In theory, this means a company that passively tracks Brazilian users' online behaviour without offering them anything might argue it falls outside the LGPD's scope. In practice, the ANPD has not tested this distinction, and most tracking activities involve cookies or analytics that qualify as "processing" under the law anyway.
Another difference: the GDPR requires non-EU organisations within its scope to appoint an EU representative. The LGPD has no such requirement. There is no obligation to appoint a local representative in Brazil, though controllers must appoint a Data Protection Officer whose contact details are publicly accessible.
| Trigger | LGPD (Article 3) | GDPR (Article 3) |
|---|---|---|
| Processing in the territory | Yes | Yes (via establishment) |
| Offering goods/services to individuals in the territory | Yes | Yes |
| Data collected in the territory | Yes | No explicit equivalent |
| Monitoring behaviour of individuals in the territory | No explicit provision | Yes |
| Requirement to appoint a local representative | No | Yes (Article 27) |
The Four Exemptions Under Article 4
Article 4 carves out four categories of processing that sit outside the LGPD entirely. These are narrow, and they do not help most commercial organisations.
Private, non-economic use. If a natural person processes data purely for personal reasons with no commercial motive - a family photo album, a personal contact list - the LGPD does not apply. The moment the activity becomes economic (selling products using that contact list, for example), the exemption evaporates.
Journalistic, artistic, or academic purposes. Processing carried out exclusively for journalism, art, or academic research sits outside the LGPD's general rules. Academic processing still needs to comply with Articles 7 and 11 regarding legal bases, so this exemption is partial rather than absolute.
National security and law enforcement. Data processing for public security, national defence, state security, or the investigation and prosecution of criminal offences falls under separate legislation. Private entities cannot invoke this exemption unless they are acting under the direct authority of a public body, and even then, the processing must be reported to the ANPD.
Data originating outside Brazil with no local nexus. Article 4(IV) excludes data that originates in another country and passes through Brazil without being communicated to Brazilian processing agents, shared with them, or transferred internationally to a country other than the country of origin. This is a transit exemption: if the data merely passes through Brazilian infrastructure without being accessed, used, or stored by any entity in Brazil, the LGPD does not apply. Once any Brazilian entity touches the data, the exemption falls away.
Articles 1 and 2: The Foundation and Principles
Article 1 sets the LGPD's overarching purpose: protecting the fundamental rights of freedom, privacy, and the free development of personality. It applies to data processing by digital and non-digital means alike. The sole paragraph, added by Law No. 13,853/2019, confirms that the LGPD is of "national interest" and must be observed uniformly by all levels of government - federal, state, and municipal.
Article 2 lists the seven foundational pillars on which the law rests. These include respect for privacy, informational self-determination, freedom of expression, the inviolability of intimacy and reputation, economic and technological development, free enterprise and consumer protection, and human rights. These are not abstract ideals. The ANPD references them when evaluating enforcement cases. When it suspended Meta's use of Brazilian user data for AI training in July 2024, the authority's reasoning cited the need to protect data subjects' fundamental rights against the company's legitimate interest claims.
Real Enforcement: The ANPD Is Not a Paper Tiger
A law's territorial scope only matters if someone enforces it. The Autoridade Nacional de Proteção de Dados has moved from a regulatory setup phase into active enforcement, and it is not limiting itself to domestic targets.
The ANPD's first-ever sanction came in July 2023 against Telekall Infoservice, a small telemarketing company fined BRL 14,400 (approximately USD 3,000) for processing personal data without a legal basis and failing to appoint a DPO. The amount was small, but it represented the statutory maximum of 2% of the company's annual revenue - a signal that size offers no shelter from compliance.
The authority's most prominent action against a foreign company came on 2 July 2024, when it ordered Meta to immediately suspend processing Brazilian users' personal data from Facebook, Instagram, and Messenger for the purpose of training generative AI models. Meta had updated its privacy policy in June 2024 to permit this processing under a legitimate interest basis. The ANPD found the policy inadequate on multiple grounds: insufficient transparency, no meaningful opt-out mechanism, and a failure to protect the data of children and adolescents. The order carried a daily fine of BRL 50,000 for non-compliance. Meta complied, submitted a corrective plan, and the suspension was lifted on 30 August 2024 after the company agreed to notify users, provide opt-out tools, and exclude data from minors.
The ANPD also took action against X (formerly Twitter) for using posts to train its Grok AI model, and against ByteDance (TikTok's parent company) over age verification failures in December 2024. It investigated Sam Altman's Tools for Humanity project for offering cryptocurrency in exchange for biometric iris scans. These cases demonstrate that the ANPD treats foreign technology companies as fully within its jurisdiction when they process data of individuals in Brazil.
The ANPD's Institutional Upgrade
On 18 September 2025, Provisional Measure No. 1,317/2025 transformed the ANPD from a standard federal authority into an independent regulatory agency with its own budget, technical staff, and enforcement powers. The measure created 200 specialist positions for data protection regulation and was approved by both houses of Congress in February 2026, pending presidential sanction. The upgraded ANPD now sits alongside Brazil's telecom regulator (Anatel) and health surveillance agency (Anvisa) in terms of institutional standing. It can order businesses to cease operations and request police assistance in cases of obstruction.
Practical Scenarios: Does the LGPD Apply to You?
The extraterritorial scope sounds broad, but how does it translate into concrete situations? Here are common scenarios website owners face.
You run an e-commerce site that ships to Brazil. The LGPD applies. You are offering goods to individuals in Brazilian territory, and you are collecting their names, addresses, and payment details in the process. Your checkout flow, cookie categories, and privacy policy all need to comply.
You operate a SaaS product with Brazilian customers. The LGPD applies. Contract performance is one of the ten legal bases, but analytics cookies, marketing trackers, and behavioural profiling still require consent.
You have a blog with global traffic, including visitors from Brazil. If your site sets functional cookies, analytics trackers like _ga or _gid, or advertising pixels like _fbp, you are processing personal data of Brazilian visitors. The LGPD applies. You need a consent mechanism that meets LGPD requirements for those visitors.
You are a B2B company dealing only with Brazilian businesses. The LGPD still applies. Even in B2B relationships, you process personal data belonging to your clients' employees and contacts - names, email addresses, phone numbers. That data is protected.
You have no Brazilian customers and do not target Brazil. If a Brazilian visitor happens to land on your site and you set tracking cookies, the strict reading of Article 3 could bring you within scope. Enforcement against a company with no commercial nexus to Brazil is unlikely in the near term, but the legal exposure exists. A geo-targeted consent management platform that shows Brazilian visitors an LGPD-compliant banner eliminates this risk with minimal effort.
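For the blog and "no Brazilian customers" scenarios above, here is an added example (not code from the article or from Kukie.io) of a consent gate and a pre-consent cookie audit in JavaScript: the _ga, _gid and _fbp names are the ones the article mentions, while the region code source, the lgpd_consent cookie name and its JSON shape are assumptions of this example.

```javascript
// Added example (not from the article or Kukie.io): consent gating plus a
// pre-consent cookie audit for the "blog with Brazilian visitors" scenario.
// The cookie names and categories are those the article names; the region code
// source, the consent cookie name and its JSON shape are assumptions.

const TRACKING_COOKIES = { _ga: 'analytics', _gid: 'analytics', _fbp: 'advertising' };
const LGPD_REGIONS = new Set(['BR']);   // assumed: ISO code from a CDN geo header or IP lookup
const CONSENT_COOKIE = 'lgpd_consent';  // assumed: URL-encoded JSON {"analytics":bool,"advertising":bool}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const value = part.slice(i + 1).trim();
    try { out[part.slice(0, i).trim()] = decodeURIComponent(value); }
    catch (e) { out[part.slice(0, i).trim()] = value; }  // not URL-encoded: keep raw
  }
  return out;
}

// Return the stored consent record, or null when it is missing or malformed.
// A malformed record must count as "no consent", never as consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, advertising: c.advertising === true };
  } catch (e) { return null; }
}

// Show the LGPD banner to visitors in an LGPD region until a valid record exists.
function needsLgpdBanner(regionCode, cookieString) {
  return LGPD_REGIONS.has((regionCode || '').toUpperCase()) && readConsent(cookieString) === null;
}

// Audit: tracking cookies already set although their category has no consent.
// Run against document.cookie on a first page view from Brazil; expect an empty list.
function auditPreConsentCookies(cookieString) {
  const consent = readConsent(cookieString) || { analytics: false, advertising: false };
  const present = parseCookies(cookieString);
  return Object.entries(TRACKING_COOKIES)
    .filter(([name, category]) => name in present && !consent[category])
    .map(([name, category]) => ({ name, category }));
}
```

Wire needsLgpdBanner into the page's banner logic and load analytics or advertising scripts only when the matching category in readConsent is true; a non-empty audit result on a Brazilian visitor's first page view means a tracker is being set before consent.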
Penalties for Non-Compliance
Article 52 sets out the sanctions the ANPD can impose. The maximum fine is 2% of the entity's revenue in Brazil for the previous fiscal year, capped at BRL 50 million (approximately USD 9.3 million) per violation. Daily fines can compound up to the same cap. Beyond financial penalties, the ANPD can issue warnings, order data deletion, mandate public disclosure of violations, and suspend or ban data processing activities for up to six months.
Fines are calculated on Brazilian revenue, not global turnover. This is a meaningful difference from the GDPR's penalty framework, which uses worldwide annual turnover as its baseline. For multinational companies with modest Brazilian operations, the LGPD's financial exposure is lower than the GDPR's. But the non-financial sanctions - particularly the power to suspend processing activities - can be commercially devastating for companies that depend on the Brazilian market.
Frequently Asked Questions
Does the LGPD apply to companies with no office or servers in Brazil?
Yes. Article 3 makes the LGPD applicable to any entity that processes personal data of individuals located in Brazil or offers goods and services to people in Brazil, regardless of where the company is headquartered or where its servers are located.
What triggers LGPD applicability for a foreign website?
Three triggers exist under Article 3: processing carried out in Brazil, processing aimed at offering goods or services to individuals in Brazil, or personal data collected while the data subject was physically in Brazil. Meeting any one of these brings your website within scope.
Is the LGPD the same as the GDPR?
No. The LGPD was influenced by the GDPR and shares many principles, but it has its own structure, ten legal bases (versus the GDPR's six), different penalty calculations (Brazilian revenue, not global turnover), and no "monitoring" trigger in its territorial scope. Companies already compliant with the GDPR have a head start but still need to address LGPD-specific requirements.
Are there any businesses exempt from the LGPD?
Article 4 exempts processing for purely personal and non-economic purposes, exclusive journalistic or artistic purposes, academic purposes (with conditions), national security and law enforcement, and data in transit through Brazil with no local processing. Commercial websites and online services do not qualify for any of these exemptions.
Can the ANPD enforce the LGPD against foreign companies?
Yes. The ANPD has already taken enforcement action against Meta, X (formerly Twitter), and ByteDance - all foreign companies processing data of individuals in Brazil. In July 2024, it ordered Meta to suspend AI training on Brazilian user data and threatened a daily fine of BRL 50,000 for non-compliance.
What is the maximum fine under the LGPD?
Up to 2% of the company's revenue in Brazil for the previous fiscal year, capped at BRL 50 million (roughly USD 9.3 million) per violation. Daily fines can also be applied up to the same total limit. The ANPD can additionally order data deletion, processing suspension, and public disclosure of violations.
Get Your Website Ready for LGPD Compliance
If your website receives traffic from Brazil and sets any non-essential cookies or trackers, you need a consent mechanism that satisfies LGPD requirements. Kukie.io detects every cookie on your site, categorises them automatically, and lets you configure geo-targeted banners so Brazilian visitors see the right consent experience - with accept and reject options of equal prominence, granular category toggles, and Portuguese translations.