LGPD at a Glance

The Lei Geral de Proteção de Dados, or LGPD (Law No. 13,709/2018), is Brazil's first comprehensive data protection law. It took effect on 18 August 2020, with enforcement penalties kicking in from 1 August 2021. The law was modelled heavily on the EU's General Data Protection Regulation, but it is not a copy. It has its own scope, its own definitions, and a few notable departures from the European framework.

Brazil has over 140 million internet users, making it the largest online market in Latin America and the fourth largest globally. Before the LGPD, personal data protection was scattered across more than 40 federal-level laws and sectoral regulations, from the Consumer Protection Code to the Marco Civil da Internet. The LGPD consolidated all of that into a single framework.

The law is enforced by the Autoridade Nacional de Proteção de Dados (ANPD). In September 2025, Provisional Measure No. 1,317/2025 transformed the ANPD from a standard federal authority into a full independent regulatory agency, with its own budget, technical staff, and enforcement powers comparable to Brazil's telecom and health regulators. That transition is still being formalised through Congress, but the signal is clear: enforcement is ramping up, not winding down.

Who Does the LGPD Apply To?

The LGPD applies to any natural person or legal entity - public or private - that processes personal data, provided at least one of these conditions is met:

  • The processing takes place in Brazil
  • The data belongs to individuals located in Brazil, regardless of where the processing entity is based
  • The personal data was collected in Brazil

This extraterritorial reach is similar to the GDPR's. If your website serves visitors in Brazil, sets cookies, or collects form submissions from Brazilian users, the LGPD applies to you. The location of your servers or your company's headquarters does not matter.

There are a few exemptions. Processing carried out by a natural person for purely private, non-economic purposes is excluded. So is processing done exclusively for journalistic, artistic, or academic purposes, and processing related to national security, public safety, or criminal investigations.

What Counts as Personal Data Under the LGPD?

Article 5 of the LGPD defines personal data as any information related to an identified or identifiable natural person. That definition is broad. Names, email addresses, phone numbers, and ID numbers all qualify, but so do IP addresses, device identifiers, cookie IDs, and behavioural profiles that can be linked back to a specific person.

The law also creates a separate category of sensitive personal data. This includes information about racial or ethnic origin, religious beliefs, political opinions, trade union membership, health data, sex life, genetic data, and biometric data. Sensitive data gets stricter treatment - three of the ten legal bases available for ordinary personal data (legitimate interests, credit protection, and contract performance) cannot be used for sensitive data processing.

Anonymised data sits outside the LGPD's scope, but only if the anonymisation process cannot be reversed using reasonable technical efforts. Pseudonymised data, on the other hand, still qualifies as personal data.

The Ten Legal Bases for Processing

One of the most notable differences between the LGPD and the GDPR is the number of legal bases. The GDPR has six. The LGPD has ten, listed in Article 7. None of them sit in a hierarchy - the appropriate basis depends on the specific processing activity.

| Legal Basis | Description | Available for Sensitive Data? |
|---|---|---|
| Consent | Free, informed, and unambiguous agreement from the data subject | Yes |
| Legal or regulatory obligation | Processing required by law or regulation | Yes |
| Public policy | Execution of public policies by public authorities | Yes |
| Research | Studies by research bodies, with anonymisation where possible | Yes |
| Contract performance | Necessary for executing or preparing a contract with the data subject | No |
| Exercise of legal rights | Judicial, administrative, or arbitration proceedings | Yes |
| Protection of life | Protecting the life or physical safety of the data subject or third party | Yes |
| Health protection | Procedures carried out by health professionals or services | Yes |
| Legitimate interests | Controller's or third party's legitimate interests, balanced against data subject rights | No |
| Credit protection | Processing for the purpose of protecting credit | No |

The tenth basis - credit protection - is unique to the LGPD and does not exist in the GDPR. It reflects Brazil's existing legal framework around credit scoring and consumer finance.

For cookies and online tracking, consent and legitimate interests are the two bases that matter most. The ANPD's October 2022 cookie guidance made this explicit: consent is the proper basis for non-essential cookies, and it must be freely given, informed, and unambiguous.

Cookie Consent Under the LGPD

The LGPD does not contain a standalone "cookie law" equivalent to the EU's ePrivacy Directive. Instead, cookie compliance falls under the general data protection rules. Because cookies like _ga, _fbp, or _gid collect data that can identify or profile individuals, they constitute personal data processing and need a valid legal basis.

The ANPD published its cookie guidance on 18 October 2022, settling several open questions. The key takeaways:

  • Essential cookies can rely on legitimate interests (or, more precisely, contract performance in many cases) and do not require prior consent. A session cookie like PHPSESSID that keeps a shopping cart alive falls into this category.
  • Non-essential cookies - analytics, advertising, social media tracking - require consent. That consent must be specific to each category of cookies, not a blanket "accept all" with no granularity.
  • Cookie banners must give users equally prominent options to accept or refuse non-essential cookies. Pre-ticked boxes, implied consent through continued browsing, or dark patterns that steer users toward acceptance are not compliant.
  • Users must be able to withdraw consent at any time through a simple, free mechanism.

If your website targets Brazilian visitors, your cookie banner needs a Portuguese translation. The ANPD's guidance specifically requires this.

What a Compliant Cookie Banner Looks Like

A first-level banner (the one visitors see immediately on landing) should explain what cookies are being used and why, offer clear accept and reject options of equal visual weight, and link to your full cookie policy. A second-level interface - often called a preference centre - should let visitors toggle individual cookie categories on or off. Non-essential cookies must be off by default until the visitor actively opts in.

Kukie.io's cookie banner supports LGPD-compliant configurations, including geo-targeted rules so Brazilian visitors see the appropriate consent experience. You can scan your site to see which cookies you are currently setting and map them to the right categories using Kukie.io's features page.

Data Subject Rights

Article 18 of the LGPD grants individuals nine specific rights. Controllers must respond to data subject requests within 15 days. The rights include:

  • Confirmation and access - the right to know whether processing is taking place and to access the data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymisation, blocking, or deletion of unnecessary or excessive data
  • Data portability to another service provider
  • Deletion of data processed with consent, when consent is withdrawn
  • Information about third parties with whom data has been shared
  • Information about what happens if consent is refused
  • Revocation of consent
  • Review of automated decisions, including profiling (Article 20)

The right to be informed about the consequences of refusing consent is a detail the GDPR lacks. It gives Brazilian data subjects a clearer picture of what they are agreeing to and what they lose by opting out.

Enforcement: The ANPD Gets Serious

The ANPD spent its first few years building regulatory infrastructure - publishing guidance, setting up complaints processes, and issuing dosimetry rules for how fines would be calculated. Since 2023, the pace of enforcement has accelerated sharply.

The first-ever LGPD fine came in July 2023, when the ANPD sanctioned Telekall Infoservice, a small telemarketing company, for processing personal data without a legal basis, failing to appoint a Data Protection Officer, and obstructing the investigation. The fine was BRL 14,400 (roughly USD 3,000) - modest in absolute terms, but it represented 2% of the company's annual revenue, the statutory maximum percentage. The message was that compliance applies to businesses of every size.

Since then, the ANPD has sanctioned multiple public entities for data breach notification failures and inadequate security measures. It ordered Meta to suspend the use of Brazilian users' personal data for AI training in July 2024, threatening a daily fine of BRL 50,000 for non-compliance. Meta complied and submitted a corrective plan. In November 2024, the ANPD launched investigations into 20 large companies for failing to appoint a DPO or provide accessible communication channels for data subjects.

Maximum Penalties

The LGPD allows the following administrative sanctions:

  • Warnings, with a deadline for corrective action
  • Simple fines of up to 2% of the company's revenue in Brazil for the previous fiscal year, capped at BRL 50 million (roughly USD 9.3 million) per violation
  • Daily fines, subject to the same cap
  • Public disclosure of the violation
  • Blocking or deletion of personal data related to the violation
  • Partial or total suspension of data processing activities for up to six months, renewable

Public entities cannot be fined under the LGPD, but they can receive warnings and corrective orders. Private entities face the full range of sanctions. Beyond ANPD enforcement, individual and collective lawsuits under the Consumer Protection Code and actions by the Public Prosecutor's Office are also possible.

LGPD vs GDPR: Key Differences

If you already comply with the GDPR, the LGPD will feel familiar. But there are differences worth paying attention to.

| Area | GDPR | LGPD |
|---|---|---|
| Legal bases for processing | 6 | 10 (adds research, health protection, credit protection, public policy) |
| Data Protection Officer | Required in specific circumstances | Required for all controllers (with exemptions for small-scale agents) |
| Breach notification deadline | 72 hours to the DPA | 3 working days to the ANPD and data subjects (since Resolution 15/2024) |
| Maximum fine | EUR 20 million or 4% of global annual turnover | BRL 50 million or 2% of revenue in Brazil |
| Sensitive data - legal bases | 6 (consent plus specific exemptions) | 7 (excludes legitimate interests, credit protection, and contracts) |
| International transfers | Adequacy decisions, SCCs, BCRs | SCCs mandatory since August 2025; no adequacy decisions issued yet |

The DPO requirement is broader under the LGPD. The GDPR only mandates a DPO for public authorities and organisations whose core activities involve large-scale processing of sensitive data or systematic monitoring. The LGPD requires every controller to appoint one, though small-scale processing agents (those with annual revenue under BRL 4.8 million and low-risk processing) may qualify for an exemption under Resolution CD/ANPD No. 2.

International Data Transfers

The LGPD restricts transfers of personal data outside Brazil under Article 33. Until recently, the rules lacked practical detail. That changed in August 2024, when the ANPD published Resolution CD/ANPD No. 19/2024, introducing a formal international data transfer regulation along with Brazil's own Standard Contractual Clauses.

The compliance deadline for adopting these SCCs was 23 August 2025. Organisations that transfer personal data from Brazil - whether to cloud providers, analytics platforms, or parent companies abroad - now need SCCs in place or another approved mechanism. No adequacy decisions have been issued yet, so SCCs are currently the only viable route for most businesses.

A foreign entity that directly collects data from individuals in Brazil (through a website, for example) is not performing an "international transfer" under the regulation, but it is still subject to the LGPD itself. If that entity then shares the collected data with a third party, that onward transfer does qualify and must be covered by SCCs.

What Is Coming Next

The ANPD's 2025-2026 Regulatory Agenda signals several priorities. Regulations on data subject rights, Data Protection Impact Assessments, and the processing of children's and adolescents' data are expected in the first phase. Biometric data processing rules are also in development, following an ANPD consultation in mid-2025 that received 88 contributions.

Brazil's Digital Statute for Children and Adolescents (the "Digital ECA"), enacted as Law No. 15,211/2025, takes effect on 17 March 2026. The ANPD has been designated as the authority responsible for overseeing its enforcement, including rules around age verification, parental controls, and data processing for minors in digital environments.

AI regulation is another area to watch. The ANPD has stated publicly that it can regulate AI-related data processing under existing LGPD provisions, specifically Article 20 on automated decision-making, while Brazil's separate AI legal framework works its way through Congress.

Practical Steps for Website Owners

If your website attracts visitors from Brazil, here is what compliance looks like in practice.

Start by scanning your site to identify every cookie and tracker. Many websites set 20-40 cookies without the site owner fully realising it, especially when third-party scripts like Google Analytics 4, Meta Pixel, or embedded videos are involved. Use the free cookie scanner to detect and categorise these automatically.

Classify your cookies. Essential cookies (session management, security tokens, load balancing) can proceed without consent. Everything else - analytics (_ga, _gid), advertising (_fbp, _gcl_au), social media embeds - needs opt-in consent from Brazilian visitors before firing.

Configure your cookie banner for the LGPD. It must be available in Portuguese, offer granular category-level choices, present accept and reject options with equal visual prominence, and not set non-essential cookies until the visitor actively consents. If you use a consent management platform like Kukie.io, set up geo-targeting rules so the LGPD-compliant banner appears specifically for visitors from Brazil, while other regions see the appropriate banner for their local laws.

Appoint a DPO and make their contact details publicly available on your website. Review your privacy policy to include all information required under Articles 9 and 18 of the LGPD, in clear, accessible language. If you transfer personal data outside Brazil, make sure your contracts include the ANPD-approved SCCs.
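The consent rules from the ANPD guidance and the classification step above, expressed as a small consent gate (an added example, not Kukie.io's or the ANPD's code). Cookie names are the ones listed on this page; the "social" category has no cookie names on the page, and the script list is assumed.

```javascript
// Added example, not Kukie.io's or the ANPD's code. Cookie names are those the
// page lists; the "social" category's cookie names and the script list are assumed.

// Known cookie names grouped into the categories the page uses. GA4 also sets
// "_ga_<container id>", so a prefix match on "<name>_" is accepted as well.
const COOKIE_CATEGORIES = {
  essential: ["PHPSESSID"],          // session management: no consent needed
  analytics: ["_ga", "_gid"],
  advertising: ["_fbp", "_gcl_au"],
};

function classifyCookie(name) {
  for (const [category, names] of Object.entries(COOKIE_CATEGORIES)) {
    if (names.some((n) => name === n || name.startsWith(n + "_"))) return category;
  }
  return "unknown"; // anything unrecognised is treated as non-essential below
}

// Every non-essential category is off until the visitor actively opts in.
function defaultConsent() {
  return { essential: true, analytics: false, advertising: false, social: false };
}

// Granular opt-in: only the named categories switch on; unknown names are ignored.
function grantConsent(state, categories) {
  const next = { ...state };
  for (const c of categories) if (c in next && c !== "essential") next[c] = true;
  return next;
}

// Withdrawal must be as easy as granting: one call clears every non-essential category.
function withdrawConsent() {
  return defaultConsent();
}

// Gate third-party scripts: a script fires only if its category is consented.
function allowedScripts(state, scripts) {
  return scripts.filter((s) => s.category === "essential" || state[s.category] === true);
}

// After a refusal or withdrawal, cookies outside the consented categories must be removed.
function cookiesToPurge(state, cookieNames) {
  return cookieNames.filter((name) => {
    const category = classifyCookie(name);
    return category !== "essential" && state[category] !== true;
  });
}
```

In a real page the banner's accept and reject buttons would call grantConsent or withdrawConsent, persist the result, and pass it to allowedScripts before any tag is injected; cookiesToPurge gives the names to expire when consent is withdrawn.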

Frequently Asked Questions

Does the LGPD apply to websites outside Brazil?

Yes. If your website processes personal data of individuals located in Brazil, or if you offer goods or services to people in Brazil, the LGPD applies regardless of where your business is based.

Do I need a cookie consent banner for Brazi