What Is the LGPD? Brazil's General Data Protection Law, Explained

What is the LGPD? See who must comply, the 10 legal bases, data subject rights, penalties, and how it differs from GDPR for cookies and consent.


by Riad Us Salehin • 4 July 2026


The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil's comprehensive data protection law. It has been in force since September 18, 2020, and the ANPD enforces it. It applies to any organization worldwide that processes the personal data of people in Brazil, regardless of where the company is based.

This guide covers who must comply, the 10 legal bases for processing, and the nine data subject rights. It also covers the ANPD's penalty structure and how the LGPD differs from the GDPR, then closes with how Consently supports LGPD-facing consent requirements.

What Is the LGPD (Lei Geral de Proteção de Dados)?

The Lei Geral de Proteção de Dados Pessoais (LGPD), or General Personal Data Protection Law, is Brazil's comprehensive data protection statute, enacted as Law No. 13.709/2018. It is the country's first cross-sector data protection law.

It unifies roughly 40 prior Brazilian statutes into one framework and amends the Marco Civil da Internet (Law 12.965/2014), Brazil's earlier internet-governance law.

Before the LGPD, Brazil regulated personal data through scattered sector rules covering banking, telecommunications, health records, and consumer protection separately. The LGPD replaced that patchwork with a single set of obligations that applies across every industry, whether an organization operates online, offline, or both.

The law runs 65 articles and closely mirrors the structure of the European Union's General Data Protection Regulation (GDPR). The two differ in several concrete ways, covered later in this guide.

The wider landscape of data privacy laws now in force worldwide follows a similar pattern: a comprehensive, GDPR-influenced statute backed by a dedicated regulator.

When Did the LGPD Take Effect? A Quick Timeline

The LGPD was signed in 2018, took effect on September 18, 2020, and its penalties became enforceable on August 1, 2021. The gap between the law taking effect and its sanctions becoming enforceable gave organizations roughly 11 extra months to build compliance programs before facing fines.

The full timeline:

  • August 14, 2018: The LGPD is signed into law as Law No. 13.709/2018.
  • December 28, 2018: The ANPD (Autoridade Nacional de Proteção de Dados) is created by provisional measure.
  • September 18, 2020: The LGPD takes effect; its substantive obligations become binding.
  • August 1, 2021: The LGPD's administrative sanctions become enforceable, giving the ANPD authority to fine non-compliant organizations.

As of 2026, the ANPD actively monitors and sanctions organizations. Its own site currently references an active review of 21 companies and public bodies for potential LGPD violations, confirming the law is enforced, not dormant.

Who Has to Comply with the LGPD? (Does It Apply to Companies Outside Brazil?)

The LGPD applies to any organization, anywhere in the world, that processes personal data in Brazil. It also covers any organization that offers goods or services to people in Brazil, or that processes data collected within Brazil. Where the company or its servers are based does not matter. A US or European company with no Brazilian office can still fall under the law.

Three separate triggers each independently create LGPD obligations:

  • Processing data in Brazil: The organization collects, stores, or otherwise handles personal data within Brazilian territory, even through a local partner or subsidiary.
  • Offering goods or services to people in Brazil: The organization markets, sells, or provides a product or service to individuals located in Brazil, whether or not payment changes hands.
  • Processing data collected in Brazil: The personal data itself originated from someone physically in Brazil when it was collected, even if processing happens entirely on foreign servers.

Meeting any single trigger is enough. A US-based SaaS company with a handful of Brazilian trial users has already crossed the "offering goods or services" threshold.

Storing that data on servers outside Brazil does not remove the obligation. The American Bar Association confirms the law reaches "any natural person or legal entity" that processes Brazilians' data. That holds true even when the processing company sits entirely outside Brazil.

Key LGPD Terms: Controller, Processor, Data Subject, and DPO

The LGPD assigns distinct legal roles to the parties involved in handling personal data, and each role carries different obligations. Four terms recur throughout the law and its English-language coverage.

RolePortuguese termWhat it means
ControllercontroladorThe person or organization who decides why and how personal data is processed
ProcessoroperadorThe person or organization who processes data on the controller's behalf and instructions
Data subjecttitularThe individual whose personal data is being processed
Data Protection OfficerencarregadoThe person a controller designates as the point of contact between the organization, data subjects, and the ANPD

Controllers generally must appoint a DPO, or encarregado, though the exact exemptions for smaller organizations are still evolving under ANPD guidance. The LGPD splits responsibility between the controller and processor much like the GDPR does. That overlap is one reason organizations already GDPR-compliant find LGPD compliance more familiar than starting from scratch.

What Counts as Personal Data Under the LGPD?

The LGPD's definition of personal data is any information relating to an identified or identifiable natural person. That definition is broad enough to cover names, IP addresses, device identifiers, and behavioral data collected through cookies. Anonymized data falls outside this definition, unless the anonymization process could reasonably be reversed to re-identify someone.

That breadth means a website's analytics cookies, marketing pixels, and login records likely qualify as personal data. The trigger is simple: the moment they tie back to an individual visitor from Brazil, the LGPD applies.

Sensitive Personal Data (the Special Categories)

The LGPD designates certain categories of personal data as sensitive, requiring stricter handling than ordinary personal data. These categories are:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union, religious, philosophical, or political organization membership
  • Data concerning health or sex life
  • Genetic data
  • Biometric data

Processing any of these categories generally demands a narrower set of legal bases and tighter safeguards than ordinary personal data. Consider a developer sending a user's real name to a third-party API. That data demands the same caution the law applies to sensitive categories once identity and behavior combine to reveal something sensitive about the person.

The 10 Legal Bases for Processing Personal Data

Like the GDPR, the LGPD requires a lawful basis before any organization can process personal data. It provides ten legal bases, one more than the GDPR's six. Article 7 of the statute lists these bases:

  1. Consent from the data subject
  2. Compliance with a legal or regulatory obligation
  3. Execution of public policies by public administration
  4. Studies conducted by research bodies
  5. Performance of a contract with the data subject
  6. Exercise of rights in judicial, administrative, or arbitration proceedings
  7. Protection of life or physical safety
  8. Protection of health, in specific procedures
  9. Legitimate interests of the controller or third party
  10. Credit protection

Consent is the most commonly discussed basis for cookies and website tracking. It is not automatically required for every processing activity, though. A company invoicing a Brazilian customer under a signed contract, for instance, relies on the contract-performance basis rather than consent for that transaction.

What Rights Does the LGPD Give Data Subjects?

The LGPD grants nine data subject rights over personal data under Article 18. Controllers generally must respond to a verified data subject access request within 15 days, a third of the GDPR's standard one-month timeline.

The nine rights are:

  • Confirmation that processing of their data exists
  • Access to their data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or non-compliant data
  • Portability of their data to another provider
  • Deletion of data processed with their consent
  • Information about which public and private entities the controller shared their data with
  • Information about the option to refuse consent and the consequences of refusal
  • Revocation of consent

Consider a visitor who submitted an email address to a Brazilian e-commerce site. They can request the site confirm what data it holds, correct an outdated address, or withdraw consent entirely. The site then has 15 days to act on that verified request.

What Are the Penalties for Breaking the LGPD? (Fines and the ANPD)

The ANPD enforces the LGPD and can issue warnings, require data deletion, or suspend processing activities. It can also levy fines. The cap is 2% of the company's revenue in Brazil for the prior fiscal year, up to R$50 million per infraction. A single company can face multiple infractions, so the cap applies per violation, not per company overall.

The ANPD's sanction ladder escalates by severity:

SanctionWhat it involves
WarningA formal notice with a deadline to fix the violation
FineUp to 2% of Brazil revenue for the prior fiscal year, capped at R$50 million per infraction
Publicization of the violationThe infraction is made public
Blocking or deletion of the data involvedThe ANPD orders the affected data blocked or erased
Suspension of the processing activityThe specific data-processing operation is halted

The ANPD's enforcement is not theoretical. In 2023, it issued its first data protection fine (Forbes, 2023). The company chose not to challenge the decision, cutting the fine to R$10,800 (about $2,225).

A 2025 case resulted in a R$14,400 (about $2,960) fine for a small business, capped under the law's small-business provisions. That case also required a mandatory DPO appointment within 30 days.

Both cases show the ANPD fining organizations well below the R$50 million ceiling. Smaller sites face real exposure, not just multinational enterprises.

Controllers and processors also carry a data-breach notification duty. Under Article 48, they must notify the ANPD and affected data subjects within a reasonable time period after becoming aware of a breach. The statute does not fix an exact number of days for this notice.

How Is the LGPD Different from the GDPR?

The LGPD was modeled closely on the GDPR and shares its overall structure. The two diverge on fines, response timelines, and the number of legal bases.

FactorLGPDGDPR
Maximum fine2% of Brazil revenue, capped at R$50 million per infraction4% of global annual revenue, capped at 20 million euros
Data subject response window15 days1 month
Legal bases for processing106
RegulatorANPD (single national authority)National DPAs plus the EDPB

The LGPD's ten legal bases give organizations more routes to a lawful basis than the GDPR's six. Its regulator structure is simpler too: one national authority, instead of a patchwork of national data protection authorities coordinated through the European Data Protection Board.

For a deeper dive into the GDPR itself, see what the GDPR requires. For a fuller comparison of how privacy laws differ across jurisdictions, see GDPR vs CCPA.

What the LGPD Means for Your Website and Cookies

A website with visitors in Brazil that uses cookies or trackers for analytics or advertising needs a lawful basis, often consent, before non-essential cookies fire. It also needs a clear privacy notice and a way for visitors to manage and withdraw consent.

The LGPD is principles-based rather than prescriptive about banner mechanics. Consent plus transparency is the safe default for any tracker that is not strictly necessary for the site to function.

A practical checklist for LGPD-facing sites:

  • Run a cookie and tracker inventory to know what is actually firing on the site
  • Display a consent banner that blocks non-essential cookies until the visitor responds
  • Publish a privacy policy that names what data is collected and why
  • Give visitors a way to review and withdraw consent after their first choice
  • Keep a record of each visitor's consent choice as compliance evidence

Teams already building GDPR-compliant cookie consent are close to LGPD-ready, since consent-first tracking satisfies both laws' default expectations.

For sites operating across multiple jurisdictions, a practical approach to cookie law compliance covers the cross-regional setup in more depth.

How Consently Helps You Meet the LGPD's Consent Requirements

Consently captures and records visitor consent before cookies and trackers load. It shows the right consent experience by region and generates the policy documents an LGPD privacy notice needs.

Consently is a consent management platform that blocks non-essential cookies, scripts, and iframes until a visitor consents. It then logs every choice as an exportable audit trail, the kind of record-keeping the LGPD expects a controller to maintain. That auto-blocking runs before any tracker fires, not after, which matters for a law built around consent preceding processing.

Two features support LGPD-facing sites specifically. Region-based, geotargeted banner display shows Brazilian visitors the consent experience suited to their region, and Consently's banners support 35 languages, including Portuguese.

The cookie policy, privacy policy, and terms and conditions generators produce the disclosure documents an LGPD privacy notice requires. No outside help is needed to draft them.

Consently's consent tooling, banners, and policy templates help you operationalize LGPD consent requirements. It does not replace legal advice and does not by itself guarantee full LGPD compliance.

Start your free trial to see the region-based banner and consent log in your own dashboard.

FAQs

What is the LGPD in simple terms?

The LGPD is Brazil's national data protection law, Law No. 13.709/2018, in force since September 18, 2020. It governs how organizations collect, use, and store the personal data of people in Brazil and is enforced by the ANPD.

What does LGPD stand for?

LGPD stands for Lei Geral de Proteção de Dados Pessoais, which translates to General Personal Data Protection Law in English.

When did the LGPD come into effect?

The LGPD took effect on September 18, 2020. Its administrative sanctions became enforceable later, on August 1, 2021.

Does the LGPD apply to companies outside Brazil?

Yes. The LGPD applies to any organization worldwide that processes personal data in Brazil, or that offers goods or services to people in Brazil. It also applies to any organization that processes data collected in Brazil, regardless of where the company itself is based.

What is the difference between the LGPD and the GDPR?

The LGPD caps fines at 2% of Brazil revenue, up to R$50 million per infraction. The GDPR caps fines at 4% of global revenue, up to 20 million euros. The LGPD also gives data subjects a 15-day response window instead of the GDPR's one month, and provides 10 legal bases instead of 6.

What are the penalties for LGPD non-compliance?

Penalties range from a warning to fines of up to 2% of a company's revenue in Brazil, capped at R$50 million per infraction. Suspension of the processing activity involved is also possible. The ANPD enforces these penalties.

Who enforces the LGPD?

The ANPD (Autoridade Nacional de Proteção de Dados), Brazil's National Data Protection Authority, enforces the LGPD. The ANPD was created in December 2018 and gained sanctioning power once penalties became enforceable in August 2021.

Does the LGPD require cookie consent?

The LGPD does not prescribe a specific cookie-banner mechanism, but it requires a lawful basis, often consent, before non-essential cookies and trackers process personal data. Consent paired with a clear privacy notice is the safest default for websites.

How many legal bases does the LGPD have?

The LGPD provides ten legal bases for processing personal data under Article 7, compared to the GDPR's six. Consent, legitimate interest, and contract performance are among the most commonly used.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.