Layer 5: Compliance
LGPD: Brazil's Data Protection Law
If you collect data from Brazilian residents — even from outside Brazil — LGPD applies. Here's what foreign companies need to know to stay compliant.
Does LGPD apply to your company?
LGPD has extraterritorial reach — similar to GDPR. It applies to any organization that:
- Processes personal data in Brazil (regardless of where the company is headquartered)
- Collects data from individuals located in Brazil (regardless of nationality)
- Processes data to offer goods or services to people in Brazil
If you have a website in English targeting Brazilian importers, you collect analytics data from Brazilian visitors, or you process orders from Brazilian customers — LGPD applies.
LGPD vs. GDPR comparison
| Topic | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Effective | September 2020 | May 2018 |
| Authority | ANPD | National DPAs |
| Legal bases | 10 (including credit protection) | 6 |
| DPO required? | Yes, for all controllers | Conditional |
| Breach notification | Reasonable time (no fixed deadline) | 72 hours |
| Max fine | 2% of Brazil revenue (cap R$ 50M/violation) | 4% of global revenue (cap €20M) |
| Cross-border transfers | Allowed with adequacy or SCCs | Allowed with adequacy or SCCs |
Good news for GDPR-compliant companies
If you're already GDPR-compliant, you're 80%+ of the way to LGPD compliance. The frameworks are very similar in structure and principles. The main differences are in the DPO requirement (mandatory in Brazil), the number of legal bases, and enforcement maturity.
Key compliance requirements
- Appoint a DPO (Encarregado) — LGPD requires every data controller to appoint a Data Protection Officer. The DPO can be an individual or entity, internal or external, and can be based outside Brazil. ANPD is expected to exempt small businesses.
- Map your data processing — create a Record of Processing Activities (ROPA) documenting what personal data you collect, why, how long you keep it, and who you share it with.
- Establish a legal basis — every processing activity needs one of LGPD's 10 legal bases: consent, legitimate interest, contract performance, legal obligation, credit protection, public policy, research, health protection, life protection, or judicial process.
- Implement security measures — technical and organizational measures to protect personal data. ANPD has published minimum security standards for small businesses.
- Enable data subject rights — Brazilian residents can request access, correction, deletion, portability, and information about third-party sharing. You must respond within 15 days.
- Cross-border transfer safeguards — transferring personal data of Brazilian residents outside Brazil requires one of the following: an ANPD adequacy decision (none issued yet), standard contractual clauses, binding corporate rules, or explicit consent.
Practical steps for foreign exporters
- Website: add a Portuguese-language privacy notice if you target Brazilian users. Include cookie consent (ANPD follows a consent-based approach similar to GDPR).
- E-commerce: if you sell directly to Brazilian consumers online, you're a data controller under LGPD. Appoint a DPO and establish a data processing record.
- B2B: if you only sell to Brazilian companies (not consumers), LGPD still applies to any personal data you process (contact names, emails, etc.), but the practical risk is lower.
- Brazilian subsidiary: if you have a CNPJ, your local entity is directly subject to ANPD enforcement. Full compliance is required.