Achieve LGPD compliance and future-proof your business
Automate consent management and align your business with regulatory compliance with our easy-to-use cookie consent solution.
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s first comprehensive data privacy law. It establishes the framework for regulating the use and processing of personal data, gives data subjects ways to control their own personal data, and imposes data protection obligations on businesses that process the personal data of Brazil’s residents.
LGPD Compliance Checklist for Websites
- Obtain user consent for cookies and trackers
- Maintain a record of all user consent
- Limit data collection only for legitimate purposes
- Implement privacy by design and default
- Notify data breaches to DPAs and users
Comply with LGPD using CookieYes
Display cookie consent banner for visitors
The LGPD requires businesses to process personal data (including data collected through cookies) with free, informed and unambiguous consent that can be withdrawn easily.
With CookieYes you can
Automate consent management
LGPD requires that businesses implement privacy by design and default. This means taking measures to ensure ongoing compliance with requirements for consent and proof of consent.
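The consent requirements above (free, unambiguous consent that is off by default, a record of what was granted and when, and withdrawal that is as easy as giving consent) are easiest to see in code. The following is an added example, not CookieYes code or any library’s API; the category names, the policy version string and the in-memory storage shim (standing in for a browser cookie or localStorage) are assumptions for the illustration.

```javascript
// Added example: a minimal consent gate with a consent record and withdrawal.
// Not CookieYes code. POLICY_VERSION, the category names and the storage
// shim are assumptions made for this illustration.

const POLICY_VERSION = "2024-01"; // assumed version of the cookie policy shown

// In-memory stand-in for localStorage / a first-party cookie so this runs in Node.
const store = new Map();
const storage = {
  getItem: (k) => (store.has(k) ? store.get(k) : null),
  setItem: (k, v) => store.set(k, v),
};
const CONSENT_KEY = "consent_record";

// Categories a banner would offer. "necessary" needs no consent;
// every other category is off until the visitor enables it (privacy by default).
const CATEGORIES = ["necessary", "analytics", "marketing"];

function defaultChoices() {
  return { necessary: true, analytics: false, marketing: false };
}

// Record an explicit choice: only categories the visitor actively set to true
// become true; anything omitted or non-boolean stays false. Returns the record.
function recordConsent(choices, now = new Date()) {
  const granted = defaultChoices();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && choices[c] === true) granted[c] = true;
  }
  const record = {
    version: POLICY_VERSION,      // proof of which policy text was consented to
    timestamp: now.toISOString(), // proof of when
    granted,
    withdrawn: null,
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

function readConsent() {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try { return JSON.parse(raw); } catch { return null; } // corrupt record = no consent
}

// A category is allowed only if it is strictly necessary, or a record for the
// current policy version grants it and consent has not been withdrawn.
function isAllowed(category) {
  if (category === "necessary") return true;
  const rec = readConsent();
  if (rec === null || rec.version !== POLICY_VERSION || rec.withdrawn !== null) return false;
  return rec.granted[category] === true;
}

// Withdrawal: one call switches every non-necessary category off and
// timestamps the withdrawal so the audit trail shows both events.
function withdrawConsent(now = new Date()) {
  const rec = readConsent() || recordConsent({}, now);
  rec.granted = defaultChoices();
  rec.withdrawn = now.toISOString();
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Gate a tracker: the loader callback runs only for an allowed category.
// Returns true if loaded, false if blocked, so callers can log the decision.
function loadIfAllowed(category, loader) {
  if (!isAllowed(category)) return false;
  loader();
  return true;
}

// Usage: the same loader call is blocked, then allowed, then blocked again.
const loaded = [];
loadIfAllowed("analytics", () => loaded.push("analytics.js")); // blocked: no record yet
recordConsent({ analytics: true });
loadIfAllowed("analytics", () => loaded.push("analytics.js")); // loaded
loadIfAllowed("marketing", () => loaded.push("ads.js"));       // blocked: never granted
withdrawConsent();
loadIfAllowed("analytics", () => loaded.push("analytics.js")); // blocked after withdrawal
```

Two design points matter for the legal requirements rather than for the code: the version field forces a fresh consent whenever the policy text changes, so an old record cannot be reused as proof for a policy the visitor never saw, and the default is always "off", so a missing, stale or unparsable record blocks trackers instead of allowing them.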
With CookieYes you can
With our policy generators you can
Achieve regulatory compliance with ease
with our no-code cookie consent solution
Learn more and take the first step
What is LGPD?
The General Data Privacy Law or Lei Geral de Proteção de Dados (LGPD) is a Brazilian data protection law that imposes obligations on companies for processing personal data and grants certain rights to individuals to protect their privacy.
Modelled on the EU’s GDPR, the LGPD came into effect on September 18, 2020, and enforcement began on August 1, 2021.
Who does LGPD apply to?
LGPD applies to all organizations that process the personal data of residents of Brazil whether or not the organization is established in Brazil, including businesses, public bodies, institutions as well as not-for-profit organisations.
LGPD also applies to the processing of personal data of an individual who was in Brazil at the time of collection. The law protects personal data relating to an identified or identifiable natural person.
What is the penalty for non-compliance?
Violations of the LGPD can result in warnings, monetary penalties, suspension, publicising of the violation, and a partial or complete ban on the processing activities.
The monetary fine for non-compliance can be up to 2% of an organization’s revenue in Brazil for the previous fiscal year, capped at BRL 50 million (approx. USD 12.8 M) per infraction.
What are consumer rights under LGPD?
Right to confirm
The right to get confirmation on their personal data processing.
Right to access
The right to access personal data and to have it available in a clear and readable format, free of cost.
Right to correction
The right to request to correct, update, or complete personal data about them.
Right to delete
The right to request the deletion of personal data if it is no longer needed by a business.
Right to anonymization
The right to anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in violation of the law.
Right to data portability
The right to portability of data to another service or product provider, upon express request.
Right to information on data sharing
The right to disclosure of information about other processors with whom personal data has been shared.
Right to revoke
The right to revoke or withdraw consent to the processing of personal data.
Right to object
The right to object and restrict the processing of personal data, and have information on the consequences of refusal.
FAQ on LGPD Compliance
The General Data Privacy Law or Lei Geral de Proteção de Dados (LGPD) is a data privacy law that regulates data processing in Brazil and sets out privacy rights for individuals in Brazil. It was signed into law in 2018 and came into effect on September 18, 2020.
The LGPD defines personal data as information relating to an identified or identifiable natural person. The law does not limit its definition of personal data to a set of identifiers or characteristics, nor does it give specific examples. The LGPD also defines certain types of data as ‘sensitive data’: personal data on racial or ethnic origin, religious belief, political opinion, membership of a union or of a religious, philosophical or political organisation, health or sexual life, and genetic or biometric data. The LGPD does not prohibit the processing of sensitive data, but such processing is subject to stricter conditions.
There are some exceptions to the applicability of LGPD. It does not apply if:
- Processing of personal data is carried out by a natural person for private and non-commercial purposes or
- Personal data is processed exclusively for one of the following purposes:
- Journalistic or artistic expression,
- Academic research,
- Public safety,
- National defence and security,
- Investigation and prosecution of criminal offences
LGPD limits the transfer of personal data outside Brazil unless the destination country or organization provides an adequate level of protection for personal data. Transfer is also permitted when it is covered by Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or global corporate norms.
The law also recognises other grounds for transferring personal data outside Brazil, for international legal cooperation between government agencies or if the transfer is carried out with the consent of the data subject.
Brazilian Data Protection Authority (ANPD) is the supervisory authority for the interpretation, application and enforcement of LGPD. Under the LGPD, ANPD has the authority to issue guidance and procedures concerning data protection and has investigatory powers to monitor data processing activities and issue sanctions in case of non-compliance.
The ANPD also has corrective powers such as issuing warnings and fines, publicising the violation and blocking the processing of personal data relating to the violation.
Brazil is not itself subject to the General Data Protection Regulation (GDPR), which protects the data privacy rights of EU and EEA residents. However, GDPR has extra-territorial scope: a business in Brazil that offers goods or services to EU/EEA residents or monitors their behaviour, and collects their personal data in doing so, can fall under the GDPR. Similarly, the LGPD can reach companies outside Brazil because of its own extraterritorial scope.
The LGPD was influenced by the European Union’s General Data Protection Regulation (GDPR) and borrows key concepts from European law. But LGPD is broader in some areas; for instance, it recognises ten legal bases for processing personal data, four more than the six in the GDPR.
LGPD differs from GDPR in the details. Although both regulations require data breach notifications, GDPR sets a stricter timeline of 72 hours for reporting, while LGPD does not specify a definite timeline for breach notifications. Under the LGPD, controllers must appoint a DPO, but it is not an explicit requirement for data processors, whereas under GDPR both controllers and processors must appoint a data protection officer (‘DPO’) in specific circumstances.
Here are some links you can refer to for additional reading:
- Official Text of LGPD (in Portuguese)
- Simplified Guide on Brazil’s LGPD
Fast-track your LGPD compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.