Skip to main content

Achieve LGPD compliance and future-proof your business

Automate consent management and align your business with regulatory compliance with our easy-to-use cookie consent solution.

Become LGPD Compliant

14-day free trial Cancel anytime

brazil lgpd compliance

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s first data privacy law that establishes a framework for regulating the use and processing of personal data and provides rights to data subjects over their personal data. It imposes data protection obligations on businesses that process the personal data of Brazil’s residents.

LGPD Compliance Checklist for Websites

  • Obtain user consent for cookies and trackers
  • Maintain a record of all user consent
  • Include an accurate, up-to-date privacy policy
  • Limit data collection only for legitimate purposes
  • Implement privacy by design and default
  • Notify data breaches to DPAs and users

Comply with LGPD using CookieYes

Display cookie consent banner for visitors

The LGPD requires businesses to process personal data (including data collected through cookies) with free, informed and unambiguous consent that can be withdrawn easily.

With CookieYes you can

  • Scan your website against a 100,000+ cookie database
  • Display a custom cookie banner that fits your brand
  • Show a consent revisit widget for users to withdraw consent
cookie banner for lgpd brazil

Automate consent management

LGPD requires that businesses implement privacy by design and default. This means taking measures to ensure ongoing compliance with requirements for consent and proof of consent.

With CookieYes you can

  • Auto-block third-party marketing cookies prior to user consent
  • Schedule cookie scanning for continuous compliance
  • Record user consent logs for regulatory audits
consent management for lgpd compliance

Generate compliant privacy policy

Under the LGPD, businesses should implement a privacy policy to meet the requirements for transparency and include information on the personal data collected, the purpose of collection, how to exercise user rights, and more.

With our policy generators you can

  • Use our pre-built, legally-compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website
legal policies for lgpd compliance

Achieve regulatory compliance with ease
with our no-code cookie consent solution

Become LGPD Compliant

14-day free trial Cancel anytime

Learn more and take the first step
towards compliance

What is LGPD?

The General Data Privacy Law or Lei Geral de Proteção de Dados (LGPD) is a Brazilian data protection law that imposes obligations on companies for processing personal data and grants certain rights to individuals to protect their privacy.

Modelled on the EU’s GDPR, the LGPD came into effect on September 18, 2020, and enforcement began on August 1, 2021.

Who does LGPD apply to?

LGPD applies to all organizations that process the personal data of residents of Brazil whether or not the organization is established in Brazil, including businesses, public bodies, institutions as well as not-for-profit organisations.

LGPD also applies to processing the personal data of an individual who was in Brazil at the time of data collection.The law protects personal data relating to an identified or identifiable natural person.

What is the penalty for non-compliance?

Violation of the LGPD provides can result in warnings, monetary penalties, suspension, publicizing of the violation, and partial or complete ban on the processing activities.

The monetary fines for non-compliance can go up to a maximum of 2% of an organization’s annual revenue or up to BRL 50 million (approx. USD 12.8 M)

What are consumer rights under LGPD?

Right to confirm

The right to get confirmation on their personal data processing.

Right to access

The right to access personal data and to have it available in a clear and readable format, free of cost.

Right to correction

The right to request to correct, update, or complete personal data about them.

Right to delete

The right to request the deletion of personal data if it is no longer needed by a business.

Right to anonymization

The right to anonymization, blocking, or deletion of unnecessary, excessive, or data processed in violation of the law.

Right to data portability

The right to portability of data to another service or product provider, upon express request.

Right to information on data sharing

The right to disclosure of information about other processors with whom personal data has been shared.

Right to revoke

The right to revoke or withdraw consent to the processing of personal data.

Right to object

The right to object and restrict the processing of personal data, and have information on the consequences of refusal.

FAQ on LGPD Compliance

The General Data Privacy Law or Lei Geral de Proteção de Dados (LGPD) is a data privacy law that regulates data processing in Brazil and sets out privacy rights for individuals in Brazil. It was signed into law in 2018 and came into effect on September 18, 2020.

The LGPD defines personal data as information relating to an identified or identifiable natural person. The law does not limit its definition of personal data to a set of identifiers or characteristics nor provides any specific examples for the same. The LGPD also defines certain types of data as ‘sensitive data’. This involves personal data on racial or ethnic origin, religious belief, political opinion, union membership or religion, philosophical or political organisation, health or sexual life, and genetic or biometric data. The LGPD does not prohibit the processing of sensitive data, but processing sensitive data is more restricted.

There are some exceptions to the applicability of LGPD. It does not apply if:

  • Processing of personal data is carried out by a natural person for private and non-commercial purposes or
  • Personal data is processed exclusively for one of the following purposes:
    • Journalistic or artistic expression,
    • Academic research,
    • Public safety,
    • National defence and security,
    • Investigation and prosecution of criminal offences

LGPD limits the transfer of personal data outside Brazilia unless the countries or organizations data is transferred to can provide an adequate level of protection of personal data. Data transfer is also permitted when it occurs within the means of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or by global corporate norms. 

The law also recognises other grounds for transferring personal data outside Brazil, for international legal cooperation between government agencies or if the transfer is carried out with the consent of the data subject.

Brazilian Data Protection Authority (ANPD) is the supervisory authority for the interpretation, application and enforcement of LGPD. Under the LGPD, ANPD has the authority to issue guidance and procedures concerning data protection and has investigatory powers to monitor data processing activities and issue sanctions in case of non-compliance. 

The ANPD also has corrective powers such as issuing warnings and fines, publicising the violation and blocking the processing of personal data relating to the violation.

Brazil is not subject to the General Data Protection Regulation (GDPR) because it protects the rights to data privacy of EU and EEA residents. However, GDPR has extra-territorial scope, meaning businesses in Brazil that collect the personal data of EU/EEA residents in exchange for goods and services or for monitoring their behaviour, can come under the purview of GDPR. Similar to GDPR, the LGPD may also impact companies outside Brazil because of its extraterritorial scope.

The LGPD was influenced by the European Union’s General Data Protection Regulation (GDPR) and has borrowed key concepts from European law. But LGPD has expanded its coverage in some areas, for instance, LGPD established four additional legal bases for processing personal data than the GDPR.

LGDP differs from GDPR in the details. Although both regulations require data breach notifications, GDPR has a stricter timeline of 72 hours for reporting while LGPD does not provide a definite timeline for breach notifications. Under the LGPD, controllers must appoint a DPO, but it is not an explicit requirement for data processors, while in GDPR, both controllers and processors must appoint a data protection officer (‘DPO’) in specific circumstances.

Here are some links you can refer to for additional reading:

Fast-track your LGPD compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.

Become LGPD Compliant

14-day free trial Cancel anytime