Loosely based on GDPR (the data protection regulation enacted by the EU), LGPD is Brazilian legislation that establishes the conditions under which personal data can be processed, defines a set of rights for data subjects, creates specific obligations for data controllers and creates a series of procedures and standards so that greater care is taken with the processing of personal data and sharing with third parties.
The LGPD is inspired by data privacy regulations, such as GDPR, but differs in significant ways. Brazil’s law is formed on “ten bases”, which include guidance on consent, protection of life and health, legitimate interests, and more. This is one of the ways it differs from GDPR and is an important difference to consider when looking to comply with LGPD.
Some of the key tenets of LGPD compliance include taking specific actions, including:
Data minimization and purpose: Documenting your legal bases for processing Brazilians' personal information. You have to define a basis for every kind of data you collect and then record it in your processing records.
Privacy Policy: Including the necessary disclosures within your site's Privacy Policy.
Consent: Collecting users' valid consent, maintaining proof of that consent, and developing processes for honoring user requests.
Privacy-by-default: Implementing privacy by default, meaning the default setup for everything must offer the highest possible level of protection.
Notification: Notifying the DPA and the affected users in the event that a data breach occurs and poses "significant risk or damage" to your users.
Cross-border data transfer: Remaining in compliance with the requirements of cross-border data transfer policies.
Regulatory oversight: Appointing a Data Protection Officer (DPO) tasked with managing all of these activities.
LGPD applies to any person or entity (public or private) that processes personal data of individuals located in Brazil, regardless of where the entity is based or where the data processing takes place. This includes both domestic and foreign entities, as long as the data processing activities involve individuals in Brazil or are related to offering goods or services to individuals in Brazil or the data was collected in Brazil.
Under the LGPD, users have specific rights with regard to their data, including, among others:
Request access to their personal data
Rectify inaccuracies in their data
Request the deletion of their personal data, with certain exceptions
Anonymize, block or eliminate unnecessary or excessive personal data, or any data that is not being processed in compliance with LGPD
Opt out of the processing of their personal data for targeted advertising, the sale of their data, or for profiling
Withdraw consent at any time
Gain access to and move their data upon request
Gain confirmation that their data has been processed
Get information about sub-processors and other third parties with access to their personal data as well as information about their consent choices and what happens if they refuse consent
Lodge complaints with the Data Protection Authority (DPA)
As a rule, the LGPD requires that you only process personal data for legitimate, specific and explicit purposes, and that these purposes are clearly and transparently communicated to the data subject. Businesses should also collect only the data they absolutely need, in line with the principle of data minimization.
With regard to cookies, consent must be freely given and unambiguous, and clear explanations of cookie use and purposes must also be provided. Consent management platforms like CookieHub are one way to make this process easier and transparent.
LGPD non-compliance can cost businesses a great deal. Fines can reach BRL 50 million (approximately 9 million USD) in addition to lawsuits, sanctions and any reputational damage done.
Businesses can also take additional steps to ensure compliance and a consent-first mindset:
Conduct data audits: Align data practices with LGPD requirements.
Update privacy policies: Ensure privacy notices make data practices, consumer rights, and how to exercise those rights clear to consumers.
Implement consent management: Control cookie consent and oversight with a comprehensive consent management platform like CookieHub.
Employee training: Train employees on the importance of data privacy and LGPD compliance.
LGPD provides a framework for processing Brazilians’ personal data responsibly. A comprehensive and flexible consent management platform (CMP) like CookieHub helps to streamline this compliance and take all the steps you need to get there.
Build consent management into your websites for compliance, consumer trust and peace of mind.
The LGPD applies to any individual or organization that processes personal data of individuals located in Brazil, regardless of where the data processor is based. It covers all sectors and types of data processing activities, aiming to protect the privacy and rights of data subjects.
Personal data is any information related to an identified or identifiable natural person. This includes data like names, identification numbers, location data, online identifiers, or any other information that can directly or indirectly identify someone.
Sensitive data is a specific category of personal data that requires higher protection due to its nature. It includes information about racial or ethnic origin, religious beliefs, political opinions, health or sex life, genetic or biometric data, and any data related to children or adolescents.
The National Data Protection Authority (ANPD) is the official regulatory body responsible for overseeing and enforcing compliance with the LGPD in Brazil.
The LGPD does not apply to personal data processed exclusively for journalistic, artistic, or academic purposes, or data processed by individuals for exclusively private and non-economic activities. Certain government activities related to national security may also be exempt.
Learn more by visiting the official website of the National Data Protection Authority (ANPD) or consulting the full text of the LGPD available through Brazil’s government publications.