Brazil's LGPD Compliance Requirements
What are Brazil's LGPD compliance requirements?
Summary
Any organization processing personal data of individuals in Brazil, offering goods or services to people in Brazil, or collecting data in Brazilian territory must comply with the LGPD (Law 13,709/2018), regardless of where it is based and with no minimum threshold: establish one of ten legal bases, appoint an encarregado (DPO), answer data subject rights requests within 15 days, and notify the ANPD and affected individuals of security incidents (the ANPD has set that deadline at three business days). Since August 23, 2025, every international transfer needs an ANPD-authorized mechanism, normally the ANPD's own Standard Contractual Clauses. Provisional Measure 1,317/2025 (September 18, 2025) made the ANPD an independent regulatory agency that can shut establishments, seize equipment, and request police support; its December 2025 supervision map prioritizes data subject rights, children's data (now co-governed by the Digital ECA, Law 15,211/2025), public authorities, and AI. Penalties reach 2% of revenue in Brazil, capped at BRL 50 million per violation. [src1, src2, src6, src7]
Rule
Any organization processing personal data of individuals located in Brazil, offering goods or services to individuals in Brazil, or processing data collected in Brazil must comply with the Lei Geral de Protecao de Dados (LGPD, Law 13,709/2018). Compliance requires establishing one of ten legal bases for each processing activity, appointing a Data Protection Officer (encarregado) whose identity and contact details are published, maintaining processing records, responding to data subject rights requests within 15 days, and notifying the ANPD and affected individuals of security incidents within the three business days set by ANPD Resolution CD/ANPD No. 15/2024. Since August 23, 2025, all international data transfers must use ANPD-approved Standard Contractual Clauses or another authorized mechanism. [src1, src2]
Evidence
LGPD penalties include fines of up to 2% of net turnover in Brazil (capped at BRL 50 million per violation, approximately USD 10.5 million), daily fines, mandatory public disclosure, blocking or deletion of personal data, and suspension of processing for up to six months. Provisional Measure 1,317/2025 (published September 18, 2025) transformed the ANPD into an independent special regulatory agency with full autonomy, a 200-position permanent career track, and expanded powers to shut down establishments, seize equipment, and request police support for obstruction. On December 24, 2025 the ANPD published its Map of Priority Issues for Supervision (2026-2027) -- prioritizing data subject rights, children's and adolescents' data, public-sector data sharing, and AI/emerging technologies -- and children's data is now co-governed by the Digital Statute of the Child and Adolescent (Digital ECA, Law 15,211/2025). The SCC grace period ended August 23, 2025 -- all cross-border transfers must now use authorized mechanisms. The ANPD issued its first administrative sanctions in 2023, signaling transition to enforcement-based regulation. [src1, src3, src5, src6, src7]
Key Properties
- Maximum fine: 2% of net turnover in Brazil, capped at BRL 50 million (approximately USD 10.5 million) per violation
- Daily fines: Available for ongoing violations until remediation
- Data subject request response time: 15 days for a full response (GDPR allows one month)
- SCC deadline: August 23, 2025 (grace period ended; all international transfers require authorized mechanisms)
- Enforcement body: Autoridade Nacional de Protecao de Dados (ANPD) -- an independent special regulatory agency since Provisional Measure 1,317/2025 (September 18, 2025), with powers to shut establishments, seize equipment, and request police support
- Children's data: co-governed by the Digital Statute of the Child and Adolescent (Digital ECA, Law 15,211/2025), with age-verification and content-blocking duties under ANPD oversight
- Legal bases: 10 legal bases for processing (compared to GDPR's 6), including credit protection unique to Brazil
Conditions
- Applies when: Any organization worldwide that processes personal data in Brazil, offers goods/services to Brazilian individuals, or processes data collected in Brazil -- no minimum revenue or data volume threshold
- Does NOT apply when: Processing by a natural person for exclusively private and non-economic purposes; processing for exclusively journalistic, artistic, or academic purposes (academic processing must still satisfy the legal-basis rules of Arts. 7 and 11); or processing carried out exclusively for public security, national defense, state security, or criminal investigation and prosecution, which the LGPD leaves to specific legislation
- Confidence degrades when: ANPD issues new regulations under its 2025-2026 agenda, enforcement patterns shift as the agency matures, or Brazil's adequacy status with the EU is assessed
Constraints
- Jurisdiction: applies to personal data of individuals in Brazil or data collected in Brazilian territory, regardless of entity location [src1]
- Temporal: Provisional Measure 1,317/2025 (Sept 18, 2025) made ANPD an independent regulatory agency with powers to shut establishments, seize equipment, and request police support; its Dec 2025 Map of Priority Issues (2026-2027) targets data subject rights, children's data, public authorities, and AI [src6, src7]
- Entity threshold: no minimum revenue or data volume threshold -- any organization processing Brazilian personal data must comply [src1]
- Prerequisite: all international data transfers must use ANPD-approved SCCs or other authorized mechanisms since August 23, 2025 [src4]
- Interaction: children's-data processing is now co-governed by the Digital ECA (Law 15,211/2025); LGPD has 10 legal bases (vs GDPR's 6) including credit protection unique to Brazilian law; no EU adequacy decision yet for Brazil [src1, src7]
Rationale
Brazil enacted the LGPD in 2018, modeled substantially on the GDPR, to establish a comprehensive data protection framework for Latin America's largest economy. Provisional Measure 1,317/2025 (September 18, 2025) completed the ANPD's evolution into a fully independent special regulatory agency -- modeled on Brazil's health and environmental regulators -- with autonomous budget, a tenured career track, and coercive enforcement powers, signaling a shift from a developmental authority to a mature enforcement body. The LGPD's ten legal bases reflect Brazil's unique legal tradition, including credit protection as a standalone basis. The August 2025 SCC deadline forced organizations to formalize previously informal cross-border data flows, particularly affecting US and EU tech companies operating in Brazil. [src1, src4, src6]
Framework Selection Decision Tree
START -- User needs Latin American privacy/data protection guidance
|-- Which jurisdiction?
| |-- Brazil --> LGPD Summary <-- YOU ARE HERE
| |-- EU/EEA --> GDPR Summary
| |-- California/US --> CCPA/CPRA Summary
| |-- Japan --> APPI Summary
| +-- Multiple jurisdictions --> Cross-Border Data Transfers unit
|-- Does the organization process personal data of individuals in Brazil?
| |-- YES --> LGPD applies: 10 legal bases, DPO, breach notification, SCCs
| +-- NO --> LGPD does not apply; check other jurisdiction rules
+-- Does the organization transfer data internationally?
|-- YES --> Must use ANPD-approved SCCs or authorized mechanisms (since Aug 2025)
+-- NO --> Focus on domestic LGPD obligations
Application Checklist
Step 1: Determine applicability
- Inputs needed: Whether the organization processes data of individuals in Brazil, offers goods/services to Brazilians, or collects data in Brazil
- Output: Confirmed LGPD applicability
- Constraint: No minimum threshold -- even one data subject located in Brazil triggers compliance, whatever the subject's nationality [src1]
Step 2: Establish legal bases and appoint encarregado (DPO)
- Inputs needed: Complete data inventory, processing purposes, organizational structure
- Output: Documented legal basis for each activity; appointed and publicly identified DPO
- Constraint: Consent must be free, informed, and unambiguous; pre-checked boxes are invalid; credit protection basis requires specialized legal analysis [src2]
Step 3: Implement cross-border transfer mechanisms
- Inputs needed: Transfer destination countries, data flow maps, existing contracts
- Output: ANPD-approved SCCs or other authorized mechanisms for all international transfers
- Constraint: Grace period ended August 23, 2025 -- all transfers without authorized mechanisms are violations [src4]
Step 4: Establish data subject rights and breach response
- Inputs needed: Communication channels, response workflows, incident detection systems
- Output: Procedures for handling rights requests within 15 days; breach notification procedures
- Constraint: The 15-day rights deadline is shorter than GDPR's one month, and the incident-notification deadline is three business days from awareness (ANPD Resolution CD/ANPD No. 15/2024); escalate if a breach involves children's data (an ANPD priority) [src5]
Decision Logic
If the organization processes data of even one individual located in Brazil, offers goods/services to Brazilians, or collects data in Brazilian territory
--> LGPD applies in full; there is no revenue or data-volume threshold, so establish a legal basis, appoint an encarregado (DPO), and build a rights/breach response program. [src1, src2]
If the organization already runs a mature GDPR program
--> Do NOT assume coverage; run a separate LGPD gap analysis covering the legal bases with no direct GDPR Art. 6 counterpart (credit protection, health protection, studies by research bodies, and the exercise of rights in judicial, administrative or arbitration proceedings), the 15-day rights deadline, the three-business-day incident notification, and the ANPD-specific SCCs. [src1, src2]
If the organization transfers personal data outside Brazil
--> Execute ANPD-approved SCCs (Resolution CD/ANPD No. 19/2024 format) or another authorized mechanism; the grace period ended August 23, 2025, so any transfer without one is now a violation. [src3, src4]
If the processing involves children's or adolescents' data
--> Treat it as a top enforcement priority: comply with the Digital ECA (Law 15,211/2025) age-verification, privacy-by-default, and content-blocking duties under ANPD oversight, and escalate to specialized counsel. [src7]
If the processing involves AI, facial recognition, recommendation systems, or other high-risk activities
--> Prepare for heightened scrutiny under the ANPD's 2026-2027 supervision map and document a risk assessment; AI and emerging-tech use of personal data is an explicit oversight target. [src7]
If the organization receives an ANPD inquiry, inspection, or sanctioning notice
--> Cooperate fully and respond promptly; since Provisional Measure 1,317/2025 (Sept 18, 2025) the ANPD can shut down establishments, seize equipment, and request police support for obstruction, and apply daily fines plus the BRL 50M-per-violation cap. [src5, src6]
If a personal-data breach occurs
--> Notify the ANPD and the affected data subjects within three business days of becoming aware of the incident (the "reasonable timeframe" of LGPD Art. 48 as fixed by ANPD Resolution CD/ANPD No. 15/2024, counted in business days rather than the GDPR's 72 clock hours), keep a written incident record, and prioritize escalation when sensitive or children's data is involved. [src1, src5]
Anti-Patterns
Wrong: Assuming LGPD is identical to GDPR and applying GDPR compliance as-is
Organizations with GDPR programs assume they cover Brazil automatically. LGPD has 10 legal bases, a unique credit protection basis, 15-day rights response, and ANPD-specific SCC requirements. [src2]
Correct: Conduct a separate LGPD gap analysis
Map GDPR controls to LGPD requirements, identifying the four additional legal bases, shorter response deadlines, ANPD-specific SCC formats, and Brazil-specific enforcement priorities. [src1]
Wrong: Relying on informal data transfer arrangements after August 2025
During the one-year grace period under Resolution CD/ANPD No. 19/2024 (August 23, 2024 to August 23, 2025), organizations could keep transferring data under existing contracts while adapting them. Continuing after that date without ANPD-approved SCCs or another authorized mechanism is a violation. [src4]
Correct: Execute ANPD-approved SCCs for all international transfers
Implement ANPD's specific SCC format (which differs from EU SCCs) for all cross-border transfers. Conduct transfer impact assessments and maintain documentation. [src3]
Wrong: Storing payment data without explicit, separate consent
Retaining card data for future convenience, or pre-populating payment forms, without a specific and documented consent for that retention is a commonly seen LGPD violation in e-commerce; the contract basis covers processing the payment, not storing the instrument for later use. [src2]
Correct: Obtain separate, specific consent for each data retention purpose
Request explicit consent for storing payment information with clear purpose and duration. Provide easy withdrawal mechanisms and data deletion options. [src1]
Counter-Arguments
- The ANPD's enforcement capacity has historically been limited relative to its mandate; Provisional Measure 1,317/2025 created a 200-position permanent career track to address this, but effective investigative throughput compared to larger EU DPAs will depend on actual staffing and congressional ratification of the measure. [src5, src6]
- The BRL 50 million penalty cap is significantly lower than GDPR's turnover-based maximum, potentially reducing deterrence for large multinationals. [src1]
- LGPD's ten legal bases, while comprehensive, create complexity -- particularly the "credit protection" basis unique to Brazilian law. [src2]
Common Misconceptions
Misconception: LGPD is just a copy of GDPR, so GDPR compliance means LGPD compliance.
Reality: LGPD has four additional legal bases, a 15-day rights response deadline, ANPD-specific SCCs, and different penalty structures. A separate compliance assessment is required. [src1]
Misconception: LGPD only applies to companies with a physical presence in Brazil.
Reality: LGPD has extraterritorial scope: any organization processing data of individuals in Brazil or collecting data in Brazilian territory must comply. [src2]
Misconception: The ANPD is not actively enforcing LGPD yet.
Reality: The ANPD issued its first sanctions in 2023, and Provisional Measure 1,317/2025 made it an independent regulatory agency with powers to shut establishments, seize equipment, and request police support. Its Dec 2025 Map of Priority Issues (2026-2027) targets data subject rights, children's data, public authorities, and AI. Enforcement is active and intensifying. [src6, src7]
Misconception: Breach notification must be made within 72 hours like GDPR.
Reality: LGPD Art. 48 requires notification "within a reasonable timeframe" as defined by the ANPD, and ANPD Resolution CD/ANPD No. 15/2024 fixed that timeframe at three business days from the controller becoming aware of the incident. The clock is counted in business days, not the GDPR's 72 clock hours, so the two deadlines are similar but not identical. [src1]
Comparison with Similar Rules
| Rule/Framework | Key Difference | When to Use |
|---|---|---|
| LGPD (Brazil) | 10 legal bases; BRL 50M cap; ANPD enforcement; 15-day rights response | Processing data of individuals in Brazil |
| GDPR (EU) | 6 legal bases; up to 4% of global turnover or EUR 20M; DPA enforcement; one-month response | Processing EU/EEA resident data |
| CCPA/CPRA (California) | Opt-out model; threshold-based; per-violation fines | For-profit businesses processing CA resident data |
| APPI (Japan) | No size threshold; criminal penalties; PPC enforcement | Processing data of individuals in Japan |
When This Matters
Fetch this when a user asks about Brazilian data protection requirements, LGPD compliance for foreign companies, cross-border data transfers involving Brazil, or privacy obligations for businesses serving Brazilian customers or collecting data in Brazilian territory.