Brazil's LGPD Compliance Requirements

Rule

Any organization processing personal data of individuals located in Brazil, targeting individuals in Brazil, or processing data collected in Brazil must comply with the Lei Geral de Protecao de Dados (LGPD, Law 13,709/2018). Compliance requires establishing one of ten legal bases for processing, appointing a Data Protection Officer (encarregado), maintaining processing records, responding to data subject rights requests within 15 days, and notifying the ANPD and affected individuals of data breaches. Since August 23, 2025, all international data transfers must use ANPD-approved Standard Contractual Clauses or other authorized mechanisms. [src1, src2]

Evidence

LGPD penalties include fines of up to 2% of net turnover in Brazil (capped at BRL 50 million per violation, approximately USD 10.5 million), daily fines, mandatory public disclosure, blocking or deletion of personal data, and suspension of processing for up to six months. The ANPD's 2025-2026 regulatory agenda prioritizes children's data, AI and biometrics, data scraping, and DPIAs. The SCC grace period ended August 23, 2025 -- all cross-border transfers must now use authorized mechanisms. The ANPD issued its first administrative sanctions in 2023, signaling transition to enforcement-based regulation. [src1, src3, src5]

Key Properties

• Maximum fine: 2% of net turnover in Brazil, capped at BRL 50 million (approximately USD 10.5 million) per violation
• Daily fines: Available for ongoing violations until remediation
• Data subject request response time: 15 days (compared to GDPR's 30 days)
• SCC deadline: August 23, 2025 (grace period ended; all international transfers require authorized mechanisms)
• Enforcement body: Autoridade Nacional de Protecao de Dados (ANPD)
• Legal bases: 10 legal bases for processing (compared to GDPR's 6), including credit protection unique to Brazil

Conditions

• Applies when: Any organization worldwide that processes personal data in Brazil, offers goods/services to Brazilian individuals, or processes data collected in Brazil -- no minimum revenue or data volume threshold
• Does NOT apply when: Processing by a natural person for exclusively private and non-economic purposes, for journalistic or artistic purposes, for academic research (with anonymization), for national security, defense, public safety, or criminal investigation
• Confidence degrades when: ANPD issues new regulations under its 2025-2026 agenda, enforcement patterns shift as the agency matures, or Brazil's adequacy status with the EU is assessed

Constraints

• Jurisdiction: applies to personal data of individuals in Brazil or data collected in Brazilian territory, regardless of entity location [src1]
• Temporal: ANPD's 2025-2026 regulatory agenda introduces new rules on children's data, AI/biometrics, and DPIAs; SCC grace period ended August 23, 2025 [src3]
• Entity threshold: no minimum revenue or data volume threshold -- any organization processing Brazilian personal data must comply [src1]
• Prerequisite: all international data transfers must use ANPD-approved SCCs or other authorized mechanisms since August 23, 2025 [src4]
• Interaction: LGPD has 10 legal bases (vs GDPR's 6) including credit protection unique to Brazilian law; no EU adequacy decision yet for Brazil [src1]

Rationale

Brazil enacted the LGPD in 2018, modeled substantially on the GDPR, to establish a comprehensive data protection framework for Latin America's largest economy. The LGPD's ten legal bases reflect Brazil's unique legal tradition, including credit protection as a standalone basis. The August 2025 SCC deadline forced organizations to formalize previously informal cross-border data flows, particularly affecting US and EU tech companies operating in Brazil. [src1, src4]

Framework Selection Decision Tree

START -- User needs Latin American privacy/data protection guidance
|-- Which jurisdiction?
|   |-- Brazil --> LGPD Summary <-- YOU ARE HERE
|   |-- EU/EEA --> GDPR Summary
|   |-- California/US --> CCPA/CPRA Summary
|   |-- Japan --> APPI Summary
|   +-- Multiple jurisdictions --> Cross-Border Data Transfers unit
|-- Does the organization process personal data of individuals in Brazil?
|   |-- YES --> LGPD applies: 10 legal bases, DPO, breach notification, SCCs
|   +-- NO --> LGPD does not apply; check other jurisdiction rules
+-- Does the organization transfer data internationally?
    |-- YES --> Must use ANPD-approved SCCs or authorized mechanisms (since Aug 2025)
    +-- NO --> Focus on domestic LGPD obligations

Application Checklist

Step 1: Determine applicability

• Inputs needed: Whether the organization processes data of individuals in Brazil, offers goods/services to Brazilians, or collects data in Brazil
• Output: Confirmed LGPD applicability
• Constraint: No minimum threshold -- even one Brazilian data subject triggers compliance [src1]

Step 2: Establish legal bases and appoint encarregado (DPO)

• Inputs needed: Complete data inventory, processing purposes, organizational structure
• Output: Documented legal basis for each activity; appointed and publicly identified DPO
• Constraint: Consent must be free, informed, and unambiguous; pre-checked boxes are invalid; credit protection basis requires specialized legal analysis [src2]

Step 3: Implement cross-border transfer mechanisms

• Inputs needed: Transfer destination countries, data flow maps, existing contracts
• Output: ANPD-approved SCCs or other authorized mechanisms for all international transfers
• Constraint: Grace period ended August 23, 2025 -- all transfers without authorized mechanisms are violations [src4]

Step 4: Establish data subject rights and breach response

• Inputs needed: Communication channels, response workflows, incident detection systems
• Output: Procedures for handling rights requests within 15 days; breach notification procedures
• Constraint: 15-day deadline is shorter than GDPR's 30 days; escalate if breach involves children's data (ANPD priority) [src5]

Anti-Patterns

Wrong: Assuming LGPD is identical to GDPR and applying GDPR compliance as-is

Organizations with GDPR programs assume they cover Brazil automatically. LGPD has 10 legal bases, a unique credit protection basis, 15-day rights response, and ANPD-specific SCC requirements. [src2]

Correct: Conduct a separate LGPD gap analysis

Map GDPR controls to LGPD requirements, identifying the four additional legal bases, shorter response deadlines, ANPD-specific SCC formats, and Brazil-specific enforcement priorities. [src1]

Wrong: Relying on informal data transfer arrangements after August 2025

Before August 23, 2025, organizations could transfer data internationally during the grace period. Continuing without ANPD-approved SCCs is now a violation. [src4]

Correct: Execute ANPD-approved SCCs for all international transfers

Implement ANPD's specific SCC format (which differs from EU SCCs) for all cross-border transfers. Conduct transfer impact assessments and maintain documentation. [src3]

Wrong: Storing payment data without explicit, separate consent

Pre-populating payment forms or retaining card data for convenience without specific consent is a commonly seen LGPD violation in e-commerce. [src2]

Correct: Obtain separate, specific consent for each data retention purpose

Request explicit consent for storing payment information with clear purpose and duration. Provide easy withdrawal mechanisms and data deletion options. [src1]

Counter-Arguments

• The ANPD's enforcement capacity remains limited with fewer than 200 staff, constraining complaint processing and investigations compared to larger EU DPAs. [src5]
• The BRL 50 million penalty cap is significantly lower than GDPR's turnover-based maximum, potentially reducing deterrence for large multinationals. [src1]
• LGPD's ten legal bases, while comprehensive, create complexity -- particularly the "credit protection" basis unique to Brazilian law. [src2]

Common Misconceptions

Misconception: LGPD is just a copy of GDPR, so GDPR compliance means LGPD compliance.
Reality: LGPD has four additional legal bases, a 15-day rights response deadline, ANPD-specific SCCs, and different penalty structures. A separate compliance assessment is required. [src1]

Misconception: LGPD only applies to companies with a physical presence in Brazil.
Reality: LGPD has extraterritorial scope: any organization processing data of individuals in Brazil or collecting data in Brazilian territory must comply. [src2]

Misconception: The ANPD is not actively enforcing LGPD yet.
Reality: The ANPD issued its first sanctions in 2023 and its 2025-2026 agenda prioritizes children's data, AI/biometrics, data scraping, and DPIAs. Enforcement is active. [src5]

Misconception: Breach notification must be made within 72 hours like GDPR.
Reality: LGPD requires notification "within a reasonable timeframe" as defined by ANPD, which is less prescriptive than GDPR's 72-hour rule. [src1]

Comparison with Similar Rules

When This Matters

Fetch this when a user asks about Brazilian data protection requirements, LGPD compliance for foreign companies, cross-border data transfers involving Brazil, or privacy obligations for businesses serving Brazilian customers or collecting data in Brazilian territory.