LGPD Compliance — Brazil's Data Protection Law

LGPD vs. GDPR, compliance requirements, DPO appointment, data mapping, consent, penalties, cross-border transfers.

You’re a US tech company selling SaaS to Brazilian customers. You collect names, emails, phone numbers, sometimes credit card data, maybe biometric info (fingerprint logins). In the US, you’re compliant with CCPA and industry standards. But if those customers are Brazilian, you also need to comply with LGPD (Lei Geral de Proteção de Dados Pessoais)—Brazil’s data protection law, which is as strict as Europe’s GDPR in many respects.

LGPD came into force in September 2020 (enforcement started August 2021). Brazil’s data protection authority, ANPD (Autoridade Nacional de Proteção de Dados), has been issuing fines and guidance aggressively. Companies ignoring LGPD face penalties up to 50 million BRL (~USD 10M) per violation.

This guide explains LGPD compliance for foreign companies doing business in Brazil: legal requirements, how it differs from GDPR, practical steps to achieve compliance, and penalties for non-compliance. For companies with cross-border operations, see foreign investment in Brazil.


LGPD Fundamentals

Lei Geral de Proteção de Dados Pessoais (General Data Protection Law) is Brazil’s comprehensive privacy law. It’s inspired by GDPR but tailored to Brazil’s economy and privacy concerns.

Key Principles

LGPD is built on 10 principles:

  1. Purpose limitation – Data is collected only for a specified purpose
  2. Adequacy – Collect only the data necessary for the stated purpose
  3. Transparency – Users must know what data is collected and how it is used
  4. Security – Reasonable protections against data loss and theft
  5. Prevention – Prevent unauthorized access and data breaches
  6. Non-discrimination – Processing of personal data cannot be used to discriminate
  7. Accountability – Organizations must document their compliance efforts
  8. Free access – Users can request a copy of their data
  9. Data correction – Users can request correction or deletion of their data
  10. Deletion – Data is deleted once it has served its purpose (right to be forgotten)

Who LGPD Applies To

Any organization:

  • Collecting personal data from Brazilian residents
  • Operating in Brazil
  • Processing data for Brazilian markets
  • Even if company is outside Brazil

This includes:

  • Foreign tech companies selling to Brazil
  • Multinationals with Brazilian subsidiaries
  • Platforms accessing Brazilian users’ data
  • Cloud providers serving Brazilian customers

There is NO exception for small companies – LGPD applies to all; compliance is mandatory regardless of size.


LGPD vs. GDPR: Key Differences

If you’re already GDPR-compliant, LGPD is somewhat familiar. But important differences exist:

LGPD vs. GDPR Comparison

Aspect                   | LGPD                                                          | GDPR
Scope                    | Brazilian data                                                | EU residents
Consent model            | Opt-in for most; exceptions for legal duty, contract          | Strict opt-in; affirmative action required
DPO required             | DPO only if large processor, public org, data profiling       | DPO required for most organizations
Data impact assessment   | Only if "high-risk processing"                                | Required for all high-risk processing
Breach notification      | Notify ANPD + users if risk to rights                         | Notify DPA + users within 72 hours
Cross-border transfer    | Permitted if "adequate safeguards" (vague)                    | Only to "adequate countries" or with standard contracts
Fines                    | Up to 50M BRL (~USD 10M) per violation                        | Up to €20M or 4% of global revenue
Enforcement              | ANPD (new authority; still building enforcement capacity)     | DPAs (established, active enforcement)

Key Differences Explained

1. Consent Requirements

  • GDPR: Strict opt-in; you must get explicit, affirmative consent before processing
  • LGPD: Opt-in required, BUT exceptions exist for:
    • Contractual performance (you need email to process order)
    • Legal obligation (tax law requires record-keeping)
    • Protection of vital interests
    • Legitimate interests (vaguely defined)
    • Public interest

Implication: LGPD is slightly more flexible than GDPR (legitimate interests exception is broader)

2. Data Protection Officer (DPO)

  • GDPR: Most organizations must appoint a DPO
  • LGPD: DPO only required if:
    • Large-scale processor of personal data
    • Public authority/agency
    • Core business is data profiling/monitoring

Implication: Many smaller companies can skip DPO under LGPD (but should appoint someone for accountability)

3. Cross-Border Data Transfers

  • GDPR: Transfers only to “adequate countries” (EU decision required) or with Standard Contractual Clauses (SCCs) or binding corporate rules
  • LGPD: Transfers permitted if “adequate safeguards” (undefined; ANPD still issuing guidance)

Implication: LGPD is ambiguous on cross-border transfers; companies are experimenting with:

  • Data Processing Agreements (DPAs) similar to GDPR
  • Standard Contractual Clauses (borrowing from GDPR practice)
  • Encryption of data at rest/in transit
  • ANPD pre-approval (if high-risk transfer)

LGPD Compliance: 8-Step Roadmap

Step 1: Conduct a Data Audit

Identify all personal data you collect, store, and process.

Document:

  • What data (names, emails, phone, location, biometric, financial info?)
  • Source (directly from user, third party, publicly available?)
  • Purpose (marketing, customer service, analytics, compliance?)
  • Retention period (how long you keep it)
  • Who has access (employees, contractors, third-party vendors?)
  • Where stored (on-premise, cloud, third-country servers?)

Tools:

  • Use GDPR data mapping framework (most of the work is the same)
  • Interview all departments (marketing, sales, product, legal)
  • Review contracts with vendors (confirm they’re LGPD-compliant)

Output: Data inventory spreadsheet listing all processing activities

Step 2: Identify the Legal Basis for Each Processing Activity

For each data processing activity, identify the legal basis (why you’re allowed to process):

LGPD allows processing if:

  1. Consent – User explicitly agreed
  2. Contract – Necessary to fulfill service
  3. Legal obligation – Required by law (tax, compliance)
  4. Vital interests – Protect health/safety (rare; emergencies)
  5. Legitimate interests – Company has legitimate business need (marketing, security)
  6. Public interest – For government/public agencies
  7. Credit/debt – Managing credit relationships
  8. Biometric data – Specific rules for fingerprints, iris scans, etc.

Example:

  • Email: Contract basis (needed to deliver service) + legitimate interests (marketing emails, if you disclose in privacy notice)
  • Payment info: Contract basis (needed to process transaction)
  • Biometric login: Consent basis (user chooses fingerprint login)

Step 3: Review Consent Mechanisms

Review how you currently collect consent. In Brazil, consent must be:

  1. Explicit – Clear, unambiguous statement (not inferred from silence)
  2. Informed – User knows what data, how it’s used, for how long
  3. Separate – Consent for different purposes kept separate (don’t mix marketing + service consents)
  4. Freely given – No coercion; user can withdraw anytime

Common LGPD violations:

  • Pre-checked consent boxes (opt-in must be active choice, not default)
  • Bundled consents (claiming user consents to marketing just because they consent to service)
  • No withdrawal mechanism (user can’t unsub from marketing)
  • Vague purpose statements (“we use data for business operations” is too broad)

Action items:

  • Audit current consent forms/banners
  • Separate consents by purpose (service vs. marketing)
  • Make withdrawal easy (unsubscribe link, simple request process)
  • Document each user’s consent and when it was given
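A consent ledger that enforces the action items above, written as an added example for this page rather than code from the original (user ids, purposes and form names are constructed sample values): every record carries exactly one purpose, an affirmative-action flag, the form that collected it and a timestamp, and withdrawal closes the record instead of deleting it, so the ledger also serves as the per-user consent documentation the last item calls for.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample purposes; each needs its own consent record (no bundling).
PURPOSES = {"service", "marketing", "biometric_login"}

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str
    given_at: datetime           # moment of the user's affirmative action
    source: str                  # which form/banner version collected it
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Append-only per-purpose consent records; withdrawals close a record
    rather than deleting it, so the ledger doubles as the audit trail."""

    def __init__(self) -> None:
        self._records: list = []

    def record(self, user_id: str, purpose: str, source: str, affirmative: bool,
               at: Optional[datetime] = None) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not affirmative:
            # A pre-checked box or silence is not consent: refuse to record it.
            raise ValueError("consent must be an active choice by the user")
        rec = ConsentRecord(user_id, purpose, at or datetime.now(timezone.utc), source)
        self._records.append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Close every open consent for this purpose; False if none was open."""
        now, closed = at or datetime.now(timezone.utc), False
        for rec in self._records:
            if rec.user_id == user_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at, closed = now, True
        return closed

    def has_consent(self, user_id: str, purpose: str) -> bool:
        # Checked per purpose: consent to "service" never implies consent to "marketing".
        return any(r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def history(self, user_id: str) -> list:
        """Per-user evidence: what was consented to, via which form, when, and when withdrawn."""
        return [{"purpose": r.purpose, "source": r.source, "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.user_id == user_id]
```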

Step 4: Implement Technical Safeguards

LGPD requires “security” measures. This means:

  1. Encryption – Data encrypted in transit (HTTPS/TLS) and at rest (database encryption)
  2. Access controls – Only authorized employees access sensitive data
  3. Audit trails – Log who accessed what data when
  4. Backups – Regular backups; test restoration procedures
  5. Incident response – Plan for data breaches (who to notify, how fast)

Implementation:

  • Use cloud providers with security certifications (AWS, Azure, Google Cloud all offer LGPD-compliant services)
  • Enable encryption (most platforms have one-click encryption options)
  • Limit access (only employees who need data get access)
  • Conduct regular security audits (annual penetration testing recommended)

Step 5: Establish Data Subject Rights Procedures

LGPD gives users rights; you must be able to fulfill requests quickly.

Rights include:

  • Access – Copy of their data (you have 15 days to respond)
  • Correction – Fix inaccurate data
  • Deletion (right to be forgotten) – Erase data after purpose served
  • Portability – Receive data in portable format (JSON, CSV)
  • Opt-out – Stop processing (if legitimate interests basis)

Procedures to establish:

  • Privacy portal – Self-service tool for data access/deletion (faster, scalable)
  • Request mechanism – Email address or form where users submit requests
  • Verification – Confirm requester is actual data subject (prevent fraud)
  • Response timeline – 15 days to respond; 30 days if complex

Example workflow:

  1. User submits data access request via portal
  2. System verifies email/identity
  3. System generates data export (JSON file)
  4. User downloads within 15 days
  5. Log request for audit trail
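The workflow above as an added example (not code from the original page): an access request object that computes the 15-day deadline (30 days when marked complex), verifies the requester with a token sent to the email on file, refuses to export until verification succeeds, produces a portable JSON export, and keeps an audit log of every step; the user record and timestamps are constructed sample values.

```python
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STANDARD_DAYS = 15   # response deadline the text gives for an access request
COMPLEX_DAYS = 30    # extended deadline for complex requests

# Constructed sample data store for the hypothetical SaaS.
USER_DATA = {"u1": {"name": "Ana", "email": "ana@example.com"}}

@dataclass
class AccessRequest:
    user_id: str
    submitted_at: datetime
    is_complex: bool = False
    verified: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # sent to the email on file
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, at: datetime) -> None:
        self.audit_log.append({"at": at.isoformat(), "event": event})

    def deadline(self) -> datetime:
        return self.submitted_at + timedelta(days=COMPLEX_DAYS if self.is_complex else STANDARD_DAYS)

    def verify(self, presented: str, at: datetime) -> bool:
        # Constant-time compare so a failed attempt leaks nothing about the token.
        self.verified = secrets.compare_digest(presented, self.token)
        self._log("verified" if self.verified else "verification_failed", at)
        return self.verified

    def export(self, at: datetime) -> str:
        """Portable JSON export; refuses to run until the requester is verified."""
        if not self.verified:
            raise PermissionError("identity not verified")
        self._log("export_generated", at)
        return json.dumps({"user_id": self.user_id, "exported_at": at.isoformat(),
                           "data": USER_DATA.get(self.user_id, {})}, ensure_ascii=False)

def run_sample_workflow() -> dict:
    # Walks one constructed request through the steps above; returns what an auditor would check.
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    req = AccessRequest("u1", t0)
    try:
        req.export(t0)
        rejected_unverified = False
    except PermissionError:
        rejected_unverified = True
    req.verify("not-the-token", t0)                        # failed attempt is logged as well
    req.verify(req.token, t0 + timedelta(hours=1))
    export = json.loads(req.export(t0 + timedelta(days=2)))
    return {"deadline_days": (req.deadline() - t0).days, "rejected_unverified": rejected_unverified,
            "exported_email": export["data"]["email"], "events": [e["event"] for e in req.audit_log],
            "complex_deadline_days": (AccessRequest("u1", t0, is_complex=True).deadline() - t0).days}
```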

Step 6: Create Data Processing Agreements (DPAs)

If you use third-party vendors (cloud providers, analytics, payment processors), they must have written agreements specifying:

  • Purpose and scope of processing
  • Type of data processed
  • Duration of processing
  • Security measures
  • Confidentiality obligations
  • User rights fulfillment (right to access, deletion, etc.)
  • Sub-processors (if vendor uses other vendors)

Example vendors requiring DPAs:

  • Cloud hosting (AWS, Azure, Google Cloud)
  • Email platforms (SendGrid, Mailchimp)
  • Analytics (Google Analytics, Mixpanel)
  • Payment processors (Stripe, Adyen)
  • CRM systems (Salesforce, HubSpot)

Action: Contact all vendors; request LGPD-compliant DPA or data addendum

Step 7: Appoint Data Protection Officer (if required)

Required if:

  • You’re a large-scale processor (collect data from many Brazilians)
  • You’re a public authority
  • Core business is data monitoring/profiling

Optional but recommended if:

  • You collect sensitive data (biometric, health, payment)
  • You have cross-border transfers
  • You’re a foreign company (shows good faith compliance)

DPO responsibilities:

  • Oversee LGPD compliance
  • Handle data subject requests
  • Serve as contact for ANPD
  • Document compliance efforts (audit trails)

Cost: R$3K–10K/month for external DPO service (or hire internal)

Step 8: Document Your Compliance Efforts (Accountability)

LGPD requires accountability – you must prove you’re compliant.

Document:

  • Consent records – When each user consented, to what, when/if withdrawn
  • Data audit – What data you collect, why, how long stored
  • DPA agreements – Copies of all vendor agreements
  • Security measures – Encryption, access controls, audit logs
  • Breach incidents – Any data breaches, how handled, notifications sent
  • Data subject requests – Log of all access/deletion requests, responses
  • Privacy notices – Copy of your privacy policy as published

Store in: Central repository (shared drive, document management system)

Purpose: If ANPD audits or users file complaints, you can demonstrate compliance


Cross-Border Data Transfers

This is the thorniest issue. If you’re a US company storing Brazilian users’ data on US servers, is that LGPD-compliant?

Current state: Ambiguous. ANPD hasn’t issued definitive guidance. Companies are using these approaches:

1. Data Processing Agreements (DPA) Approach

Mimic GDPR’s Standard Contractual Clauses:

  • Include DPA with your terms of service
  • Specify security measures
  • Commit to respond to data subject requests
  • Accept liability for LGPD violations

Risk: ANPD might not accept this as “adequate safeguard” if challenged

Status: Most common approach now; low enforcement risk currently

2. Encryption Approach

Store data encrypted; only Brazilian entity holds decryption keys.

How it works:

  • Data transferred encrypted to US servers
  • Encryption keys stay in Brazil
  • US servers cannot decrypt
  • Data remains under Brazilian control

Risk: Complex to implement; may not work for all processing (analytics requires decryption)

Status: Increasingly recommended; high technical bar

3. ANPD Pre-Approval

Request ANPD guidance before transferring sensitive data.

Pros: Definitive; prevents future disputes
Cons: Slow (6–12 months); ANPD rarely approves risky transfers

Status: Only for high-risk transfers (biometric, health data)

4. Brazil-Based Infrastructure

Store all Brazilian data on servers physically located in Brazil.

Pros: Clearly compliant; data sovereignty
Cons: Cost, complexity; may require local subsidiary

Status: Growing trend for sensitive data; multinational companies increasingly doing this

Practical approach: Combine several layers rather than relying on one:

  • DPA with clear security commitments (primary basis)
  • Encryption for sensitive data (additional protection)
  • Brazil-based backup storage (redundancy)
  • Document your choice (accountability)

LGPD Breach Notification

If a data breach occurs (unauthorized access, ransomware, theft), you must notify users and ANPD.

Notification Requirements

Timeline: “Without undue delay” (ANPD guidance suggests 10 days from discovery)

Who to notify:

  • Affected users (if breach poses “risk to rights”)
  • ANPD (if significant risk)
  • Public disclosure, e.g. through the media (if the breach has mass impact)

What to communicate:

  • What data was breached
  • When it was discovered
  • Steps taken to mitigate
  • What users should do (e.g., change passwords)
  • Contact for questions

Example notification:

"We discovered unauthorized access to our systems on [date].
Personal data including names and email addresses were accessed.
Payment data was encrypted and not accessible. We have:
1. Isolated the breach
2. Enhanced security
3. Notified ANPD

You should [action]. Contact [email] with questions."

Breach Response Plan

Establish a data breach response plan before a breach occurs:

  1. Detection: Monitor systems for unauthorized access; set up alerts
  2. Containment: Isolate affected systems; stop ongoing breach
  3. Investigation: Determine scope (how much data? how long was it exposed?)
  4. Notification: Draft notification; send to users + ANPD
  5. Remediation: Fix the vulnerability; implement preventive measures
  6. Documentation: Record everything for audit trail

LGPD Penalties & Enforcement

ANPD can impose two types of penalties:

1. Administrative Penalties

For violations, ANPD can issue fines:

  • Minor violations (failure to maintain audit trail): Up to 2% of annual revenue or 50K BRL (whichever is less)
  • Serious violations (no consent; no security): Up to 50M BRL (~USD 10M) or 2% of annual revenue (whichever is higher)

Examples of violations drawing fines:

  • No consent; no valid legal basis for processing
  • Data breaches due to inadequate security
  • Refusing to honor data subject requests
  • Inadequate privacy notices
  • Cross-border transfers without safeguards

2. Administrative Actions

ANPD can also:

  • Suspend processing (if processing violates LGPD)
  • Block transfer of data internationally
  • Require deletion of improperly collected data
  • Require implementation of safeguards

Enforcement Status

Key point: ANPD is relatively new; enforcement is accelerating but not yet comprehensive.

  • 2021–2022: Focus on awareness, guidance
  • 2023–2024: ANPD starting to issue fines (30+ fines issued so far)
  • Target: Companies collecting large amounts of data (tech companies, financial services, telecom)

Current enforcement focus:

  • Biometric data (facial recognition, fingerprints)
  • Children’s data
  • Health data
  • Data brokers

Low enforcement risk currently for: Small companies, those with reasonable security + consent

High enforcement risk for: Large tech platforms, no consent, poor security, breach response failures


Privacy Notice & Transparency Requirements

LGPD requires clear communication about data practices. Your privacy notice must disclose:

  1. Identity of data controller (your company)
  2. Purpose of processing
  3. Legal basis (consent, contract, etc.)
  4. Recipients of data (third parties you share with)
  5. Retention period (how long you keep data)
  6. User rights (access, deletion, portability, etc.)
  7. How to exercise rights (contact email, portal)
  8. Consequences of refusing consent (if service won’t work without data)

Best practice: Simple, clear language; avoid legal jargon

Common mistakes:

  • Privacy notice buried in terms of service (should be standalone)
  • Vague purposes (“we use data for business purposes”)
  • No mention of user rights
  • No easy mechanism to withdraw consent

Why ZS Advogados

At ZS Advogados, we help companies navigate LGPD compliance—from initial audits through implementation and ongoing management.

We’ve conducted LGPD audits for tech companies, e-commerce platforms, and financial services firms. We’ve drafted privacy notices, DPAs, and consent mechanisms. We’ve helped companies respond to data breaches compliantly.

We understand ANPD’s evolving enforcement posture. We know which compliance measures carry highest return on investment. We help you be compliant without overengineering (unlike GDPR, LGPD doesn’t require some expensive measures—yet).

Whether you’re a foreign company newly subject to LGPD or a Brazilian company needing LGPD audit, we make compliance achievable and practical.

Let’s ensure your data practices are legally defensible.