Brazil Data Privacy Laws: LGPD Compliance Guide (2026)

Brazil's Lei Geral de Protecao de Dados (Law No. 13.709/2018), in force since September 2020, is the country's comprehensive data privacy law. It covers any organization processing personal data in Brazil, provides 10 legal bases for processing under Article 7, and is enforced by the ANPD with fines up to BRL 50 million per violation.
Brazil's Lei Geral de Protecao de Dados (LGPD), enacted as Law No. 13.709/2018, is the country's general data protection law and one of the most comprehensive privacy frameworks in Latin America. The law has been in force since September 18, 2020, applies extraterritorially to any organization processing data of people in Brazil, and is enforced by the Autoridade Nacional de Protecao de Dados (ANPD). For a side-by-side comparison of Brazil's framework with the European Union's GDPR, see our GDPR vs LGPD comparison. For Brazilian recording consent rules, see Brazil recording laws.
What Is the LGPD?
Brazil's Lei Geral de Protecao de Dados, commonly known as the LGPD, is the country's general data protection law. Enacted as Law No. 13.709 on August 14, 2018, and effective since September 18, 2020, the LGPD unified approximately 40 different Brazilian laws that previously regulated various aspects of personal data processing.
The law applies to any natural person or legal entity, public or private, that processes personal data in Brazil. It has explicit extraterritorial reach, meaning it applies to any foreign business that offers goods or services to individuals in Brazil, collects personal data from Brazilian residents, or operates through a Brazilian subsidiary.
The LGPD draws heavily from the European Union's General Data Protection Regulation (GDPR), but includes several provisions unique to Brazil's legal and commercial landscape. It establishes a comprehensive framework covering data collection, storage, processing, sharing, and deletion, with strong protections for individual privacy rights.
Data Protection as a Constitutional Right (EC 115/2022)
On February 10, 2022, the Brazilian Congress enacted Constitutional Amendment No. 115 (EC 115/2022), which elevated the protection of personal data to an explicit fundamental right under Brazil's 1988 Federal Constitution. The amendment added item LXXIX to Article 5, which now reads: "it is guaranteed, in the terms of the law, the right to personal data protection, including in digital means."
This constitutional change has two major practical effects. First, personal data protection now carries the same constitutional status as other fundamental rights in Article 5, such as privacy, freedom of expression, and the right to due process. Any legislation or government action that violates data protection rights is subject to constitutional challenge. Second, EC 115/2022 granted the federal government exclusive jurisdiction to legislate on personal data protection and processing. This preempts state and municipal governments from enacting conflicting privacy rules, ensuring uniform application of the LGPD across all Brazilian states and territories.
The amendment originated from Proposal for Constitutional Amendment No. 17/2019 and was motivated in part by the LGPD's entry into force, which had already established a statutory framework. EC 115/2022 gave that framework constitutional footing, reinforcing the LGPD's principles in the text of the constitution itself. The European Commission cited the constitutional amendment as one of the factors supporting Brazil's adequacy decision in January 2026.
The ANPD: Brazil's Data Protection Authority
The Autoridade Nacional de Protecao de Dados (ANPD) is Brazil's national data protection authority, created by the LGPD to oversee, enforce, and regulate data protection across the country. The ANPD was initially established as part of the Presidency of the Republic but has since been transformed into an independent regulatory agency with functional, technical, decision-making, administrative, and financial autonomy.

The ANPD's responsibilities include issuing regulations and guidelines on data protection, investigating complaints and potential violations, imposing administrative sanctions for non-compliance, promoting public awareness of data protection rights, and cooperating with data protection authorities in other countries.
In November 2025, the ANPD launched its Enforcement Dashboard on gov.br/anpd, an interactive tool that provides aggregated data on oversight actions, preparatory procedures, and administrative proceedings. This dashboard represents a significant step toward enforcement transparency.
ANPD Regulatory Agenda for 2025-2026
The ANPD has published an updated regulatory agenda that prioritizes several key areas. These include data subject rights enforcement, biometric data processing rules, artificial intelligence governance and security standards, Data Protection Impact Assessment (DPIA) guidelines, data sharing by government entities, and security measures for high-risk processing.
For the 2026-2027 biennium, the ANPD has identified four priority themes for heightened scrutiny: data subject rights (with special attention to sensitive data used for advertising), protection of children and adolescents online (including compliance with the Digital ECA, age verification, and blocking of inappropriate content), processing of personal data by public authorities, and artificial intelligence and emerging technologies. These priorities reflect the ANPD's stated intention to move from educational enforcement toward active sanctioning across all sectors.
The 10 Legal Bases for Data Processing
One of the LGPD's defining features is that it establishes 10 legal bases for the lawful processing of personal data, outlined in Article 7. There is no hierarchy among these bases. Organizations must identify the most appropriate legal basis for each specific processing activity based on the purpose and the relationship with the individual.
1. Consent
The data subject provides free, informed, and unequivocal consent for a specific purpose. Consent must be given in writing or through another means that demonstrates the data subject's intent. It can be revoked at any time, and the controller must inform the data subject of the consequences of revoking consent.
2. Legal or Regulatory Obligation
Processing is necessary to comply with a legal or regulatory obligation of the controller. This covers situations where Brazilian law requires certain data to be collected or retained, such as tax records, employment data, or anti-money laundering requirements.
3. Public Policy Execution
Processing is necessary for the execution of public policies provided for in laws, regulations, or supported by contracts, agreements, or similar instruments. This basis is available exclusively to the public administration.
4. Research
Research bodies may process personal data for studies of a historical, scientific, technological, or statistical character. Wherever possible, data must be anonymized. This basis requires compliance with ethical standards and cannot be used for commercial purposes without additional legal grounds.
5. Contract Execution
Processing is necessary to execute a contract or preliminary procedures related to a contract of which the data subject is a party. This covers processing needed to fulfill contractual obligations at the data subject's request.
6. Exercise of Legal Rights
Processing is necessary for the regular exercise of rights in judicial, administrative, or arbitration proceedings. This allows organizations to process personal data when needed to establish, exercise, or defend legal claims.
7. Protection of Life or Physical Safety
Processing is necessary to protect the life or physical safety of the data subject or a third party. This emergency basis applies in situations where obtaining consent is not feasible and there is an immediate threat to someone's life or safety.
8. Health Protection
Processing is necessary for health protection purposes, carried out by health professionals, health services, or health authorities. This basis covers medical treatment, public health measures, and health-related research conducted by qualified entities.
9. Legitimate Interests
Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's fundamental rights and freedoms. Controllers relying on this basis must conduct a balancing test and maintain documentation of their assessment.
10. Credit Protection
Processing is necessary for the protection of credit, including credit scoring. This is a legal basis unique to the LGPD and not found in the GDPR. It reflects Brazil's extensive credit reporting system and allows data processing for creditworthiness assessments and fraud prevention.
Data Subject Rights Under the LGPD
Article 18 of the LGPD grants data subjects a comprehensive set of rights regarding their personal data. These rights can be exercised at any time and free of charge through a request to the data controller.

Confirmation of Processing. Data subjects have the right to confirm whether their personal data is being processed by a controller.
Access to Data. Individuals can request access to their personal data held by the controller, including information about what data is being processed and how.
Correction of Inaccurate Data. Data subjects can request the correction of incomplete, inaccurate, or outdated personal data.
Anonymization, Blocking, or Deletion. Individuals can request anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with the LGPD.
Data Portability. Data subjects have the right to request portability of their personal data to another service or product provider, in accordance with ANPD regulations.
Deletion of Processed Data. Individuals can request the deletion of personal data processed with their consent, except where the controller has a legal basis to retain it.
Information About Sharing. Data subjects have the right to know which public and private entities the controller has shared their data with.
Information About Consent Denial. Individuals must be informed about the possibility of denying consent and the consequences of such denial.
Revocation of Consent. Data subjects can revoke their consent at any time through an express request to the controller, through a free and facilitated procedure.
Explanation of Automated Decisions. Data subjects have the right to request an explanation about any decisions made solely through automated processing that affect their interests, including decisions on their personal, professional, consumer, or credit profile.
Sensitive Personal Data
The LGPD provides enhanced protection for sensitive personal data. Under Article 5(II), sensitive data includes information related to racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or in a religious, philosophical, or political organization, health data, sexual orientation, and genetic or biometric data.
Processing of sensitive data requires specific and prominent consent from the data subject, with clear information about the purposes of the processing. Without consent, sensitive data may only be processed for compliance with legal obligations, execution of public policies, research by qualified entities, protection of life or physical safety, health protection, and prevention of fraud.
Notably, the legal bases of legitimate interest and contract execution cannot be used for processing sensitive data. The LGPD also prohibits the sharing of health-related sensitive data between controllers for economic advantage, with exceptions for health services, pharmaceutical assistance, and health plan portability.
Data Protection Officer (Encarregado) Requirements
Article 41 of the LGPD requires every controller to appoint a Data Protection Officer (referred to as "encarregado" in Portuguese). The DPO serves as the primary point of contact between the controller, data subjects, and the ANPD.
The DPO's responsibilities include accepting complaints and communications from data subjects and providing clarifications, receiving communications from the ANPD and taking appropriate measures, guiding the controller's employees and contractors on data protection practices, and executing any other duties assigned by the controller or established by regulation.
The LGPD does not mandate specific professional qualifications or certifications for the DPO role. However, the DPO must be able to communicate in Portuguese when interacting with the ANPD and data subjects. The ANPD has confirmed that a single DPO may serve multiple controllers, provided there are no conflicts of interest.
Small processing agents, as defined by Resolution CD/ANPD No. 2/2022, are exempt from the mandatory DPO appointment requirement. This exemption applies to microenterprises, small businesses, startups, and natural persons or legal entities whose data processing activities pose limited risk. However, the ANPD still recommends voluntary appointment as a best practice.
In November 2024, the ANPD initiated proceedings against 20 companies for failing to appoint or publicly disclose a DPO. By April 2025, all companies had achieved compliance, demonstrating both the ANPD's willingness to target non-compliant organizations and the effectiveness of targeted enforcement campaigns.
Breach Notification Requirements
The LGPD requires controllers to report security incidents involving personal data to the ANPD and affected data subjects. Resolution CD/ANPD No. 15/2024, adopted in April 2024, established detailed requirements for this notification process.
Timeline. Controllers must notify the ANPD and affected data subjects within three business days of becoming aware of a security incident involving personal data that is likely to result in risk or relevant harm. If complete details are not immediately available, a preliminary notification can be submitted within this window, with supplementary information due within 20 business days.
Content of Notification. The notification must include a description of the nature of the affected personal data, information about the data subjects involved, the technical and security measures used to protect the data (subject to trade secret protections), the risks related to the incident, the measures taken to reverse or mitigate the effects of the incident, and the reasons for any delay in notification if the three-day deadline was not met.
Notification to Data Subjects. When individual notification is required, it must be made in simple, easy-to-understand language. Controllers should contact data subjects directly through email, SMS, letter, or electronic message, preferably using the communication channel normally used with the data subject. If the controller cannot identify all affected individuals, it must publicly disclose the incident through its website, applications, social media, and customer service channels for at least three months.
DPO Role in Notification. The breach notification must be submitted by the controller's DPO or legal representative with the corresponding nomination documentation or power of attorney, using the breach reporting form provided by the ANPD.
Penalties and ANPD Enforcement
The LGPD establishes a graduated system of administrative sanctions for non-compliance, outlined in Articles 52 through 54. The ANPD classifies infractions as minor, medium, or serious under Resolution CD/ANPD No. 4/2023, which sets the methodology for calculating fine amounts (dosimetria) and determines the severity of sanctions applied.
Types of Sanctions
Warning. The ANPD may issue a warning with a deadline for the controller to adopt corrective measures.
Simple Fine. Fines of up to 2% of the legal entity's, group's, or conglomerate's revenue in Brazil in the preceding fiscal year, net of taxes, capped at BRL 50 million (approximately USD 9.3 million) per violation.
Daily Fine. The ANPD may impose daily fines subject to the same BRL 50 million cap, designed to compel compliance within a specified timeframe.
Public Notice. After a violation is duly investigated and confirmed, the ANPD may publicly disclose the infraction, which can cause significant reputational damage.
Blocking of Data. The ANPD can order the blocking of personal data related to the violation until the processing is regularized.
Deletion of Data. The authority can order the complete deletion of personal data related to the infraction.
Suspension of Processing. The ANPD may suspend data processing activities for up to six months, with the possibility of renewal, until the controller resolves the non-compliance.
Prohibition of Processing. In severe cases, the ANPD can impose a partial or total ban on data processing activities.
Notable Enforcement Actions
The ANPD has imposed a cumulative total of over BRL 98 million (approximately USD 20 million) in fines between 2023 and 2025, reflecting a clear trajectory from educational guidance toward active enforcement.
Telekall Infoservice (2023). The ANPD's first-ever enforcement action targeted this small telecom company for processing personal data without a legal basis and failing to appoint a DPO. The fine was BRL 14,400 (approximately USD 2,960). Though modest in amount, the case signaled that compliance obligations apply to businesses of all sizes.
IAMSPE (2024). The ANPD's second enforcement action targeted the Instituto de Assistencia Medica ao Servidor Publico Estadual de Sao Paulo (IAMSPE), a public health body. The sanctions arose from a security incident in which personal data of state civil servants and their dependents was accessed by an unauthorized external user. The ANPD issued two warnings: the first for failing to notify the ANPD and affected data subjects within the required timeframe (a violation of Article 48 of the LGPD); the second for inadequate security controls protecting a high volume of personal data including data of vulnerable subjects such as minors and the elderly (a violation of Article 49). The case confirmed that public sector entities face the same LGPD obligations as private controllers.
Meta Platforms (July 2024). The ANPD issued a preventive measure ordering Meta to stop using personal data from Facebook, Instagram, and Messenger to train its AI systems. The ANPD found four distinct LGPD violations: inadequate disclosures, insufficient protections for children's data, failure to provide opt-out mechanisms, and disregard for the legitimate expectations of Brazilian social media users. Meta faced daily fines of BRL 50,000 (approximately USD 10,000) for non-compliance. After Meta implemented required adjustments, the measure was suspended in August 2024.
TikTok/ByteDance (December 2024). The ANPD ordered TikTok's parent company ByteDance to strengthen its age verification measures on the platform, continuing the authority's heightened focus on children's data protection. The order preceded Brazil's Digital ECA (Law No. 15.211/2025) and signals the ANPD's proactive approach to minors' data even before new legislation took effect.
Ongoing Investigations. As of 2026, the ANPD has active supervisory actions against social media networks (regarding children's data), messaging platforms (transparency and consent issues), pharmaceutical loyalty programs, and 23 football clubs using facial recognition technology for stadium access.
Proposed Penalty Increases
Bill PL 4530/23, currently under consideration by the Brazilian legislature, proposes significant increases to LGPD penalties. If approved, the maximum fine percentage would increase from 2% to 20% of revenue, and the absolute cap would double from BRL 50 million to BRL 100 million per violation.
International Data Transfers and Standard Contractual Clauses
The LGPD provides specific rules for the international transfer of personal data, detailed in Articles 33 through 36. Transfers are only permitted under legally defined mechanisms.

Transfer Mechanisms
Adequacy Decisions. The ANPD can recognize that a foreign country or international organization provides an adequate level of personal data protection. This is the simplest mechanism, as it allows transfers without additional safeguards.
Standard Contractual Clauses (SCCs). Resolution CD/ANPD No. 19/2024, published on August 23, 2024, introduced ANPD-approved Standard Contractual Clauses as the primary transfer mechanism for organizations without an adequacy decision. The SCCs cover both controller-to-controller and controller-to-processor transfers. The grace period for implementing these SCCs expired on August 23, 2025. Since that date, international data transfers are only valid if SCCs or another ANPD-approved mechanism are in place.
Binding Corporate Rules (BCRs). For intragroup international data transfers, organizations may use binding corporate rules, which require prior assessment and approval from the ANPD. As of mid-2025, no BCRs had received ANPD approval, making them a technically available but practically unavailable mechanism.
Specific Contractual Clauses. When SCCs are insufficient, organizations may use specific contractual clauses as a subsidiary mechanism. These must mirror the SCCs as closely as possible and require prior ANPD approval.
Other Permitted Circumstances. International transfers are also permitted for international legal cooperation, protection of life or physical safety, data subject consent, compliance with legal or regulatory obligations, contractual necessity, and the regular exercise of legal rights.
The EU-Brazil Mutual Adequacy Decision
On January 26, 2026, Brazil and the European Union adopted mutual adequacy decisions, marking a watershed moment for international data transfers between the two jurisdictions. This was formalized through Resolution CD/ANPD No. 32/2026 on the Brazilian side and the corresponding European Commission implementing decision on the EU side.
This mutual recognition means personal data can circulate between Brazil and the EU directly, securely, and without additional transfer mechanisms under LGPD Article 33(I). The decision covers transfers to all EU member states plus Iceland, Liechtenstein, and Norway (EEA/EFTA countries), as well as EU institutions, bodies, and agencies.
The adequacy framework excludes transfers conducted exclusively for public security, national defense, state security, or criminal investigation and prosecution purposes. The agreement is subject to review every four years. This is Brazil's first-ever adequacy decision and the most comprehensive one adopted by the European Union under the GDPR, covering both public and private sectors simultaneously.
Brazil's AI Bill (PL 2338/2023)
Brazil's proposed Artificial Intelligence Act, Bill No. 2338/2023, represents a significant regulatory development for organizations using AI systems to process personal data. The Brazilian Federal Senate approved the bill on December 10, 2024. As of May 2026, the bill remained under review in the Chamber of Deputies, where it had been referred to a special committee established on April 29, 2025.
The bill establishes a risk-based framework with three tiers. Excessive-risk AI systems are banned outright. High-risk systems, which include those used for biometric identification, employment decisions, credit scoring, and social services, require formal impact assessments before deployment. Significant-risk systems face transparency and disclosure obligations.
The ANPD is designated as the primary AI regulator under the bill's current text. This would give the ANPD jurisdiction over AI systems that process personal data, creating direct overlap with LGPD enforcement. The bill also creates specific obligations for generative AI foundation models, including transparency requirements for training data.
The Chamber's review has surfaced competing concerns about biometric surveillance carve-outs for public security, the scope of liability for foundation model developers, and the relationship between the AI bill and existing LGPD provisions. No floor vote had been scheduled as of May 2026. Until the bill is enacted and in force, the ANPD regulates AI-related data processing under existing LGPD provisions, as demonstrated by the 2024 Meta AI training enforcement action.
LGPD vs. GDPR: Key Differences
While the LGPD is modeled on the GDPR, several important differences distinguish the two frameworks. The table below summarizes the most significant structural variations.
| Topic | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Legal bases for processing | 10 (includes credit protection) | 6 |
| Maximum fine | 2% of Brazilian revenue; BRL 50M cap per violation | 4% of global turnover; EUR 20M cap |
| Breach notification to authority | 3 business days | 72 hours |
| Breach notification to individuals | 3 business days (same window) | Without undue delay when high risk |
| DPO requirement | All controllers (with narrow SME exemption) | Conditional (large-scale, public authority, special category) |
| Direct processor obligations | No (primarily through contract) | Yes (directly bound) |
| Children's data consent age | Parental consent required under 12 | 16 (member states may lower to 13) |
| Non-discrimination principle | Explicit standalone principle | Not a standalone principle |
| Constitutional foundation | Yes (EC 115/2022, Art. 5 LXXIX) | Yes (EU Charter Art. 8) |
For a full analysis of both frameworks, see our GDPR vs LGPD comparison.
Data Protection Impact Assessments
The LGPD requires Data Protection Impact Assessments (DPIAs) for processing activities that present a high risk to data subjects' fundamental rights and civil liberties. The ANPD has established specific criteria for determining when a DPIA is mandatory.
A DPIA becomes required when processing meets cumulative criteria: the activity must involve large-scale processing or significantly affect data subjects' rights and interests, plus at least one additional risk factor. These factors include monitoring of publicly accessible areas, automated decision-making, use of emerging technologies, processing of sensitive data, processing of children's or elderly individuals' data, or any processing that could result in discriminatory effects.
The DPIA must document the types of personal data collected, the methodology for collection and processing, the measures and mechanisms used to mitigate risks, and the controller's analysis of the proportionality and necessity of the processing in relation to its stated purposes. The ANPD's Regulatory Agenda for 2025-2026 identifies DPIA guidelines as a priority rulemaking item, meaning additional regulations on DPIA requirements and methodology are expected before the end of 2026.
Children's and Adolescents' Data
The LGPD provides specific protections for the processing of children's and adolescents' personal data under Article 14. Processing must always be carried out in the best interest of the child or adolescent.
For children under 12, the processing of personal data requires specific and prominent consent from at least one parent or legal guardian. Controllers must make reasonable efforts to verify that consent was actually given by the parent or guardian, using available technology.
For adolescents aged 13 to 17, the LGPD does not explicitly require parental consent, but processing must still serve the minor's best interest. The ANPD has signaled heightened scrutiny of data processing involving minors as a priority for the 2026-2027 biennium.
Brazil's Digital Statute for Children and Adolescents (ECA Digital, Law No. 15.211/2025), which took effect in March 2026, creates additional rules for protecting minors when using online applications, electronic games, social networks, and software. Platform operators must implement age verification mechanisms, privacy-by-default settings, and content moderation for minors. The ANPD's enforcement action against TikTok in December 2024 foreshadowed the stricter obligations the ECA Digital now imposes.
Compliance Requirements for Organizations
Organizations processing personal data in Brazil or of Brazilian residents should take the following steps to ensure LGPD compliance.
Appoint a Data Protection Officer. Unless exempt as a small processing agent, every controller must appoint a DPO and publicly disclose the DPO's contact information. The DPO must be able to communicate in Portuguese with the ANPD.
Map Data Processing Activities. Conduct a comprehensive inventory of all personal data processing activities, identifying the types of data collected, purposes of processing, legal bases relied upon, data sharing arrangements, and retention periods.
Establish Legal Bases. Identify and document the appropriate legal basis for each processing activity. Legitimate interest and contract execution cannot be used for sensitive data processing.
Implement Data Subject Rights Mechanisms. Create clear, accessible, and free processes for data subjects to exercise their rights, including access, correction, deletion, portability, and consent revocation.
Develop a Breach Response Plan. Prepare an incident response plan that enables notification to the ANPD and affected data subjects within three business days. Designate team members responsible for breach assessment and notification.
Conduct Data Protection Impact Assessments. Perform DPIAs for any processing activities that meet the ANPD's high-risk criteria. Document the assessment methodology, identified risks, and mitigation measures.
Review International Transfer Mechanisms. If transferring data internationally, ensure compliance with LGPD Articles 33-36. Transfers to EU countries benefit from the January 2026 mutual adequacy decision and require no additional mechanisms. Transfers to other jurisdictions require ANPD-approved SCCs (under Resolution CD/ANPD No. 19/2024, with the grace period having expired on August 23, 2025), a future BCR approval, or another lawful mechanism. Organizations that have not yet implemented SCCs for non-EU transfers are currently non-compliant.
Train Employees. Provide regular data protection training to employees and contractors who handle personal data. The DPO should oversee training programs.
Maintain Records. Keep detailed records of processing activities, consent obtained, DPIAs conducted, breach notifications submitted, and data subject requests fulfilled.
Monitor AI and Children's Data Developments. Organizations using AI systems to process personal data should track the progress of PL 2338/2023 in the Chamber of Deputies. Operators of online platforms accessible to minors must comply with ECA Digital (Law No. 15.211/2025), which took effect in March 2026.