Brazil Data Privacy Laws: LGPD Compliance Guide (2026)

What Is the LGPD?
Brazil's Lei Geral de Proteção de Dados, commonly known as the LGPD, is the country's general data protection law. Enacted as Law No. 13.709 on August 14, 2018, and effective since September 18, 2020, the LGPD unified approximately 40 different Brazilian laws that previously regulated various aspects of personal data processing.

The law applies to any natural person or legal entity, public or private, that processes personal data in Brazil. It has explicit extraterritorial reach, meaning it applies to any foreign business that offers goods or services to individuals in Brazil, collects personal data from Brazilian residents, or operates through a Brazilian subsidiary.
The LGPD draws heavily from the European Union's General Data Protection Regulation (GDPR), but includes several provisions unique to Brazil's legal and commercial landscape. It establishes a comprehensive framework covering data collection, storage, processing, sharing, and deletion, with strong protections for individual privacy rights.
The ANPD: Brazil's Data Protection Authority
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's national data protection authority, created by the LGPD to oversee, enforce, and regulate data protection across the country. The ANPD was initially established as part of the Presidency of the Republic but has since been transformed into an independent regulatory agency with functional, technical, decision-making, administrative, and financial autonomy.
The ANPD's responsibilities include issuing regulations and guidelines on data protection, investigating complaints and potential violations, imposing administrative sanctions for non-compliance, promoting public awareness of data protection rights, and cooperating with data protection authorities in other countries.
In November 2025, the ANPD launched its Enforcement Dashboard, an interactive tool that provides aggregated data on oversight actions, preparatory procedures, and administrative proceedings. This dashboard represents a significant step toward enforcement transparency.
ANPD Regulatory Agenda for 2025-2026
The ANPD has published an updated regulatory agenda that prioritizes several key areas. These include data subject rights enforcement, biometric data processing rules, artificial intelligence governance and security standards, Data Protection Impact Assessment (DPIA) guidelines, data sharing by government entities, and security measures for high-risk processing.
For the 2026-2027 biennium, the ANPD has identified four priority themes for heightened scrutiny: data subject rights, protection of children and adolescents online, processing of personal data by public authorities, and artificial intelligence and emerging technologies.
The 10 Legal Bases for Data Processing
One of the LGPD's defining features is that it establishes 10 legal bases for the lawful processing of personal data, outlined in Article 7. There is no hierarchy among these bases. Organizations must identify the most appropriate legal basis for each specific processing activity based on the purpose and the relationship with the individual.
1. Consent
The data subject provides free, informed, and unequivocal consent for a specific purpose. Consent must be given in writing or through another means that demonstrates the data subject's intent. It can be revoked at any time, and the controller must inform the data subject of the consequences of revoking consent.
2. Legal or Regulatory Obligation
Processing is necessary to comply with a legal or regulatory obligation of the controller. This covers situations where Brazilian law requires certain data to be collected or retained, such as tax records, employment data, or anti-money laundering requirements.
3. Public Policy Execution
Processing is necessary for the execution of public policies provided for in laws, regulations, or supported by contracts, agreements, or similar instruments. This basis is available exclusively to the public administration.
4. Research
Research bodies may process personal data for studies of a historical, scientific, technological, or statistical character. Wherever possible, data must be anonymized. This basis requires compliance with ethical standards and cannot be used for commercial purposes without additional legal grounds.
5. Contract Execution
Processing is necessary to execute a contract or preliminary procedures related to a contract of which the data subject is a party. This covers processing needed to fulfill contractual obligations at the data subject's request.
6. Exercise of Legal Rights
Processing is necessary for the regular exercise of rights in judicial, administrative, or arbitration proceedings. This allows organizations to process personal data when needed to establish, exercise, or defend legal claims.
7. Protection of Life or Physical Safety
Processing is necessary to protect the life or physical safety of the data subject or a third party. This emergency basis applies in situations where obtaining consent is not feasible and there is an immediate threat to someone's life or safety.
8. Health Protection
Processing is necessary for health protection purposes, carried out by health professionals, health services, or health authorities. This basis covers medical treatment, public health measures, and health-related research conducted by qualified entities.
9. Legitimate Interests
Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's fundamental rights and freedoms. Controllers relying on this basis must conduct a balancing test and maintain documentation of their assessment.
10. Credit Protection
Processing is necessary for the protection of credit, including credit scoring. This is a legal basis unique to the LGPD and not found in the GDPR. It reflects Brazil's extensive credit reporting system and allows data processing for creditworthiness assessments and fraud prevention.
Data Subject Rights Under the LGPD
Article 18 of the LGPD grants data subjects a comprehensive set of rights regarding their personal data. These rights can be exercised at any time and free of charge through a request to the data controller.
Confirmation of Processing. Data subjects have the right to confirm whether their personal data is being processed by a controller.
Access to Data. Individuals can request access to their personal data held by the controller, including information about what data is being processed and how.
Correction of Inaccurate Data. Data subjects can request the correction of incomplete, inaccurate, or outdated personal data.
Anonymization, Blocking, or Deletion. Individuals can request anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with the LGPD.
Data Portability. Data subjects have the right to request portability of their personal data to another service or product provider, in accordance with ANPD regulations.
Deletion of Processed Data. Individuals can request the deletion of personal data processed with their consent, except where the controller has a legal basis to retain it.
Information About Sharing. Data subjects have the right to know which public and private entities the controller has shared their data with.
Information About Consent Denial. Individuals must be informed about the possibility of denying consent and the consequences of such denial.
Revocation of Consent. Data subjects can revoke their consent at any time through an express request to the controller, through a free and facilitated procedure.
Explanation of Automated Decisions. Data subjects have the right to request an explanation about any decisions made solely through automated processing that affect their interests, including decisions on their personal, professional, consumer, or credit profile.
Sensitive Personal Data
The LGPD provides enhanced protection for sensitive personal data. Under Article 5(II), sensitive data includes information related to racial or ethnic origin, religious beliefs, political opinions, trade union membership, religious, philosophical, or political organization membership, health data, sexual orientation, and genetic or biometric data.
Processing of sensitive data requires specific and prominent consent from the data subject, with clear information about the purposes of the processing. Without consent, sensitive data may only be processed for compliance with legal obligations, execution of public policies, research by qualified entities, protection of life or physical safety, health protection, and prevention of fraud.
Notably, the legal bases of legitimate interest and contract execution cannot be used for processing sensitive data. The LGPD also prohibits the sharing of health-related sensitive data between controllers for economic advantage, with exceptions for health services, pharmaceutical assistance, and health plan portability.
Data Protection Officer Requirements
Article 41 of the LGPD requires every controller to appoint a Data Protection Officer (referred to as "encarregado" in Portuguese). The DPO serves as the primary point of contact between the controller, data subjects, and the ANPD.
The DPO's responsibilities include accepting complaints and communications from data subjects and providing clarifications, receiving communications from the ANPD and taking appropriate measures, guiding the controller's employees and contractors on data protection practices, and executing any other duties assigned by the controller or established by regulation.
The LGPD does not mandate specific professional qualifications or certifications for the DPO role. However, the DPO must be able to communicate in Portuguese when interacting with the ANPD and data subjects. Under Resolution CD/ANPD No. 18/2024, a single DPO may serve multiple controllers, provided there are no conflicts of interest.
Small processing agents, as defined by Resolution CD/ANPD No. 2/2022, are exempt from the mandatory DPO appointment requirement. This exemption applies to microenterprises, small businesses, startups, and natural persons or legal entities whose data processing activities pose limited risk. However, the ANPD still recommends voluntary appointment as a best practice.
Breach Notification Requirements
The LGPD requires controllers to report security incidents involving personal data to the ANPD and affected data subjects. Resolution CD/ANPD No. 15/2024 established detailed requirements for this notification process.
Timeline. Controllers must notify the ANPD and affected data subjects within three business days of becoming aware that a security incident involved personal data likely to result in risk or relevant harm. If complete details are not immediately available, a preliminary notification can be submitted within this window, with supplementary information due within 20 business days.
Content of Notification. The notification must include a description of the nature of the affected personal data, information about the data subjects involved, the technical and security measures used to protect the data (subject to trade secret protections), the risks related to the incident, the measures taken to reverse or mitigate the effects of the incident, and the reasons for any delay in notification if the three-day deadline was not met.
Notification to Data Subjects. When individual notification is required, it must be made in simple, easy-to-understand language. Controllers should contact data subjects directly through email, SMS, letter, or electronic message, preferably using the communication channel normally used with the data subject. If the controller cannot identify all affected individuals, it must publicly disclose the incident through its website, applications, social media, and customer service channels for at least three months.
DPO Role in Notification. The breach notification must be submitted by the controller's DPO or legal representative with the corresponding nomination documentation or power of attorney, using the breach reporting form provided by the ANPD.
Penalties and Enforcement
The LGPD establishes a graduated system of administrative sanctions for non-compliance, outlined in Articles 52 through 54. The ANPD classifies infractions as minor, medium, or serious under Resolution CD/ANPD No. 4/2023, which determines the severity of sanctions applied.
Types of Sanctions
Warning. The ANPD may issue a warning with a deadline for the controller to adopt corrective measures.
Simple Fine. Fines of up to 2% of the legal entity's, group's, or conglomerate's revenue in Brazil in the preceding fiscal year, net of taxes, capped at BRL 50 million (approximately USD 9.3 million) per violation.
Daily Fine. The ANPD may impose daily fines subject to the same BRL 50 million cap, designed to compel compliance within a specified timeframe.
Public Notice. After a violation is duly investigated and confirmed, the ANPD may publicly disclose the infraction, which can cause significant reputational damage.
Blocking of Data. The ANPD can order the blocking of personal data related to the violation until the processing is regularized.
Deletion of Data. The authority can order the complete deletion of personal data related to the infraction.
Suspension of Processing. The ANPD may suspend data processing activities for up to six months, with the possibility of renewal, until the controller resolves the non-compliance.
Prohibition of Processing. In severe cases, the ANPD can impose a partial or total ban on data processing activities.
Proposed Penalty Increases
Bill PL 4530/23, currently under consideration by the Brazilian legislature, proposes significant increases to LGPD penalties. If approved, the maximum fine percentage would increase from 2% to 20% of revenue, and the absolute cap would double from BRL 50 million to BRL 100 million per violation.
Notable Enforcement Actions
Since the ANPD began active enforcement, several cases have demonstrated the authority's willingness to pursue violations across sectors and company sizes.
Telekall Infoservice (2023). The ANPD's first-ever enforcement action targeted this small telecom company for processing personal data without a legal basis and failing to appoint a DPO. The fine was BRL 14,400 (approximately USD 2,960). Though modest in amount, the case signaled that compliance obligations apply to businesses of all sizes.
Meta Platforms (2024). In July 2024, the ANPD issued a preventive measure ordering Meta to stop using personal data from Facebook, Instagram, and Messenger to train its AI systems. The ANPD found four distinct LGPD violations: inadequate disclosures, insufficient protections for children's data, failure to provide opt-out mechanisms, and disregard for the legitimate expectations of Brazilian social media users. Meta faced daily fines of BRL 50,000 (approximately USD 10,000) for non-compliance. After Meta implemented required adjustments, the measure was suspended in August 2024.
DPO Non-Compliance Campaign (2024-2025). In November 2024, the ANPD initiated proceedings against 20 companies for failing to appoint or publicly disclose a Data Protection Officer. By April 2025, all companies had achieved compliance, demonstrating the effectiveness of targeted enforcement.
Ongoing Investigations. As of 2026, the ANPD has active supervisory actions against social media networks (regarding children's data), messaging platforms (transparency and consent issues), pharmaceutical loyalty programs, and 23 football clubs using facial recognition technology for stadium access.
The ANPD has imposed a cumulative total of over BRL 98 million (approximately USD 20 million) in fines between 2023 and 2025, reflecting a clear trajectory from educational guidance toward active enforcement.
International Data Transfers
The LGPD provides specific rules for the international transfer of personal data, detailed in Articles 33 through 36. Transfers are only permitted under legally defined mechanisms.
Transfer Mechanisms
Adequacy Decisions. The ANPD can recognize that a foreign country or international organization provides an adequate level of personal data protection. This is the simplest mechanism, as it allows transfers without additional safeguards.
Standard Contractual Clauses (SCCs). Organizations may rely on ANPD-approved standard contractual clauses for international transfers. Under the 2024 international transfer regulation, organizations have 12 months to implement SCCs.
Specific Contractual Clauses. When SCCs are insufficient, organizations may use specific contractual clauses as a subsidiary mechanism. These must mirror the language of SCCs as closely as possible and require prior ANPD approval.
Binding Corporate Rules (BCRs). For intragroup international data transfers, organizations may use binding corporate rules, which also require a prior assessment and approval from the ANPD. Controllers must demonstrate compliance with several requirements, including a data privacy governance program.
Other Permitted Circumstances. International transfers are also permitted for international legal cooperation, protection of life or physical safety, data subject consent, compliance with legal or regulatory obligations, contractual necessity, and the regular exercise of legal rights.
The EU-Brazil Mutual Adequacy Decision
On January 26, 2026, Brazil and the European Union adopted mutual adequacy decisions, marking a watershed moment for international data transfers between the two jurisdictions. This was formalized through Resolution CD/ANPD No. 32/2026 on the Brazilian side and the corresponding European Commission implementing decision on the EU side.
This mutual recognition means personal data can circulate between Brazil and the EU directly, securely, and without additional transfer mechanisms under LGPD Article 33(I). The decision covers transfers to all EU member states plus Iceland, Liechtenstein, and Norway (EEA/EFTA countries), as well as EU institutions, bodies, and agencies.
The adequacy framework excludes transfers conducted exclusively for public security, national defense, state security, or criminal investigation and prosecution purposes. The agreement is subject to review every four years.
This is Brazil's first-ever adequacy decision and the most comprehensive one adopted by the European Union under the GDPR, covering both public and private sectors simultaneously. It establishes ongoing cooperation mechanisms between the ANPD and European data protection authorities.
LGPD vs. GDPR: Key Differences
While the LGPD is modeled on the GDPR, several important differences distinguish the two frameworks.
Legal Bases for Processing. The LGPD provides 10 legal bases for processing personal data, while the GDPR provides 6. The LGPD includes unique bases for credit protection, public policy execution, and research that are either absent or structured differently under the GDPR.
Penalties. LGPD fines are capped at 2% of revenue in Brazil (max BRL 50 million per violation), while GDPR fines can reach 4% of global annual turnover or EUR 20 million for the most severe violations. The GDPR's penalties are significantly larger in both percentage and absolute terms.
Breach Notification Timeframe. The LGPD requires notification within three business days, while the GDPR mandates notification to the supervisory authority within 72 hours of becoming aware of a breach.
DPO Requirements. The GDPR specifies conditions under which a DPO must be appointed (large-scale processing, public authorities, special category data), while the LGPD broadly requires all controllers to appoint a DPO, with a narrower exemption for small processing agents.
Scope of Application. The GDPR applies to both controllers and processors directly, while the LGPD primarily places obligations on controllers, with processors bearing responsibility mainly through contractual obligations.
Data Protection Principles. The LGPD includes non-discrimination as an explicit data protection principle, which is not listed as a standalone principle under the GDPR.
Children's Data. The GDPR sets the minimum consent age at 16 (with member states allowed to lower it to 13), while the LGPD requires specific parental consent for processing children's data (under 12) and treats adolescents' data (13-17) with additional protections.
Sensitive Data Categories. Both laws define sensitive data similarly, but the LGPD explicitly includes trade union membership as a separate category and does not include philosophical beliefs in the same way the GDPR does.
Data Protection Impact Assessments
The LGPD requires Data Protection Impact Assessments (DPIAs) for processing activities that present a high risk to data subjects' fundamental rights and civil liberties. The ANPD has established specific criteria for determining when a DPIA is mandatory.
A DPIA becomes required when processing meets cumulative criteria: the activity must involve large-scale processing or significantly affect data subjects' rights and interests, plus at least one additional risk factor. These factors include monitoring of publicly accessible areas, automated decision-making, use of emerging technologies, processing of sensitive data, processing of children's or elderly individuals' data, or any processing that could result in discriminatory effects.
The DPIA must document the types of personal data collected, the methodology for collection and processing, the measures and mechanisms used to mitigate risks, and the controller's analysis of the proportionality and necessity of the processing in relation to its stated purposes.
Children's and Adolescents' Data
The LGPD provides specific protections for the processing of children's and adolescents' personal data under Article 14. Processing must always be carried out in the best interest of the child or adolescent.
For children under 12, the processing of personal data requires specific and prominent consent from at least one parent or legal guardian. Controllers must make reasonable efforts to verify that consent was actually given by the parent or guardian, using available technology.
For adolescents aged 13 to 17, the LGPD does not explicitly require parental consent, but processing must still serve the minor's best interest. The ANPD has signaled heightened scrutiny of data processing involving minors as a priority for the 2026-2027 biennium.
Brazil's Digital Statute for Children and Adolescents (ECA Digital, Law No. 15.211/2025), which took effect in March 2026, creates additional rules for protecting minors when using online applications, electronic games, social networks, and software. This law adds obligations for technology providers regarding age verification mechanisms and content moderation for minors.
Compliance Requirements for Organizations
Organizations processing personal data in Brazil or of Brazilian residents should take the following steps to ensure LGPD compliance.
Appoint a Data Protection Officer. Unless exempt as a small processing agent, every controller must appoint a DPO and publicly disclose the DPO's contact information. The DPO must be able to communicate in Portuguese with the ANPD.
Map Data Processing Activities. Conduct a comprehensive inventory of all personal data processing activities, identifying the types of data collected, purposes of processing, legal bases relied upon, data sharing arrangements, and retention periods.
Establish Legal Bases. Identify and document the appropriate legal basis for each processing activity. Remember that legitimate interest and contract execution cannot be used for sensitive data processing.
Implement Data Subject Rights Mechanisms. Create clear, accessible, and free processes for data subjects to exercise their rights, including access, correction, deletion, portability, and consent revocation.
Develop a Breach Response Plan. Prepare an incident response plan that enables notification to the ANPD and affected data subjects within three business days. Designate team members responsible for breach assessment and notification.
Conduct Data Protection Impact Assessments. Perform DPIAs for any processing activities that meet the ANPD's high-risk criteria. Document the assessment methodology, identified risks, and mitigation measures.
Review International Transfer Mechanisms. If transferring data internationally, ensure compliance with LGPD Articles 33-36. Take advantage of the EU-Brazil adequacy decision for transfers to the EU, and implement SCCs or other approved mechanisms for other jurisdictions.
Train Employees. Provide regular data protection training to employees and contractors who handle personal data. The DPO should oversee training programs.
Maintain Records. Keep detailed records of processing activities, consent obtained, DPIAs conducted, breach notifications submitted, and data subject requests fulfilled.
Sources and References
- Lei Geral de Proteção de Dados (Law No. 13.709/2018) (planalto.gov.br)
- ANPD Official Website (gov.br)
- European Commission: EU-Brazil Data Adequacy Agreement (ec.europa.eu)
- Resolution CD/ANPD No. 15/2024: Breach Notification Requirements (gov.br)
- Resolution CD/ANPD No. 2/2022: Small Processing Agents (gov.br)
- Resolution CD/ANPD No. 4/2023: Sanctions Methodology (gov.br)
- IAPP: An Overview of Brazil's LGPD (iapp.org)
- Baker McKenzie: Brazil and EU Mutual Data Protection Adequacy Decision (bakermckenzie.com)
- ICLG: Data Protection Laws and Regulations Brazil 2025-2026 (iclg.com)
- Mattos Filho: Data Privacy and Protection Day 2025 (mattosfilho.com.br)
- Mayer Brown: A New Era for Personal Data Transfers (mayerbrown.com)
- IAPP: ANPD Becomes Independent Regulatory Agency (iapp.org)
- Trench Rossi Watanabe: ANPD Priority Issues 2026-2027 (trenchrossi.com)
- Law No. 15.211/2025: Digital Statute for Children and Adolescents (ECA Digital) (planalto.gov.br)