LGPD (Lei Geral de Proteção de Dados)
Brazil's federal law regulating personal data protection. A stringent regulation second only to GDPR, imposing high requirements on data-processing companies.
What is LGPD (Brazil’s General Data Protection Law)?
LGPD (Lei Geral de Proteção de Dados) is Brazil’s federal law regulating personal data protection. Enacted in 2018 and effective August 2020, it’s considered the most stringent data protection law outside the EU, imposing requirements equal to or exceeding GDPR. All companies processing data in Brazil—Brazilian or foreign—are subject to it.
In a nutshell: Brazil’s GDPR. It powerfully protects individual privacy and prevents companies from misusing data. Violating companies face potential penalties reaching 2% of corporate revenue.
Key points:
- Who’s covered: All companies processing personal data in Brazil or of Brazilians globally
- Main requirements: Obtaining individual consent, data minimization, security measures, data breach notification obligations
- Penalties: Administrative fines reaching 2% of revenue or 49 million Brazilian reals equivalent
Scope of application
LGPD applies in these cases.
- Companies processing Brazilian personal data — Data of Brazilian citizens, permanent residents, and individuals based in Brazilian territory
- Foreign companies providing services to Brazilian markets — For example, a Japanese company selling web services to Brazilian citizens is subject to LGPD
- Data exporting companies — Restrictions on data transfer from Brazil to other countries
However, exceptions exist. Anonymized data, public information (previously published like news reports), and data processing related to safety or public interest are exempt.
Main requirements
Key requirements companies must meet under LGPD:
Obtaining individual consent — Data processing generally requires explicit individual consent. Consent checkboxes must be unchecked by default, and companies cannot coerce consent.
Data minimization — Companies should “collect only minimum data necessary for purpose achievement.” Collecting unnecessary data is prohibited.
Implementing security measures — Data encryption, access restrictions, regular vulnerability assessments, and technical/organizational security measures are mandatory.
Publishing privacy policies — Companies must clearly disclose how personal data is processed.
Protecting individual rights — Individuals have the right to know how their data is used and to request its deletion (right to be forgotten).
Data breach notification — Security incidents require notifying affected individuals and regulators.
Violation consequences
Companies violating LGPD face strict penalties.
Administrative penalties — The regulatory authority (National Data Protection Authority) imposes fines. Minor violations incur up to 500,000 Brazilian reals (approximately 10 million yen); major violations reach 2% of revenue or 49 million Brazilian reals equivalent. Penalties for multiple violations accumulate.
Civil liability — Individuals harmed by data breaches can claim damages. Compared to GDPR breach settlements, LGPD precedents are still limited but likely to increase.
Criminal liability — Executives intentionally violating the law (like personal information sale) risk criminal penalties.
Operational suspension — Extremely serious violations may trigger regulatory orders suspending data processing.
Why it matters
LGPD is critically important beyond Brazil for global companies. Brazil is South America’s largest economy, with many international companies serving Brazilian markets. Operating in Brazil without LGPD compliance is impossible.
LGPD compliance capability is also becoming an evaluation criterion in Brazilian government procurement. Companies seeking public sector contracts must demonstrate LGPD compliance.
Real-world use cases
Japanese e-commerce company expanding to Brazil: Opening online shops for Brazilian citizens requires LGPD-compliant customer databases (addresses, purchase history). Website terms must be revised and customer opt-in consent secured. Data encryption and access restriction technologies must be implemented.
International logistics company shipping records: Shipping destination addresses and delivery person information handled in Brazil are treated as LGPD-covered personal data. Resale to third parties without shipper consent is prohibited.
Cloud-based analytics company: Customer data of Brazilian companies that it analyzes is treated as Brazilian personal data. It must comply with EU (GDPR) and Brazil (LGPD) regulations simultaneously, increasing complexity.
Benefits and considerations
LGPD adoption benefits companies by earning individual trust. Individuals who believe their data is handled safely are more willing to transact. Particularly in South America, where concern about data privacy is rising rapidly, LGPD-compliant companies gain a competitive advantage.
Considerations include increased compliance costs. Building individual consent mechanisms, strengthening security, and regularly reviewing privacy policies require substantial resources. Complying with GDPR and other regulations at the same time places an extremely heavy burden on global companies.
Brazil’s internal oversight is still developing, but regulatory monitoring is increasing. Recent years show a growing number of fines against violating companies, raising corporate compliance awareness.
Related terms
- GDPR — European personal data protection regulation that informed LGPD creation
- Data Protection — Fundamental LGPD purpose and concept
- Consent Management — Process essential for LGPD compliance
- Security Measures — LGPD-required security implementation
- Compliance — Overall corporate LGPD compliance responsibility
Frequently asked questions
Q: If I have no Brazilian customers, is LGPD irrelevant?
A: No. If your service intentionally targets Brazilian citizens, LGPD applies. For example, if your online shop permits selecting Brazil as a country or targets Brazil in advertising, LGPD applies.
Q: What’s the major GDPR/LGPD difference?
A: Basic concepts (personal data protection, consent) are similar, but details differ. For example, GDPR’s “right to be forgotten” also exists in LGPD, but its practical implementation differs slightly. Global companies typically adopt a unified strategy built on the stricter requirement rather than separate approaches for each regulation.
Q: Are there past examples of penalties against LGPD-violating companies?
A: Yes. Between 2020 and 2024, multiple companies faced fines. For example, companies failing to report data breaches received multi-million real penalties. However, examples of GDPR-scale “massive fines” are still limited, though likely to increase.