
LGPD — Brazil's General Data Protection Law

What the Lei Geral de Proteção de Dados means for cookie consent, data processing, and websites with Brazilian visitors.

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law. It has been in effect since September 2020 and enforceable since August 2021. It’s heavily inspired by the GDPR but has its own Brazilian spin.

If you process personal data from people in Brazil, LGPD applies. No thresholds. No revenue minimums. Everyone.

GDPR comparison: same, but different

LGPD shares GDPR’s core DNA:

  • Same 10 legal bases for processing (but with Brazilian terminology)
  • Same data subject rights (access, correction, deletion, portability, objection)
  • Same principles (purpose limitation, data minimization, transparency, security)
  • Same extraterritorial reach

Key differences:

  • Brazil has the ANPD (Autoridade Nacional de Proteção de Dados) as its enforcement body
  • LGPD has a broader “legitimate interest” basis than GDPR
  • Certain enforcement rules are still being finalized
  • LGPD explicitly protects credit data and reputation data

Who must comply

LGPD applies to any processing of personal data:

  • Carried out in Brazil
  • With the purpose of offering goods or services to people in Brazil
  • Where the data was collected in Brazil

Foreign companies with Brazilian users or customers are covered. No exceptions.

LGPD requires one of these legal bases:

  1. Consent: freely given, informed, unambiguous
  2. Legal obligation: required by law
  3. Public policy: by the government
  4. Research: by research bodies, with anonymization when possible
  5. Contract: necessary to perform a contract
  6. Judicial proceedings: legal exercise of rights
  7. Protection of life: to protect life or physical safety
  8. Health protection: by health professionals
  9. Legitimate interest: supporting legitimate interests, except where fundamental rights override
  10. Credit protection: for credit scoring and financial profiles

Consent can be withdrawn at any time, as easily as it was given.

Sensitive personal data

Special protections apply to data on race, ethnicity, religion, political opinion, union membership, health, sexual orientation, genetics, and biometrics. Processing sensitive data requires explicit, specific consent.

Data subject rights

Brazilians have the right to: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about shared data, withdrawal of consent, objection, and review of automated decisions.

LGPD does not mandate cookie banners the way Europe’s GDPR, CCPA, and ePrivacy rules do, but the consent and transparency requirements effectively require informed consent for non-essential cookies and trackers. You must inform users, obtain consent for tracking, and allow easy withdrawal.

Penalties

Fines up to 2% of Brazilian revenue (capped at BRL 50 million) per violation. The ANPD can also issue warnings, block databases, and impose daily fines.

How Zest handles it

Zest’s consent-first model covers LGPD requirements: clear notice, prior consent for trackers, easy withdrawal, and documented records. Configure the consent experience once, and Zest adapts to your visitor’s jurisdiction.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.