LGPD — Brazil's General Data Protection Law
What the Lei Geral de Proteção de Dados means for cookie consent, data processing, and websites with Brazilian visitors.
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law. It has been in effect since September 2020 and enforceable since August 2021. It’s heavily inspired by the GDPR but has its own Brazilian spin.
If you process personal data from people in Brazil, LGPD applies. No thresholds. No revenue minimums. Everyone.
GDPR comparison: same, but different
LGPD shares GDPR’s core DNA:
- Same 10 legal bases for processing (but with Brazilian terminology)
- Same data subject rights (access, correction, deletion, portability, objection)
- Same principles (purpose limitation, data minimization, transparency, security)
- Same extraterritorial reach
Key differences:
- Brazil has the ANPD (Autoridade Nacional de Proteção de Dados) as its enforcement body
- LGPD has a broader “legitimate interest” basis than GDPR
- Certain enforcement rules are still being finalized
- LGPD explicitly protects credit data and reputation data
Who must comply
LGPD applies to any processing of personal data:
- Carried out in Brazil
- With the purpose of offering goods or services to people in Brazil
- Where the data was collected in Brazil
Foreign companies with Brazilian users or customers are covered. No exceptions.
Legal bases for processing
LGPD requires one of these legal bases:
- Consent: freely given, informed, unambiguous
- Legal obligation: required by law
- Public policy: by the government
- Research: by research bodies, with anonymization when possible
- Contract: necessary to perform a contract
- Judicial proceedings: legal exercise of rights
- Protection of life: to protect life or physical safety
- Health protection: by health professionals
- Legitimate interest: supporting legitimate interests, except where fundamental rights override
- Credit protection: for credit scoring and financial profiles
Consent can be withdrawn at any time, as easily as it was given.
Sensitive personal data
LGPD gives special protection to data about race, ethnicity, religion, political opinion, union membership, health, sexual orientation, genetics, and biometrics. Processing sensitive data requires explicit, specific consent.
Data subject rights
Brazilians have the right to: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about shared data, withdrawal of consent, objection, and review of automated decisions.
Cookie consent
LGPD does not mandate cookie banners the way Europe’s GDPR and ePrivacy rules or the CCPA do, but its consent and transparency requirements in practice call for informed consent for non-essential cookies and trackers. You must inform users, obtain consent for tracking, and allow easy withdrawal.
Penalties
Fines up to 2% of Brazilian revenue (capped at BRL 50 million) per violation. The ANPD can also issue warnings, block databases, and impose daily fines.
How Zest handles it
Zest’s consent-first model covers LGPD requirements: clear notice, prior consent for trackers, easy withdrawal, and documented records. Configure the consent experience once, and Zest adapts to your visitor’s jurisdiction.