
The Lei Geral de Proteção de Dados Pessoais (LGPD) entered into force in August 2020 and affects how your website is allowed to track users in Brazil. It is closely modelled after the EU’s General Data Protection Regulation (GDPR).


The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil's new data protection law.

Updated November 9, 2020.

In this blogpost, we paint a broad overview of the LGPD (Lei Geral de Proteção de Dados Pessoais) – its substance and consequences for data protection in both Brazil and the rest of the world.

We look at its foundation and definitions, the rights it empowers data subjects with, what constitutes compliance with the LGPD and how it compares to the European GDPR.

Update: LGPD now in effect!

On August 26, in a last-minute decision by the Brazilian Senate, the LGPD was passed into effect starting Thursday August 27, 2020.

Brazil’s data privacy law LGPD is now in effect.

Brazil’s data protection authority Autoridade Nacional de Proteção de Dados (ANPD) was also established on August 26, but remained inactive until Monday November 9, when Brazil’s president Jair Bolsonaro appointed its board of directors to formally enter it into force.

Administrative sanctions from the LGPD will not be imposed until August 1, 2021.

However, civil litigation based on the LGPD can be filed and enforced immediately and has in fact already been done by Brazil’s Public Ministry of the Federal District for LGPD violations.

Becoming compliant with Brazil’s LGPD is therefore an urgent matter if your website, company or organization collects and processes personal data from individuals inside Brazil’s territories.

If you haven’t familiarized yourself with the LGPD or sought compliance with the law if you collect or process data in the territories of Brazil, read the following blogpost and try Cookiebot free for LGPD compliance today.

Cookiebot is a consent management platform (CMP) built around a world-leading scanning technology that detects and controls all cookies, trackers and third-party trojan horses on your website – completely plug-and-play and automated.

Cookiebot has been in operation since 2012 and offers full compliance with major data privacy laws like the European GDPR/ePR, California’s CCPA and Brazil’s LGPD.


Brazil's data protection law LGPD

Brazil has over 140 million internet users. It is the largest internet market in Latin America and the fourth largest in the world in number of users. Brazil already has more than forty legal norms at the federal level that in various ways deal with data protection and privacy, creating a crosswired legal framework.

However, these are sectoral in nature, meaning that they relate separately and specifically to banking, real estate, consumer protection and the like.

Brazil's new data protection law – the LGPD (Lei Geral de Proteção de Dados Pessoais) – is intended to replace this fractured legal landscape with an overarching regulatory framework.

It will empower individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws in place today and is shaped with great inspiration from the EU’s General Data Protection Regulation.

Some even call it “Brazil’s GDPR”. And it’s true – if you’re already GDPR compliant, you are mostly within the provisions of the LGPD… though not completely!

There are some significant differences between the LGPD and GDPR, which we will sort out below.


What is the LGPD and when will it be enforced?

Brazil’s data protection law is Lei Geral de Proteção de Dados Pessoais, which means “general law of personal data protection”.

It is officially abbreviated to LGPDP, though it is most commonly known and referred to as the LGPD or Lei Geral de Proteção de Dados.

The Lei Geral de Proteção de Dados is closely modelled after the European GDPR and creates a legal framework for how personal data is allowed to be handled in Brazil. It contains sixty-five articles.

Update: the LGPD is now in effect

The LGPD took effect on Thursday August 27, 2020.


LGPD compliance

LGPD (Lei Geral de Proteção de Dados) empowers data subjects with nine rights, defines what constitutes personal data, and creates ten legal bases for lawful processing.

It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (or ANPD, Brazil’s new national data protection authority) with powers of supervision, guidance and enforcement of its administrative sanctions.

LGPD (Lei Geral de Proteção de Dados Pessoais) protects individuals in Brazil, like the GDPR in EU.

Any data processing within Brazil is protected by the LGPD, even from foreign data processors.

LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed is a data subject.

LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.

It also has “extraterritorial application”, which means that websites, companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.

In Article 3, it is defined that the LGPD applies to:

  1. data processing within the territory of Brazil,
  2. data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
  3. data processing of data collected in Brazil.

LGPD (Lei Geral de Proteção de Dados) will regulate all processing of personal data in the territory of Brazil.

Brazil's LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the national territory.

This means that the LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens!

LGPD compliance and EU adequacy

It is no secret that the LGPD (Lei Geral de Proteção de Dados) has been closely modelled on the GDPR with the intention to make it easier for Brazil to achieve a so-called adequacy agreement with the EU, ensuring a free flow of data between the two.

Yet, some significant changes were made to the law in July 2019, when it was sanctioned by President Bolsonaro.

These include the removal of a provision that mandated companies and organizations to review machine-automated decisions, the removal of technical skill requirements for data protection officers, as well as changes made to the enforcement power of Brazil’s coming data protection authority (the ANPD).

In the original draft, the ANPD had the option of restricting a data processor’s access to databases and forbidding them from processing personal data altogether. This was scrapped by the time Bolsonaro sanctioned the final version of the LGPD.

LGPD In English

An English translation of the official LGPD law text can be found here. Note, however, that it is a previous draft and not the final law that was passed in July 2019. Some changes have been made to the law, but the overall scope, foundation and wording remain very much the same.

LGPD Text in Portuguese

The official LGPD law text in Portuguese can be found here.

LGPD and Cookiebot

Here at Cookiebot, we follow the implementation and enforcement phase of the LGPD (Lei Geral de Proteção de Dados) very closely, since it deals with our area of expertise: protecting privacy.

Cookiebot is a tool that enables websites to be compliant when it comes to the use of cookies and tracking, as required by the European law of GDPR, by the coming ePrivacy Regulation (expected in 2021) and by the LGPD in Brazil.

Our consent and compliance solution is unique on the market: the Cookiebot scanner finds all cookies and similar tracking technology, and automatically holds everything back until the users give their specific, unambiguous consent to which types of cookies they will allow on their browser.


Sign up to Cookiebot for free to make your website LGPD compliant – as well as GDPR/ePR and CCPA compliant.

LGPD Overview

The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects.

They are found in Article 18 and empower individuals with the rights to:

  1. confirmation of the existence of the processing of their data,
  2. access their data,
  3. correct incomplete, inaccurate or out-of-date data,
  4. anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD,
  5. have their data be portable, i.e. handed over to another service or processor if requested,
  6. have their data deleted,
  7. information about public and private entities with which the controller has shared data,
  8. information about the possibility of denying consent and the consequences,
  9. revoke consent.

These are closely modelled after the rights that the GDPR empowers European citizens with and have direct implications for website owners and operators all over the world who process and/or collect data within the territory of Brazil.

It means that if you have a website and that website has visitors from Brazil, or if you offer services to individuals in Brazil, or collect and process data within Brazil, you need to comply with the LGPD.

A consent solution like Cookiebot can help you become compliant.


LGPD Overview - personal data

The LGPD (Lei Geral de Proteção de Dados) defines its key terms and concepts in its Article 5. These include personal data, sensitive personal data, data subject and processor, among others.

Personal data in the LGPD

Personal data is defined broadly in the LGPD.

The law simply states that personal data is “information regarding an identified or identifiable natural person” (Article 5, I).

This can be anything from names, ID-numbers, location data, online identifiers to physical, physiological, genetic, mental, economic, cultural or social facts, although the LGPD does not list any of these examples itself.

Sensitive personal data in the LGPD

Sensitive personal data is defined as a subcategory to personal data and applies when the data processed concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).

The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur.

LGPD secures personal data processing in Brazil.

Personal information is similarly defined in the LGPD and GDPR, with minor differences.

The situations in which sensitive personal data may be processed include “specific and distinct consent”, “by the public administration for the execution of public policies” and “studies carried out by a research entity”, the latter upon the guarantee that the data will be anonymized whenever possible.

Anonymized data in the LGPD

This subcategory refers to “data related to a data subject who cannot be identified” with the technical means available at the time of processing. If anonymized data is in any way reversible, i.e. if it can be used to identify a person or for behavioral profiling, it is not anonymized data.

Additional definitions important to the LGPD (found in Article 5)

  1. Processing is defined by the LGPD as “any operation carried out with personal data”.
  2. Consent is defined by the LGPD as "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose".
  3. Database is defined by the LGPD as a "structured set of personal data, kept in one or several locations, in electronic or physical support".
  4. Controller is defined in the LGPD as a "natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data".
  5. Processor is defined by the LGPD as a "natural person or legal entity, of public or private law, that processes personal data in the name of the controller".
  6. Officer is defined in the LGPD as a "natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority" (the ANPD).

IAPP’s English translation of the LGPD varies slightly from the original text in Portuguese, e.g. “Operador” is translated to “Controller”.

To see the full 19 definitions in Article 5, take a look at the English translation here.

LGPD Overview – consent and legal bases for processing

Of the ten legal bases for lawful processing that the LGPD lays out, consent is the first.

This is very important for our niche of the privacy field, because it has direct implications for how your website is allowed to set cookies, process user data and share this with third parties.

Article 8 of the LGPD makes it clear that consent cannot be obtained through “generic authorization”; rather, it must refer to particular purposes.

This means that websites, companies and organizations must first obtain the specific, unambiguous consent of the data subject before any processing of personal data is allowed to take place.

Consent must be revocable at any time and must also be provided by the data subject “in writing or by other means”, e.g. a consent banner on a website.

When processing personal data, a website or company or organization must present a specific legal basis.

LGPD's legal bases for processing

The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are –

  1. With the consent of the data subject,
  2. To comply with a legal or regulatory obligation of the controller,
  3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
  4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
  6. To exercise rights in judicial, administrative or arbitration procedures,
  7. To protect the life or physical safety of the data subject or a third party,
  8. To protect health, in a procedure carried out by health professionals or by health entities,
  9. To fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail,
  10. To protect credit.

The entire processing of personal or sensitive data must be documented from its initial collection to its termination. Also mandatory is a description of what kind of data is collected, the purpose of the collection and processing, its retention time, and who the data can be shared with.

Controllers or processors can be either jointly or separately liable for data breaches or non-compliance.

LGPD Overview - data protection authorities

Brazil’s data protection law LGPD (Lei Geral de Proteção de Dados) both establishes a national data protection authority (the ANPD) and mandates companies and organizations to appoint a data protection officer.

Autoridade Nacional de Proteção de Dados (ANPD) - Brazil's new data protection authority

The ANPD – Brazil’s national data protection authority – was established by a Presidential decree on August 26, 2020 and had its board of directors appointed on Monday November 9, 2020 – officially entering the national data protection authority into force.

LGPD (Lei Geral de Proteção de Dados) will be enforced by the ANPD.

Enforcement of the LGPD is supervised by the ANPD.

The ANPD’s main objectives are to create new norms, establish technical standards, supervise and audit, educate about the law and its correct applications, deal with notifications of data breaches and enforce its sanctions.

The national data protection authority is directly tied to the office of the presidency.

It has two bodies – the Board of Directors consisting of five members with expertise from the privacy and data protection field, and the National Council, a 23-member advisory board with representation from government, civil society, research institutions and the private sector.

Data Protection Officer (DPO) and the LGPD

According to the final version of LGPD (Lei Geral de Proteção de Dados), companies will be responsible for appointing a Data Protection Officer. It will be the job of this entity to ensure compliance with the LGPD for the data controller, who appoints them.

In the original draft, certain technical skills were required for an individual to become a DPO. These were deleted from the final, sanctioned version. This has led to criticism by privacy experts.

LGPD fines

The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law.

The penalty system ranges from –

LGPD vs. GDPR - fines are lower than in the EU

Maximum fines reach 50 million Brazilian reais or 2% of a company’s annual turnover for an LGPD violation.

It is the responsibility of the ANPD to enforce such sanctions in Brazil.


The LGPD (Lei Geral de Proteção de Dados) was informed and shaped by the EU's GDPR (General Data Protection Regulation) that came before it. It also has global jurisdiction, since any website anywhere that processes personal data from individuals in Brazil is obligated to comply with it.

LGPD vs GDPR - rights of the data subject

First off, when it comes to the number of rights given to the data subjects in each law, the LGPD and GDPR vary slightly, but only on the surface: the GDPR provides data subjects with eight fundamental rights, while the LGPD grants nine rights.

This is in part because the LGPD has split the more general “right to be informed” in the GDPR into the “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.

LGPD vs GDPR - legal bases for processing of data

Secondly, the LGPD differs only on the surface from the GDPR when it comes to its framework for what constitutes legal bases for processing of data. Again, the LGPD and GDPR basically align, with minor variations.

Where the GDPR has six lawful bases for processing, the LGPD has ten (as described above).

Again, the GDPR and LGPD basically align, but the LGPD splits the more general wording of the GDPR into more specific provisions.

The GDPR’s legal basis of “to save somebody’s life” has been split into first “protect the life or physical safety” and secondly “to protect health, in a procedure carried out by health professionals or by health entities” in the LGPD.

Other splits include the GDPR’s “necessary to perform a task in the public interest” into the LGPD’s “to execute public policies” and “to carry out studies by research entities”. Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.


LGPD vs GDPR - personal data

Personal data has a broader definition in the LGPD than in the GDPR.

According to the LGPD, personal data is anything that relates to an identifiable natural person. In the GDPR, this is further specified with examples such as names, addresses, gender.

Personal data is defined broader in the LGPD vs. GDPR

EU's GDPR has more "teeth" than Brazil's LGPD when it comes to enforcement.

Sensitive data is – like in the GDPR – a separate category from personal data that includes data on race, ethnicity, religious beliefs, political convictions, health, sexuality, genetics and biometrics. The restrictions for processing sensitive data in the LGPD are stricter than in the GDPR.

The LGPD does not give any definitions or provisions about pseudonymized data, as does the GDPR, except in context of research done by public health organizations. Where the GDPR is very specific in its requirements for the processing of personal data for marketing purposes, the LGPD does not specify at all.

LGPD vs GDPR - DPO, DPIA and data breaches

In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is instituted to evaluate the potential risks of data processing. It also requires processors to notify their respective data protection authorities if high risks associated with data processing are assessed.

The LGPD also institutes DPIAs but does not specify how these are to be used, nor does it lay out any requirements for notification of any supervisory authorities.

The LGPD makes it mandatory for companies to have a data protection officer (DPO), whereas this is only required in certain circumstances in the GDPR.

Time limitations for the notification of data breaches are sharply defined in the GDPR as 72 hours, whereas the LGPD loosely mandates that data breaches are to be reported to the authorities in “reasonable time”.

LGPD vs GDPR - fines

Compared with the GDPR, the LGPD is much less severe in its abilities to fine and penalize violations and non-compliance.

Maximum fines for non-compliance in the GDPR are set at €20 million or 4% of a company’s annual global turnover. The LGPD sets its maximum fines at 50 million Brazilian reais (around €11 million) or 2% of a company’s annual turnover in Brazil per violation.

LGPD vs GDPR - territorial applications

The LGPD treats the transfer of personal data internationally in much the same way as the GDPR: by assessments of whether the foreign country has an adequate level of data protection laws in place and, of course, based on the prior, specific and express consent of the data subject.

However, the LGPD (unlike GDPR) does not rule on data being transmitted through Brazil without further processing.


With Brazil's new data protection law Lei Geral de Proteção de Dados Pessoais (LGPDP), the country is getting a whole new legal framework for data protection that spans beyond sectoral reach, includes all data processing and collection within the nation’s territory, and might very well reach an adequacy decision with the EU, since the LGPD is closely modelled after its European sibling, the GDPR.

Cookiebot will, come enforcement date, enable compliance with the LGPD.



What is the LGPD?

The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil’s federal data privacy law that governs all personal data processing within the country. It was passed in August 2018 and took effect in August 2020. LGPD empowers individuals inside Brazil with nine enforceable rights over their own personal data.


What is personal data under the LGPD?

The LGPD defines personal data as any kind of information regarding an identified or identifiable natural person. This includes anything from names, addresses, location data, information on physical, genetic, mental, economic, cultural or social facts, as well as online identifiers such as IP addresses, cookies, browser and search history.


Who is required to comply with the LGPD?

Any website, company or organization that processes personal data within Brazil’s territory is required to comply with the LGPD – even foreign data processors. The LGPD has extraterritorial application, meaning that websites anywhere in the world will have to comply with the LGPD if they process personal data from individuals inside Brazil.


How can my website become compliant with the LGPD?

Your website must have a legal basis for processing personal data from individuals inside Brazil. Your website is required to ask for and obtain the clear and unambiguous consent of its users before legally being allowed to process any personal data, e.g. through cookies and trackers in operation on your website.



The Lei Geral de Proteção de Dados Pessoais (LGPDP) official law text, translated into English

LGPDP law text (in Portuguese)

General overview of the LGPDP by the IAPP

The recent changes made to the final version of the LGPD

The eight fundamental rights of data subjects in the GDPR

GDPR consent requirement and lawful processing bases explained by the EU

The EU’s official comparison between its own GDPR and the Brazilian LGPD
