{"id":10357,"date":"2023-06-09T14:34:16","date_gmt":"2023-06-09T12:34:16","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?page_id=10357"},"modified":"2026-03-25T15:02:37","modified_gmt":"2026-03-25T14:02:37","slug":"lgpd","status":"publish","type":"page","link":"https:\/\/www.cookiebot.com\/us\/lgpd\/","title":{"rendered":"LGPD Data Protection Law in Brazil"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Introduction to Brazil\u2019s LGPD<\/h2>\n\n\n\n

Brazil\u2019s LGPD took effect in August 2020, with a grace period of 12 months. Enforcement began in August 2021 and is led by the National Data Protection Authority (ANPD)<\/a>.<\/p>\n\n\n\n

Organizations that collect and process personal data from individuals in Brazil need to be familiar with the LGPD and achieve compliance.<\/strong><\/p>\n\n\n\n

Cookiebot CMP<\/strong><\/a> by Usercentrics<\/strong><\/a> has been in operation since 2012 and offers full compliance with major data privacy laws like Brazil\u2019s LGPD, the European GDPR\/ePR, and California\u2019s CCPA\/CPRA.<\/p>\n\n\n\n

Try Cookiebot CMP free for LGPD compliance today<\/a><\/p>\n\n\n\n

Does my website use cookies?<\/strong><\/p>\n\n\n\n

Scan your website for free with Cookiebot CMP<\/a><\/p>\n\n\n\n

The Brazilian Senate approved the PEC 17\/19<\/strong><\/a> (proposed constitutional amendment) on August 31st, 2021.<\/p>\n\n\n\n

It alters the Federal Constitution to include the protection of personal data among the fundamental rights and guarantees. It also enables the Union to legislate on the protection and processing of personal data.<\/p>\n\n\n\n

One of the aims of the PEC is to ensure that there is no risk of states and municipalities legislating or interfering in the application of the LGPD.<\/p>\n\n\n\n

With the approval of the PEC 17\/19, rules, laws, and regulations for the protection of personal data are consolidated, including the LGPD, and inserted in the Consumer Protection Code (C\u00f3digo de Prote\u00e7\u00e3o do Consumidor), which will provide more guarantees against violations and fraud.<\/p>\n\n\n\n

LGPD - Brazil's data protection law<\/h2>\n\n\n\n

Brazil has over 140 million internet users<\/strong>, the largest internet market in Latin America and the fourth largest in the world. Brazil already had more than 40 federal regulations dealing with data protection and privacy, complicating the legal framework.<\/p>\n\n\n\n

Many of these laws relate separately to banking, real estate, consumer protection, etc. and were not broadly comprehensive.<\/p>\n\n\n\n

Brazil\u2019s data protection law \u2014 the Lei Geral de Prote\u00e7\u00e3o de Dados Pessoais<\/em> (LGPD) \u2014 is intended to replace this legal landscape with an overarching regulatory framework.<\/p>\n\n\n\n

Any data collection or processing within Brazil is protected by the LGPD, even from data processors located outside of the country.<\/p>\n\n\n\n

It empowers individuals with a streamlined set of rights, influenced by the EU\u2019s General Data Protection Regulation<\/strong><\/a> (GDPR).<\/p>\n\n\n\n

Companies that are already GDPR-compliant have done a fair bit of the work toward becoming LGPD-compliant as well.<\/p>\n\n\n\n

There are also some significant differences<\/strong> between the LGPD and GDPR.<\/p>\n\n\n\n

What is the LGPD in Brazil?<\/h2>\n\n\n\n

Brazil\u2019s data protection law,  the Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD) or \u201cGeneral Law of Personal Data Protection\u201d, creates a legal framework for how personal data is to be handled in Brazil. It contains 65 articles.<\/p>\n\n\n\n

LGPD overview<\/strong><\/h2>\n\n\n\n

Brazil\u2019s LGPD creates nine rights<\/strong> for data subjects, found in Article 18:<\/p>\n\n\n\n

    \n
  1. confirmation of the existence of the processing of their data<\/li>\n\n\n\n
  2. access their data<\/li>\n\n\n\n
  3. correct incomplete, inaccurate or out of date data<\/li>\n\n\n\n
  4. anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD<\/li>\n\n\n\n
  5. have their data be portable, i.e. handed over to another service or processor if requested<\/li>\n\n\n\n
  6. have their data deleted<\/li>\n\n\n\n
  7. information about public and private entities with which the controller has shared data<\/li>\n\n\n\n
  8. information about the possibility of denying consent and the consequences,<\/li>\n\n\n\n
  9. revoke consent<\/li>\n<\/ol>\n\n\n\n

    These are closely modeled after the rights that the GDPR<\/strong> empowers Europeanswith, and are relevant to website owners and operators all over the world, if they collect and process data from individuals in Brazil.<\/p>\n\n\n\n

    LGPD and personal data<\/strong><\/h2>\n\n\n\n

    Brazil\u2019s LGPD defines its key terms and concepts in its Article 5<\/strong>. These include personal data, sensitive personal data, data subject and processor, among others.<\/p>\n\n\n\n

    Personal data in the LGPD<\/strong><\/h3>\n\n\n\n

    Personal data is defined broadly in the LGPD: \u201cinformation regarding an identified or identifiable natural person<\/strong>\u201d (Article 5, I<\/strong>).<\/p>\n\n\n\n

    This can be anything from names, ID numbers, location data, or online identifiers, to physical, physiological, genetic, mental, economic, cultural or social information, although the LGPD does not explicitly list these examples.<\/p>\n\n\n\n

    LGPD and personal data<\/h2>\n\n\n\n

    Brazil\u2019s LGPD defines its key terms and concepts in Article 5<\/strong>. These include personal data, sensitive personal data, data subject and processor, among others.<\/p>\n\n\n\n

    Personal data in the LGPD<\/h3>\n\n\n\n

    Personal data is defined broadly in the LGPD: \u201cinformation regarding an identified or identifiable natural person<\/strong>\u201d (Article 5, I<\/strong>).<\/p>\n\n\n\n

    This can be anything from names, ID numbers, location data, or online identifiers, to physical, physiological, genetic, mental, economic, cultural or social information, although the LGPD does not explicitly list these examples.<\/p>\n\n\n\n

    LGPD and sensitive personal data<\/h3>\n\n\n\n

    Sensitive personal data is defined as a subcategory of personal data. It requires special handling and restrictions, and applies when the data processed concerns \u201cracial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data<\/strong>\u201d (Article 5, II<\/strong>).<\/p>\n\n\n\n

    The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur.<\/p>\n\n\n\n

    Personal information is similarly defined in the LGPD and the GDPR, with minor differences.<\/p>\n\n\n\n

    They include \u201cspecific and distinct consent<\/strong>\u201d, \u201cby the public administration for the execution of public policies<\/strong>\u201d and \u201cstudies carried out by a research entity<\/strong>\u201d, the latter upon the guarantee that the data will be anonymized whenever possible.<\/p>\n\n\n\n

    \"Guy<\/figure>\n\n\n\n

    LGPD and anonymized data<\/h3>\n\n\n\n

    This subcategory refers to \u201cdata related to a data subject who cannot be identified<\/strong>\u201d via technical means at the time of processing. If anonymized data is in any way re-identifiable, i.e. that if could be used to identify or used for behavioral profiling, it is not anonymized data, and qualifies as personal data.<\/p>\n\n\n\n

    Additional definitions important to the LGPD (Article 5)<\/h3>\n\n\n\n
      \n
    1. Processing<\/strong> is defined by the LGPD as \u201cany operation carried out with personal data\u201d.<\/li>\n\n\n\n
    2. Consent<\/strong> is defined by the LGPD as \"free, informed and unambiguous manifestation whereby the data subject agrees to her\/his processing of personal data for a given purpose\".<\/li>\n\n\n\n
    3. Database<\/strong> is defined by the LGPD as a \"structured set of personal data, kept in one or several locations, in electronic or physical support\".<\/li>\n\n\n\n
    4. Controller<\/strong> is in the LGPD defined as a \"natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data\".<\/li>\n\n\n\n
    5. Processor<\/strong> is defined by the LGPD as a \"natural person or legal entity, of public or private law, that processes personal data in the name of the controller\".<\/li>\n\n\n\n
    6. Officer<\/strong> is defined in the LGPd as a \"natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority\" (the ANPD).<\/li>\n<\/ol>\n\n\n\n

      LGPD compliance in Brazil<\/h3>\n\n\n\n

      Brazil\u2019s LGPD empowers data subjects with 9 rights<\/strong>, defines what constitutes personal data<\/strong>, and creates ten legal bases<\/strong> for lawful processing.<\/p>\n\n\n\n

      It also puts the responsibility on companies and organizations to appoint a Data Protection Officer<\/strong> (DPO) and establishes the Autoridade Nacional de Prote\u00e7\u00e3o de Dados (ANPD)<\/strong><\/a>, which has powers of supervision, guidance and enforcement of its administrative sanctions.<\/p>\n\n\n\n

      Brazil\u2019s LGPD defines a data subject<\/strong> as \u201ca natural person to whom the personal data that are the object of processing refer\u201d. In other words, an individual whose data is being collected and\/or processed.<\/p>\n\n\n\n

      Brazil\u2019s LGPD has \u201ctransversal<\/strong>\u201d and \u201cmulti-sectoral application<\/strong>\u201d, meaning that it applies to both public and private sectors, as well as online and offline.<\/p>\n\n\n\n

      Brazil\u2019s LGPD also has \u201cextraterritorial application<\/strong>\u201d, which means that companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.<\/p>\n\n\n\n

      Article 3<\/strong> defines that the LGPD applies to:<\/p>\n\n\n\n

        \n
      1. data processing within the territory of Brazil,<\/li>\n\n\n\n
      2. processing of the data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located<\/li>\n\n\n\n
      3. processing of data collected in Brazil<\/li>\n<\/ol>\n\n\n\n

        Brazil\u2019s LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the country, whether or not they are citizens.<\/p>\n\n\n\n

        \"Website<\/figure>\n\n\n\n

        LGPD compliance and EU adequacy<\/h3>\n\n\n\n

        With Brazil\u2019s LGPD being modeled on the GDPR, it has made it easier for Brazil to achieve an adequacy agreement<\/strong><\/a> with the EU, ensuring a free flow of data between the two. This means that the European Union considers Brazil\u2019s data protection and privacy policies to be sufficiently robust to meet its standards.<\/p>\n\n\n\n

        Brazil's LGPD and Cookiebot CMP<\/h2>\n\n\n\n

        Cookiebot CMP<\/strong><\/a> provides consent management.  It enables websites to achieve and maintain compliance with the LGPD when it comes to the use of cookies and other tracking technologies.<\/p>\n\n\n\n

        The Cookiebot CMP<\/strong><\/a> scanner finds all cookies and similar tracking technologies, and automatically blocks them until users give their specific, unambiguous consent to which types of cookies they will allow to be active on their browser.<\/p>\n\n\n\n

        Try Cookiebot CMP free for 14 days<\/a> - or forever if you have a small website.<\/p>\n\n\n\n

        Scan your website for free to see what cookies are in use <\/a><\/p>\n\n\n\n

        \"\"
        Cookiebot CMP consent banner for full cookie control.<\/figcaption><\/figure>\n\n\n\n