Learn About LGPD and Website Compliance

What is LGPD?

What is LGPD and what does it stand for?

The LGPD, or Lei Geral de Proteção de Dados, is Brazil’s long-awaited data protection law. After years of debate and consultation it was finally implemented on August 14, 2018, and it was inspired by, and is very similar to, the EU General Data Protection Regulation (GDPR). Beginning in May 2021 the law will go into effect and require companies to comply with strict requirements for the processing of personal data as well as sensitive personal data.

While it is much leaner than the GDPR, at roughly 30 pages compared with the GDPR’s 80-plus, the Brazilian law is very reminiscent of the European Union’s data privacy law.

The LGPD addresses national specifics, but its principles rest on accountability, purpose limitation, data minimisation, and security and privacy by design, so anyone comparing it with the GDPR will find it familiar.

The LGPD is a new standard that introduces principles similar to the GDPR’s requirements and comes into effect in May 2021, echoing the approximate length of the GDPR’s implementation period. If your company operates in Brazil or plans to open a branch there, it is worth knowing the details of the new personal data protection law.

Who does LGPD apply to?

The LGPD applies to any private or public individual or company whose personal data processing activities:

  • are carried out in Brazil;
  • collect personal data in Brazil;
  • involve offering or supplying goods or services in Brazil, or relate to data subjects who are geographically located in Brazil.

The LGPD has an extraterritorial scope and applies to global businesses that meet these criteria, regardless of where those companies are headquartered. It does not, however, apply to data processing:

  • by a natural person for purely personal purposes;
  • for journalistic, artistic, literary or academic purposes;
  • for national security, national defense, public safety, criminal investigation, etc.

The new law affects companies in all sectors that do business or engage in data processing activity in or with Brazil. Financial, technology, healthcare, insurance, airline and hotel companies are among those that will likely face substantial compliance obligations for lawful processing of customer data.

What are the penalties?

LGPD fines are less punitive than the GDPR’s, both in sentiment and in financial terms. The maximum administrative fine under the LGPD is 2% of the company’s revenue in Brazil, capped at R$50 million (EUR 11.2 million) per infraction, compared with 4% of global revenue or up to EUR 20 million under the GDPR.

What is personal data under the LGPD?

The Brazilian law defines personal data as any information relating to an identified or identifiable natural person. Anonymized data is not considered personal data unless the anonymization has been reversed, or can be reversed with reasonable effort.

Principles and legal bases for data processing

The LGPD sets out general principles and legal bases for the processing of personal data, similar to the GDPR’s requirements.

A key principle is purpose limitation, which means that processing must be “for legitimate, specific and explicit purposes of which the data subject is informed.” The principle of necessity likewise requires “limitation of the processing to the minimum necessary to achieve its purposes.” Other key principles include free access, transparency to the data subject and data quality. The accountability principle requires demonstrating that effective measures have been adopted to ensure the protection of personal data. All of the principles are listed in Article 6.

While the LGPD focuses mostly on data privacy, its ten principles also impose serious data security obligations: companies must adopt technical measures such as encryption, as well as administrative measures, to keep personal data safe from unauthorized access and unlawful destruction.

For companies, the key legal bases for data processing include:

  • Consent, given for the specific purposes of the processing;
  • Fulfillment of legal, regulatory or contractual obligations;
  • “The legitimate interests of the controller or a third party,” where those interests outweigh, on balance, the data subject’s rights and liberties.

What obligations does the LGPD impose on companies?

  • Inform the data subject about, correct, anonymize or delete their data, or provide a copy of it, on request;
  • Delete customer data once the relevant relationship ends;
  • Adopt technical and administrative security measures to protect personal data from unauthorized access, accidents, destruction, loss, etc.;
  • Appoint a data protection officer (DPO) responsible for receiving complaints and communications;
  • Notify both the data subjects and the local authority in case of a data breach.

What about transferring data outside Brazil?

With the LGPD, Brazil joins the European Union and many other jurisdictions (but not the USA) that limit the transfer of personal data outside their borders. The default rule, under Article 33 of the LGPD, is that such transfers are prohibited unless one of the enumerated exceptions applies. Transfer is permitted in certain cases, including when:

  • the receiving country or organization provides a level of data protection comparable to the LGPD’s;
  • the non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD’s;
  • the transfer serves international legal cooperation between government agencies;
  • the data subject has given specific consent to the transfer.

Who enforces LGPD?

Former Brazilian President Michel Temer vetoed the provision that would have created an independent National Data Protection Authority. Once such an agency exists, it is expected to issue further guidance on the LGPD; until then, it is uncertain how LGPD compliance will be enforced.

Do we need a Data Protection Officer?

Yes. The LGPD creates the position of Chief of Data Treatment, which is the data protection officer (DPO) in charge of the data processing operation. The DPO is responsible for:

  • Accepting complaints and communications from data subjects and the national data protection authority;
  • Instructing employees on good practices and carrying out other duties determined by the controller or set forth in complementary rules.

The law also provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.

Does LGPD apply to small and medium-sized businesses?

The LGPD does not provide any exceptions for small/medium businesses or small-scale processing.

What should we do in case of a data breach?

If a data breach occurs, the controller must notify the National Data Protection Authority (ANPD) and the affected data subjects within a reasonable period (to be defined later) whenever the breach is likely to result in risk or harm to data subjects.

The breach notification notice must contain the following:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved
  • Indication of the security measures used
  • The risks generated by the incident
  • The reasons for the delay of communication (if any)
  • The privacy protection measures that were or will be adopted

In addition, ANPD can verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

How can I make our organization LGPD compliant?

The LGPD comes into force in May 2021, giving companies time to get ready. In the meantime, the appropriate steps should be taken, including:

  • A diligence process to identify which personal data processing activities, if any, the company is engaged in (including via vendors) that are covered by the LGPD;
  • A gap analysis to identify where any of these processing activities fall short of the LGPD’s requirements;
  • A remediation process to close any identified gaps;
  • Revision, implementation and testing of the internal policies and procedures needed to comply with the LGPD;
  • Revision or creation of appropriate vendor agreements.

How do I make a website LGPD compliant?

The Lei Geral de Proteção de Dados (LGPD) takes a risk-based approach, similar to what businesses must follow to be GDPR compliant. Companies and organizations processing personal data are expected to implement protective measures proportionate to the risk of their processing activities. As a result, the LGPD cookie consent obligations on a company processing a lot of data are more onerous than on a company processing a small amount.

Is my website affected by LGPD?

Your website is covered if it belongs to a private or public individual or company whose personal data processing activities:

  • are carried out in Brazil;
  • collect personal data in Brazil;
  • involve offering or supplying goods or services in Brazil, or relate to individuals who are geographically located in Brazil.

Are you aware of what trackers you have on your website?

Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and run marketing campaigns. Under the LGPD, you are responsible for giving notice and obtaining cookie consent for each of these technologies. Consent must be given by the data subject in writing or by other means that demonstrate the data subject’s will, and it must be specific to particular purposes. The controller bears the burden of demonstrating that the consent was obtained in accordance with the LGPD’s requirements.

Audit your website to see which trackers are enabled and running. If you are unsure what trackers your website uses, our free tool will report them within five minutes.

Are you gathering consent the right way?

To obtain valid LGPD cookie consent you need to meet specific requirements. Consent must be informed, explicit, freely given and specific; it must be requested in plain language that is clearly visible; and data subjects must be able to withdraw it. In practice, your consent banner should meet these seven points:

  1. Consent is affirmative, specific and unambiguous;
  2. The data controller and the recipients of the data are identified;
  3. The purpose of the processing is stated, and the visitor is notified of any profiling;
  4. The duration of the processing is stated;
  5. Consent can be withdrawn;
  6. There is a link for the visitor to complain about, correct or transfer their data;
  7. The visitor can decline.

Are your privacy banners affirmative?

The standard phrase found in many cookie notices, “by using this site, you accept cookies,” will not be sufficient under the LGPD: it suggests only implied consent and is ambiguous and generic. Consent has to be an affirmative act by the visitor.

Have you made it easy to withdraw consent?

You will now need granular controls, with separate consents for tracking and analytics cookies, together with a mechanism that records the customer’s consent and lets them withdraw it.

Have you named the 3rd party plugins that process data?

Your privacy banners must clearly identify each party for which cookie consent is being granted. It is not enough to state a category name such as analytics; the banner should name the organization, e.g. Google, that processes the data. Doing so also builds customer trust.

Can visitors contact you for their personal data?

Your customers may contact your company or organization to exercise their rights under the LGPD (access, rectification, erasure, portability, etc.), so you should provide a way for data subject requests to be made electronically. The data protection officer’s contact information should be publicly available, and their tasks should include communicating with data subjects and the regulatory authority.

Do you have evidence of valid consent?

The LGPD requires businesses to keep evidence that valid cookie consent was obtained.
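The consent requirements above (purpose-specific, affirmative, withdrawable, naming the third party, with evidence retained) can be enforced in the consent logic that gates tracker loading. The following is an added illustration, not code from the original page or from any consent product; the purpose and vendor names are placeholders, and a real site would persist the evidence log server-side rather than in memory.

```javascript
// Purposes a visitor can consent to, each naming the third party that
// processes the data (purpose and vendor names are illustrative placeholders).
const PURPOSES = {
  analytics: { description: "Usage statistics", vendors: ["Google Analytics"] },
  marketing: { description: "Ad measurement", vendors: ["Example Ads Pixel"] },
};

class ConsentManager {
  // `clock` is injectable so records get deterministic timestamps in tests.
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.log = [];    // append-only evidence: every grant and withdrawal
    this.state = {};  // current decision per purpose; unset means no consent
  }

  // Record a purpose-specific decision. Only an explicit boolean coming from a
  // user action counts: "continue browsing" style implied consent is rejected,
  // and nothing is granted by default.
  decide(purpose, granted, source) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    if (typeof granted !== "boolean") throw new Error("decision must be explicit");
    if (source !== "user-action") throw new Error("implied consent is not valid");
    const record = {
      purpose, granted, source,
      vendors: PURPOSES[purpose].vendors, // who the consent was granted for
      at: this.clock(),
    };
    this.log.push(record);
    this.state[purpose] = granted;
    return record;
  }

  // Withdrawal takes the same path as granting, so it is exactly as easy.
  withdraw(purpose) { return this.decide(purpose, false, "user-action"); }

  isAllowed(purpose) { return this.state[purpose] === true; }

  // Gate for tracker loading: a vendor's script may run only if every purpose
  // it is listed under currently has consent; unknown vendors never load.
  canLoad(vendor) {
    const served = Object.keys(PURPOSES).filter(p => PURPOSES[p].vendors.includes(vendor));
    return served.length > 0 && served.every(p => this.isAllowed(p));
  }

  // Evidence the controller can produce to show how consent was obtained.
  evidence(purpose) { return this.log.filter(r => r.purpose === purpose); }
}
```

Wire `decide()` to the banner's accept and reject buttons, and call `canLoad()` before injecting any vendor script tag.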

Have you updated your data and privacy policies?

You will need to update your data and privacy policies to reflect the Brazilian data privacy law. The accuracy principle under the LGPD requires organizations to keep customer data clear, relevant and up to date, so that the processing stays compatible with the purposes communicated to the data subject.

Have you cleaned up your mailing lists?

It is important to clean up your email databases. If any of the data was collected in a way that does not meet the LGPD’s standards, the consent behind those records needs to be validated; at a minimum, every email your customers receive should include an option to opt out. This is a basic step toward LGPD compliance.

Are you collecting too much information?

While it is easy to add an extra field to your website to collect a phone number, gender or location, you have to evaluate whether you actually need it to process the request. The data minimization principle (the LGPD’s principle of necessity) requires organizations to limit the amount and scope of personal data they process to the minimum needed to achieve their purposes. Only data that is relevant, proportionate and not excessive in relation to the purposes of the processing should be used.