    Introduction to Brazil’s LGPD

    Brazil’s LGPD took effect in August 2020, with a grace period of 12 months. Enforcement began in August 2021 and is led by the National Data Protection Authority (ANPD).

    Organizations that collect and process personal data from individuals in Brazil need to be familiar with the LGPD and achieve compliance.

    Cookiebot CMP by Usercentrics has been in operation since 2012 and offers full compliance with major data privacy laws like Brazil’s LGPD, the European GDPR/ePR, and California’s CCPA/CPRA.

    The Brazilian Senate approved the PEC 17/19 (proposed constitutional amendment) on August 31st, 2021.

    It alters the Federal Constitution to include the protection of personal data among the fundamental rights and guarantees. It also enables the Union to legislate on the protection and processing of personal data.

    One of the aims of the PEC is to ensure that there is no risk of states and municipalities legislating or interfering in the application of the LGPD.

    With the approval of the PEC 17/19, rules, laws, and regulations for the protection of personal data are consolidated, including the LGPD, and inserted in the Consumer Protection Code (Código de Proteção do Consumidor), which will provide more guarantees against violations and fraud.

    LGPD – Brazil’s data protection law

    Brazil has over 140 million internet users, the largest internet market in Latin America and the fourth largest in the world. Brazil already had more than 40 federal regulations dealing with data protection and privacy, complicating the legal framework.

    Many of these laws relate separately to banking, real estate, consumer protection, etc. and were not broadly comprehensive.

    Brazil’s data protection law — the Lei Geral de Proteção de Dados Pessoais (LGPD) — is intended to replace this legal landscape with an overarching regulatory framework.

    Any data collection or processing within Brazil is protected by the LGPD, even from data processors located outside of the country.

    It empowers individuals with a streamlined set of rights, influenced by the EU’s General Data Protection Regulation (GDPR).

    Companies that are already GDPR-compliant have done a fair bit of the work toward becoming LGPD-compliant as well.

    There are also some significant differences between the LGPD and GDPR.

    What is the LGPD in Brazil?

    Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD) or “General Law of Personal Data Protection”, creates a legal framework for how personal data is to be handled in Brazil. It contains 65 articles.

    LGPD overview

    Brazil’s LGPD creates nine rights for data subjects, found in Article 18:

    1. confirmation of the existence of the processing of their data
    2. access their data
    3. correct incomplete, inaccurate or out-of-date data
    4. anonymize, block, or delete unnecessary or excessive data, or data that is not being processed in compliance with the LGPD
    5. have their data be portable, i.e. handed over to another service or processor if requested
    6. have their data deleted
    7. information about the public and private entities with which the controller has shared their data
    8. information about the possibility of denying consent and the consequences of doing so
    9. revoke consent

    These are closely modeled after the rights that the GDPR grants Europeans, and they are relevant to website owners and operators all over the world if they collect and process data from individuals in Brazil.

    LGPD and personal data

    Brazil’s LGPD defines its key terms and concepts in its Article 5. These include personal data, sensitive personal data, data subject and processor, among others.

    Personal data in the LGPD

    Personal data is defined broadly in the LGPD: “information regarding an identified or identifiable natural person” (Article 5, I).

    This can be anything from names, ID numbers, location data, or online identifiers, to physical, physiological, genetic, mental, economic, cultural or social information, although the LGPD does not explicitly list these examples.

    LGPD and sensitive personal data

    Sensitive personal data is defined as a subcategory of personal data. It requires special handling and restrictions, and applies when the data processed concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).

    The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur. They include “specific and distinct consent”, “by the public administration for the execution of public policies” and “studies carried out by a research entity”, the latter upon the guarantee that the data will be anonymized whenever possible.

    Personal information is similarly defined in the LGPD and the GDPR, with minor differences.

    LGPD and anonymized data

    This subcategory refers to “data related to a data subject who cannot be identified” via technical means at the time of processing. If anonymized data is in any way re-identifiable, i.e. if it could be used to identify an individual or for behavioral profiling, it is not anonymized data and qualifies as personal data.

    Additional definitions important to the LGPD (Article 5)

    1. Processing is defined by the LGPD as “any operation carried out with personal data”.
    2. Consent is defined by the LGPD as “free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose”.
    3. Database is defined by the LGPD as a “structured set of personal data, kept in one or several locations, in electronic or physical support”.
    4. Controller is defined in the LGPD as a “natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data”.
    5. Processor is defined by the LGPD as a “natural person or legal entity, of public or private law, that processes personal data in the name of the controller”.
    6. Officer is defined in the LGPD as a “natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority” (the ANPD).

    LGPD compliance in Brazil

    Brazil’s LGPD empowers data subjects with nine rights, defines what constitutes personal data, and creates ten legal bases for lawful processing.

    It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (ANPD), which has powers of supervision, guidance and enforcement of its administrative sanctions.

    Brazil’s LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed.

    Brazil’s LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.

    Brazil’s LGPD also has “extraterritorial application”, which means that companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.

    Article 3 defines that the LGPD applies to:

    1. data processing within the territory of Brazil,
    2. processing of the data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
    3. processing of data collected in Brazil.

    Brazil’s LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the country, whether or not they are citizens.

    LGPD compliance and EU adequacy

    With Brazil’s LGPD being modeled on the GDPR, it has made it easier for Brazil to achieve an adequacy agreement with the EU, ensuring a free flow of data between the two. This means that the European Union considers Brazil’s data protection and privacy policies to be sufficiently robust to meet its standards.

    Brazil’s LGPD and Cookiebot CMP

    Cookiebot CMP provides consent management. It enables websites to achieve and maintain compliance with the LGPD when it comes to the use of cookies and other tracking technologies.

    The Cookiebot CMP scanner finds all cookies and similar tracking technologies, and automatically blocks them until users give their specific, unambiguous consent to which types of cookies they will allow to be active on their browser.

    Of the ten legal bases for lawful processing that the LGPD lays out, consent is the first.

    This is very important for Cookiebot CMP because it has direct implications for how your website is allowed to set cookies, process user data and share it with third parties.

    Article 8 of the LGPD makes it clear that consent cannot be obtained through “generic authorization”, rather it must refer to particular purposes or be explicit and granular, per the GDPR.

    This means that websites, companies and organizations must first obtain the specific, unambiguous consent from the data subject before any processing of personal data is allowed to take place.

    Consent must be revocable at any time and must also be provided by the data subject “in writing or by other means”, e.g. via a consent banner on a website.

    When processing personal data, a website or company or organization must present a specific legal basis, i.e. a justification for why they need to collect and process personal data.

    The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are:

    1. With the consent of the data subject,
    2. To comply with a legal or regulatory obligation of the controller,
    3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
    4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
    5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
    6. To exercise rights in judicial, administrative or arbitration procedures,
    7. To protect the life or physical safety of the data subject or a third party,
    8. To protect health, in a procedure carried out by health professionals or by health entities,
    9. To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail,
    10. To protect credit.

    The entire processing of personal or sensitive data must be documented from its initial collection to its termination. Also mandatory is a description of what kind of data is collected, the purpose of the collection and processing, its retention time, and who the data can be shared with.

    Controllers and processors can be held either jointly or separately liable for data breaches or noncompliance.

    LGPD and data protection authorities

    Brazil’s data protection law LGPD (Lei Geral de Proteção de Dados) establishes both a national data protection authority (the ANPD) and mandates companies and organizations to appoint a data protection officer.

    Autoridade Nacional de Proteção de Dados (ANPD) – Brazil’s new data protection authority

    The ANPD, Brazil’s national data protection authority, was established by a Presidential decree on August 26, 2020. Its board of directors was appointed on Monday November 9, 2020, officially bringing the national data protection authority into operation.

    Enforcement of the LGPD is supervised by the ANPD.

    The ANPD’s main objective is to establish technical standards, supervise and audit, educate about the law and its correct applications, deal with notifications of data breaches, and enforce its sanctions.

    The national data protection authority is directly tied to the office of the presidency.

    The ANPD has two bodies: the Board of Directors, which consists of five members with expertise from the privacy and data protection fields, and the National Council, a 23-member advisory board with representation from government, civil society, research institutions and the private sector.

    LGPD and Data Protection Officers (DPO)

    According to the final version of LGPD, companies will be responsible for appointing a Data Protection Officer (DPO). It will be the job of this position to ensure the organization’s compliance with the LGPD on behalf of the data controller, who appoints them.

    LGPD fines and penalties

    The LGPD is clear when it comes to the consequences of noncompliance with the law.

    Penalties range from:

    • Warnings issued in case of violations and noncompliance, with the intent of having the entity adopt corrective measures
    • Daily fines
    • Fines up to 2% of annual turnover in Brazil or R$50 million per violation (~ €11 million)

    Maximum fines can reach 50 million Brazilian reals or 2% of a company’s annual turnover for an LGPD violation.

    LGPD vs GDPR

    The LGPD was influenced by the EU’s General Data Protection Regulation (GDPR).

    LGPD vs GDPR – rights of the data subject

    The GDPR provides data subjects with eight fundamental rights, while the LGPD grants nine rights.

    This is in part because the LGPD has split the more general “right to be informed” into the “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.

    The LGPD differs only slightly from the GDPR when it comes to its framework for what constitutes legal bases for processing of data. Where the GDPR has six lawful bases for processing, the LGPD has ten, as listed above.

    The LGPD splits the more general wording of the GDPR into more specific provisions.

    The GDPR’s legal basis of “to save somebody’s life” has been split into first “protect the life or physical safety” and secondly “to protect health, in a procedure carried out by health professionals or by health entities” in the LGPD.

    Other splits include the GDPR’s “necessary to perform a task in the public interest” into the LGPD’s “to execute public policies” and “to carry out studies by research entities”. Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.

    LGPD vs GDPR – personal data

    Personal data has a broader definition in the LGPD than in the GDPR.

    According to the LGPD, personal data is anything that relates to an identifiable natural person. In the GDPR, this is further specified with examples such as names, addresses, gender.

    Sensitive data is — like in the GDPR — a separate category from personal data that includes data on race, ethnicity, religious beliefs, political convictions, health, sexuality, genetics and biometrics. The restrictions for processing sensitive data in the LGPD are stricter than in the GDPR.

    The LGPD does not give any definitions or provisions about pseudonymized data, as the GDPR does, except in the context of research done by public health organizations. Where the GDPR is very specific in its requirements for the processing of personal data for marketing purposes, the LGPD does not specify this at all.

    LGPD vs GDPR – DPO, DPIA and data breaches

    In the GDPR, a Data Protection Impact Assessment (DPIA) is instituted to evaluate the potential risks of an organization’s data processing. It also requires processors to notify their respective data protection authorities if high risks associated with data processing are assessed.

    The LGPD also includes DPIA requirements, but does not specify how these are to be used, nor does it lay out any requirements for notification of any supervisory authorities.

    LGPD makes it mandatory for companies to have a data protection officer (DPO), whereas this is only required in certain circumstances under the GDPR.

    Time limitations for the notification of data breaches are sharply defined in the GDPR as 72 hours, whereas the LGPD loosely mandates that data breaches are to be reported to the authorities in “reasonable time”.

    LGPD vs GDPR – fines

    Compared with the GDPR, the LGPD is much less severe in its ability to fine and penalize violations and noncompliance.

    Maximum fines for noncompliance under the GDPR are set at €20 million or 4% of a company’s annual global turnover for the most serious or repeat offenses. The LGPD sets its maximum fines at 50 million Brazilian reals (around €11 million) or 2% of a company’s annual turnover in Brazil per violation.

    LGPD vs GDPR – territorial applications

    The LGPD treats the transfer of personal data internationally in much the same way as the GDPR, by assessing whether the other country has adequate data protection laws in place and enforced.

    However, the LGPD, unlike the GDPR, does not rule on data being transmitted through Brazil without further processing.

    Summary

    With Brazil’s new data protection law, the Lei Geral de Proteção de Dados Pessoais (LGPD), the country has a comprehensive legal framework for data protection that encompasses all data processing and collection within the nation’s territory, protects the personal data of Brazilians, and enables international data transfers and business relationships with other countries around the world.

    FAQ

    What is the LGPD?

    The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil’s federal data privacy law that governs all personal data processing within the country. It was passed in August 2018 and took effect in August 2020. LGPD empowers individuals inside Brazil with nine enforceable rights over their own personal data.

    What is personal data under the LGPD?

    The LGPD defines personal data as any kind of information regarding an identified or identifiable natural person. This includes anything from names, addresses, location data, information on physical, genetic, mental, economic, cultural or social facts, as well as online identifiers such as IP addresses, cookies, browser and search history.

    Who is required to comply with the LGPD?

    Any website, company or organization that processes personal data within Brazil’s territory is required to comply with the LGPD – even foreign data processors. The LGPD has extraterritorial application, meaning that websites anywhere in the world will have to comply with the LGPD if they process personal data from individuals inside Brazil.

    What is LGPD compliance?

    Your website must have a legal basis for processing personal data from individuals inside Brazil. Your website is required to ask for and obtain the clear and unambiguous consent of its users before legally being allowed to process any personal data, e.g. through cookies and trackers in operation on your website.

    Resources

    The Lei Geral de Proteção de Dados Pessoais (LGPD) official law text, translated into English

    LGPD law text (in Portuguese)

    Brazil’s National Data Protection Authority (ANPD)

    ANPD guide for protecting personal data under the LGPD (in Portuguese)

    General overview of the LGPD by the IAPP

    The recent changes made to the final version of the LGPD

    The eight fundamental rights of data subjects in the GDPR

    GDPR consent requirement and lawful processing bases explained by the EU

    The EU’s official comparison between its own GDPR and the Brazilian LGPD
