What the LGPD Is, and Why It Reaches Your Website
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018) is the country's comprehensive data-protection statute. It came into force in September 2020, and administrative sanctions became enforceable in August 2021. With more than 200 million people online, Brazil is one of the largest digital markets on the planet — and the LGPD governs how any organisation processes the personal data of people located there.
Like the EU's GDPR, the LGPD is extraterritorial. Article 3 makes the law apply not only to processing carried out in Brazil, but to any processing that has the purpose of offering goods or services to people in Brazil, or that involves data collected in the national territory. In plain terms: if your site has Brazilian visitors and you set analytics or marketing cookies on their browsers, the LGPD almost certainly applies to you — regardless of where your company or servers are based.
This guide walks through the practical obligations the LGPD places on a website operator: the legal bases for processing, how cookie consent works, the rights you must honour, and how the law compares with the GDPR you may already know. If you are new to privacy law generally, start with our What Is GDPR? explainer, then return here for the Brazilian specifics.
The Ten Legal Bases for Processing
Where the GDPR offers six lawful bases, the LGPD lists ten in Article 7. The most relevant for a typical website are:
- Consent — a free, informed, and unambiguous expression of agreement to processing for a specific purpose. This is the basis you rely on for non-essential cookies.
- Legitimate interest (legítimo interesse) — processing necessary for the controller's legitimate purposes, balanced against the data subject's rights and freedoms. The LGPD treats this more cautiously than the GDPR and ties it closely to the data subject's reasonable expectations.
- Compliance with a legal or regulatory obligation — for example, retaining transaction records required by Brazilian law.
- Performance of a contract — processing needed to deliver a service the user requested.
- Credit protection — a basis unique to the LGPD, reflecting Brazil's credit-reporting context.
Choosing the correct basis matters, because it determines which rights the data subject can exercise and whether you need explicit consent. For tracking technologies that are not strictly necessary to deliver your service, consent is the safe and expected basis.
Cookies and Consent Under the LGPD
The LGPD does not contain a dedicated "cookie clause" the way the EU's ePrivacy Directive does. Instead, cookies that collect personal data — and most analytics and advertising cookies do, because identifiers and IP addresses count as personal data — fall under the general consent and transparency rules. Brazil's data-protection authority, the ANPD, published a guide on cookies and personal data in 2022 that confirms this reading and sets clear expectations.
In practice, a compliant Brazilian cookie banner looks much like a GDPR one:
- No pre-ticked boxes and no implied consent. Continuing to browse is not consent. The user must take an affirmative action.
- Granular control. Visitors should be able to accept or reject categories of cookies — analytics, marketing, personalisation — rather than being forced into all-or-nothing.
- Symmetry. The ANPD's guidance discourages designs where "Accept" is one click but rejecting requires hunting through menus. A clear, equally prominent reject option is expected.
- Transparency first. Before consent, the banner must explain who is processing data, for what purposes, and how to withdraw consent later.
Because these requirements overlap heavily with GDPR, a well-built consent layer can serve both audiences. Our guide to blocking scripts until consent covers the technical enforcement that makes a banner more than decorative — the tags must actually be held back until the visitor agrees.
A Banner Without Enforcement Is Not Compliance
The single most common LGPD and GDPR failure is the same: a banner appears, but the analytics and advertising scripts have already fired before the visitor clicks anything. If consent is your legal basis, processing that happens before consent has no lawful basis at all. The banner must gate the tags, not merely sit on top of them.
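As an added example of the gating this section describes (not code from the original page or from any product it mentions): non-essential tags are declared inert in the HTML, and a small loader turns on only the categories the visitor explicitly accepted. The `text/plain` marker, the `data-consent` attribute and the category names are assumptions.

```javascript
// Added example: consent-gated tag loader for a cookie banner (not the page's own code).
// Assumption: non-essential tags are declared inert in the HTML, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://example.invalid/a.js"></script>
// so nothing fires until the banner calls activateConsentedTags(record).

const CATEGORIES = ['analytics', 'marketing', 'personalisation'];
const ESSENTIAL = 'essential';

// Build the consent record from the banner's choices. Only an explicit `true` counts;
// anything missing, pre-filled or truthy-but-not-boolean is treated as refused.
function buildConsentRecord(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  return { timestamp: now, categories };
}

// Withdrawal is a new record with every non-essential category refused. Scripts already
// running cannot be unloaded, so the caller should also clear their cookies and reload.
function withdrawConsent(now = Date.now()) {
  return buildConsentRecord({}, now);
}

// Decide which declared tags may run. A tag with no category, or with a category the
// visitor has not accepted, stays blocked; only `essential` is exempt from consent.
function decideTags(tags, categories) {
  return tags.map((tag) => {
    const category = String(tag.category || '').trim().toLowerCase();
    const allowed = category === ESSENTIAL || categories[category] === true;
    return { ...tag, category, allowed };
  });
}

// Browser-only: replace each inert tag whose category is allowed with a live <script>
// carrying the same attributes (minus type) and inline body, so it executes now.
function activateConsentedTags(record) {
  if (typeof document === 'undefined') return 0;
  const nodes = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = nodes.map((node) => ({ node, category: node.dataset.consent }));
  let activated = 0;
  for (const { node, allowed } of decideTags(tags, record.categories)) {
    if (!allowed) continue;
    const live = document.createElement('script');
    for (const { name, value } of Array.from(node.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.text = node.text;
    node.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

The same record, stored with its timestamp, doubles as the evidence that consent was given before any tag ran.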
Data-Subject Rights You Must Honour
Article 18 of the LGPD grants data subjects a robust set of rights, several of which go beyond the GDPR's list. Brazilian residents (called titulares) can request:
- Confirmation that their data is being processed, and access to that data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed unlawfully.
- Data portability to another service provider.
- Deletion of data processed on the basis of consent.
- Information about the entities with which the controller has shared the data — a transparency right that is unusually specific.
- Information about the consequences of refusing consent.
- Withdrawal of consent, which must be as easy as giving it.
Controllers must respond to these requests within the timeframes set by the law: a simplified response has to be given immediately, and a clear and complete declaration within 15 days. Building a request-handling process now — rather than improvising when the first request arrives — is the difference between a routine task and a scramble.
The DPO, the ANPD, and Records
The LGPD requires controllers to appoint an encarregado — the data protection officer or DPO — who serves as the point of contact for data subjects and for the ANPD. Unlike the GDPR, the LGPD's original text required a DPO for essentially all controllers, though later ANPD regulation introduced proportionality for small processing agents. At minimum, you must publish a contact channel for privacy matters.
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's supervisory authority. It issues guidance, investigates complaints, and applies sanctions. Controllers are also expected to maintain records of their processing activities and, for higher-risk processing, to prepare a Relatório de Impacto à Proteção de Dados Pessoais (a data protection impact report) when the ANPD requests one.
Penalties for Non-Compliance
The LGPD's sanctions, set out in Article 52, escalate from a warning through to substantial fines. The headline penalty is a fine of up to 2% of the company's revenue in Brazil for the prior financial year, capped at R$50 million per infraction. The ANPD can also order the blocking or deletion of the data involved, and publicise the violation — a reputational sanction that can be as damaging as the financial one.
The 2% revenue cap is lower than the GDPR's 4% global-turnover ceiling, but the per-infraction structure means repeated or compounding failures add up quickly. The ANPD has moved from an education-first posture toward active enforcement, so treating the LGPD as optional is an increasingly expensive bet.
LGPD vs GDPR at a Glance
| Aspect | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Legal bases | Ten bases, including credit protection and health protection | Six bases |
| Maximum fine | 2% of Brazilian revenue, capped at R$50 million per infraction | 4% of global annual turnover or 20 million euros, whichever is higher |
| Supervisory authority | ANPD, a single national authority | One authority per member state, coordinated by the EDPB |
| DPO requirement | Encarregado broadly required, with proportionality for small agents | Required only in specific circumstances |
| Cookie rules | No dedicated cookie law; governed by general consent rules plus ANPD guidance | ePrivacy Directive sets explicit cookie-consent requirements |
LGPD Website Compliance Checklist
- Map what personal data your site collects and the legal basis for each purpose. Cookies, forms, analytics, and embedded third-party widgets all count.
- Deploy a consent banner that blocks non-essential tags until the visitor opts in. Affirmative action only — no pre-ticked boxes and no consent-by-scrolling.
- Offer an equally easy way to reject and to withdraw consent later. Withdrawal must be as simple as giving consent.
- Publish a privacy notice in Portuguese covering purposes, sharing, and rights. Transparency is a standalone obligation, not just part of the banner.
- Name an encarregado (DPO) and publish a privacy contact channel. This is the point of contact for both data subjects and the ANPD.
- Build a process to fulfil access, correction, deletion, and portability requests. Aim to handle simplified requests immediately and full declarations within 15 days.
The Practical Takeaway
If you already run a GDPR-grade consent setup, you are most of the way to LGPD compliance — the consent mechanics, transparency, and rights-handling overlap heavily. The Brazil-specific work is naming an encarregado, providing a Portuguese privacy notice, recognising the LGPD's extra legal bases and data-subject rights, and aligning your banner with ANPD guidance. A single, properly enforcing consent layer can serve both Brazilian and European visitors without separate implementations.
Related Guides
Continue with What Is GDPR? to compare frameworks, GDPR Requirements for Websites for the EU baseline, and How to Block Scripts Until Cookie Consent for the technical enforcement that any consent-based law requires. For authoritative sources, see the ANPD's official site and the full text of the LGPD (Lei 13.709/2018).