Lei Geral de Proteção de Dados (LGPD)
Brazil’s comprehensive data protection law modeled on the GDPR, establishing rules for processing personal data of individuals in Brazil.
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s general data protection law, which came into full effect in August 2020 with enforcement beginning in August 2021. It applies to any organization that processes personal data collected in Brazil, processes data of individuals located in Brazil, or offers goods and services to the Brazilian market — regardless of where the organization is based. The LGPD defines ten legal bases for processing, including consent, legitimate interest, contract performance, and legal obligation.
The LGPD is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), which has the power to issue warnings, fines of up to 2% of the organization’s Brazilian revenue (capped at BRL 50 million per violation), and publish violations. While modeled on the GDPR, the LGPD has some distinctive features: it includes ten legal bases instead of the GDPR’s six, it applies specifically to data processed in Brazil or of individuals in Brazil, and its consent requirements allow for some flexibility in format. The ANPD has been actively issuing guidelines and regulations to fill in the details of the law’s implementation.