LGPD

Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Law)

Brazil | Opt-in | National

Key Facts

Effective Date: September 18, 2020
Enacted: August 14, 2018
Enforcing Authority: Autoridade Nacional de Proteção de Dados (ANPD)
Consent Model: Opt-in
Fulfillment Time: 15 days
Applies To: Any organization processing personal data of individuals located in Brazil, regardless of location (extraterritorial scope)

Overview

The LGPD is Brazil's comprehensive data protection law, modeled after the GDPR with extraterritorial scope. It requires explicit consent with separate authorization per processing purpose. The ANPD has issued specific cookie guidance clarifying that non-essential cookies require prior consent.

What This Means for Your Website

  • Explicit consent with separate authorization per purpose is required for Brazilian visitors
  • Non-essential cookies require prior consent per ANPD cookie guidance
  • A Data Protection Officer (Encarregado) must be appointed
  • Penalties include publicization of the infraction — creating reputational risk beyond fines
  • Extraterritorial scope applies to any processing of data of individuals in Brazil
  • Data subject rights include access, correction, deletion, portability, and information on sharing

Key Requirements

The ANPD enforces the LGPD with penalties of up to 2% of annual revenue in Brazil, capped at BRL 50 million per infraction. Additional sanctions include daily fines, publicization of the infraction, and blocking or deletion of data. Data subject requests must be fulfilled within 15 days. The ANPD was elevated to independent authority status, strengthening enforcement capacity.

How ConsentStack Handles This

ConsentStack detects Brazilian visitors and presents a consent banner requiring explicit opt-in per purpose category, meeting ANPD cookie guidance requirements. Consent records are maintained for audit compliance.

Penalties

2% of annual revenue in Brazil, capped at BRL 50 million per infraction; daily fines; publicization of infraction; blocking/deletion of data.

Maximum Fine: R$50,000,000 per violation
Revenue-based: 2% of annual revenue

Key Requirements

  • Explicit consent with separate authorization per processing purpose
  • Consent for non-essential cookies per ANPD guidance
  • Appoint a Data Protection Officer (Encarregado)
  • Data subject rights: access, correction, deletion, portability
  • Data Protection Impact Assessments for high-risk processing
  • Breach notification to ANPD and data subjects within a reasonable time

Notable Provisions

  • GDPR-modeled with extraterritorial reach
  • ANPD elevated to independent authority status
  • Separate consent per purpose required
  • Penalties include publicization of infraction (reputational impact)

Other Latin America & Caribbean Regulations

Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Jamaica DPA (Jamaica)
The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Frequently Asked Questions

Does Brazil have a cookie law?

The LGPD does not specifically mention cookies, but ANPD cookie guidance requires consent for non-essential cookies. ConsentStack implements this automatically for Brazilian visitors.

What are the LGPD penalties?

Up to 2% of annual revenue in Brazil, capped at BRL 50 million per infraction. Penalties also include publicization of the infraction and data blocking/deletion.

Does the LGPD have extraterritorial scope?

Yes. The LGPD applies to any processing of personal data of individuals located in Brazil, regardless of where the processing organization is located.

How does consent work under the LGPD?

The LGPD requires explicit consent with separate authorization per processing purpose — similar to GDPR but with per-purpose granularity explicitly required.
