Brazil’s LGPD: What US Businesses Need to Know — and How It Differs from the GDPR

Brazil’s comprehensive data protection law shares important DNA with the GDPR but diverges in meaningful ways. For US businesses operating in or targeting Brazil, understanding those differences is essential to building a compliant global privacy program.

Last reviewed: April 2026

Contents

  1. Introduction: Brazil’s Arrival as a Global Privacy Jurisdiction
  2. Which US Businesses Does the LGPD Apply To?
  3. Legal Bases for Processing: A Broader Framework Than the GDPR
  4. Sensitive Personal Data
  5. Data Subject Rights: Familiar Ground, Important Nuances
  6. The Data Protection Officer Equivalent: The Encarregado
  7. International Data Transfers from Brazil
  8. Data Breach Notification
  9. Enforcement, Sanctions, and the ANPD
  10. Children’s Personal Data
  11. Practical Compliance Considerations for US Businesses
  12. Conclusion

  1. Introduction: Brazil’s Arrival as a Global Privacy Jurisdiction

On August 14, 2018, Brazil enacted the Lei Geral de Proteção de Dados Pessoais — the General Personal Data Protection Law, universally known as the LGPD (Law No. 13,709/2018). After a series of legislative delays partly caused by the COVID-19 pandemic, the law’s substantive provisions entered into force on September 18, 2020, and the administrative sanction regime became operational on August 1, 2021. Brazil thus joined a growing list of jurisdictions — headlined by the European Union — that have adopted comprehensive, sector-neutral data protection frameworks carrying real extraterritorial reach.

For US businesses, the LGPD matters for a straightforward reason: Brazil is the largest economy in Latin America and the ninth largest in the world. With approximately 215 million people and one of the world’s highest rates of smartphone and social media adoption, Brazil represents a commercially significant market. Any US company that sells products or services to Brazilian consumers, processes data collected from individuals in Brazil, or operates a Brazilian subsidiary is likely within the LGPD’s scope — and therefore subject to its requirements and enforcement regime.

The LGPD was explicitly modeled on the EU’s General Data Protection Regulation (GDPR), which entered into force in May 2018, just months before Brazil passed its own law. The family resemblance is real and meaningful: the LGPD shares the GDPR’s risk-based philosophy, its distinction between controllers and processors, its menu of legal bases for processing, and its catalog of data subject rights. US businesses that have already invested in GDPR compliance will find their programs serve as a useful foundation. However, the LGPD is not the GDPR. It differs from the European framework in a number of substantive respects — some of which expand obligations beyond the GDPR, and others of which set a different or lighter standard. Those differences are the focus of this page.

  2. Which US Businesses Does the LGPD Apply To?

Article 3 of the LGPD sets out a broad territorial scope that closely mirrors the GDPR’s extraterritorial reach. The law applies to any processing of personal data — regardless of where the data controller or processor is established — in three circumstances: (i) when the processing occurs in the national territory of Brazil; (ii) when the purpose of the processing is to offer or supply goods or services, or to process data relating to individuals who are located in Brazil; or (iii) when the personal data was collected in Brazil.

The practical implication for US businesses is significant. A US company that has no physical presence in Brazil but that markets and sells products to Brazilian consumers, operates a website accessible in Brazil with localized content, or processes any personal data originally collected in Brazil falls within the LGPD’s scope. The standard is functionally similar to the GDPR’s “targeting” test under Article 3(2), which US businesses will recognize: offering goods or services to individuals in the country — regardless of whether payment is required — is enough to trigger application of the law.

It is worth noting that the LGPD expressly carves out processing carried out exclusively for: private, not-for-profit purposes; journalistic, artistic, or literary purposes; academic research (subject to specific conditions); national security, public security, national defense, or state security; the investigation and prosecution of criminal offenses; and activities carried out exclusively outside Brazil where none of the data was collected in Brazil. These exceptions are narrowly drawn and will rarely apply to commercial US businesses operating in the Brazilian market.

Key Point for US Businesses: The LGPD applies to you if you target, serve, or collect data from individuals in Brazil — even without a physical presence there. A GDPR-compliant stance on extraterritorial reach does not automatically equate to LGPD compliance, because the two laws differ meaningfully in their substantive requirements.

  3. Legal Bases for Processing: A Broader Framework Than the GDPR

One of the most immediately noticeable structural differences between the LGPD and the GDPR is the number of lawful bases available for processing personal data. The GDPR provides six legal bases in Article 6, which have become familiar to privacy practitioners worldwide: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The LGPD, by contrast, provides ten legal bases in Article 7 for processing general personal data — a materially broader menu that reflects both a different legislative philosophy and the particularities of Brazilian law.

The ten LGPD legal bases are: (1) consent of the data subject; (2) compliance with a legal or regulatory obligation by the controller; (3) execution of public policies by the public administration on the basis of laws or regulations; (4) research by research bodies, with the assurance of anonymization wherever possible; (5) execution of a contract or preliminary procedures at the request of the data subject; (6) exercise of rights in judicial, administrative, or arbitration proceedings; (7) protection of life or physical safety of the data subject or a third party; (8) protection of health, applicable exclusively to procedures carried out by health professionals or health services or sanitary authorities; (9) legitimate interests of the controller or a third party, except where data subjects’ fundamental rights and freedoms prevail; and (10) credit protection.

The tenth basis — credit protection — has no direct equivalent in the GDPR and reflects the central importance of credit markets in Brazilian commercial life. It permits processing of personal data where necessary for the purposes of extending or managing credit, fraud prevention, and financial risk assessment in the context of credit relationships. This is a meaningful difference for US financial institutions, fintech companies, and any business operating credit-based services in Brazil.

The LGPD’s approach to legitimate interests (basis 9) broadly parallels the GDPR’s, in that controllers must assess whether their interests are overridden by the data subject’s rights and freedoms. However, the LGPD’s legitimate interests basis applies to the interests of the controller or a third party, and the ANPD (Brazil’s data protection authority) retains the power to define the activities that may be conducted under this basis, giving the regulatory landscape an additional layer of potential development over time. US businesses should not simply import their GDPR legitimate interests assessments into the Brazilian context without reviewing them against LGPD-specific standards and any ANPD guidance issued to date.

For sensitive personal data, the LGPD significantly narrows the available legal bases. Under Article 11, processing of sensitive data is only permitted under six bases: specific and highlighted consent; compliance with legal or regulatory obligations; shared data required for execution of public policies; research by research bodies; exercise of rights (including contract and judicial proceedings); and protection of life or physical safety. Notably, legitimate interests is not available as a legal basis for processing sensitive personal data under the LGPD — a stricter position than under the GDPR, where legitimate interests can in principle support processing of sensitive data in limited circumstances.

  4. Sensitive Personal Data

Both the LGPD and the GDPR recognize a special category of particularly sensitive personal data that warrants heightened protection. The categories are largely overlapping but not identical. Under Article 5(II) of the LGPD, sensitive personal data means personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical, or political nature, data relating to health or sex life, genetic or biometric data — when linked to a natural person — and data relating to children.

The most significant categorical difference is the LGPD’s explicit inclusion of data relating to children within the definition of sensitive personal data. The GDPR does not classify children’s data as a special category in the same way; instead, it addresses children’s data primarily through enhanced consent requirements (Article 8) and consideration of children’s interests in legitimate interests assessments. The LGPD’s decision to categorize all data relating to children as inherently sensitive triggers the stricter processing conditions of Article 11 across the board, regardless of the specific nature of the data being processed. This is a meaningful and practically important divergence for US businesses operating consumer-facing services that children may use.

Financial data — including bank account details, credit card numbers, and financial history — is not explicitly classified as sensitive under either the LGPD or the GDPR at the level of statute. However, US businesses should be aware that processing financial data in Brazil may intersect with the dedicated credit protection legal basis and with sector-specific Brazilian financial regulation administered by the Banco Central do Brasil (the Brazilian Central Bank) and the Comissão de Valores Mobiliários (the securities regulator).

  5. Data Subject Rights: Familiar Ground, Important Nuances

The LGPD grants Brazilian data subjects a catalog of rights under Article 18 that is recognizable to anyone familiar with Chapter III of the GDPR. These include the right to confirmation of the existence of processing, the right of access to data held, the right to correction of incomplete, inaccurate, or outdated data, the right to anonymization or deletion of unnecessary or non-compliant data, the right to data portability, the right to deletion of personal data processed with the data subject’s consent, the right to information about entities with which the controller has shared data, the right to information about the option to withhold consent and its consequences, the right to revoke consent, and the right to seek review of automated decisions.

Several of these rights warrant specific attention from a comparative perspective. First, the right to information about third-party sharing is more explicitly defined in the LGPD than in the GDPR. Under Article 18(VII), data subjects may request information specifically about the public and private entities with which the controller has shared their data. GDPR privacy notices typically satisfy this at a categorical level (identifying categories of recipients), but the LGPD creates a more direct pathway for data subjects to seek disclosure of individual recipients — a difference with real implications for privacy notice design and records-keeping.

Second, the LGPD’s right to revoke consent is listed as a free-standing right under Article 18(IX), reinforcing that withdrawal of consent is available at any time and without detriment to the data subject. This parallels Article 7(3) of the GDPR, but the LGPD’s framing as a discrete, enumerated right places it with particular emphasis. Controllers who rely on consent must maintain robust mechanisms for revocation and must ensure that prior processing based on consent retains its lawfulness after withdrawal.

Third, on automated decision-making, the LGPD’s Article 20 provides a right to seek review of decisions made solely on the basis of automated processing of personal data affecting the data subject’s interests — including decisions affecting their professional profile, consumer behavior, creditworthiness, or personality. Data subjects are entitled to request a human review of such decisions and to receive clear information about the criteria and procedures employed. This broadly parallels Article 22 of the GDPR, but the LGPD does not create the same explicit opt-out mechanism for automated decision-making as the GDPR does; instead, the ANPD retains authority to issue supplementary regulation on the subject. US businesses using automated profiling, credit scoring, or algorithmic decision-making that affects Brazilian data subjects should monitor ANPD guidance in this area carefully.

| Right | GDPR | LGPD |
|---|---|---|
| Access | Yes (Art. 15) | Yes (Art. 18, II) |
| Rectification | Yes (Art. 16) | Yes (Art. 18, III) |
| Erasure | Yes (Art. 17) | Yes, tied to consent withdrawal or non-compliance (Art. 18, IV & VI) |
| Portability | Yes (Art. 20) | Yes (Art. 18, V); scope to be determined by ANPD |
| Object to processing | Yes (Art. 21) | Not a freestanding objection right; addressed via consent revocation and basis-specific rules |
| Restriction of processing | Yes (Art. 18) | Anonymization or blocking (Art. 18, IV); narrower formulation |
| Automated decision review | Yes, with opt-out (Art. 22) | Yes, right to request human review (Art. 20); no explicit opt-out |
| Third-party recipient disclosure | Indirectly, via categories of recipients (Art. 13 & 15) | Explicit right to know the specific entities with which data was shared (Art. 18, VII) |

  6. The Data Protection Officer Equivalent: The Encarregado

The LGPD requires both controllers and operators (the LGPD’s term for processors) to designate a data protection officer, referred to in the statute as the encarregado — a Portuguese term meaning, roughly, “the person in charge.” This requirement is set out in Article 41. The encarregado’s responsibilities under the LGPD include receiving complaints and communications from data subjects, receiving communications from the ANPD, providing guidance to employees and contractors on data protection matters, and performing any other functions specified by the controller or determined by supplementary regulation.

The LGPD’s mandatory designation requirement differs from the GDPR’s more targeted approach. Under the GDPR, Article 37 requires designation of a DPO only when: (a) processing is carried out by a public authority; (b) core activities involve large-scale systematic monitoring of individuals; or (c) core activities involve large-scale processing of special category data. The GDPR’s DPO requirement, in other words, is risk-based and threshold-triggered. The LGPD’s default rule is universal: every controller and every operator is required to designate an encarregado, without an explicit risk-based threshold.

However, the ANPD has exercised its statutory power to create exemptions through regulation. ANPD Resolution CD/ANPD No. 2/2022 established simplified compliance requirements for “small-scale processing agents,” a category that includes micro and small enterprises (as defined under Brazilian law), startups (as defined under Law No. 13,709/2018 and supplementary legislation), and individual entrepreneurs. Small-scale processing agents that do not process high-risk data may be exempt from the mandatory encarregado designation requirement, among other simplified obligations. US businesses operating in Brazil at significant scale should assume the requirement applies to them.

One notable feature of the LGPD’s encarregado requirement is that the designee may be a natural person or a legal entity. The LGPD thus expressly contemplates that businesses may fulfill this function through a designated external service provider — a firm, a consultancy, or a law firm, for example — rather than only through an individual employee. Under the GDPR, Article 37(6) similarly allows the DPO to be an external service provider, but the GDPR frames this in terms of a service contract with a natural person or an organization. The LGPD’s explicit inclusion of legal entities gives businesses greater structural flexibility in how they organize this function across group structures. US businesses operating Brazilian entities should ensure that the identity and contact details of the encarregado are publicly disclosed, as required by Article 41(1).

  7. International Data Transfers from Brazil

Personal data collected or processed in Brazil may only be transferred to a foreign country or international organization in accordance with the conditions set out in Article 33 of the LGPD. The framework broadly parallels Chapter V of the GDPR, establishing a hierarchy of transfer mechanisms that includes adequacy decisions, contractual safeguards, and specific derogations — but with important differences in both structure and current legal status.

The primary transfer mechanism under the LGPD is an adequacy determination issued by the ANPD, recognizing that a foreign country or international organization provides a level of personal data protection equivalent to the LGPD. As of the date of this page, the ANPD had not yet issued any adequacy determinations. US businesses cannot therefore rely on an adequacy decision to transfer data from Brazil to the United States. This is a practically important point: businesses that rely on EU-US adequacy mechanisms for GDPR transfers (such as the EU-US Data Privacy Framework) must conduct a separate analysis for their LGPD data flows, since the two frameworks operate independently.

In the absence of an adequacy decision, Article 33 permits transfers based on adequate guarantees provided by the controller. These include: specific contractual clauses approved by the ANPD; standard clauses published by the ANPD; global corporate norms (analogous to Binding Corporate Rules under the GDPR); and seals, certificates, or codes of conduct regularly issued by the ANPD. As of this writing, the ANPD had published draft guidance on standard contractual clauses and global corporate norms but had not finalized those instruments. Controllers relying on these mechanisms should monitor ANPD developments closely and ensure that any contractual arrangements are updated when final instruments are published.

The LGPD also permits transfers under a series of specific derogations in Article 33, including: with the specific consent of the data subject; where necessary for the performance of a contract; for exercise of rights in judicial, administrative, or arbitration proceedings; to protect life or physical safety; for health protection by sanitary authorities; and for financial, credit, banking, or insurance operations. These derogations are broadly comparable to those in Article 49 of the GDPR, and US businesses should apply similar caution about relying on derogations for routine or repeated data transfers rather than using them only for occasional or incidental flows.

Practical Note on US-Brazil Transfers: Unlike the EU-US Data Privacy Framework, no bilateral adequacy arrangement exists between Brazil and the United States. US businesses that receive personal data from Brazil — whether through a subsidiary, a service provider relationship, or directly from Brazilian consumers — should implement contractual safeguards and monitor ANPD guidance on standard clauses, which remains an active area of regulatory development.

  8. Data Breach Notification

Article 48 of the LGPD requires controllers to notify the ANPD and affected data subjects of any security incident that may cause relevant risk or harm to data subjects. The notification must be made within a “reasonable period” defined by the ANPD and must include, at minimum: a description of the nature of the affected personal data; information on the data subjects involved; the security measures adopted to protect the data; the risks related to the incident; the reasons for any delay in notification (if applicable); and the measures that have been or will be adopted to reverse or mitigate the incident’s effects.

The ANPD formalized the notification timeline and content requirements through Resolution CD/ANPD No. 4/2023, adopted in February 2023. Under that Resolution, controllers must submit a preliminary notification to the ANPD within three business days of becoming aware of a security incident that meets the threshold for notification. A full supplementary notification containing the complete details required by Article 48 must follow within 20 business days of the preliminary notice. The ANPD has the power to require earlier notification in high-risk cases.

US businesses familiar with the GDPR will note two significant differences. First, the GDPR’s 72-hour notification clock for supervisory authorities (Article 33) begins to run from the point at which the controller becomes aware of the breach — a standard that European regulators and courts have interpreted strictly. The LGPD’s three business day window is somewhat longer and is calculated in business days, which may provide modestly more operational time in some circumstances. Second, the GDPR requires notification to data subjects “without undue delay” when the breach is “likely to result in a high risk to the rights and freedoms of natural persons” — an immediate, direct obligation. Under the LGPD, notification to affected data subjects is also required, but the precise standards and timing are subject to further ANPD interpretation and guidance. Controllers who process data of individuals in both Brazil and the EU will need to manage parallel notification obligations that may not be perfectly synchronized.

  9. Enforcement, Sanctions, and the ANPD

Enforcement of the LGPD is the responsibility of the Autoridade Nacional de Proteção de Dados — the National Personal Data Protection Authority, known by its Portuguese acronym ANPD. The ANPD was created by Law No. 13,853/2019, which modified the original LGPD text, and became an independent federal autarchy — placing it outside direct executive control — pursuant to Decree No. 10,474/2020. The ANPD has a Board of Directors composed of five members with fixed terms, a National Council for Personal Data Protection and Privacy with a broader advisory role, and an internal investigation and enforcement structure. Since becoming fully operational, the ANPD has progressively built out its regulatory and enforcement activities, including issuing substantive resolutions on topics including breach notification, exemptions for small-scale processing agents, and consent.

The LGPD’s sanctions regime under Article 52 provides the ANPD with a range of administrative penalties. These include: a warning with a deadline for adoption of corrective measures; a simple administrative fine of up to 2% of the company or business group’s revenue in Brazil for the prior fiscal year, capped at BRL 50 million per violation (approximately USD 10 million at current exchange rates); a daily administrative fine; publication of the infraction after due process and final judgment; blocking of personal data until the irregularity is remedied; deletion of the personal data concerned; partial suspension of the database operation for up to six months; and partial or total prohibition of personal data processing activities.

The difference between the LGPD’s and GDPR’s penalty structures is material and has important strategic implications. The GDPR’s maximum fine — €20 million or 4% of global annual turnover, whichever is higher — is calibrated to global revenue and can reach enormous sums for large multinationals. The LGPD’s maximum fine is expressly tied to Brazilian revenue only and is subject to an absolute cap of BRL 50 million per violation, regardless of revenue. For a large US multinational, the practical maximum LGPD fine exposure from a single violation is likely to be far lower than the equivalent GDPR exposure. However, businesses should not interpret the lower maximum penalty as a signal that LGPD compliance is optional or low-stakes: the ANPD’s enforcement activity has been increasing, multiple violations can compound the financial exposure, and the reputational and commercial consequences of a public enforcement action in Brazil’s large consumer market are independent of the fine amount. The ANPD also has the power to prohibit data processing entirely — a remedy with operational consequences that can dwarf any monetary penalty.

  10. Children’s Personal Data

The LGPD dedicates Article 14 to the processing of personal data of children and adolescents. Under Brazilian law, a child is defined as a person under 12 years of age, and an adolescent is defined as a person between 12 and 18 years of age — classifications drawn from Brazil’s Child and Adolescent Statute (ECA, Law No. 8,069/1990). The LGPD generally requires that processing of children’s personal data must be carried out in the best interests of the child and must be conducted only with the specific and highlighted consent of at least one parent or legal guardian.

The LGPD requires controllers to make every reasonable effort to verify that consent was given by a parent or legal guardian, using available technologies consistent with market standards. Processing for the purpose of behavioral contact or profiling of children is explicitly prohibited. US businesses that operate consumer-facing digital services — including apps, websites, gaming platforms, and e-commerce services — that may attract Brazilian users under 12 must build parental consent workflows into their onboarding and data processing flows, or alternatively design their services to avoid collecting any personal data from this age group.

The interaction between the LGPD’s treatment of children’s data and US law is worth noting for US businesses. The Children’s Online Privacy Protection Act (COPPA) applies to US-directed online services and requires verifiable parental consent for processing personal data of children under 13. While the LGPD and COPPA share the underlying policy objective of protecting younger users, their scope, thresholds, definitions, and consent standards differ. A service that is COPPA-compliant is not automatically LGPD-compliant for Brazilian users, and vice versa. US businesses serving both markets should assess compliance against each framework on its own terms.

  11. Practical Compliance Considerations for US Businesses

Assess Your Territorial Exposure

The starting point for any LGPD compliance program is a clear-eyed assessment of whether and to what extent the law applies to your operations. This means mapping your data flows to determine whether you process personal data collected in Brazil, whether your products or services are targeted at individuals in Brazil, and whether your website, app, or platform is accessible and localized for Brazilian users. Many US businesses are subject to the LGPD without having made a deliberate decision to enter the Brazilian market — for example, because their e-commerce platform ships to Brazil, because their software-as-a-service product is used by Brazilian businesses and their employees, or because they have acquired a company with Brazilian operations.

Conduct a Gap Analysis Against Your GDPR Program

If your business has invested in GDPR compliance, that investment provides a strong platform — but should not be treated as a complete solution. A structured gap analysis comparing your current GDPR program against LGPD requirements will typically identify differences in: the applicable legal bases (particularly around credit protection and the narrower scope of legitimate interests for sensitive data); the encarregado designation and public disclosure requirement; the specific data subject rights disclosures required; the composition and coverage of data processing agreements; and your data breach response procedures (particularly the three business day preliminary notification requirement). The gap analysis should also identify any processing activities that fall within scope of the LGPD but not the GDPR, or vice versa.

Appoint and Publicly Disclose Your Encarregado

Unlike the GDPR’s DPO, whose identity must be communicated to the supervisory authority but whose public disclosure is optional, the LGPD requires that the identity and contact information of the encarregado be made publicly available, typically through a privacy notice or the controller’s website. US businesses subject to the LGPD should ensure that their privacy notices and website footers are updated to include the name and contact information (or at minimum the contact channel) of the designated encarregado, even where the function is fulfilled by a person or entity based outside Brazil.

Review and Update Data Processing Agreements

Article 37 of the LGPD requires controllers and operators to maintain records of personal data processing activities as requested by the ANPD. Article 39 requires operators (processors) to process data only in accordance with the controller’s instructions. Contracts between US businesses and their Brazilian vendors, service providers, and processors should be reviewed to ensure they reflect LGPD requirements, particularly where those contracts were originally negotiated on GDPR standard contractual clause templates without specific LGPD adaptation.

Monitor ANPD Regulatory Output

The ANPD has been actively issuing resolutions, orientations, and guidance notes across a range of topics since becoming fully operational. Areas of active regulatory development as of this writing include: standard contractual clauses for international transfers, final guidance on legitimate interests, sector-specific processing guidance, and further development of the sanctions calculation methodology. US businesses with Brazilian data processing activities should maintain a regulatory monitoring function — or engage outside counsel — to track and respond to ANPD output on a timely basis.

  12. Conclusion

Brazil’s LGPD is a mature, GDPR-inspired comprehensive data protection law with real enforcement teeth and an increasingly active regulatory authority. For US businesses operating in Brazil or serving Brazilian consumers, the law is not a distant compliance horizon — it is current, operative, and enforceable. While the GDPR provides a useful frame of reference, treating LGPD compliance as merely an extension of a GDPR program is a mistake. The ten legal bases (including credit protection), the mandatory and publicly disclosed encarregado, the three business day preliminary breach notification, the classification of children’s data as inherently sensitive, the different international transfer mechanisms, and the Brazil-specific penalty structure all require discrete attention and tailored program design.

As the ANPD continues to mature its regulatory framework and issue substantive guidance — and as Brazil’s digital economy continues to grow — the practical stakes of LGPD compliance will only increase. US businesses that establish robust programs now, calibrated specifically to the LGPD rather than merely borrowed from their GDPR infrastructure, will be best positioned to operate confidently in the Brazilian market and to manage enforcement risk effectively.

Advising US Businesses on Brazilian Data Protection Law

Our data protection practice regularly advises US-headquartered businesses on LGPD compliance strategy, cross-border transfer frameworks, privacy program design, and ANPD regulatory developments. If you have questions about whether the LGPD applies to your operations or how to build an effective Brazil-specific compliance program, we welcome the opportunity to assist.