Global Privacy Laws: Brazil LGPD
The Brazilian General Data Protection Law (LGPD) is Brazil’s first comprehensive data protection regulation, broadly aligning with the EU GDPR. It aims to regulate personal data processing, protect individuals’ privacy and fundamental rights, and provide legal certainty for data handling.
Overview
The Brazilian General Data Protection Law — known as Lei Geral de Proteção de Dados (LGPD) — is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Regulation (GDPR). LGPD aims to regulate the processing of personal data in Brazil, protect individuals’ privacy and fundamental rights, and provide legal certainty for data handling.
Key Dates
- Signed into law: August 14, 2018
- Effective date: September 18, 2020
Thresholds
The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarters are located, or (3) the country where the data are located, provided that:
- The processing operation is carried out in Brazil;
- The purpose of the processing activity is to offer or provide goods or services to, or to process the data of, individuals located in Brazil; or
- The personal data was collected in Brazil.
Consumer Rights
- Right to be Informed – Individuals have the right to learn how companies process their personal data. This also applies when a third party obtains personal data from a controller.
- Right of Access – Individuals can request a copy of their personal data through any reasonable means. This includes via email, phone, written letter, or through an online portal.
- Right to Rectification – Individuals have the right for businesses to correct incomplete, inaccurate, or outdated information about them. There are no restrictions on the format or nature of rectification requests made by individuals.
- Right to Erasure – Individuals have the right to request complete erasure of their personal data. Businesses must honor erasure requests so long as they have consent and have verified the data subject’s identity.
- Right to Object – Also known as the “right to restriction,” individuals may ask companies to block unnecessary or excessive data collection or processing.
- Right to Data Portability – Individuals have the right to the portability of their data via an express request.
- Right not to be subject to automated decision-making – Individuals may request to review decisions made about them exclusively as a result of automation.
Sensitive Data
Under the LGPD, sensitive data is defined as personal information that may include an individual's racial or ethnic origin, religious beliefs, political opinions, trade union membership, or religious affiliation. Sensitive data also includes health or sexual life data, as well as genetic or biometric data.
Penalties
Under the LGPD, companies that mishandle personal data can face several consequences.
- Warnings
- Warnings are a first step in enforcement, and they come with a deadline to fix issues. No fines are imposed at this stage, but ignoring warnings can lead to harsher penalties.
- Simple Fines
- Up to 2% of a company’s gross revenue in Brazil from the previous year (excluding taxes).
- Maximum of R$50 million per violation.
- Daily Fines
- Daily fines are charged each day a company fails to comply.
- Capped at R$50 million.
- Public Disclosure of Violations
- Authorities may publish details of a breach, which can seriously damage a company’s reputation and trust.
- Blocking or Deletion of Data
- Access to personal data may be blocked or data may be deleted until compliance is restored.
- Prohibition of Activities
- Partial or total ban on processing personal data.
- Compensation for Damages
- Companies may need to pay individuals for harm caused by non-compliance.
Configure Your Consent Banner for LGPD
Regions are used to customize the banner's behavior and experience based on an individual user's location. For example, this allows you to provide different experiences to users based on regional differences (such as LGPD in Brazil vs. CCPA in California). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. Rules can go down to the state/province level, which allows for different experiences under different laws (such as CCPA in California).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Express
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Off
- Enable Do Not Sell Consent: Off
- Enable Global Privacy Control: Off
Current LGPD requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally, since regulations like CCPA/CPRA require both Do Not Sell and Global Privacy Control. Also, note that when processing privacy requests, the Brazil General Data Protection Law (LGPD) requires organizations to respond to detailed data access requests within 15 days.
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.
While you can get as granular as you want, we typically recommend either a single global policy that meets the strictest guidelines across regions, or a small number of coarse splits (such as separate GDPR and United States regions, adding further regions only for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
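The region matching described above (most granular rule wins, state over country over global) together with the recommended LGPD settings, as an added example that is not Concord's own code. The rule shape, the setting keys and the extra US/California rules are constructed for illustration and are assumptions, not Concord's data model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RegionRule:
    """One region rule; country/state are None for a catch-all level (assumed shape)."""
    country: Optional[str]        # ISO country code, None = global default
    state: Optional[str]          # state/province code, None = whole country
    settings: Dict[str, object]


# The consent settings this page recommends for Brazil (LGPD), as a constructed dict.
LGPD_SETTINGS: Dict[str, object] = {
    "consent_mode": "express",
    "blocking_mode": "strict",
    "google_consent_mode_v2": "basic",
    "consent_duration_months": 12,
    "limit_sensitive_information": False,
    "do_not_sell": False,
    "global_privacy_control": False,
}

# Constructed rule set: a privacy-first global default, a Brazil rule, and a US
# rule with a stricter California override. The US/CA values are illustrative.
RULES: List[RegionRule] = [
    RegionRule(None, None, {**LGPD_SETTINGS, "do_not_sell": True, "global_privacy_control": True}),
    RegionRule("BR", None, LGPD_SETTINGS),
    RegionRule("US", None, {**LGPD_SETTINGS, "do_not_sell": True}),
    RegionRule("US", "CA", {**LGPD_SETTINGS, "do_not_sell": True, "global_privacy_control": True}),
]


def _applies(rule: RegionRule, country: str, state: Optional[str]) -> bool:
    """A rule covers a visitor when every level it specifies matches."""
    if rule.country is not None and rule.country != country:
        return False
    if rule.state is not None and rule.state != state:
        return False
    return True


def match_region(rules: List[RegionRule], country: str, state: Optional[str] = None) -> Optional[RegionRule]:
    """Return the most granular rule covering the visitor, or None if nothing applies."""
    candidates = [r for r in rules if _applies(r, country, state)]
    if not candidates:
        return None
    # Specificity score: state rule (2) beats country rule (1) beats global default (0).
    return max(candidates, key=lambda r: (r.country is not None) + (r.state is not None))


def settings_for(rules: List[RegionRule], country: str, state: Optional[str] = None) -> Dict[str, object]:
    """Settings the banner should load; fails loudly rather than silently under-blocking."""
    rule = match_region(rules, country, state)
    if rule is None:
        raise LookupError("no region rule matches and no global default is configured")
    return rule.settings
```

A visitor from any Brazilian state falls through to the country-level LGPD rule, while a visitor from an unconfigured country gets the global default instead of no banner at all.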