What LGPD is
The Lei Geral de Proteção de Dados (LGPD, Federal Law 13.709/2018) is Brazil's comprehensive data protection law. It came into force in 2020 and was enforced with fines starting in 2023. LGPD is the primary privacy framework anywhere in Latin America and is the model that subsequent regional laws have followed.
The law is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), which has issued specific guidance on cookies and online tracking.
Who LGPD applies to
- Any organisation processing personal data in Brazilian territory.
- Any organisation processing data collected in Brazil, regardless of where the processor is based.
- Any organisation offering goods or services to people located in Brazil.
Like GDPR, LGPD is extra-territorial. A US-based site that targets Brazilian visitors — via Portuguese language, BRL pricing, or just having significant Brazilian traffic — will fall under LGPD.
Legal bases for processing
LGPD lists ten lawful bases for processing personal data. The relevant ones for cookies and online tracking are:
- Consent — the standard basis for analytics, advertising, and any non-essential tracking.
- Legitimate interest — narrow; ANPD guidance generally rules it out for behavioural advertising.
- Compliance with legal obligation — for regulated industries.
Consent requirements
Consent under LGPD must be:
- Free.
- Informed — purpose, retention, controllers, and recipients disclosed.
- Unambiguous — clear affirmative action.
- Specific to a given purpose (granular).
- Withdrawable at any time, as easily as it was given.
ANPD's October 2023 cookie guidance also emphasises that the reject option must be on the first banner layer with the same prominence as accept — mirroring the EDPB's GDPR guidance.
Common violations CookieGap detects
- Cookies set before consent — same opt-in pattern as GDPR.
- Cookies persisting after the user rejects.
- No reject button or reject hidden behind extra clicks.
- No privacy policy in Portuguese or no DPO contact published.
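The first two checks in the list above can be expressed as a comparison of cookie-jar snapshots. This is an added example, not CookieGap's own code; the `audit` function, the `ESSENTIAL` allowlist and the sample snapshots are assumptions constructed for illustration.

```python
# Assumed allowlist of strictly necessary cookies. A real audit needs a
# per-site inventory; these two names are placeholders.
ESSENTIAL = {"session_id", "csrf_token"}


def audit(before_consent, after_reject):
    """Compare two cookie-jar snapshots (dicts of cookie name -> value).

    before_consent: jar captured on first load, before any banner interaction.
    after_reject:   jar captured after the visitor clicks "reject".
    Returns a sorted list of (cookie_name, finding) for non-essential cookies.
    """
    findings = []
    for name in sorted(set(before_consent) | set(after_reject)):
        if name in ESSENTIAL:
            continue  # strictly necessary cookies are out of scope here
        pre = name in before_consent
        post = name in after_reject
        if pre and post:
            findings.append((name, "set before consent and persists after reject"))
        elif pre:
            # Dropped once the visitor rejected, but it was still set too early.
            findings.append((name, "set before consent"))
        else:
            # Not on first load, yet in the jar after an explicit reject.
            findings.append((name, "present after reject"))
    return findings


# Constructed sample snapshots (not taken from a real scan).
BEFORE = {"session_id": "abc", "_ga": "GA1.2.111", "_fbp": "fb.1.222"}
AFTER_REJECT = {"session_id": "abc", "_ga": "GA1.2.111", "ad_id": "x9"}

if __name__ == "__main__":
    for cookie, finding in audit(BEFORE, AFTER_REJECT):
        print(f"{cookie}: {finding}")
```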
Penalties
LGPD fines reach 2% of revenue in Brazil up to BRL 50 million per violation — meaningful but lower than GDPR. ANPD can also order publication of the violation, blockage of the personal data involved, and suspension of processing — operational consequences that often hurt more than the fine itself.
Frequently asked questions
Is LGPD the same as GDPR?
Very similar — LGPD was modeled on GDPR — but with a couple of significant differences. LGPD enumerates ten legal bases for processing (vs GDPR's six), it has weaker territorial reach, and the regulator (ANPD) is younger and still building out enforcement practice. For cookie consent specifically, the practical requirements are nearly identical to GDPR.
Does LGPD require opt-in for cookies?
For non-essential cookies, yes — consent is the operative legal basis, and ANPD guidance has been clear that consent must be free, informed, unambiguous, and specific. Pre-ticked boxes and 'continued browsing implies consent' are not valid.
Does LGPD apply to my business if I'm not in Brazil?
Yes, if you process personal data of people located in Brazil, regardless of your own location, or if the data was collected in Brazil. The territorial trigger is similar to GDPR's.
What is ANPD and does it enforce?
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's data protection authority, established in 2020. It became fully empowered to issue fines in 2023 and has been ramping up enforcement steadily. ANPD has issued cookie-specific guidance making clear that opt-in consent is required.
Are there mandatory contact points for users?
Yes. LGPD requires designation of a Data Protection Officer (Encarregado/DPO) whose contact details must be published on the website. ANPD guidance also requires a clear, accessible channel for users to exercise their rights.
This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently — always confirm current obligations with qualified counsel before making compliance decisions.