The LGPD is Brazil’s General Data Protection Law, passed by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). It came into...
by Usercentrics
May 3, 2021
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

The LGPD is Brazil’s General Data Protection Law, passed by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). It came into effect August 16, 2020. The LGPD is very similar to Europe’s GDPR and is a framework containing 65 articles regulating the use and processing of personal data.



We have compiled the most important questions around LGPD for you:


LGPD stands for Lei Geral de Proteção de Dados. It is the data protection law in Brazil. It came into effect on August 16th, 2020 but it will be enforceable as of August 1st, 2021.

The main difference between these two regulations is that LGPD has more legal bases. Besides the 6 legal bases that are also included in the GDPR they have 4 more:

  • – to carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  • – to exercise judicial or administrative rights or arbitration procedures,
  • – to protect health in procedures carried out by health professionals or by health entities,
  • – to protect credit.

Regarding the data subject rights, the only difference is that in Brazil there is no right of restriction of processing (Art. 18 GDPR). There is also no direct right to object to the processing, but the user needs to be able to withdraw their consent.

There are 10 legal bases that allow the processing of personal information. The most commonly used legal bases to enable the use of cookies and other technologies on a website, which collect personal information, are Consent and Legitimate Interest. The services that can be used under legitimate interest are ones that are essential, help with the functionality of the website, or are used for performance and analytics purposes.

– The General Data Protection Regime (the ‘GDP’) does not establish specific requirements regarding providing cookie descriptions to users.

– Obtaining cookie consent would only be necessary as long as the information captured by cookies is deemed personal data. For consent to be valid it has to be: 

– prior (before the processing takes place), 

– express (through means where the data subject reveals unequivocal intention), and 

– informed. 

Data subjects need to be informed about: 

(i) the name and contact details of the data controller 

(ii) their rights and means to exercise them;

(iii) where to consult the applicable privacy policy

(iv) that the authorization to process sensitive data is entirely optional

(v) the specific data that will be collected and processed (especially if sensitive data is involved), and 

(vi) how the data will be used and for what purposes (the information and consent language must be provided in the Portuguese language, if the website is provided in Portuguese).

Yes. Since there are no specific requirements in Brazil for obtaining cookie consent, the two-layer approach used on the Usercentrics website is sufficient to comply with the transparency and consent requirements established by Brazilian data protection laws.

Yes. It must be equally as easy to withdraw cookie consent as to give it. This requirement can be implemented by switches as used on the Usercentrics website.

In Brazil, there are no specific regulations concerning the content of the cookie banner. In any event, the following is recommended:

(i) allow acceptance of specific categories of cookies, if consent will be sought

(ii) place the cookie banner prominently on the website

(iii) avoid nudge techniques to influence users’ preferences or consent

(iv) insert the cookie privacy notice link in the banner.

Yes. Such implementation is sufficient. There are no requirements regarding the storage location for cookie consent.

The Brazilian National Data Protection Authority (‘ANPD’) has been created but is not yet operational. Guidance has not been issued yet and no official ANPD website is available.

Please find general information on ANPD here:


There are no specific rules related to the use of cookies in Brazil. However, since the data collected by cookies is deemed to be personal data, data protection laws such as the Brazilian Internet Act and, most importantly, the LGPD, will apply.

The LGPD applies to any personal data processing operation performed by an individual or organization, whether public or private, irrespective of the means, the country where it is headquartered, or the country where the data is located, provided that: 

(i) the processing operation is carried out in Brazil

(ii) the purpose of the processing operation is to offer or provide goods or services or the processing of data of individuals located in Brazil (i.e. offering goods or services and addressing marketing campaigns in Brazilian reals or in the Portuguese language), or 

(iii) the personal data is collected in Brazil (i.e. when the data subject is located in Brazil at the time of the collection).

Section 14 of the LGPD states that the processing of personal data of children – defined as individuals between 0 and 12 years old – and teenagers – defined as between 13 to 18 years old – must be performed in their best interest under LGPD and the applicable specific legislation, e.g. the Brazilian Civil Code and the Children and Teenagers Statute.

Section 14 (1) LGPD specifically mentions that the processing of personal data of children must be performed with the specific and express consent provided by at least one parent or legal guardian. Controllers shall employ reasonable efforts to confirm/validate this consent.

The ANPD may apply administrative sanctions that will be enforceable as of August 2021.

These penalties are defined in Section 52 of the LGPD and include the following: 

(i) warning 

(ii) one-time fine of up to 2% of the net revenue of the infringing entity’s conglomerate in Brazil in its preceding fiscal year, excluding taxes, up to BRL 50,000,000.00 per violation

(iii) daily fine, which is also subject to the limit set before 

(iv) press release 

(v) blocking or deletion of personal data 

(vi) suspension or prohibition of processing activities.

Even though administrative sanctions will only be enforceable as of August 2021, data subjects are already able to exercise their rights in court or before consumer protection bodies. Consumer protection bodies and public prosecution offices may also enforce some of the LGPD or Consumer Protection Code provisions in matters related to consumer protection and data subjects’ rights.

Related Articles

Consent Management for Customer Data Solutions

Consent Management for Customer Data Solutions

Using Data Warehouses and CDPs to store and manage customer data on companies’ own servers means opportunities and...

South Africa’s Protection of Personal Information Act – an overview

South Africa’s Protection of Personal Information Act – an overview

South Africa’s POPIA is a data privacy law that preceded the GDPR by five years. We look at how...