What Is LGPD? Brazil’s Data Protection Law Explained

Brazil is home to over 185 million internet users – the fifth-largest online population in the world – and one of Latin America’s most dynamic digital advertising markets. For publishers and ad-tech companies serving Brazilian audiences, one law shapes the rules of engagement: the Lei Geral de Proteção de Dados (LGPD).

Enacted in 2018 and in force since September 2020, the LGPD has moved past its introductory phase. Brazil’s data protection authority, the ANPD (Autoridade Nacional de Proteção de Dados), became a fully independent regulatory agency in February 2026 and has published enforcement priorities that explicitly target the use of personal data for advertising. For publishers who have not yet aligned their practices, the compliance window is narrowing.

This guide covers everything publishers need to know: the LGPD’s core provisions, consent and legal bases, the ANPD’s cookie guidance and what it means for your consent banner, data subject rights, enforcement, how the law differs from GDPR in practice, and what you should be doing right now.

What Is the LGPD?

The Lei Geral de Proteção de Dados (Law No. 13,709/2018) is Brazil’s comprehensive data protection statute. Inspired by the EU’s GDPR, it establishes a unified framework for the processing of personal data by individuals, companies, and public authorities.

The law defines three key roles:

  • Controlador (Controller) – the entity that decides why and how personal data is processed. For publishers, this is typically the site or app operator.
  • Operador (Processor) – the entity that processes personal data on behalf of the controller, such as an analytics provider or ad-tech vendor.
  • Titular (Data Subject) – the individual whose personal data is being processed.

The LGPD has extraterritorial scope. It applies whenever:

  • Data processing takes place in Brazil
  • The processing aims at offering goods or services to individuals located in Brazil, or involves processing the data of individuals located in Brazil
  • Personal data was collected in Brazil

This means any publisher or ad platform with Brazilian traffic falls within scope, regardless of where the company is headquartered.

Key Principles

Article 6 of the LGPD sets out ten principles that govern all personal data processing:

  1. Purpose (Finalidade) – processing must serve legitimate, specific, and explicit purposes disclosed to the data subject
  2. Adequacy (Adequação) – processing must be compatible with the stated purpose
  3. Necessity (Necessidade) – processing must be limited to the minimum required (data minimization)
  4. Free Access (Livre Acesso) – data subjects must have easy, free access to information about how their data is processed
  5. Data Quality (Qualidade dos Dados) – personal data must be accurate, clear, relevant, and up to date
  6. Transparency (Transparência) – clear, precise, and easily accessible information about processing must be provided
  7. Security (Segurança) – technical and administrative measures must protect personal data
  8. Prevention (Prevenção) – measures must be adopted to prevent harm from data processing
  9. Non-Discrimination (Não Discriminação) – data must not be processed for discriminatory or abusive purposes
  10. Accountability (Responsabilização e Prestação de Contas) – controllers must demonstrate compliance

For publishers, the practical effect is that every data processing activity – from setting cookies to passing bid requests – must have a clear purpose, be limited to what is strictly necessary, and be transparent to the user.

Legal Bases for Processing

The LGPD provides ten legal bases for processing personal data under Article 7 – more than the GDPR’s six. The most relevant for publishers are:

  • Consent – freely given, informed, and unambiguous agreement by the data subject
  • Legitimate interests – necessary for the legitimate interests of the controller or a third party, provided data subject rights are not overridden
  • Contract performance – necessary for executing a contract to which the data subject is a party
  • Legal obligation – compliance with a legal or regulatory requirement

The remaining six legal bases – public administration, research, exercise of rights, protection of life, health protection, and credit protection (unique to Brazil) – are less relevant in the ad-tech context but contribute to the LGPD’s broader flexibility compared to the GDPR.

Why Consent Matters Most for Advertising

While legitimate interests is available as a legal basis, the ANPD’s enforcement priorities for 2026-2027 explicitly target the use of personal data for advertising and profiling. More importantly, the ANPD’s cookie guidance (covered below) makes clear that consent is the recommended legal basis for non-essential cookies, including those used for behavioral advertising, cross-site tracking, and audience profiling.

Legitimate interests may support some operational activities – fraud detection, basic analytics with aggregated data, security monitoring – but relying on it for advertising-related cookies carries increasing regulatory risk. Publishers should plan for consent as the primary legal basis for advertising data processing in Brazil.

Consent Requirements

Where consent is used as the legal basis, the LGPD sets a high bar. Under Articles 7 and 8, valid consent must be:

  • Freely given – the data subject must have a genuine choice; consent cannot be a condition for accessing a service unless processing is necessary for that service
  • Informed – the data subject must understand what they are consenting to
  • Unambiguous – indicated through a clear affirmative action
  • Purpose-specific – generic authorizations for broad data processing are void
  • Documented – the burden of proof rests with the controller

When consent is given in writing, it must appear in a highlighted clause that stands out from other contractual terms. The data subject has the right to withdraw consent at any time, through a free and facilitated procedure.

For publishers deploying cookies and tracking technologies: pre-ticked boxes, “by continuing to browse” banners, and scroll-based consent are not valid. Each processing purpose – analytics, personalized advertising, cross-site tracking – should have its own consent request. Consent must be obtained before data collection begins.

ANPD Cookie Guidance: What Your Banner Must Look Like

In October 2022, the ANPD published a detailed guidance document on the use of cookies and similar tracking technologies. This is the single most important reference for publishers configuring consent banners for Brazilian visitors – yet most content about LGPD completely overlooks it.

The guidance establishes a two-layer approach to cookie consent:

First Layer: The Initial Banner

The ANPD recommends that the initial cookie banner include:

  • Three equally prominent buttons: Reject All, Configure Preferences, and Accept All. The reject and accept buttons must have equal visual weight – making the reject option less visible, smaller, or harder to find is considered a dark pattern.
  • A brief explanation of what cookies are used for on the site
  • A link to the full Cookie Policy
  • A link for exercising data subject rights
  • Portuguese language – the banner must be in Portuguese for Brazilian visitors

Second Layer: Granular Controls

When a user clicks “Configure Preferences,” they should see a detailed panel with:

  • Category-level toggles for each type of cookie (analytics, functionality, advertising)
  • All non-essential categories disabled by default (opt-in model)
  • Clear descriptions of each category and its purpose
  • Information about cookie retention periods
  • Identification of first-party vs. third-party cookies in each category

Anti-Patterns the ANPD Flags

The guidance specifically identifies practices that the ANPD considers non-compliant:

  1. Showing only an “Accept” button with no way to reject
  2. Making the reject button less prominent than accept (smaller, different color, hidden)
  3. Preventing or impeding rejection of unnecessary cookies
  4. Enabling non-essential cookies by default before consent
  5. Providing no second-layer granular controls
  6. No mechanism for exercising data subject rights
  7. Making it difficult to change cookie preferences after initial choice
  8. Displaying the cookie policy only in a foreign language
  9. Excessive granularity that causes decision fatigue
  10. Tying consent to full acceptance of terms of service (cookie walls)

If your current cookie banner for Brazilian visitors consists of a single “OK” or “I understand” button – as is still common on many major Brazilian publisher sites – it does not meet the ANPD’s recommendations.
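A minimal audit of a banner configuration against the first-layer, second-layer and anti-pattern points listed above. This is an added example, not part of the ANPD guidance or of any CMP's code; the config schema, its field names, the `auditBanner` function and the simplified definition of equal prominence are all assumptions.

```javascript
// Added example. Field names form a hypothetical schema, not any CMP's real format.
const BUTTONS = ["reject", "configure", "accept"];

// Simplified, assumed definition of "equal visual weight": same font size,
// same style variant, and neither button hidden.
function sameProminence(a, b) {
  return !a.hidden && !b.hidden &&
    a.fontSizePx === b.fontSizePx && a.variant === b.variant;
}

// Returns a list of { id, msg } findings; an empty list means no issue was found.
function auditBanner(cfg) {
  const findings = [];
  const flag = (id, msg) => findings.push({ id, msg });
  const first = cfg.firstLayer || {};
  const buttons = first.buttons || {};

  if (!/^pt(-|$)/i.test(cfg.language || "")) flag("language", "banner is not in Portuguese");
  const missing = BUTTONS.filter((name) => !buttons[name]);
  if (missing.length > 0) flag("buttons", "first layer lacks: " + missing.join(", "));
  if (buttons.reject && buttons.accept &&
      !sameProminence(buttons.reject, buttons.accept)) {
    flag("prominence", "reject and accept differ in visual weight");
  }
  if (!first.cookiePolicyUrl) flag("policy-link", "no link to the Cookie Policy");
  if (!first.rightsUrl) flag("rights-link", "no link for data subject rights");
  if (cfg.cookieWall) flag("cookie-wall", "access is tied to accepting cookies");
  if (!cfg.reopenLink) flag("reopen", "no persistent way to change preferences");

  const categories = (cfg.secondLayer && cfg.secondLayer.categories) || [];
  if (categories.length === 0) flag("second-layer", "no category-level controls");
  for (const cat of categories) {
    if (cat.essential) continue; // strictly necessary cookies need no opt-in
    if (cat.defaultOn) flag("default-on", cat.id + " is enabled before consent");
    if (!cat.description || !cat.retention || !cat.party) {
      flag("category-info", cat.id + " lacks description, retention or party");
    }
  }
  return findings;
}

// Constructed sample: a banner following the two-layer layout described above.
const goodBanner = {
  language: "pt-BR", cookieWall: false, reopenLink: true,
  firstLayer: {
    cookiePolicyUrl: "/politica-de-cookies",
    rightsUrl: "/direitos-do-titular",
    buttons: {
      reject: { fontSizePx: 14, variant: "solid" },
      configure: { fontSizePx: 14, variant: "solid" },
      accept: { fontSizePx: 14, variant: "solid" },
    },
  },
  secondLayer: {
    categories: [
      { id: "necessary", essential: true, defaultOn: true },
      { id: "analytics", defaultOn: false, description: "Medição de audiência",
        retention: "13 meses", party: "first" },
      { id: "advertising", defaultOn: false, description: "Publicidade personalizada",
        retention: "6 meses", party: "third" },
    ],
  },
};

// Constructed sample: an English banner with a single accept button and ads on by default.
const okOnlyBanner = {
  language: "en",
  firstLayer: { buttons: { accept: { fontSizePx: 16, variant: "solid" } } },
  secondLayer: { categories: [{ id: "advertising", defaultOn: true }] },
};

console.log(auditBanner(goodBanner).map((f) => f.id));
console.log(auditBanner(okOnlyBanner).map((f) => f.id));
```

A check like this can run against each region's banner configuration before it is deployed; the guidance's point about excessive granularity is left out because the page gives no threshold for it.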

How This Relates to TCF

If you already use a TCF-compliant CMP for European visitors, the good news is that TCF’s vendor-level consent model is more granular than what the ANPD requires. A CMP that meets TCF standards can satisfy the LGPD’s category-level consent requirements – but it still needs to be properly configured for Brazilian visitors. Specifically, it must display the banner in Portuguese, present reject/configure/accept buttons with equal prominence, include a data subject rights link, and default non-essential cookies to off. Your CMP should handle these region-specific settings automatically based on visitor location.

How LGPD Differs from GDPR in Practice

If you already comply with the GDPR, many LGPD concepts will feel familiar. But the practical differences matter – especially for how you configure consent management.

Aspect | LGPD (Brazil) | GDPR (EU)
Legal bases | 10 (including credit protection, unique to Brazil) | 6
Cookie consent model | Category/purpose-level consent (minimum); vendor-level also acceptable | Vendor-level consent via TCF
Banner language | Portuguese required for Brazilian visitors | Local language of each EU member state
Children’s threshold | Under 12: parental consent; 12-17: best interest | 13-16 years (varies by member state)
DPO requirement | Required for all controllers except small processing agents (micro-enterprises, startups) unless high-risk processing | Based on processing type and scale
Penalties | Up to 2% of revenue in Brazil (excl. taxes), capped at R$50M | Up to 4% of global annual turnover
Enforcement body | Single authority (ANPD) | Network of national DPAs

Configuring Your CMP for Brazilian Visitors

Publishers with global audiences need their CMP configured for each region’s specific requirements. For Brazilian visitors, this means:

  • Portuguese language for all consent text, buttons, and cookie policy
  • Equal button prominence for reject, configure, and accept options
  • Non-essential cookies off by default (opt-in model)
  • Data subject rights link in the banner
  • Category-level granular controls in the second layer

A multi-regulation CMP handles these region-specific configurations automatically, detecting visitor location and serving the appropriate consent experience – whether that is a TCF-compliant flow for EU visitors, LGPD-configured flow for Brazilian visitors, or CCPA-compliant experience for Californians.

Data Subject Rights

Article 18 of the LGPD grants data subjects (titulares) nine rights:

  1. Confirmation – the right to confirm whether their personal data is being processed
  2. Access – the right to access their personal data held by the controller
  3. Correction – the right to have incomplete, inaccurate, or outdated data corrected
  4. Anonymization, blocking, or deletion – for unnecessary or excessive data, or data processed in violation of the LGPD
  5. Data portability – the right to transfer personal data to another controller
  6. Deletion of consented data – when consent is withdrawn
  7. Information on sharing – the right to know which entities have received their data
  8. Information on consent consequences – the right to understand the consequences of refusing consent
  9. Revocation of consent – the right to withdraw consent at any time

Controllers must respond to these requests within a reasonable time, in a clear and complete manner, and free of charge. For publishers, this means having operational processes in place to handle access, correction, and deletion requests from Brazilian users. If you already handle DSARs for GDPR, the LGPD process will be familiar – though the specific rights and timelines differ.

Sensitive Data

The LGPD defines sensitive personal data (Article 5, II) as data related to racial or ethnic origin, religious conviction, political opinion, membership in trade unions or religious, philosophical, or political organizations, health, sex life, genetic or biometric data. Article 11 governs how sensitive data may be processed, and one critical restriction applies: legitimate interests cannot be used as a legal basis for processing sensitive data. Only consent or specific legal exceptions (legal obligation, public health, research, fraud prevention) are available.

For publishers, the implication is straightforward: if your ad-tech operations involve any categories that could be classified as sensitive data – health-related content targeting, political interest segments, precise location tracking – you must rely on consent, not legitimate interests.

ANPD and Enforcement

The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil’s data protection authority, responsible for interpreting, overseeing, and enforcing the LGPD.

ANPD Independence: A Turning Point

In February 2026, Law 15.352/2026 formally transformed the ANPD into an independent regulatory agency with full functional, technical, decision-making, administrative, and financial autonomy. This is a significant milestone. Previously, the ANPD operated as a subordinate body with limited independence and resources, which constrained its enforcement capacity.

The newly independent ANPD has 200 new specialist positions being filled. Its enforcement toolkit includes the power to suspend or prohibit processing activities under Article 52, and its new inspection staff have operational powers to order establishments to cease operations and seize goods during investigations.

Penalty Structure

The LGPD’s penalty framework under Article 52 includes:

  • Warning with a deadline for corrective measures
  • Simple fine of up to 2% of the company’s revenue in Brazil (excluding taxes), capped at R$50 million (~USD 10 million) per violation
  • Daily fine to compel compliance
  • Public disclosure of the violation
  • Blocking or deletion of the personal data involved
  • Partial or total suspension of the database or processing activity for up to six months
  • Prohibition of processing activities

While LGPD fines are lower than the GDPR’s 4% of global turnover, the power to suspend processing activities or publicly disclose violations can be equally disruptive to a publisher’s business.

2026-2027 Enforcement Priorities

The ANPD has published its priority areas for the 2026-2027 biennium:

  1. Data subject rights – with special attention to the use of sensitive data for advertising and secondary uses of personal data for targeted advertising
  2. Protection of children and adolescents – age verification, privacy by default, blocking inappropriate content
  3. Public authorities – LGPD compliance and data sharing by government entities
  4. AI and emerging technologies – biometrics, high-risk processing, privacy by design

The first priority is a signal publishers should not ignore: the ANPD is focusing on how personal data is used for advertising. Combined with the agency’s new independence and expanded resources, the enforcement landscape in Brazil is shifting.

Cross-Border Data Transfers

The LGPD restricts international transfers of personal data under Articles 33-36. For publishers working with ad-tech vendors that process data outside Brazil, this is directly relevant.

Transfers are permitted when:

  • The receiving country provides an adequate level of data protection (as determined by the ANPD)
  • The controller provides appropriate safeguards, including Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)
  • The data subject provides specific, informed consent for the transfer

A critical deadline passed on August 23, 2025: the end of the grace period for implementing ANPD-approved SCCs under Resolution CD/ANPD No. 19/2024. All international data transfers must now use approved SCCs or another valid mechanism.

In January 2026, Brazil and the EU reached a mutual adequacy decision, recognizing each other’s data protection frameworks as providing adequate protection. This simplifies data flows between the two jurisdictions but also creates additional accountability – both sides have committed to periodic reviews of the arrangement.

Children’s Data

The LGPD imposes specific protections for children’s and adolescents’ data under Article 14:

  • Processing personal data of children (under 12) requires specific and prominent consent from at least one parent or legal guardian
  • Processing data of adolescents (12-17) must be carried out in their best interest, with heightened scrutiny
  • Controllers must make reasonable efforts to verify that consent was given by a parent or guardian
  • Data collection must be limited to what is strictly necessary

The ANPD’s 2026-2027 priorities explicitly target children’s data, particularly in the context of the Digital Statute for Children and Adolescents (Digital ECA), which introduces additional requirements for technology providers. Publishers with content likely accessed by minors should implement appropriate safeguards.

What Publishers Should Do Now

1. Deploy LGPD-Compliant Consent Management

Implement a CMP that serves Brazilian visitors with a consent flow that meets ANPD recommendations: Portuguese language, three equally prominent buttons (reject/configure/accept), category-level toggles with non-essential cookies off by default, and a persistent mechanism for changing preferences. If you already use a CMP for GDPR, ensure it supports geo-targeted flows that show the appropriate banner based on the visitor’s location.

2. Audit Your Data Practices

Map all personal data collected from Brazilian users – cookies, device identifiers, IP addresses, behavioral data, and data passed through programmatic auctions. Document the legal basis for each processing activity and identify all third parties receiving data.

3. Appoint a Data Protection Officer

The LGPD requires controllers to appoint a DPO (Encarregado). ANPD Resolution No. 2/2022 exempts small processing agents – micro-enterprises, small businesses, startups, and individual processors – provided they maintain a communication channel for data subjects. However, this exemption does not apply if the small agent performs high-risk processing (large-scale data or processing that significantly affects fundamental rights). Most publishers with meaningful Brazilian traffic will need to appoint a DPO. Publish the DPO’s contact information and ensure they can handle data subject requests and interface with the ANPD.

4. Update Privacy Notices

Draft clear privacy and cookie policies in Portuguese that describe what data you collect, the legal basis for each processing activity, which third parties receive data, and how data subjects can exercise their rights.

5. Review Cross-Border Data Transfers

Confirm that ANPD-approved SCCs or other valid transfer mechanisms are in place for all international data flows involving Brazilian users’ personal data.

6. Build Data Subject Rights Processes

Implement workflows to handle access, correction, deletion, portability, and consent withdrawal requests from Brazilian users. If you already have DSAR processes for GDPR, extend them to cover LGPD-specific rights.

How Clickio Consent Helps with LGPD Compliance

Clickio Consent is a multi-regulation consent management platform built for publishers. It provides the capabilities needed to meet the LGPD’s requirements alongside your existing GDPR compliance.

Multi-Regulation, Geo-Targeted Consent Flows

Clickio Consent handles multiple regulatory frameworks from a single implementation. It automatically detects visitor location and serves the appropriate consent experience – TCF-compliant flows for EU/EEA visitors and LGPD-appropriate flows for Brazilian visitors – eliminating the need for separate CMP deployments.

Multi-Language Support

With support for 26+ languages including Portuguese, Clickio Consent can serve Brazilian visitors with a fully localized consent experience – meeting the ANPD’s requirement that cookie information be provided in the user’s language.

Purpose-Specific Consent Collection

Clickio Consent presents users with clear choices for each category of data processing – analytics, personalized advertising, cross-site tracking – rather than bundling everything into a single “accept all” action. This aligns with the LGPD’s requirement for purpose-specific consent and the ANPD’s guidance on category-level controls.

Consent Record-Keeping

The LGPD places the burden of proof on the controller to demonstrate that valid consent was obtained. Clickio Consent automatically maintains a full audit trail of consent events – when consent was given, for which purposes, and when it was withdrawn.

Google Consent Mode v2

For publishers running Google Ad Manager, AdSense, or Google Analytics, Clickio Consent communicates consent signals directly to Google services via Consent Mode v2, ensuring that ad serving and analytics adjust automatically based on each user’s consent status.

Frequently Asked Questions

Does the LGPD apply to publishers outside Brazil?

Yes. The LGPD has extraterritorial scope. If you collect personal data from individuals located in Brazil – even through cookies set when a Brazilian user visits your site – the law applies regardless of where your company is based.

Can I use the same CMP for EU and Brazilian visitors?

Yes – you need one CMP, but it must be configured differently for each region. Brazilian visitors need Portuguese language, ANPD-compliant button layout, and a data subject rights link. A multi-regulation CMP detects visitor location and serves the right configuration automatically.

Is LGPD enforcement ramping up?

Yes. The ANPD gained full independence in February 2026, is filling 200 new specialist positions, and has published enforcement priorities that explicitly target the use of personal data for advertising. Publishers who get their consent management in order now will be well-positioned as enforcement scales up.

How is the LGPD different from the GDPR?

The core principles are similar, but the practical differences matter for publishers. The LGPD has 10 legal bases (vs. 6), requires Portuguese-language consent banners with specific ANPD-mandated design requirements, requires a DPO for most controllers (with exemptions for small processing agents), and includes both monetary penalties and the power to suspend data processing activities. See the comparison table above for details.

What about the CCPA – do I need to comply with that too?

If you serve US traffic, the CCPA likely applies as well. Each privacy law has its own requirements, which is why a multi-regulation CMP is the most practical approach for publishers with a global audience.

Conclusion

Brazil’s LGPD governs one of the world’s largest digital markets, and the regulatory landscape is evolving rapidly. With the ANPD now operating as a fully independent agency and enforcement priorities explicitly targeting advertising-related data practices, the compliance window for publishers is narrowing.

The good news is that if you already have a CMP in place for GDPR, extending it to cover LGPD is straightforward – it is a matter of configuring the right consent experience for Brazilian visitors: Portuguese language, ANPD-compliant banner design, and proper consent collection. A multi-regulation CMP can handle LGPD alongside your existing GDPR and CCPA compliance from a single implementation.

The time to act is now. Audit your data practices, deploy LGPD-compliant consent management for your Brazilian traffic, and ensure your privacy notices and data subject rights processes are ready.
