Does LGPD Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers LGPD scope, obligations, and penalties.
About LGPD
The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law, modelled closely on the EU's GDPR. It entered into force in September 2020, with enforcement by the Autoridade Nacional de Proteção de Dados (ANPD) commencing thereafter.
Broad territorial scope: Similar to GDPR, LGPD applies to any processing operation, carried out by a natural person or a legal entity (public or private), that involves personal data of individuals located in Brazil. This includes organisations based outside Brazil that: (a) offer or supply goods or services to individuals in Brazil; (b) process personal data collected in Brazil; or (c) carry out the processing activity in Brazil (Art. 3 LGPD).
Legal bases for processing: LGPD identifies ten legal bases for processing personal data under Art. 7, including: consent, legitimate interests, legal obligation, execution of contracts, data protection studies, exercise of rights in judicial/administrative proceedings, protection of life, protection of health, public interest, and credit protection. For sensitive data, fewer bases apply and consent is required in most cases.
Brazil's ANPD has been actively developing implementing regulations since 2021 and has issued guidance on data transfers, security incidents, and consent requirements. The LGPD framework continues to mature with ongoing regulatory activity.
Key obligations under LGPD
Frequently asked questions
Does LGPD apply to companies outside Brazil?
Yes. LGPD applies to any entity, regardless of where it is established, that processes personal data of individuals located in Brazil, where the processing is aimed at offering goods or services to individuals in Brazil, the data was collected in Brazil, or the processing activity takes place in Brazil. This extraterritorial scope mirrors GDPR's approach under Art. 3(2).
What are sensitive personal data under LGPD?
LGPD Art. 5(II) defines sensitive personal data as: racial or ethnic origin; religious beliefs; political opinions; membership in trade unions or religious, philosophical, or political organisations; data concerning health or sexual life; and genetic or biometric data. Processing sensitive data requires explicit and specific consent, or one of the limited alternative bases under Art. 11 LGPD.
What are the LGPD penalties?
LGPD penalties include: warnings; fines of up to 2% of a company's revenue in Brazil (from its last fiscal year, excluding taxes), capped at R$50,000,000 (approximately USD 10 million) per violation; daily fines; publication of the violation; data processing suspension; and deletion of the personal data involved. The ANPD may apply these cumulatively.
What is the data breach notification deadline under LGPD?
LGPD Art. 48 requires organisations to notify the ANPD and affected data subjects of security incidents that may pose risk or relevant damage to data subjects. The ANPD has issued guidance recommending notification within 2 business days of the data controller becoming aware of the incident, with a more complete report within 30 business days.
Is LGPD similar to GDPR?
Yes, LGPD is closely modelled on GDPR. Key similarities include: broad territorial scope; multiple lawful bases for processing; data subject rights (access, correction, deletion, portability, objection); mandatory DPO appointment; data breach notification; Data Protection Impact Assessments; and restrictions on international data transfers. Key differences include: LGPD has 10 legal bases vs GDPR's 6; Brazil has one national supervisory authority (ANPD) rather than multiple; and LGPD's penalties are capped differently.
Not legal advice — educational information only