What Is Brazil’s LGPD? A Complete Guide for Organizations

Share:

Brazil’s Lei Geral de Proteção de Dados (LGPD) is Brazil’s federal data protection law. It has been in force since September 2020, with enforcement provisions active since August 2021, and is administered by the ANPD (Autoridade Nacional de Proteção de Dados). The LGPD applies extraterritorially to any organization processing the personal data of people in Brazil, requiring a lawful basis for processing, a Data Protection Officer in most cases, and mandatory breach notification. Non-compliance can result in fines of up to 2% of a company’s Brazilian revenue, capped at R$50 million per violation.

For cybersecurity teams building or maintaining a Brazil-facing compliance program, understanding exactly what the LGPD requires, who enforces it, and how enforcement priorities are shifting is essential to keeping controls audit-ready. This guide answers the core questions security leaders ask about the law.

What Is the LGPD?

The LGPD (Law No. 13.709/2018) is Brazil’s comprehensive data protection statute, in force since September 18, 2020. It governs how organizations collect, store, process, and share the personal data of individuals in Brazil, covering everything from basic identifiers like names and emails to sensitive categories such as health records and religious affiliation.

The law establishes lawful bases for processing, requires a DPO for most organizations, mandates incident notification, and grants data subject rights including access, correction, deletion, portability, and objection.

If your organization is auditing its LGPD program, our data privacy compliance services team can map these requirements against your existing controls.

Who Enforces the LGPD, and Who Must Comply?

lgpd-applies

The ANPD is Brazil’s federal regulator, holding authority to enforce LGPD obligations and apply statutory penalties, including fines and prohibition of processing activities in the country. The ANPD sits within the Ministry of Justice and was formalized as a full regulatory agency under Decree No. 12.881/2026.

Enforcement isn’t limited to the ANPD alone. Companies can also face claims from data subjects, consumer protection authorities, and sector regulators such as the central bank, telecom regulator, and securities commission. Financial institutions, telecom providers, and public entities often face overlapping obligations from these bodies in addition to the ANPD.

Compliance applies to any private company, public entity, or nonprofit processing personal data tied to Brazil, including foreign SaaS vendors, cloud providers, and multinationals with Brazilian customers, regardless of headquarters location.

When Did the LGPD Take Effect, and What’s the Enforcement Timeline?

The LGPD was passed in 2018 and entered into effect on September 18, 2020, though its enforcement and sanctioning provisions didn’t take hold until August 1, 2021. Since then, enforcement has accelerated in distinct phases:

  • The ANPD’s first sanction, issued in 2023, targeted a small telecom firm to signal that compliance obligations apply to businesses of every size.
  • Between 2023 and 2025, the ANPD imposed roughly BRL 98 million (about $20 million) in cumulative fines across telecom, healthcare, and public sector cases.
  • In December 2025, the ANPD published its Map of Priority Issues for the 2026 to 2027 biennium alongside an updated Regulatory Agenda, formally prioritizing data subject rights, children’s data protection under Brazil’s Digital ECA, public sector governance, and AI oversight as enforcement focus areas.

That progression, from a single symbolic sanction to a structured, multi-year enforcement roadmap, signals a maturing regulatory posture. Security teams should treat this period as high-risk for compliance gaps to surface.

Where Does the LGPD Apply?

The LGPD applies wherever the processing operation is carried out in Brazil, where the goods or services offered target individuals located in Brazil, or where the personal data was collected in Brazil, regardless of where the controller or processor is legally based.

In practice, a company headquartered anywhere in the world is in scope the moment it processes the personal data of people in Brazil. A marketing site targeting Brazilian consumers, an app with Brazilian users, or a vendor storing data collected from Brazil all trigger LGPD obligations. No local office or subsidiary is required.

What is the Importance of LGPD?

Three factors make the LGPD a priority rather than a regional afterthought for security leaders:

  1. Enforcement is accelerating, not stabilizing: Fine totals and case volume have both grown year over year since 2023, and the ANPD’s published priority map signals continued escalation through 2027.
  2. Sector regulators add another layer: Financial services, telecom, and healthcare organizations face LGPD obligations on top of rules from bodies like BACEN, ANATEL, and CVM, meaning a single incident can trigger multiple regulatory exposures.
  3. AI and children’s data are now explicit enforcement priorities: The ANPD’s 2026 to 2027 priority map explicitly names AI and emerging technologies, plus protection of children and adolescents, as central enforcement axes. Any organization deploying AI systems that touch Brazilian personal data should expect closer scrutiny.

How Should Cybersecurity Teams Approach LGPD Compliance?

approach-lgpd-compliance
  1. Map all data flows tied to Brazil: Identify every system, vendor, and process that collects, stores, or transmits data belonging to individuals in Brazil, including data gathered indirectly through analytics or advertising tools.
  2. Confirm DPO appointment and authority: The LGPD’s DPO requirement applies more broadly than many organizations assume. Confirm the role has real authority over data governance, not just a nominal title.
  3. Build breach procedures around ANPD requirements: Notification obligations apply regardless of incident size, so your response plan needs a clear trigger and timeline specific to Brazil.
  4. Establish a lawful basis for every processing activity: Document which of the law’s ten lawful bases applies to each data flow and keep that documentation current.
  5. Monitor ANPD regulatory output continuously: The ANPD actively issues new resolutions, not just a static rulebook. The official ANPD website publishes its resolutions and priority maps directly. For the full statutory text, the official LGPD law text is the authoritative reference.
  6. Prioritize AI and minors’ data processing: Given the ANPD’s stated focus areas, any system processing children’s data or training AI models on personal data warrants a dedicated risk review.

Ready to Strengthen Your LGPD Compliance Posture?

Enforcement is accelerating, and the ANPD’s next round of priorities is already public.

Talk to our data privacy and compliance team for a full LGPD gap assessment that identifies exposure across your data flows, vendor relationships, and AI systems before the ANPD does.

Enjoyed reading this blog? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

×

7th August 2026

New Delhi, India

Know more
Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Talk to an expert