What Is Lei Geral de Proteção de Dados Pessoais?
The Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Law, Law No. 13,709 of 2018) is Brazil's comprehensive data protection framework. In force since 18 September 2020, with administrative sanctions enforceable from 1 August 2021, LGPD is closely modelled on EU GDPR and governs the processing of personal data by any entity — public or private — in Brazil. LGPD defines 10 legal bases for processing (two more than GDPR: credit protection and executive/legislative function), 9 data subject rights, and establishes the Autoridade Nacional de Proteção de Dados (ANPD) as the federal regulator. ANPD became fully operational in 2021 and has been increasingly active — issuing Resolution CD/ANPD No. 4/2023 on administrative fines methodology and publishing guidance on cookies, data protection officers, and international transfers. LGPD has extraterritorial scope: it applies to any processing operation where data was collected in Brazil, where the data subject was in Brazil at collection time, or where processing aims to offer goods or services to individuals in Brazil (Article 3).
At a glance
- Full name
- Lei Geral de Proteção de Dados Pessoais
- Short code
- LGPD
- Jurisdiction
- Brazil
- Enacted
- 2018
- Last major update
- In force 18 September 2020; administrative penalties enforceable from August 2021
- Regulator
- Autoridade Nacional de Proteção de Dados (ANPD)
- Private right of action
- Yes
- Statutory citation
- Lei nº 13.709, de 14 de agosto de 2018
Scope — who LGPD covers
Protected data
Data subject rights
Right of confirmation that the processing exists (Article 18 I)
Right of access to data (Article 18 II)
Right of correction of incomplete, inaccurate, or outdated data (Article 18 III)
Right to anonymization, blocking, or deletion of unnecessary/excessive data (Article 18 IV)
Right of data portability to another provider (Article 18 V)
Right to deletion of personal data processed with consent (Article 18 VI)
Right to information about public and private entities with which data was shared (Article 18 VII)
Right to information about the possibility of denying consent and the consequences (Article 18 VIII)
Right to revocation of consent (Article 18 IX)
Notable features
LGPD's distinctive features include ten legal bases for processing (two more than GDPR — credit protection and execution of public policy by public entities), a specific regime for processing by public authorities, and a strong connection to Brazil's Federal Constitution right to data protection (added by Constitutional Amendment No. 115/2022 as a fundamental right). ANPD has also been notably active on cross-border transfers, publishing an International Data Transfer Regulation (Resolution 19/2024).
Enforcement & penalties
Regulator: Autoridade Nacional de Proteção de Dados (ANPD)
Penalties: Administrative sanctions under Article 52: warning; simple fine up to 2% of revenue from the previous financial year in Brazil, capped at R$50 million per violation; daily fine up to R$50 million; publication of the violation; blocking of personal data; elimination of personal data; partial suspension of database operations (up to 6 months); partial or total prohibition of data-processing activities.
Private right of action: Article 42 LGPD creates an express right to compensation (material, moral, individual, or collective damages). Joint and several liability between controllers and processors applies. Consumer class actions (ações civis públicas) brought by Public Prosecutors (Ministério Público) and consumer protection authorities (Procons) have driven several high-profile LGPD settlements.
Relevance to data brokers
LGPD applies extraterritorially to any data broker collecting, using, or selling data about individuals in Brazil. ANPD enforcement has been active — Meta, Vivo Telecom, and Serasa Experian have all faced LGPD-related investigations. Brazilian residents can file complaints online at gov.br/anpd/pt-br. The R$50M per-violation cap plus potential consumer class actions make LGPD one of the more financially significant non-EU/US privacy regimes.
Exercise your rights
Remove your data from 300+ brokers for $5
OfflistMe drafts opt-out emails citing LGPD and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Does LGPD apply to companies outside Brazil?+
Yes. Article 3 gives LGPD extraterritorial scope: it applies whenever data is processed in Brazil, collected in Brazil, or when processing aims to offer goods or services to individuals located in Brazil. A US data broker holding data on Brazilian residents is subject to LGPD.
How do I file a complaint with ANPD?+
Submit a petition at gov.br/anpd/pt-br (the "Peticionamento" portal). ANPD can investigate, issue corrective orders, and levy fines. For consumer class-scale issues, the Ministério Público and consumer protection authorities (Procons) are parallel enforcement channels.
What are the 10 legal bases for processing under LGPD?+
Per Article 7: (1) consent, (2) compliance with legal/regulatory obligation, (3) public administration processing, (4) studies by research bodies, (5) contract performance, (6) judicial proceedings, (7) legitimate interest, (8) credit protection, (9) protection of life/physical safety, (10) health protection. Sensitive data has a separate, narrower set of legal bases under Article 11.
Official sources & citations
Other international privacy regimes
LGPD sits in a global ecosystem of data-protection laws. Compare with other jurisdictions that shape cross-border data flows: