Quick answer: LGPD (Lei Geral de Proteção de Dados) is Brazil's data protection law, modelled after GDPR but with key differences. If your website or SaaS has users in Brazil, you likely need to comply with both LGPD and GDPR. The main differences are in legal bases for processing, DPO requirements, and enforcement mechanisms.
LGPD vs GDPR: Side-by-Side Comparison

| Aspect | GDPR (EU) | LGPD (Brazil) |
|---|---|---|
| Effective Date | May 2018 | September 2020 |
| Scope | EU residents' data, anywhere processed | Data collected/processed in Brazil or of individuals in Brazil |
| Legal Bases | 6 legal bases | 10 legal bases (adds credit protection, health protection) |
| Consent | Must be freely given, specific, informed, unambiguous | Same — must be free, informed, unambiguous, and for a specific purpose |
| Legitimate Interest | Allowed with balancing test | Allowed but ANPD can request a LIA (Legitimate Interest Assessment) |
| DPO Required? | Required for large-scale processing or public bodies | Required for all controllers (ANPD may exempt small businesses) |
| Breach Notification | 72 hours to DPA | "Reasonable time" — no fixed deadline (ANPD recommends 2 business days) |
| DPIA Required? | When processing poses high risk | ANPD can request a "Privacy Impact Report" at any time |
| Cross-Border Transfers | Adequacy decisions, SCCs, BCRs | Similar — adequacy, SCCs, BCRs, or specific consent |
| Fines | Up to €20M or 4% of global revenue | Up to 2% of Brazilian revenue, capped at R$50M (~€8.5M) per violation |
| Enforcement Authority | National DPAs (CNIL, ICO, BfDI, etc.) | ANPD (Autoridade Nacional de Proteção de Dados) |
| Data Portability | Required | Required |
| Right to Erasure | Yes (with exceptions) | Yes (with fewer exceptions) |
| Children's Data | Parental consent under 16 (Member States can lower to 13) | Parental consent required for under 18 |
Key Differences That Matter in Practice
1. More Legal Bases Under LGPD
LGPD recognizes 10 legal bases for processing (vs. GDPR's 6), including:
- Credit protection: Processing for credit scoring and risk assessment
- Health protection: Processing of health data by health professionals in emergencies
- Research by study bodies: Academic and statistical research
- Protection of life: Broader than GDPR's "vital interests"
2. DPO for Everyone
Under GDPR, a DPO is required only in specific cases. Under LGPD, every data controller must appoint a DPO ("encarregado"). The ANPD may exempt small businesses from this obligation, but it has not yet done so broadly.
3. Lower Fines, But Growing Enforcement
LGPD fines are capped at R$50 million (~€8.5M) per violation, significantly lower than GDPR. However, the ANPD has been actively enforcing since 2023, and penalties include daily fines, public disclosure of violations, and data processing bans.
4. Cookie Consent
Unlike the EU's ePrivacy Directive, Brazil does not have a separate cookie law. However, cookies that process personal data fall under LGPD, meaning consent is still required for tracking cookies. Use a cookie consent banner that covers both GDPR and LGPD.
If You're Already GDPR Compliant, What Extra Steps for LGPD?
- Appoint a DPO (if you haven't already) — LGPD requires this for all controllers
- Update your privacy policy to mention LGPD compliance and ANPD as the authority
- Review your legal bases — some processing may have different legal bases under LGPD
- Add Portuguese translation of your privacy policy and cookie notice
- Prepare for ANPD requests — they can ask for Privacy Impact Reports at any time
- Map data flows to/from Brazil and ensure adequate transfer mechanisms
Frequently Asked Questions
Does LGPD apply if my company is not in Brazil?
Yes. LGPD applies to any organization that processes data of individuals located in Brazil, or collects data in Brazil — regardless of where the organization is based. This mirrors GDPR's extraterritorial reach.
Can I use the same DPA for GDPR and LGPD?
You can include LGPD provisions in your existing DPA, but you should add specific references to LGPD articles and the 10 legal bases. Many companies use a single "Global DPA" that covers both.
Is Brazil considered adequate under GDPR?
Not yet. The EU has not granted Brazil an adequacy decision as of 2026. Data transfers from the EU to Brazil require Standard Contractual Clauses or other safeguards under GDPR Chapter V.
How do I check if my website complies with both GDPR and LGPD?
Use PrivacyChecker to scan your website for cookie compliance, consent banner implementation, privacy policy completeness, and third-party tracker detection. The same privacy standards apply to both regulations.