Industry Playbooks

Brazil LGPD compliance: Privacy law guide for app builders

By Riya Thambiraj | 14 min read

What Matters

  • LGPD applies to any app with Brazilian users - it follows the data subject's location, not the company's headquarters
  • LGPD gives 10 legal bases for processing, compared to GDPR's 6 - including credit protection and health protection, which matter for fintech and health apps
  • The ANPD started fining companies in 2023, with penalties up to 2% of Brazil revenue capped at R$50 million per violation
  • Sensitive data (health, biometric, racial, religious, political, sexual orientation) requires a lawful basis from a narrower list - consent or legal obligation
  • A DPO (called Encarregado in Brazil) is effectively required for any company doing large-scale data processing of Brazilian residents

In August 2023, the ANPD - Brazil's data protection authority - fined a telecom company R$1.8 million for exposing personal data of thousands of customers. It was the authority's first major public fine. The case involved a breach where names, CPF numbers (Brazil's national ID), and contact data were accessible without authorization.

The fine itself wasn't catastrophic. What followed was. Media coverage damaged the company's reputation in a market of 215 million people. Regulator attention intensified. And every other company with Brazilian users suddenly had proof that the ANPD was done warming up.

Brazil's LGPD has been law since 2018. Enforcement started in 2020. The ANPD has been actively investigating since 2021. If your app has Brazilian users and you haven't looked at LGPD, you're behind.

TL;DR
Brazil's LGPD applies to any processing of personal data of individuals in Brazil - regardless of where your company is based. It provides 10 legal bases for data processing, requires data subject rights (access, correction, deletion, portability), recommends a DPO for large-scale processing, and is enforced by the ANPD. Penalties reach 2% of Brazil revenue per violation, capped at R$50 million (~$10 million). LGPD is similar to GDPR but has important differences: 10 legal bases instead of 6, Brazil-specific categories like credit protection, and a still-developing enforcement track record.

What LGPD is and where it came from

LGPD - Lei Geral de Proteção de Dados, or the General Data Protection Law - was signed in 2018 and went into force in September 2020. Administrative sanctions (fines and penalties) became active in August 2021, after the Brazilian Supreme Court confirmed the ANPD's authority to enforce them.

Brazil modeled LGPD closely on GDPR. The structure is similar. The rights are similar. The principles - purpose limitation, data minimization, transparency - are the same.

The market context explains the urgency. According to Brazil's official IBGE 2024 survey, 168 million Brazilians aged 10 and over - 89.1% of the population in that age group - used the internet in 2024. That's a massive digital market, and every one of those users generates personal data subject to LGPD.

But LGPD isn't a copy. It has 10 legal bases where GDPR has 6. It treats credit protection as a distinct lawful basis - which matters for any fintech product operating in Brazil. And it operates through an authority - the ANPD - that is newer, smaller, and still building its enforcement muscle compared to European data protection regulators.

That doesn't mean the risk is lower. The ANPD issued formal guidelines in 2021, started investigations in 2022, and issued fines in 2023. The trajectory is clearly toward stricter enforcement. Mayer Brown's reporting on the ANPD's first enforcement action confirms the July 2023 fine against telecom company Telekall - two fines of BRL 7,200 each (BRL 14,400 total) for exposing customer data. The fines were proportionate to the company's size. Larger companies face proportionately larger exposure.

Who LGPD applies to

LGPD applies to the processing of personal data when:

  • The data processing takes place in Brazil - regardless of where the company is
  • The purpose of the processing is to offer goods or services to individuals in Brazil - the "offering" test applies even if your company never incorporated in Brazil
  • The personal data was collected in Brazil - even if it's later processed abroad

The extraterritorial reach is real. A US-based company running an app available in Brazil, with Brazilian users creating accounts and generating data, is subject to LGPD. No Brazilian subsidiary needed.

The practical test: if your app is live in the Brazilian app stores, if you accept Brazilian payment methods, if your site is in Portuguese, or if you advertise to Brazilian users - LGPD applies.

LGPD's 10 legal bases

This is where LGPD most visibly differs from GDPR. Where GDPR offers 6 lawful bases for processing, LGPD offers 10. The additional bases reflect Brazil's legal traditions and specific policy priorities.

Legal basis | What it means | Common use cases
Consent | Explicit agreement from the data subject | Marketing emails, optional analytics, non-essential features
Contract performance | Processing needed to fulfill a contract with the user | Delivering a service, processing an order
Legal or regulatory obligation | Processing required by Brazilian law | Tax records, financial compliance, anti-money laundering
Public policy execution | Processing by public authorities for official functions | Government services
Scientific research | Anonymized or pseudonymized research processing | Academic and market research
Regular exercise of rights | Processing for legal proceedings or regulatory defense | Litigation support, audits
Legitimate interest | Processing for the controller's or a third party's legitimate interest | Fraud prevention, security, direct marketing to existing customers
Credit protection | Processing for credit scoring or fraud prevention in credit contexts | Fintech, lending, BNPL products
Life protection | Processing to protect someone's life | Emergency health situations
Health protection | Processing by health professionals or health authorities | Healthcare platforms, telemedicine

Credit protection is unique to LGPD and has no direct equivalent in GDPR. It means fintech apps operating in Brazil can process certain financial data for credit-related purposes without relying on consent - which is practically significant in a market where credit access is a major product category.

Legitimate interest requires a balancing test - just like GDPR. You must document that your legitimate interest doesn't override the data subject's rights. The ANPD expects this analysis to be written down, not just assumed.

Data subject rights under LGPD

LGPD gives Brazilian residents rights over their personal data. The structure is similar to GDPR, with some Brazilian-specific nuances.

Right of access - Users can request confirmation that you process their data and a copy of what you hold. You must respond within a reasonable time (ANPD guidance suggests 15 days for most requests).

Right to correction - Users can request corrections to incomplete, inaccurate, or outdated data.

Right to anonymization, blocking, or deletion - Users can request that unnecessary, excessive, or non-compliant data be anonymized, blocked, or deleted. This applies specifically to data processed on the basis of consent.

Right to portability - Users can request their data in a structured format to transfer to another service provider.

Right to information about sharing - Users can request information about which public and private entities their data has been shared with. This is more explicit than GDPR's equivalent right.

Right to revoke consent - When consent is the legal basis, users can withdraw it at any time. The withdrawal must be as easy as giving consent.

Right to object - Users can object to processing, particularly when it causes harm.

Deletion under LGPD is more limited than under GDPR

LGPD's deletion right applies primarily to data collected via consent. If you collected data under another legal basis - contract performance, legal obligation, or legitimate interest - the user's right to deletion may not automatically apply. This is different from GDPR, where the right to erasure can apply more broadly. Knowing which legal basis you used for each data type matters when handling deletion requests.

Sensitive data - a higher protection standard

LGPD applies stricter rules to sensitive personal data categories. These categories get a shorter list of legal bases - you can't use legitimate interest or credit protection for sensitive data.

Sensitive data under LGPD includes:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union membership
  • Health data (including mental health)
  • Sexual orientation and sex life data
  • Genetic data
  • Biometric data when used for identification purposes
  • Data of children and adolescents (under 18)

For sensitive data, the legal basis is typically explicit consent or a legal/regulatory obligation. "Legitimate interest" is not available for sensitive categories.

Practical implications: a health app tracking symptoms or conditions, a fitness app using biometric data, or a platform collecting demographic data about users is processing sensitive data. The consent flow must be more explicit - layered consent, not just a general terms acceptance.

Children's data is particularly strict. Under LGPD, processing data of users under 18 requires parental or guardian consent.

The DPO (encarregado) requirement

LGPD requires controllers to designate an Encarregado - what GDPR calls a Data Protection Officer (DPO). This person:

  • Receives data protection complaints and requests from data subjects
  • Communicates with the ANPD
  • Guides employees on LGPD requirements
  • Is publicly identified - the controller must make the DPO's contact information available

LGPD doesn't define exact thresholds for when a DPO is required the way GDPR does. The ANPD's guidance treats the appointment as effectively mandatory for any organization doing large-scale personal data processing.

For most companies with significant Brazilian user bases, appointing a DPO is the safest approach. The ANPD looks favorably on organizations that have a designated contact for data protection matters. In a November 2024 enforcement campaign, the ANPD opened proceedings against 20 companies for failing to appoint or disclose a DPO - and all 20 were required to achieve compliance before the matter closed in April 2025.

The DPO can be an employee or an external service provider. They don't have to be based in Brazil.

LGPD vs GDPR - the key differences

"The biggest mistake we see with LGPD projects is teams assuming it's just GDPR with different branding. The 10 legal bases trip people up - especially fintech products that rely on credit protection as a lawful basis. That basis doesn't exist in GDPR. If your team is mapping LGPD onto your existing GDPR playbook and calling it done, you're likely missing Brazil-specific requirements that the ANPD will notice." - Ashit Vora, Captain at 1Raft

If your team already has GDPR processes in place, LGPD compliance is achievable without starting from scratch. But the differences matter.

Area | LGPD | GDPR
Legal bases | 10 | 6
Credit protection basis | Yes (unique to Brazil) | No
Maximum fine | 2% of Brazil revenue, cap R$50M (~$10M) | 4% of global revenue, no cap
DPO requirement | Effectively mandatory for large-scale processing | Mandatory for specific defined categories
Adequacy decisions | ANPD list still in development | EU adequacy list established
Data breach notification | Must notify ANPD and affected subjects | Must notify within 72 hours
Enforcement authority | ANPD (newer, still building capacity) | The national authority of each EU member state (ICO, CNIL, etc.)
Children's data age threshold | Under 18 | Under 16 (varies by EU member state, minimum 13)
Transfer mechanisms | SCCs, adequacy, BCRs, consent | SCCs, adequacy, BCRs, consent, others

The most important practical difference is the credit protection legal basis. Fintech apps in Brazil can process financial data for credit-related purposes without needing consent - which is significant in a market where credit scoring data is commercially valuable and widely used.

The fine structure is different but not necessarily lower. LGPD's cap of R$50 million per violation sounds lower than GDPR's uncapped fines. But if the ANPD treats each affected data subject as a separate violation, the total exposure can be substantial for a breach affecting millions of Brazilians.

How LGPD affects your app architecture

LGPD's requirements translate into the same kinds of technical systems as GDPR - but you need to account for Brazilian-specific needs.

LGPD requirement | Architecture impact
10 legal bases | Your consent management system must track which legal basis applies to each data processing activity, not just consent/no consent
Deletion right (consent-based) | Your deletion flow needs to check the legal basis before processing a deletion request - some requests may not be applicable
DPO contact requirement | Your privacy policy and app interface must display the DPO's name and contact details publicly
Children's data | Age verification or parental consent flow if your app serves users under 18
Sensitive data handling | Separate consent UI for sensitive categories, explicit confirmation before processing
Cross-border transfers | Standard contractual clauses or other transfer mechanisms if your servers are outside Brazil
Data breach notification | Breach detection, ANPD notification process, and affected user notification capability

Cross-border transfers

This is the area where LGPD is still evolving. The ANPD has authority to publish adequacy decisions for countries that provide adequate data protection. As of 2026, the ANPD's adequacy decision list is still limited.

For most international data transfers, standard contractual clauses (SCCs) are the practical mechanism. The ANPD published its own standard contractual clauses model, which differs from the EU's SCCs.

The practical advice: if you're serving Brazilian users with servers outside Brazil, map your data flows, identify what's being transferred internationally, and implement SCCs for those transfers. Keep documentation that shows you've thought through the transfer mechanism.

Questions to ask your development partner

  1. "How does your consent system track legal basis - not just consent status?" - For LGPD, you need to record which of the 10 legal bases applies to each data processing activity. A binary "consented yes/no" flag isn't enough.

  2. "How do you handle data subject deletion requests when different data was collected under different legal bases?" - An experienced team should explain that LGPD's deletion right is basis-specific. Data collected for contract performance may not be deletable on demand in the same way as consent-collected data.

  3. "Do you have experience building apps for the Brazilian market specifically?" - LGPD has local nuances - CPF as the primary identifier, Brazilian payment data regulations, credit protection as a legal basis for fintech. Market-specific experience matters.

  4. "How do you handle sensitive data categories in your data model and consent flows?" - Look for explicit separation of sensitive data, separate consent UI for each sensitive category, and documented justification for the legal basis used.

  5. "What's your approach to ANPD data breach notification?" - They should describe breach detection capabilities, documented response procedures, and a notification workflow that can reach the ANPD within a reasonable timeframe.

  6. "How do you handle the DPO contact requirement in the app and privacy policy?" - This is a visible requirement. The DPO's contact must be publicly accessible. Ask how they've implemented this in previous projects.
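To make the architecture table above and partner questions 1, 2 and 4 concrete, here is an added Python example (not code from the article or from 1Raft) of a processing registry that records a legal basis per activity instead of a yes/no consent flag, refuses legitimate interest and credit protection for sensitive categories, and splits a deletion request into consent-based records (deleted) and records held under other bases (routed to the encarregado for review, since the article notes the deletion right may not automatically apply to them). The class and field names, the category keys and the sample records are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class LegalBasis(Enum):
    """The ten LGPD legal bases from the article's table."""
    CONSENT = "consent"
    CONTRACT_PERFORMANCE = "contract_performance"
    LEGAL_OBLIGATION = "legal_or_regulatory_obligation"
    PUBLIC_POLICY = "public_policy_execution"
    SCIENTIFIC_RESEARCH = "scientific_research"
    EXERCISE_OF_RIGHTS = "regular_exercise_of_rights"
    LEGITIMATE_INTEREST = "legitimate_interest"
    CREDIT_PROTECTION = "credit_protection"
    LIFE_PROTECTION = "life_protection"
    HEALTH_PROTECTION = "health_protection"


# Sensitive categories from the article; the key names are constructed here.
SENSITIVE_CATEGORIES = {
    "racial_or_ethnic_origin", "religious_belief", "political_opinion",
    "trade_union_membership", "health", "sexual_orientation", "genetic",
    "biometric_identification", "minor",
}

# Bases the article says are not available for sensitive data.
BASES_UNAVAILABLE_FOR_SENSITIVE = {
    LegalBasis.LEGITIMATE_INTEREST, LegalBasis.CREDIT_PROTECTION,
}


@dataclass
class ProcessingRecord:
    """One processing activity for one user, tagged with its legal basis."""
    user_id: str
    data_category: str
    purpose: str
    basis: LegalBasis
    consent_withdrawn: bool = False


class ProcessingRegistry:
    """Tracks legal basis per activity rather than a single consent flag."""

    def __init__(self) -> None:
        self._records: List[ProcessingRecord] = []

    def register(self, record: ProcessingRecord) -> None:
        # Reject bases the article rules out for sensitive categories.
        if (record.data_category in SENSITIVE_CATEGORIES
                and record.basis in BASES_UNAVAILABLE_FOR_SENSITIVE):
            raise ValueError(f"{record.basis.value} is not a valid basis "
                             f"for sensitive category {record.data_category}")
        self._records.append(record)

    def records_for(self, user_id: str) -> List[ProcessingRecord]:
        return [r for r in self._records if r.user_id == user_id]

    def withdraw_consent(self, user_id: str, data_category: str) -> int:
        """Withdraw consent for one category; returns records affected."""
        changed = 0
        for r in self.records_for(user_id):
            if r.data_category == data_category and r.basis is LegalBasis.CONSENT:
                r.consent_withdrawn = True
                changed += 1
        return changed

    def may_process(self, user_id: str, data_category: str) -> bool:
        """True if at least one live legal basis still covers the activity."""
        return any(r.data_category == data_category and not r.consent_withdrawn
                   for r in self.records_for(user_id))

    def handle_deletion_request(self, user_id: str) -> Dict[str, List[str]]:
        """Delete consent-based records; queue the rest for DPO review."""
        outcome: Dict[str, List[str]] = {"deleted": [], "needs_review": []}
        kept: List[ProcessingRecord] = []
        for r in self._records:
            if r.user_id != user_id:
                kept.append(r)
            elif r.basis is LegalBasis.CONSENT:
                outcome["deleted"].append(r.data_category)
            else:
                # Contract, legal obligation etc.: not automatically deletable.
                outcome["needs_review"].append(f"{r.data_category} ({r.basis.value})")
                kept.append(r)
        self._records = kept
        return outcome

    def access_report(self, user_id: str) -> List[Dict[str, str]]:
        """Structured copy of what is held, for access/portability requests."""
        return [{"category": r.data_category, "purpose": r.purpose,
                 "basis": r.basis.value,
                 "status": "consent withdrawn" if r.consent_withdrawn else "active"}
                for r in self.records_for(user_id)]


def demo_registry() -> ProcessingRegistry:
    """Constructed sample records for a hypothetical fintech app."""
    reg = ProcessingRegistry()
    reg.register(ProcessingRecord("u1", "email", "newsletter", LegalBasis.CONSENT))
    reg.register(ProcessingRecord("u1", "cpf", "account contract", LegalBasis.CONTRACT_PERFORMANCE))
    reg.register(ProcessingRecord("u1", "transactions", "tax records", LegalBasis.LEGAL_OBLIGATION))
    reg.register(ProcessingRecord("u1", "credit_history", "credit scoring", LegalBasis.CREDIT_PROTECTION))
    reg.register(ProcessingRecord("u1", "health", "symptom tracking", LegalBasis.CONSENT))
    return reg


if __name__ == "__main__":
    registry = demo_registry()
    registry.withdraw_consent("u1", "email")
    print(registry.access_report("u1"))
    print(registry.handle_deletion_request("u1"))
```

The split in handle_deletion_request is the point of question 2: a single "delete everything" path would either over-delete records you are legally required to keep (tax records under a legal obligation) or refuse the whole request, whereas recording the basis per activity lets the consent-based part be honoured immediately and the rest be reviewed.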

Your LGPD compliance checklist

Before development starts:

  • Confirm LGPD applies to your app (Brazilian users, data collected in Brazil, or offering services to Brazilians)
  • Map every type of personal data your app will collect from Brazilian users
  • Identify which of the 10 legal bases applies to each data processing activity
  • Identify sensitive data categories and plan separate handling
  • Appoint a DPO (Encarregado) or designate a compliance contact
  • Determine cross-border transfer mechanisms if your servers are outside Brazil

During development:

  • Build consent management that records legal basis, not just consent status
  • Build explicit, layered consent flows for sensitive data categories
  • Build age verification or parental consent flow for users under 18
  • Implement data subject access request handling (15-day target response time)
  • Build deletion workflows that check legal basis before processing requests
  • Build data portability export functionality
  • Build audit logging for data access and modifications
  • Add DPO contact information to privacy policy and accessible in-app

Before launch:

  • Publish an LGPD-compliant privacy policy in Portuguese
  • Test data subject rights flows - access, correction, deletion, portability
  • Test consent collection and withdrawal flows
  • Document all data processing activities with their legal bases
  • Implement cross-border transfer mechanisms and maintain documentation
  • Set up data breach detection and ANPD notification procedures
  • Complete a data protection impact assessment for high-risk processing activities

LGPD enforcement is still younger than GDPR enforcement. But the ANPD is active, Brazil's courts have upheld its authority, and fines have started flowing. Building LGPD compliance in from the start is far cheaper than retrofitting it under regulatory pressure.
