What is LGPD?

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s general data protection law. Enacted in 2018 and effective from September 2020, it establishes the national legal framework for the processing of personal data by private and public-sector entities, including in digital environments. Its stated purpose is to protect the fundamental rights of liberty, privacy, and the free development of personality.

The LGPD sets out the rules for when personal data may be processed, defines the rights of data subjects, regulates cross-border transfers, and establishes duties for controllers and processors. It also created a unified national standard for data protection in Brazil, replacing a more fragmented landscape of sector-specific rules, and is enforced by the Autoridade Nacional de Proteção de Dados (ANPD).

Who does LGPD apply to?

Any natural or legal person, whether public or private, that processes personal data in any of the following situations is subject to the LGPD:

  • The processing takes place in Brazil.
  • The purpose of the processing is to offer or supply goods or services to individuals located in Brazil.
  • The personal data being processed was collected in Brazil, meaning the data subject was in Brazil at the time of collection.

The law applies regardless of where the organization is headquartered or where the data is stored, and it covers both digital and physical data processing. Although the ANPD has created streamlined compliance frameworks for small-scale processors, the LGPD still applies to startups, small companies, and major corporations alike.

LGPD and Clickwrap Agreements

Clickwrap agreements with consumers still rely mostly on consent, notwithstanding the eleven legal bases for processing personal data that the LGPD lists in Article 7. Articles 7(I), 8, and 11 set strict requirements for obtaining that consent: it must be free, informed, and unambiguous, directed at a specific purpose, and given through a mechanism that leaves the data subject in full control. The ANPD has made clear through its enforcement posture that it will examine closely whether consent interfaces actually meet these standards.

How LGPD Affects Clickwrap Design

Under Article 8, caput, consent must be given in writing or by another means that demonstrates the data subject's will. When consent is obtained in writing, the consent clause must be set out as a separate clause, clearly distinguished from the other contractual terms. A clickwrap that folds consent into the general terms of service violates this requirement outright.

Article 7(IX) recognizes legitimate interest as a legal basis, and Article 10 subjects it to a balancing test: the controller must take into account the data subject's reasonable expectations, weigh the processing against their fundamental rights, and, where practical, apply safeguards such as anonymization. According to the ANPD's 2022 guidance on legitimate interest, this basis cannot be used as a general substitute for consent, especially where the processing involves direct interaction with the data subject.

Article 11(I) requires that processing of sensitive data be grounded in specific and highlighted consent for defined purposes. Health data, biometric identifiers, racial or ethnic origin, and religious beliefs each require their own clearly marked consent action. Bundling sensitive and non-sensitive data processing under a single checkbox fails the specificity requirement, and the ANPD has authority under Article 52 to impose daily fines until the violation is remediated.

Article 41 requires every controller to designate a Data Protection Officer (DPO), whose contact details must be made public. So that data subjects can exercise their rights without undue difficulty, the clickwrap interface should display the DPO's identity and contact details or provide a direct link to that information.

What Must Be Shown Under LGPD

Articles 8 and 9 set out the information that must be provided when consent is used as the legal basis for processing.

The following information should be disclosed clearly on a clickwrap agreement:

  • The specific purpose for which consent is being requested.
  • The form and duration of the processing.
  • The identity and contact details of the controller.
  • Information about the shared use of data by the controller and the purpose of that sharing.
  • The responsibilities of the agents carrying out the processing.
  • The consequences of refusing consent.

Article 8(4) also makes clear that generic authorizations are null, so the purpose statement must be specific rather than open-ended. Article 9(3) further requires that, where consent is necessary, the data subject must be informed of the consequences of refusing it.

What Records You Must Keep Under LGPD

Article 8(2) places the burden on the controller to prove that consent was obtained in accordance with the law. If processing is based on consent, the controller must be able to show who consented, what they consented to, and the circumstances in which the consent was given. Article 8(5) also provides that consent may be revoked at any time by an express manifestation of the data subject, through a free and facilitated procedure.

A compliant consent record should capture:

  • The data subject’s identity - Name, email, CPF, account ID, or another identifier linking the consent event to the individual.
  • The action timestamp - The date and time of the consent action.
  • The agreement or notice version - The specific version of the privacy notice, terms, or consent text presented at the moment of acceptance.
  • The consent mechanism - The checkbox, button, toggle, or other interface element used to capture consent.
  • The purposes consented to - Each specific purpose for which consent was obtained.

A record showing only that “consent was given” is not enough. The controller should be able to reconstruct the consent event from the information shown to the data subject, the purposes presented, and the method used to capture agreement. Revocation records should also be retained, including when consent was withdrawn and the scope of the withdrawal.
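As an added illustration (not code from the page or from any regulator), the following Python sketch stores consent and revocation events with the fields listed above, rejects records that could not reconstruct the consent event, refuses a sensitive purpose bundled with other purposes (the separate-checkbox rule from the design section), and replays the ledger to answer "did this subject have valid consent for this purpose at this time?". The purpose names, the set of sensitive purposes, and the sample ledger are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
# Constructed purpose identifiers; which purposes count as sensitive is an assumption here.
SENSITIVE_PURPOSES = {"biometric_login", "health_profile"}

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # identifier linking the event to the data subject
    timestamp: datetime   # date and time of the consent action (UTC)
    notice_version: str   # exact version of the notice or terms presented
    mechanism: str        # interface element used, e.g. "checkbox:marketing"
    purposes: frozenset   # each specific purpose accepted in this action

@dataclass(frozen=True)
class RevocationEvent:
    subject_id: str
    timestamp: datetime
    purposes: frozenset   # scope of the withdrawal (Art. 8(5))

def validate(event):
    """Return the reasons a consent event cannot be reconstructed; [] means it is sound."""
    problems = []
    if not event.purposes:
        problems.append("no specific purpose recorded; generic authorizations are void (Art. 8(4))")
    if not event.notice_version or not event.mechanism:
        problems.append("notice version or consent mechanism missing")
    if event.purposes & SENSITIVE_PURPOSES and len(event.purposes) > 1:
        problems.append("sensitive purpose bundled with other purposes (Art. 11(I))")
    return problems

def consented_at(events, subject_id, purpose, at):
    """Replay the ledger up to `at` and return the ConsentEvent that grants `purpose`, or None."""
    granting = None
    history = [e for e in events if e.subject_id == subject_id and e.timestamp <= at]
    for ev in sorted(history, key=lambda e: e.timestamp):
        if purpose not in ev.purposes:
            continue
        if isinstance(ev, RevocationEvent):
            granting = None           # a later withdrawal cancels the earlier grant
        elif not validate(ev):
            granting = ev             # only a reconstructable record counts as consent
    return granting

T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed sample ledger
LEDGER = [
    ConsentEvent("user-42", T0, "notice-v3", "checkbox:marketing", frozenset({"marketing"})),
    ConsentEvent("user-42", T0, "notice-v3", "checkbox:biometric", frozenset({"biometric_login"})),
    RevocationEvent("user-42", T0 + timedelta(days=10), frozenset({"marketing"})),
]
```

Because every query is answered by replaying stored events rather than reading a current flag, the same ledger doubles as the evidence Article 8(2) asks the controller to produce.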

Key Provisions of LGPD

Personal Data
Brazil's LGPD defines personal data as information related to an identified or identifiable natural person, a broad definition that covers data that can directly or indirectly identify an individual (Article 5, I).
Sensitive Personal Data
Sensitive personal data under the LGPD includes personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical, or political organization, health, sex life, and genetic or biometric data when linked to a natural person. Processing requires specific and highlighted consent or another applicable legal basis under Article 11 (Article 5, II).
Consent
Consent under the LGPD must be a free, informed, and unambiguous manifestation by which the data subject agrees to processing for a specific purpose. Generic authorizations for broad processing are void (Article 5, XII).
Data Controller (Controlador)
The controller is the natural or legal person, under public or private law, who determines the decisions regarding the processing of personal data (Article 5, VI).
Data Portability
Data subjects have the right to data portability to another service or product provider, upon express request and subject to ANPD regulation, with due regard for trade and industrial secrets (Article 18, V).
International Data Transfer
Cross-border transfers are permitted where the receiving country or international organization provides an adequate level of protection, or where other lawful transfer mechanisms or specific legal exceptions apply, including contractual safeguards (Article 33).

Penalties for LGPD Non-Compliance

Administrative fines: up to 2% of revenue, capped at BRL 50 million per infraction
The ANPD can impose fines of up to 2% of a private legal entity's revenue in Brazil for the prior fiscal year, excluding taxes, capped at R$50 million per individual infraction.

Daily fines: up to BRL 50 million total
The ANPD may impose daily fines to enforce compliance with an order, up to the same R$50 million maximum. These escalating penalties incentivize rapid remediation of violations.

Non-monetary sanctions: public disclosure, data blocking, or deletion
The ANPD can issue warnings, order public disclosure of the infraction, block or delete the personal data related to the violation, and partially or fully suspend database operations.

Frequently Asked Questions

Does the LGPD apply to organizations located outside Brazil?
Yes. It applies to processing operations carried out by any person or company, regardless of where they are located, when the processing relates to offering goods or services to individuals in Brazil, or when the personal data was collected in Brazil.

How does the LGPD compare to the GDPR?
It was heavily influenced by the GDPR and shares many core concepts, including lawful bases, data subject rights, breach-related obligations, and cross-border transfer rules. A key difference is that it has ten legal bases for processing, including a specific basis for credit protection, while the GDPR has six.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.