What is LGPD?

The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's data protection law, governing the collection, use, and storage of personal data from Brazilian citizens. Effective since August 2020, it closely aligns with the EU's General Data Protection Regulation (GDPR).

Where does the LGPD apply to?

The LGPD applies to all individuals and businesses processing personal data in Brazil, regardless of their location. This includes both Brazilian and foreign entities that handle data in Brazil, offer goods or services to Brazilian residents, collect data from individuals in Brazil, or monitor their behavior.

What Are the Possible Reasons for LGPD Penalties?

Fines may be imposed for failing to follow data protection principles, not appointing a DPO, neglecting DPIAs, not reporting data breaches, or failing to uphold data subject rights under the LGPD. Additional penalties can include orders to stop data processing, corrective actions, and reprimands. Legal actions from affected individuals are also possible.

Who is Liable for LGPD Penalties?

The law defines "data controllers" as any website or company that collects data. However, there are exceptions, including individuals using data for personal, non-economic purposes, those using data for journalistic, artistic, or academic purposes, and public security or national defense agents using data to enforce the law. In these cases, formal consent is not required, and no fines can be imposed, as these activities do not violate the law.

What Are the LGPD Penalties for
Non-Compliance?

Non-compliance with the LGPD can lead to substantial fines and penalties. The National Data Protection Authority (ANPD) may impose fines of up to 2% of a company's annual gross revenue or 50 million reais (about 12.5 million US dollars), whichever is higher.

Get the LGPD checklist for Free

Improve the effectiveness of your compliance strategy now.

Download checklist

Frequently Asked Questions

How is the LGPD different from GDPR?

The LGPD was inspired by the European Union’s General Data Protection Regulation (GDPR) and incorporates many of its key concepts. However, the LGPD extends its coverage in certain areas, offering four additional legal bases for processing personal data compared to the GDPR.

There are also differences between the two regulations. For example, while both require data breach notifications, the GDPR mandates reporting within 72 hours, whereas the LGPD does not specify a timeline. Additionally, the LGPD requires controllers to appoint a Data Protection Officer (DPO), but this is not explicitly required for processors. In contrast, the GDPR mandates that both controllers and processors appoint a DPO under specific conditions.

What are the record-keeping requirements under the LGPD?

Under the LGPD, organizations must maintain records of their data processing activities, including the purposes, categories of personal data, recipients, data transfers, and security measures. These records help demonstrate compliance and should be readily accessible to the Brazilian Data Protection Authority (ANPD) upon request.

How to make my business compliant with the LGPD?

To assure GDPR compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is designed specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, verifying your store meets GDPR requirements without hassle.

Is your site compliant?