Brazil's LGPD is not a future concern for digital sellers. It is the present operating environment for any business that collects an email address, processes a payment, or runs a retargeting ad aimed at people in Brazil, regardless of where the seller is incorporated.
Foreign companies and creators often assume data protection law only applies to large enterprises. The LGPD does not draw that line. What it does offer, through ANPD regulation, is a simplified compliance regime for smaller operators — which reduces the administrative burden without eliminating the obligation.
This checklist covers the minimum legal stack before the first lead enters any funnel targeting Brazil.
Who the LGPD Applies To
Brazil's General Data Protection Law (LGPD, Law No. 13,709/2018) applies to any processing of personal data:
- Carried out in Brazilian territory
- Targeting the offering of goods or services to individuals in Brazil
- Involving data collected from individuals in Brazil
The location of the processing entity is irrelevant. A US-based creator selling a course to Brazilian buyers, a European SaaS product with Brazilian users, a Southeast Asian brand running paid ads to Brazilian consumers — all are subject to the LGPD for data they collect from those Brazilian interactions.
Personal data under the LGPD includes names, email addresses, CPF numbers, IP addresses, device identifiers, purchase history, and behavioral data from tracking pixels. Any funnel — from the ad click to the purchase confirmation email — processes personal data.
Data Mapping: From Ad Click to Customer
Before writing a privacy policy, map what data actually flows through the operation:
| Stage | Data collected | Processor | Legal basis needed |
|---|---|---|---|
| Ad | IP, device ID, behavioral | Meta/Google | Legitimate interest or consent |
| Lead magnet | Name, email | Email platform (Kit, Mailchimp, etc.) | Consent (opt-in) |
| Checkout | Name, CPF, payment data | Payment gateway | Contract performance |
| Post-purchase | Purchase history, access logs | Course platform | Contract performance |
| Remarketing | Email, behavioral | Ad platform | Consent or legitimate interest |
Every processor (an operador, in the LGPD's own terms) that touches data on behalf of the seller (email platforms, payment gateways, CRMs, analytics tools) must have a data processing agreement (DPA) in place. Many major platforms include standard DPAs in their terms — but verifying this, and documenting it, is the seller's responsibility.
Legal Bases: Matching the Right Basis to Each Purpose
The LGPD requires a specific legal basis for each processing purpose. Three cover most of what a digital seller does:
Consent (Art. 7, I)
- Requires: express, free, informed, and unambiguous opt-in
- The purpose must be stated at the moment of collection
- Pre-checked boxes, bundled consent, or silence do not qualify
- Consent must be revocable at any time — and the process for doing so must be simple
- Best for: newsletter opt-ins, marketing communications, retargeting consent
Legitimate interest (Art. 7, IX)
- Applies when: there is a pre-existing commercial relationship; the processing is proportionate; the data subject would reasonably expect the communication
- Requires a legitimate interest assessment (LIA) documenting the balancing test
- Cannot be used for cold lists or purchased databases
- Best for: transactional follow-up, post-purchase communications with existing customers
Contract performance (Art. 7, V) covers processing necessary to deliver the product or service purchased — access management, invoice generation, support communications.
Using the wrong basis — or no documented basis — is a compliance gap that ANPD examines in enforcement actions.
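As an added example, not part of the original page, here is how the legal-basis rules above translate into an outbound-communication check in code. The consent ledger, the purpose labels and the sample contacts are constructed for the illustration; the decision logic encodes only the conditions stated in this section (express, purpose-bound, revocable consent; legitimate interest only for existing customers and never for purchased lists; contract performance only for what was actually bought).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Purpose labels used by a typical funnel. Labels and sample data below are constructed
# for this example; the rules encoded are the ones stated in the text above.
CONTRACT_PURPOSES = {"access_management", "invoice", "support"}      # Art. 7, V
LEGIT_INTEREST_PURPOSES = {"post_purchase_followup"}                 # Art. 7, IX
# Anything else (newsletter, retargeting, ...) needs consent (Art. 7, I).


@dataclass
class ConsentRecord:
    purpose: str                    # one purpose per record: no bundled consent
    granted_at: datetime
    source: str                     # where the opt-in happened, e.g. "lead_magnet_form"
    affirmative_action: bool        # subject actively ticked/clicked; False = pre-checked or silence
    purpose_shown: bool             # purpose text was displayed at the moment of collection
    revoked_at: Optional[datetime] = None

    def valid_at(self, at: datetime) -> bool:
        if not (self.affirmative_action and self.purpose_shown):
            return False            # not express/informed: never valid, whatever the date
        if self.granted_at > at:
            return False
        return self.revoked_at is None or at < self.revoked_at


@dataclass
class Contact:
    email: str
    origin: str                     # "own_form", "checkout" or "purchased_list"
    has_purchased: bool = False
    consents: list = field(default_factory=list)

    def revoke(self, purpose: str, at: datetime) -> None:
        """Revocation must be simple: one call closes every live consent for that purpose."""
        for c in self.consents:
            if c.purpose == purpose and c.revoked_at is None:
                c.revoked_at = at


def lawful_basis_for(contact: Contact, purpose: str, at: datetime):
    """Return (basis, evidence) if the seller may process for `purpose`, else (None, reason).

    Order matters: contract performance is checked first because it needs no opt-in,
    consent next, legitimate interest last because it is the narrowest.
    """
    if purpose in CONTRACT_PURPOSES:
        if contact.has_purchased:
            return "contract", "necessary to deliver the purchased product"
        return None, "no contract with this person to perform"

    for c in contact.consents:
        if c.purpose == purpose and c.valid_at(at):
            return "consent", f"express opt-in via {c.source} on {c.granted_at.date()}"

    if purpose in LEGIT_INTEREST_PURPOSES:
        if contact.origin == "purchased_list":
            return None, "legitimate interest cannot cover cold or purchased lists"
        if contact.has_purchased:
            return "legitimate_interest", "existing customer; expected follow-up (LIA on file)"
        return None, "no pre-existing commercial relationship"

    return None, f"no documented legal basis for '{purpose}'"


def run_example() -> dict:
    """Constructed contacts exercising each rule; returns {case: basis or None}."""
    t0 = datetime(2025, 1, 10, tzinfo=timezone.utc)   # consent collected
    t_rev = datetime(2025, 2, 1, tzinfo=timezone.utc)  # one subject revokes
    t1 = datetime(2025, 3, 1, tzinfo=timezone.utc)    # mailing decision

    lead = Contact("lead@example.com", origin="own_form")
    lead.consents.append(ConsentRecord("newsletter", t0, "lead_magnet_form", True, True))
    customer = Contact("buyer@example.com", origin="checkout", has_purchased=True)
    prechecked = Contact("pre@example.com", origin="own_form")
    prechecked.consents.append(ConsentRecord("newsletter", t0, "checkout_prechecked_box", False, True))
    revoked = Contact("gone@example.com", origin="own_form")
    revoked.consents.append(ConsentRecord("newsletter", t0, "lead_magnet_form", True, True))
    revoked.revoke("newsletter", t_rev)
    bought_list = Contact("cold@example.com", origin="purchased_list")

    cases = {
        "lead_newsletter": (lead, "newsletter"),
        "lead_retargeting": (lead, "retargeting"),        # consent is purpose-bound
        "lead_invoice": (lead, "invoice"),                # nothing bought, no contract
        "customer_invoice": (customer, "invoice"),
        "customer_followup": (customer, "post_purchase_followup"),
        "customer_newsletter": (customer, "newsletter"),  # a purchase is not marketing consent
        "prechecked_newsletter": (prechecked, "newsletter"),
        "revoked_newsletter": (revoked, "newsletter"),
        "purchased_list_newsletter": (bought_list, "newsletter"),
        "purchased_list_followup": (bought_list, "post_purchase_followup"),
    }
    result = {name: lawful_basis_for(c, p, t1)[0] for name, (c, p) in cases.items()}
    # Same revoked subject, evaluated before the revocation took effect.
    result["revoked_before_revocation"] = lawful_basis_for(
        revoked, "newsletter", datetime(2025, 1, 20, tzinfo=timezone.utc))[0]
    return result


if __name__ == "__main__":
    for case, basis in run_example().items():
        print(f"{case:28s} -> {basis}")
```

Each consent record carries exactly one purpose, so consent collected for the newsletter cannot be reused for retargeting; revocation is a single call that closes every live record for that purpose; and the evidence string returned is what you would store beside the send log so that an ANPD enquiry about a given email can be answered from records rather than memory.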
Privacy Policy That Holds Up
An LGPD-compliant privacy policy is not a generic template from another jurisdiction with the company name changed. It must, at minimum:
- Identify the data controller — who is responsible for the data — with contact information
- Identify the DPO (or simplified contact point) with a communication channel
- List the categories of data collected and the purpose for each
- State the legal basis for each processing purpose
- Specify data retention periods — or the criteria used to determine them
- Disclose data sharing: every processor and third party who receives data, and why
- Address international data transfers if data leaves Brazil — and the safeguards applied
- Explain data subject rights (access, correction, deletion, portability, objection) and how to exercise them
- State when the policy was last updated
For foreign companies: the policy must be accessible in Portuguese for Brazilian consumers. An English-only policy does not satisfy LGPD transparency obligations for Brazilian data subjects.
DPO: When Designation Is Required and the Simplified Regime
The LGPD (Art. 41) requires controllers to designate a person in charge of personal data processing (Encarregado de Dados, usually rendered as DPO). ANPD Resolution CD/ANPD No. 2/2022 established a simplified regime for small-scale processing agents, which include:
- Microempresas (micro-enterprises)
- Empresas de pequeno porte (small businesses)
- Startups as defined by Brazil's Startup Legal Framework (LC No. 182/2021)
Under the simplified regime, small-scale agents are exempt from the duty to designate an Encarregado, but an agent that does not designate one must still provide, and publicize, a channel through which data subjects can reach it. The resolution relaxes who holds the role and how it is disclosed; it does not remove the duty to be reachable and to answer.
Even under the simplified regime: maintain a named contact point for data-related communications, ensure that contact point is reachable, and document responses to data subject requests.
Small-scale agents whose processing the resolution classifies as high-risk do not qualify for the simplified regime at all. For operations processing sensitive personal data (health, biometric, or the other categories the LGPD lists as sensitive; ordinary financial data is not on that list) or large volumes of data, treat formal DPO designation as the baseline regardless of company size.
The Incident-Notification Window Under ANPD Resolution 15/2024
When a security incident occurs that may cause relevant risk or harm to data subjects (a breach, unauthorized access, data exposure), LGPD Art. 48 and ANPD Resolution CD/ANPD No. 15/2024 require the controller to notify ANPD and the affected data subjects. The resolution sets the deadline at three working days, counted from when the controller becomes aware of the incident. Processors must inform the controller when they become aware of an incident, so DPAs with processors should specify how, and how fast, that happens.
The notification must include:
- Nature and categories of the affected data
- Information on the affected data subjects
- Technical and security measures that were in place and were bypassed
- Associated risks to data subjects
- Corrective and mitigation actions taken or planned
- If the notification was not immediate, the reasons for the delay (Art. 48, §1)
The practical implication: a data breach is not a communications problem to manage after the fact. It is a regulated event with a hard deadline. An incident response plan — even a simple one — must exist before any incident occurs.
Minimum incident response plan for a digital seller operation:
- Detection: how will you know when an incident has occurred? (Monitoring, alerts, third-party notification)
- Containment: who does what in the first hours? (Revoke compromised credentials and access, isolate affected systems, notify the processor or controller on the other side of the DPA)
- Assessment: is notification required? Who assesses?
- Notification: who drafts and sends the ANPD notification? Who contacts affected subjects?
- Documentation: preserve all logs, communications, and timeline records
ANPD Sanctions and How Good Faith Affects Outcomes
The LGPD (Art. 52) provides for administrative sanctions including:
- Warning
- Simple fine of up to 2% of the legal entity's revenue in Brazil in its last fiscal year, excluding taxes, capped at BRL 50 million per violation
- Daily fine
- Publication of the infraction
- Blocking or deletion of the relevant data
ANPD's penalty calibration framework considers: the nature and severity of the violation, the number of affected data subjects, the economic benefit derived from the violation, the offender's good faith, mitigation measures adopted, and the compliance history of the organization.
Good faith documented through genuine compliance efforts (privacy policy in place, incident response plan written, DPO or contact point designated, legal bases identified) weighs in favour of a lighter sanction in administrative proceedings. It does not eliminate liability; it is one of the calibration factors, and the one most directly under the seller's control.
30-Day Implementation Checklist
For a digital seller starting LGPD compliance from scratch:
Week 1 — Map
- List every data point collected (email, name, CPF, behavioral, payment)
- Identify every processor that touches data (email platform, gateway, CRM, analytics)
- Map the legal basis for each processing purpose
Week 2 — Document
- Draft or update the privacy policy to LGPD standards (in Portuguese for Brazilian audiences)
- Verify DPAs exist with all processors (or obtain them)
- Review opt-in forms — confirm express consent language and purpose statement
Week 3 — Structure
- Designate a DPO or contact point (simplified regime if applicable)
- Write a basic incident response plan (detection → containment → assessment → notification → documentation)
- Document legal bases formally in a processing register
Week 4 — Operationalize
- Add data subject rights mechanism to website (access, correction, deletion request form)
- Set data retention policy and implement deletion workflow for inactive contacts
- Train anyone with access to customer data on basic LGPD obligations
We assist digital sellers and foreign companies in building LGPD-compliant operations in Brazil. Our practice covers data protection and privacy and digital contracts. See also: Creator Monetization in Brazil: Legal Structures.
FAQ
Yes. The LGPD (Law No. 13,709/2018) applies to any natural or legal person processing personal data in Brazil — regardless of size. Micro-enterprises and startups have a simplified regime under ANPD Resolution No. 2/2022 but are not exempt. Regulatory risk is lower for low-volume operations without sensitive data, but contractual and reputational risk remains: payment platforms and brand partners increasingly require evidence of compliance.
Two main options. Consent (LGPD Art. 7, I): express, clear, and unambiguous opt-in with specific purpose stated in the form. Legitimate interest (Art. 7, IX): for proportionate and expected communications within pre-existing commercial relationships. Purchased or third-party lists without subjects' consent create significant regulatory exposure. The privacy policy must state the basis used and the data subject's right to withdraw at any time.
Notify ANPD and affected data subjects under LGPD Art. 48 and ANPD Resolution No. 15/2024 whenever there is relevant risk or harm, within three working days of the controller becoming aware of the incident. The notification must describe the nature of the data, the subjects involved, the technical and security measures adopted, the risks, and the corrective actions. Internally: activate the incident response plan, preserve evidence, and involve legal from the start.
The LGPD (Art. 41) requires controllers to designate a DPO (Encarregado). ANPD Resolution No. 2/2022 exempts micro-enterprises, small businesses, and startups that qualify as small-scale processing agents from the designation requirement, but those that do not designate one must still provide a published communication channel for data subjects. Even under the simplified regime, an identified, reachable contact point for data-related communications is therefore required, not merely advisable.
The LGPD (Art. 52) provides for sanctions ranging from warnings to fines of up to 2% of Brazilian revenue, capped at BRL 50 million per violation. ANPD considers in calibrating sanctions the offender's good faith, mitigation measures, and compliance history. Good faith alone does not exclude liability — it reduces severity. Companies in documented compliance build-out are treated favorably in administrative proceedings.
