Email marketing is the oldest tactic in the digital playbook and the most commonly mishandled under the LGPD. Operators run sequences against lists they cannot fully document, with consent that does not meet the legal standard, on legal bases they cannot articulate when asked. The result is a system that works in market terms — opens, clicks, conversions — and fails in regulatory terms.

This article covers the two legal bases the LGPD allows for email marketing, when each fits, and the operational practices that keep both defensible.

The two paths under the LGPD

Brazil's General Data Protection Law (LGPD, Law No. 13,709/2018) establishes ten legal bases in Art. 7. Two are relevant for email marketing.

Path one — consent (Art. 7, I)

Consent under the LGPD is not casual. Article 5, XII defines it as a "free, informed, and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a specific purpose." The cumulative requirements:

  • Free — no coercion, no bundling with services in a way that effectively forces acceptance
  • Informed — the subject knows what is being collected, by whom, for what
  • Unambiguous — an affirmative act, not silence or pre-checked boxes
  • Specific — for a defined purpose, not generic blanket authorization

In practice, this means:

  • Forms with unchecked boxes the user must actively tick
  • Clear language about what the email list will be used for
  • Granular options when multiple purposes are involved (newsletter, promotional offers, partner communications) — separate checkboxes per purpose
  • Documentation of the moment of consent (timestamp, IP, form version, language shown)

Double opt-in (confirmation email after sign-up that the subject must click) strengthens the evidentiary trail and is best practice for high-stakes operations.

Path two — legitimate interest (Art. 7, IX)

Legitimate interest is narrower than market intuition usually assumes. The LGPD frames it as processing that:

  • Serves a legitimate interest of the controller
  • Has been balanced against the rights and freedoms of the data subject
  • Is within the reasonable expectation of the data subject given the context

For email marketing, legitimate interest typically fits:

  • Post-purchase communications to active customers about products related to what they purchased
  • B2B communications within a pre-existing commercial relationship (e.g., emailing the contact at a partner company about a product update)
  • Service emails that have a marketing component but are primarily informational

Legitimate interest does not fit:

  • Cold leads acquired without prior interaction
  • Aggressive cross-sell outside the original transaction scope
  • Purchased lists or third-party audiences without direct consent
  • Any campaign the typical recipient would not reasonably expect

Documenting a Legitimate Interest Assessment (LIA) — a written analysis weighing the interest, the necessity, and the impact on the data subject — is good practice.

What about purchased lists

Buying or scraping lists creates exposure that scales with use. The reasoning:

  • Consent given to the original list holder generally does not transfer to a third-party buyer (the original consent was for that specific controller)
  • Legitimate interest does not apply because there is no pre-existing commercial relationship between the buyer and the data subjects
  • The data subjects have no reasonable expectation of receiving communications from the new controller

The exposure is regulatory (ANPD has authority to act under LGPD Art. 52), reputational (high spam complaint rates damage sender reputation across email providers), and operational (deliverability collapses; future legitimate campaigns suffer).

Building the list via opt-in is slower. It is also the only path that scales.

Day-to-day practices

Documentation of consent

Every email subscriber should have a record showing:

  • Date and time of opt-in
  • IP address from which the opt-in was submitted
  • Form version and language shown at the moment of opt-in
  • Confirmation of double opt-in if used
  • The legal basis recorded for that processing

Most professional email marketing platforms (Kit, Mailchimp, ActiveCampaign, HubSpot) capture this automatically. The operator's job is to make sure the data is being captured and to be able to retrieve it on request.

Easy revocation

Every email must include an unsubscribe link. The link must work, must process the request promptly, and the operator must cease sending immediately upon revocation (LGPD Art. 8, § 5).

Best practice: maintain a suppression list (records of those who opted out) to prevent future inadvertent re-inclusion. Suppression lists are protective in nature, not active processing.

Right to data portability and access

Subscribers have the right to know what data is being processed about them (Art. 18, II) and to request portability (Art. 18, V). Email platforms typically support export by subscriber on request.

Sharing with operators

The email platform itself is a processor (operador) under the LGPD. The relationship with the platform should be governed by a Data Processing Agreement (DPA). Most established platforms include DPA terms in their service agreements.

What changes when the relationship ends

When a customer cancels, the consent for ongoing marketing emails generally lapses with the relationship — but the data does not disappear automatically. Tax records, transaction history, and service logs typically have retention periods established by Brazilian tax and accounting legislation.

The discipline is to separate:

  • Marketing data — deleted or moved to suppression on cancellation
  • Operational data — retained per the legal/regulatory requirement
  • Aggregated/anonymized data — can be retained for analytics if true anonymization is achieved (LGPD Art. 12)
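One way to hold the opt-in evidence from "Documentation of consent", the suppression list from "Easy revocation" and the marketing/operational split above in a single structure, as an added Python example that is not from the article or from any of the platforms it names. The class and field names, the purpose labels and the sample addresses are assumptions; the article lists the fields to record, not a schema.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
SAMPLE_TIME = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed for the demo

@dataclass
class ConsentRecord:
    """Evidence captured at the moment of opt-in: the fields the article lists."""
    email: str
    legal_basis: str     # "consent" (Art. 7, I) or "legitimate_interest" (Art. 7, IX)
    purposes: frozenset  # one granular purpose per checkbox, e.g. "newsletter"
    opted_in_at: datetime
    ip: str
    form_version: str
    language: str
    confirmed_at: datetime | None = None  # double opt-in click, if used
    revoked_at: datetime | None = None    # unsubscribe (Art. 8, par. 5)

class MarketingLedger:
    """Hypothetical in-memory ledger: consent records plus a suppression list."""
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}
        self.suppression: set[str] = set()  # opted-out addresses, checked before every send
    def record_opt_in(self, email, purposes, ip, form_version, language,
                      when=SAMPLE_TIME, legal_basis="consent") -> bool:
        if email in self.suppression:
            return False  # suppression wins over a re-import of the same address
        self.records[email] = ConsentRecord(email, legal_basis, frozenset(purposes),
                                            when, ip, form_version, language)
        return True

    def confirm_double_opt_in(self, email, when=SAMPLE_TIME) -> None:
        rec = self.records.get(email)
        if rec is not None and rec.revoked_at is None:
            rec.confirmed_at = when

    def revoke(self, email, when=SAMPLE_TIME) -> None:
        """Unsubscribe or cancellation: stop sends at once, keep the record as evidence."""
        if email in self.records:
            self.records[email].revoked_at = when
        self.suppression.add(email)

    def may_send(self, email, purpose) -> bool:
        """Send gate: not suppressed, not revoked, basis valid for this exact purpose."""
        rec = self.records.get(email)
        if email in self.suppression or rec is None or rec.revoked_at is not None:
            return False
        if rec.legal_basis == "consent" and rec.confirmed_at is None:
            return False  # consent not yet confirmed by double opt-in
        return purpose in rec.purposes
```

Operational data (invoices, service logs) is deliberately absent from this ledger: it lives in its own store with its own retention period, so a marketing revocation never touches it.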

The compounding effect

Email marketing programs that are LGPD-compliant from the start compound advantages:

  • Higher engagement rates because the list consists of subscribers who actively opted in
  • Better deliverability because spam complaints stay low
  • Lower regulatory exposure because consent and basis are documented
  • Faster diligence and partnership conversations because compliance evidence is at hand

Programs built without that foundation try to fix the problem after the fact, by which point the database is contaminated, the sender reputation is damaged, and the regulatory exposure is real. Starting clean is cheaper than retrofitting.

FAQ

Can I buy a leads list and run email marketing to them?

Buying a list creates significant regulatory exposure. Under the LGPD, data processing requires a legal basis — and consent given to a third-party list seller rarely meets the Art. 7, I criterion (free, informed, unambiguous, and specific). Without valid consent and without a pre-existing commercial relationship that sustains legitimate interest, there is no legal basis. The result: ANPD fine risk, reputational exposure, and low effectiveness (high spam rate, poor deliverability). Building a list via opt-in is slower, but it is the sustainable foundation.

Does a pre-checked box count as consent?

No. Under the LGPD (Art. 5, XII and Art. 7, I), consent must be free, informed, unambiguous, and specific. A pre-checked box fails the "free" and "unambiguous" tests — there is no affirmative act by the data subject. The correct pattern is express opt-in: an unchecked box the user must actively check, with clear text about the purpose of the communication. For maximum compliance, double opt-in (email confirmation after sign-up) reinforces consent documentation.

When can I use legitimate interest instead of consent?

Legitimate interest (Art. 7, IX) fits specific situations: the processing serves a legitimate interest of the controller, the data subject has a reasonable expectation of that processing, and the data subject's rights do not prevail. For email marketing, typical cases: post-purchase communications to active customers about related products; B2B communications in pre-existing commercial relationships. It does not fit: cold leads without prior interaction; aggressive cross-sell outside the original scope; audiences purchased from third parties. Documenting the proportionality test (LIA - Legitimate Interest Assessment) is good practice.

The customer unsubscribed. Do I have to delete the email from the database?

Unsubscribing revokes consent for future sends (LGPD Art. 8, § 5) and requires immediate cessation of sending — it does not require deleting the record from the database. The data can be kept in suppression (a list of those who opted out) to ensure future sends do not reach the subject again — this is protective, not active processing. If the subject makes a specific deletion request (the Art. 18, VI right), deletion applies to the extent applicable.

Has ANPD already fined for non-compliant email marketing?

ANPD has been applying sanctions in cases of improper use of personal data for marketing purposes — specific and updated information about administrative proceedings is on ANPD's official site. The observed pattern: prioritization of cases with significant volume, associated breaches, or systemic non-compliance. For digital sellers with their own list built via correct opt-in, regulatory risk is lower; for operations with purchased lists or questionable consent, risk is proportional to volume and visibility.

Author

Managing Partner and founder of Hosaki Advogados. Practice in intellectual property, digital law, and creator economy. Over 10 years at the intersection of technology and law.