Is your website LGPD-compliant? A guide for digital businesses in Brazil

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s data protection law. If your website or online store collects data from Brazilian users, this law applies to you. In this guide, we explain its key requirements and how to comply step by step.

What is the LGPD?

The LGPD is Brazil’s General Data Protection Law, inspired by the GDPR. It was published in 2018, came into force in 2020, and penalties have been enforceable since 2021.

• Published: August 14, 2018
• Effective date: September 18, 2020
• Fines enforced since: August 1, 2021
• Supervisory authority: ANPD

Who does it apply to?

The LGPD applies to any organization that processes personal data of individuals located in Brazil, regardless of where the company is based.

Example: If you sell products in Brazil or collect emails from Brazilian users via your website, you must comply with the LGPD.

What is personal data, according to the LGPD?

Article 5, I: Any information relating to an identified or identifiable natural person.

• Name, email, CPF, phone number
• IP address, cookies, browsing behavior

Article 5, II: Sensitive data (e.g. health, religion, political views) requires extra protection and explicit consent.

User rights

Article 18: The LGPD grants nine key rights to data subjects, including:

• Confirmation of processing
• Access to their personal data
• Correction or deletion of data
• Data portability
• Right to object to processing
• Right not to be subject to automated decisions

Key obligations

1. Privacy notice
You must inform users about data collection, processing purposes, legal basis, user rights, and contact details.
Articles 9 and 18

2. Valid consent
Consent must be clear, free, and informed. Pre-checked boxes are not valid.
Article 7, I

3. Data processing records
You must document what data you collect, why, how you protect it, and who has access.
Article 37

4. Security measures
You must implement technical and administrative safeguards to prevent unauthorized access or loss.
Article 46

5. Third-party data sharing
You must sign contracts with service providers that process personal data on your behalf.
Article 39

What does the LGPD mean for your website?

• You need a clear privacy policy
• A cookie banner with valid consent is required
• You must provide a form for users to exercise their rights
• Each data use must have a valid legal basis
• You need contracts with third-party providers (email, CRM, payment platforms...)

What happens if you don’t comply?

• Official warnings
• Fines of up to 2% of annual revenue (max R$50 million per violation)
• Suspension or deletion of processed data

How to Comply with the LGPD

• Audit what data you collect and why
• Define the legal basis for each processing activity
• Update your privacy policy
• Implement a cookie banner
• Enable a user rights request form
• Review contracts with external data processors

How Lawwwing can help

Lawwwing automates compliance with privacy laws such as the LGPD, GDPR, and CCPA/CPRA.

• Generates a fully customized LGPD privacy policy
• Includes a compliant cookie banner
• Adds user rights request forms to your site
• Detects potential compliance issues automatically
• Tracks user requests and proof of compliance

Conclusion

The LGPD is fully enforceable and affects any business with users in Brazil. Compliance not only avoids penalties but builds user trust and boosts your brand’s credibility.

Make it easy. Make it legal. Make it with Lawwwing.