
What is LGPD?

The LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018) is Brazil’s general data protection law. It was enacted in 2018, has been in force since September 2020, and ANPD has been able to impose penalties under it since August 2021. It regulates how personal data of individuals in Brazil is collected, processed, stored, and shared. LGPD is heavily inspired by GDPR and shares many of the same principles, but has important differences that Brazilian businesses, and any company processing data of people in Brazil, need to understand.

Who does LGPD apply to?

LGPD applies to you if:
  • You process personal data of individuals located in Brazil
  • The data processing takes place in Brazil
  • The data was collected in Brazil
  • You offer goods or services to individuals in Brazil
It doesn’t matter where your company is headquartered: if you send email to people located in Brazil, LGPD applies.

Key principles for email

1. Legal basis

Like GDPR, LGPD requires a legal basis for every processing of personal data. For email marketing, the relevant bases are:
  • Consent: the most straightforward basis. The recipient explicitly agrees to receive your emails.
  • Legitimate interest: you have a genuine reason to contact the person, balanced against their privacy rights. LGPD lets ANPD demand a data protection impact report whenever processing relies on legitimate interest, so document the balancing in a Legitimate Interest Assessment (LIA) before you start sending.
For transactional emails (password resets, receipts, delivery notices) the basis is typically contract execution or the regular exercise of rights: the email is necessary for a service the user already has with you.

2. Consent requirements

Consent for email marketing under LGPD must be:

Requirement | What it means
Free | Not coerced or bundled with other terms
Informed | The recipient knows what they’re consenting to
Unambiguous | A clear affirmative action (not silence or a pre-checked box)
Specific | Given for a specific purpose (for example “marketing emails from SendKit”)

Like GDPR, LGPD does not accept pre-checked checkboxes or bundled consent as valid. The recipient must take an explicit action to opt in, and you must be able to prove it later: LGPD places the burden of proving that consent was validly obtained on the controller.

3. Right to information

At the time of data collection, you must inform the recipient about:
  • What data you’re collecting
  • Why you’re collecting it (purpose)
  • How long you’ll keep it
  • Who you’ll share it with (including email service providers like SendKit)
  • How they can exercise their rights
This is typically handled through a privacy policy linked from your signup form.

4. Rights of data subjects

LGPD grants recipients several rights:
Right | Description
Confirmation | Confirm whether their data is being processed
Access | Request a copy of their personal data
Correction | Request correction of incomplete, inaccurate or outdated data
Deletion | Request deletion of unnecessary or excessive data, and of data processed on the basis of consent once that consent is withdrawn
Portability | Request data in a standard format for transfer to another provider
Revocation | Withdraw consent at any time
Information | Know which third parties their data was shared with
For email, the most common requests are deletion (remove me from your lists) and revocation (I withdraw my consent for marketing emails).

5. Data minimization

Only collect and process the data you actually need. For email sending, this means:
  • Necessary: email address, name (for personalization), consent record
  • Probably not necessary: phone number, physical address, date of birth (unless relevant to your product)
Don’t collect extra data “just in case”; this violates the data minimization principle.

LGPD vs GDPR

Aspect | LGPD | GDPR
Geographic scope | Data of individuals in Brazil | Data of individuals in the EU/EEA
Legal bases | 10 legal bases | 6 legal bases
DPO requirement | Required by default for every controller (ANPD exempts small-scale processing agents) | Required only in specific cases
Consent for marketing | Explicit consent required | Explicit consent required
Data breach notification | Statute says “reasonable time”; ANPD’s 2024 incident regulation sets three business days | 72 hours
Fines | Up to 2% of revenue in Brazil, capped at R$50 million per violation | Up to 4% of global revenue or €20 million, whichever is higher
Enforcement | ANPD (Autoridade Nacional de Proteção de Dados) | National DPAs in each EU country

Notable differences

More legal bases. LGPD has 10 legal bases for processing (vs GDPR’s 6), including “protection of credit” and “regular exercise of rights.”

DPO for (almost) everyone. LGPD requires controllers to appoint a Data Protection Officer (DPO), called “Encarregado” in Portuguese, regardless of sector or size. ANPD’s 2022 rules for small-scale processing agents exempt them from the appointment, but they must still publish a contact channel for data subjects. GDPR only requires a DPO in specific cases.

Breach notification deadline. The statute itself only says notification must happen in a “reasonable time”, but ANPD’s 2024 security-incident regulation sets a deadline of three business days from becoming aware of the incident, versus GDPR’s strict 72-hour deadline.

The role of ANPD

The ANPD (Autoridade Nacional de Proteção de Dados) is Brazil’s data protection authority. It’s responsible for:
  • Issuing guidance on LGPD compliance
  • Investigating complaints
  • Imposing penalties
  • Approving codes of conduct and certifications
ANPD has been actively issuing guidelines and increasing enforcement since 2023.

Penalties

Penalty type | Maximum
Warning | With a deadline to fix the issue
Simple fine | 2% of revenue in Brazil, up to R$50 million per violation
Daily fine | Accrues per day for ongoing violations, subject to the same R$50 million cap
Data blocking | Prohibition on using the data until the issue is resolved
Data deletion | Mandatory deletion of the data involved

Checklist for compliance

  • Marketing emails only go to recipients who gave explicit consent
  • Consent records include what, when, how, and purpose
  • Privacy policy is accessible and explains data processing practices
  • Every marketing email has a working unsubscribe link
  • You can process data access, correction, deletion, and portability requests
  • A DPO (Encarregado) has been appointed
  • Data processing agreements are in place with third-party processors (like SendKit)
  • Only necessary data is collected (data minimization)

FAQ

Does LGPD apply to a company outside Brazil?

Yes, if you process personal data of individuals in Brazil or offer goods/services to people in Brazil. The company’s location doesn’t matter; what matters is the location of the data subjects.

Do I need a DPO (Encarregado)?

Almost certainly yes. LGPD requires controllers to appoint an Encarregado; ANPD exempts only small-scale processing agents, and even they must publish a contact channel for data subjects. The role can be filled by an internal employee or an external service, and the DPO’s contact information must be publicly available.

Is double opt-in required?

Not explicitly, but strongly recommended. Because LGPD puts the burden of proving consent on the controller, a double opt-in confirmation (a timestamped click on a link sent to the address itself) is the simplest evidence that the address owner actually opted in. It also protects you from fraudulent or mistyped signups.
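The checklist items on consent records (what, when, how, purpose) and the double opt-in answer above describe one mechanism, so here is a single worked example of it. This is an added illustration, not SendKit’s code: it assumes an HMAC-signed, time-limited confirmation token, an in-memory store standing in for a database table, and field and function names chosen here. It shows the three states a subscriber can be in (pending, confirmed, withdrawn), rejects forged, expired and replayed confirmation links, and can export a subject’s records for access or portability requests.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional

# Hypothetical server-side secret; in production load it from a secret manager.
SECRET_KEY = b"example-only-change-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed confirmation window: 48 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """Build the HMAC-signed, time-limited token that goes in the confirm link."""
    claims = {"email": email, "purpose": purpose, "iat": issued_at,
              "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_confirmation_token(token: str, now: int) -> Optional[dict]:
    """Return the token's claims, or None if it is malformed, forged or expired."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or now - int(claims.get("iat", 0)) > TOKEN_TTL_SECONDS:
        return None
    return claims


@dataclass
class ConsentRecord:
    """The evidence LGPD expects the controller to keep: what, when, how, purpose."""
    email: str
    purpose: str                # specific purpose, e.g. "marketing emails from SendKit"
    consent_text: str           # exact wording shown next to the checkbox (what)
    source: str                 # form or page where it was collected (how)
    ip_address: str
    requested_at: int           # when the box was ticked
    confirmed_at: Optional[int] = None   # when the confirmation link was clicked
    withdrawn_at: Optional[int] = None   # when consent was revoked


class ConsentStore:
    """In-memory stand-in for a database table of consent records (assumption)."""

    def __init__(self) -> None:
        self._records: dict = {}  # (email, purpose) -> ConsentRecord

    def request_consent(self, email, purpose, consent_text, source, ip, now) -> str:
        # Ticking the box only creates a pending record; nothing may be sent yet.
        self._records[(email, purpose)] = ConsentRecord(
            email, purpose, consent_text, source, ip, now)
        return make_confirmation_token(email, purpose, now)

    def confirm(self, token: str, now: int) -> Optional[ConsentRecord]:
        claims = verify_confirmation_token(token, now)
        if claims is None:
            return None
        rec = self._records.get((claims["email"], claims["purpose"]))
        if rec is None or rec.confirmed_at is not None:
            return None  # unknown subscriber, or link already used (replay)
        rec.confirmed_at = now
        return rec

    def withdraw(self, email: str, purpose: str, now: int) -> Optional[ConsentRecord]:
        rec = self._records.get((email, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now
        return rec

    def can_send(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def export(self, email: str) -> list:
        """Access/portability request: every record for a subject as plain dicts."""
        return [asdict(r) for (e, _), r in self._records.items() if e == email]


def demo() -> dict:
    """Run the whole flow on constructed sample data and report each outcome."""
    store, t0 = ConsentStore(), 1_700_000_000  # fixed clock for reproducibility
    email, purpose = "ana@example.com", "marketing emails from SendKit"
    token = store.request_consent(email, purpose, "I want to receive marketing emails from SendKit",
                                  "signup-form-v3", "203.0.113.5", t0)
    out = {"pending_can_send": store.can_send(email, purpose)}
    out["forged_token"] = verify_confirmation_token(token + "0", t0) is None
    out["expired_token"] = verify_confirmation_token(token, t0 + TOKEN_TTL_SECONDS + 1) is None
    out["confirmed"] = store.confirm(token, t0 + 600) is not None
    out["replay_rejected"] = store.confirm(token, t0 + 700) is None
    out["confirmed_can_send"] = store.can_send(email, purpose)
    store.withdraw(email, purpose, t0 + 86_400)  # "I withdraw my consent"
    out["withdrawn_can_send"] = store.can_send(email, purpose)
    out["export"] = store.export(email)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for the evidence this produces: the record is created when the box is ticked but sending is gated on `confirmed_at`, so an unconfirmed signup never receives marketing, and withdrawal never deletes the record, because the history of when consent was given and revoked is itself what you show ANPD if asked. Deletion requests under the right to erasure are a separate step applied after the retention period you disclosed in the privacy policy.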