LGPD vs GDPR: How Cookie Consent Requirements Differ Between Brazil and the EU

LGPD Overview

Brazil's Lei Geral de Proteção de Dados (LGPD) took effect in 2020. It applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is located.

Key Differences from GDPR

Legal Bases

GDPR has 6 legal bases. LGPD has 10, including "protection of credit" and "regular exercise of rights." For cookies, both typically rely on consent.

Consent Requirements

Both require informed, unambiguous consent. LGPD is slightly less prescriptive about banner design: it has no explicit "reject button" mandate like the one in CNIL's guidance. However, consent must still be freely given and withdrawable.

DPO Requirements

GDPR requires a DPO for certain controllers. LGPD requires every controller to appoint a DPO (encarregado).

Penalties

GDPR: up to EUR 20M or 4% of global revenue. LGPD: up to 2% of Brazilian revenue, capped at R$50M per violation.

Cookie Consent Under LGPD

LGPD does not have an equivalent of the ePrivacy Directive. Cookie consent falls under the general consent provisions of LGPD Article 7 and Article 8. The ANPD (National Data Protection Authority) has issued guidance recommending cookie banners for websites with Brazilian users.

Handling Both with One CMP

FlexyConsent's geo-targeting shows GDPR-compliant banners to EU visitors and LGPD-appropriate banners to Brazilian visitors. One CMP, two regulatory frameworks, zero configuration complexity.
