Brazil is the largest economy in Latin America, home to over 215 million people — and growing fast as a B2B SaaS market. If your product has Brazilian users, employees, or lead data, Brazil's Lei Geral de Proteção de Dados (LGPD) applies to you.
LGPD came into force on September 18, 2020, with enforcement starting in August 2021. The law was heavily inspired by GDPR — but there are meaningful differences that trip up European and American founders who assume the two are identical.
This guide covers what LGPD is, how it compares to GDPR, the legal bases, what your privacy policy needs to say, and what fines look like.
What is LGPD?
LGPD (Lei nº 13.709/2018) is Brazil's federal data protection law. It was modelled closely on GDPR and is enforced by the Autoridade Nacional de Proteção de Dados (ANPD) — Brazil's data protection authority, established in 2020.
LGPD applies to any processing of personal data of individuals located in Brazil, regardless of where the processor is based — including cloud services operating outside Brazil.
Does LGPD apply to your SaaS?
LGPD applies if any of the following are true:
- The processing happens in Brazil
- The processing is done to offer goods or services to people in Brazil
- The personal data was collected in Brazil
Neither law sets a minimum user threshold: some misread GDPR as requiring a substantial EU presence, but it does not, and LGPD has no such threshold either. If you have even one paying Brazilian customer or one Brazilian trial user, LGPD is in scope.
LGPD vs GDPR: Key similarities
The two laws share a common DNA:
- Data subject rights — access, correction, deletion, portability, and the right to object all exist in LGPD
- Legal bases for processing — you need a legal basis (LGPD has 10; GDPR has 6)
- Privacy by design — both require technical and organisational measures
- Data breach notification — LGPD requires notification to ANPD and affected individuals within a "reasonable timeframe" (ANPD guidance suggests 2 business days for high-risk breaches)
- Data processing records — both require records of processing activities
- DPO appointment — both require or recommend a Data Protection Officer
LGPD vs GDPR: Key differences
1. Legal bases — LGPD has 10, not 6
GDPR has 6 legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). LGPD has 10:
- Consent of the data subject
- Compliance with a legal obligation
- Execution of public policies by the government
- Research studies (with anonymisation)
- Execution of a contract or pre-contractual steps
- Exercise of rights in judicial, administrative, or arbitration proceedings
- Protection of life or physical safety
- Protection of health (by health professionals or entities)
- Legitimate interests of the controller — similar to GDPR Art. 6(1)(f), but scope is narrower under LGPD
- Credit protection
For SaaS: you'll most commonly rely on consent, contract performance, and legitimate interests. The "credit protection" basis is irrelevant for most SaaS.
2. Consent requirements are stricter
Under LGPD, consent must be free, informed, unambiguous, and given for a specific purpose, and it must be written or in an equivalent form, so oral consent is harder to prove. As under GDPR, withdrawing consent must be as easy as granting it. LGPD also explicitly states that consent obtained through general "terms of service" clauses is invalid where the data processing is buried in a wall of text.
3. Sensitive data — broader than GDPR
LGPD includes a broader list of "sensitive personal data" (dados pessoais sensíveis):
- Racial or ethnic origin
- Religious beliefs
- Political opinions
- Union membership
- Health or sex life data
- Genetic or biometric data
- Sexual orientation — explicitly included (not mentioned in GDPR Art. 9, though inferred)
If your SaaS processes any of these categories, you need explicit consent or a qualifying exception.
4. No equivalent to SCCs for international transfers
GDPR has Standard Contractual Clauses (SCCs) as the workhorse mechanism for international data transfers. LGPD is less mature here. Valid mechanisms include:
- ANPD adequacy decisions (none yet published as of 2026, though EU and UK are under review)
- Contractual clauses approved by ANPD (equivalent to SCCs, but ANPD has not yet published standard clauses)
- Explicit consent of the data subject (for occasional transfers)
- BCRs (binding corporate rules for multinationals)
- Compliance programs recognised by ANPD (still being developed)
Practical upshot: Most SaaS use explicit consent or contractual clauses (often GDPR SCCs adapted for LGPD contexts) until ANPD publishes standard clauses. Keep an eye on ANPD's website for updates.
5. Fines — lower, but still significant
LGPD fines are lower than GDPR in absolute terms but significant relative to Brazil's enforcement landscape:
- Maximum: 2% of Brazilian revenue, capped at R$ 50 million (≈ €9 million / US$10 million) per infraction
- GDPR maximum: 4% of global annual turnover or €20 million, whichever is higher
ANPD can also suspend data processing activities — a far more damaging sanction than a fine for a SaaS company.
6. DPO requirements differ
LGPD requires companies to appoint an Encarregado de Proteção de Dados (equivalent to DPO) and publish their contact details publicly. Unlike GDPR (which only mandates DPOs for certain processors), LGPD broadly requires one for most data controllers. ANPD has since clarified that small businesses may have lighter obligations, but SaaS companies processing customer data at scale should appoint one.
What your privacy policy needs (LGPD specifics)
Under LGPD Art. 9, you must disclose:
- The specific purpose of processing
- The legal basis for each processing activity
- The retention period, or the criteria used to determine it
- Whether sharing with third parties occurs and with whom
- Contact details of the Encarregado (DPO)
- Whether international transfers occur and under what safeguards
- How to exercise data subject rights
Your GDPR-compliant privacy policy will cover most of this. The main gaps are usually: (1) LGPD-specific legal bases aren't mapped, (2) ANPD and Encarregado aren't mentioned, and (3) international transfer mechanisms aren't described for Brazil specifically.
Practical compliance checklist for SaaS with Brazilian users
- ✅ Add an LGPD section to your privacy policy (mention ANPD, Encarregado contact, LGPD Art. 9 disclosures)
- ✅ Map your legal bases for Brazilian data — don't assume GDPR bases map directly
- ✅ Appoint or designate an Encarregado (can be the same person as your GDPR DPO)
- ✅ Ensure your data subject rights workflow covers Brazilian users (access, correction, deletion, portability)
- ✅ Review your international transfer mechanisms for Brazilian data flows
- ✅ Update breach notification procedures — ANPD notification within 2 business days for high-risk breaches
- ✅ Check consent mechanisms — no bundled consents buried in ToS
Is LGPD adequacy with the EU coming?
Brazil applied for GDPR adequacy in 2023. As of mid-2026, the EU Commission has not yet issued a formal adequacy decision, but the process is ongoing. An adequacy decision would simplify EU-Brazil data flows significantly. Watch for ANPD announcements and EU Commission updates.
Bottom line
LGPD is GDPR's close cousin — if you're already GDPR-compliant, you're about 70% of the way there. The gaps that matter most for SaaS are: legal basis mapping, consent language for Brazilian users, international transfer documentation, and appointing an Encarregado. Fix those and you're in reasonable shape for Brazil.
Start with your privacy policy — our generator creates GDPR and CCPA-aware policies that you can extend for LGPD compliance with your lawyer's help.