LGPD Compliance for SaaS Founders: Brazil's Privacy Law in 2026
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709/2018) has been in force since September 2020, but enforcement by the Autoridade Nacional de Proteção de Dados (ANPD) only really started biting in 2023–2024. In 2026, ANPD is fully staffed, has published several regulatory frameworks, and has begun issuing meaningful fines.
If your SaaS has Brazilian users — or you offer goods or services to people in Brazil — LGPD applies to you, regardless of where you're incorporated. Here's what every founder needs to know.
Does LGPD Apply to You?
LGPD Art. 3 establishes extraterritorial scope, similar to GDPR Art. 3. LGPD applies if any one of the following is true:
- The processing activity takes place in Brazilian territory, OR
- The processing activity has the purpose of offering goods or services to data subjects located in Brazil, OR
- The personal data was collected from data subjects in Brazil
| Scope test | GDPR (Art. 3) | LGPD (Art. 3) |
|---|---|---|
| Establishment in jurisdiction | Yes — EU establishment triggers | Yes — Brazil establishment triggers |
| Offering goods/services to data subjects in jurisdiction | Yes — even without establishment | Yes — even without establishment |
| Monitoring behaviour of data subjects in jurisdiction | Yes (Art. 3(2)(b)) | Yes (collected in Brazil) |
| Minimum threshold | No revenue threshold | No revenue threshold |
If your sign-up page lists Brazil in the country dropdown, accepts Brazilian credit cards, has Portuguese-Brazilian localisation, or you market specifically to Brazilian users — you are in scope.
10 Lawful Bases (vs GDPR's 6)
LGPD provides ten lawful bases under Art. 7 (general data) and additional bases under Art. 11 (sensitive data). The general bases are:
| Basis | LGPD Art. | When to Use | SaaS Example |
|---|---|---|---|
| Consent | Art. 7, I | Marketing, optional analytics, sensitive data (Art. 11) | Newsletter sign-up opt-in |
| Compliance with legal obligation | Art. 7, II | Tax records, anti-money-laundering | Brazilian SaaS invoicing & CPF retention |
| Public policy execution | Art. 7, III | Public-sector processing | Usually N/A for private SaaS |
| Studies by research bodies | Art. 7, IV | Statistical / scientific research | Anonymised analytics for academic partners |
| Performance of contract | Art. 7, V | Service delivery, billing | Most core SaaS processing |
| Regular exercise of rights | Art. 7, VI | Judicial, administrative, arbitration | Defending against a chargeback dispute |
| Protection of life / physical safety | Art. 7, VII | Emergency contact, vital interest | Health SaaS emergency disclosure |
| Health protection | Art. 7, VIII | Health entities / professionals | Telehealth platforms |
| Legitimate interests | Art. 7, IX | Fraud prevention, security, B2B prospecting | Account security logging |
| Credit protection | Art. 7, X | Credit bureaus, scoring | Fintech SaaS underwriting |
Key differences from GDPR: LGPD has explicit bases for credit protection and health processing that GDPR rolls into other articles. "Public policy execution" is a Brazilian-specific basis usually not relevant to private SaaS.
Sensitive Data (Dados Sensíveis) — Art. 11
LGPD recognises six categories of sensitive personal data:
- Racial or ethnic origin
- Religious belief or conviction
- Political opinion or union membership
- Health or sex life data
- Genetic data
- Biometric data when used for unique identification
Why this matters for SaaS: If you use biometric authentication (Face ID for app sign-in, voice authentication, fingerprint), that's sensitive data under LGPD even if GDPR treats it slightly differently. Religious belief and political opinion are also explicitly sensitive — if you build community or social SaaS that collects this, you need stronger safeguards.
Sensitive data requires either explicit consent OR one of ten narrower bases listed in Art. 11(2) (e.g. legal obligation, health protection by a health professional, fraud prevention by a credit institution).
9 Data Subject Rights (Art. 18) — More Than GDPR
| Right | LGPD Art. 18 | GDPR Equivalent | Notable Difference |
|---|---|---|---|
| Confirmation of processing | I | Art. 15 (part) | Explicit in LGPD as separate right |
| Access to data | II | Art. 15 | Substantially similar |
| Correction | III | Art. 16 | Similar |
| Anonymisation, blocking or deletion of unnecessary data | IV | No direct equivalent | LGPD-specific; covers unnecessary/excessive/non-compliant data |
| Portability | V | Art. 20 | Pending detailed ANPD regulation |
| Deletion of data processed with consent | VI | Art. 17 (part) | Narrower — only for consent-based processing |
| Information about sharing | VII | Art. 15 (part) | Explicit right to identify third-party recipients |
| Information about consent refusal | VIII | No direct equivalent | Unique to LGPD — you must explain consequences of saying no |
| Revocation of consent | IX | Art. 7(3) | Similar |
LGPD doesn't have a separate "restriction of processing" right like GDPR Art. 18, but the right to anonymise / block in Art. 18(IV) covers similar ground in practice.
Response timeframe: LGPD itself doesn't specify a hard deadline, but ANPD guidance and market practice converge on 15 days from the request. Build your DSR workflow for 15 days.
ANPD Fines — Art. 52
ANPD's enforcement powers escalate:
- Simple warning (with correction period)
- Publication of the infraction
- Blocking of personal data to which the infraction refers
- Deletion of the personal data
- Partial or total suspension of the processing activities
- Fine of up to 2% of the company's revenue in Brazil in its last fiscal year (gross), limited to R$50 million per violation
- Daily fines
ANPD has been ramping up enforcement — the first significant fines hit during 2023–2025, and 2026 is expected to see broader enforcement now that the agency is fully staffed. Don't bank on "ANPD won't notice us."
The Encarregado (DPO Equivalent)
Under ANPD Resolution No. 2/2022, controllers processing personal data are required to designate an Encarregado (Encarregado pelo Tratamento de Dados Pessoais). In practice, this is mandatory for effectively all LGPD-covered companies. Small businesses have lighter documentation requirements but still need to designate someone.
Duties of the Encarregado (Art. 41):
- Accept complaints and communications from data subjects, respond, and adopt measures
- Receive communications from ANPD and adopt measures
- Guide employees and contractors on data protection practices
- Carry out other activities determined by the controller or established in supplementary norms
The Encarregado can be an internal employee, a third-party service provider, or an external consultant. Their identity and contact must be publicly available — typically on your privacy page.
International Data Transfers (Art. 33–35)
Brazil has not issued many adequacy decisions yet. The transfer mechanisms under Art. 33 are:
- Adequacy decision by ANPD (very few countries to date)
- Standard contractual clauses (ANPD has published its own model SCCs)
- Global corporate policies / BCRs
- Specific contractual clauses approved by ANPD
- ANPD cooperation agreements with foreign authorities
- International cooperation for legal/regulatory obligations
- Protection of life or physical safety
- Authorisation by ANPD
- Commitments assumed in international cooperation
- Execution of public policy or legal attribution of public service
- Specific and highlighted consent of the data subject for the transfer
For most SaaS founders, the realistic options are ANPD-style SCCs or explicit consent. The ANPD's regulatory framework around international transfers is still developing in 2026 — it lags GDPR's by several years.
Practical 8-Step LGPD Compliance Checklist
- Appoint an Encarregado. Publish their name (or company name if outsourced) and contact email on your privacy page. This is your single most visible LGPD signal.
- Map your data. Build a Record of Processing Activities (Art. 37) equivalent. Track each processing purpose, lawful basis, data categories, retention period, and sub-processors.
- Review and update your Privacy Policy with LGPD-specific disclosures: the 10 lawful bases, the 9 Art. 18 rights, Encarregado contact, ANPD complaint rights, and fines context.
- Create an Aviso de Coleta (Notice at Collection) for each data collection point. This is a short notice required by Art. 9 and is distinct from your full privacy policy.
- Implement mechanisms for all 9 data subject rights with a 15-day response window.
- Review and document your lawful bases. Most SaaS will use a mix of "performance of contract" (Art. 7, V), "legitimate interests" (Art. 7, IX), and "consent" (Art. 7, I, for marketing and sensitive data).
- Assess international transfers. Where does Brazilian user data physically go? The AWS São Paulo region keeps it in Brazil; us-east-1 doesn't. Implement an appropriate Art. 33 mechanism for every flow that leaves the country.
- Train your team on LGPD obligations: who the Encarregado is, what to do when a data subject request arrives, and breach response (ANPD breach notification is required; the timeline is determined case-by-case).
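Steps 2, 5, 6 and 7 of the checklist produce a processing register that can be checked mechanically: every activity needs a known lawful basis, sensitive categories need explicit consent or an Art. 11 basis, storage outside Brazil needs an Art. 33 mechanism, and open data subject requests must be answered within the 15-day window. The Python below is an added illustration of such a policy-as-code check; it is not code from the guide or from any of the tools it mentions. The field names (`Activity`, `check_activity`, `ART11_BASES`, `BRAZIL_REGIONS`), the basis and mechanism labels, the assumption that `sa-east-1` is the AWS São Paulo region, and the sample register and requests are all this example's own constructions.

```python
"""Policy-as-code checks over an LGPD processing register (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Six sensitive categories from LGPD Art. 11, as listed in the guide (labels are this example's).
SENSITIVE_CATEGORIES = {
    "racial_or_ethnic_origin", "religious_belief", "political_opinion_or_union",
    "health_or_sex_life", "genetic", "biometric_identification",
}

# Ten general lawful bases of Art. 7 (labels chosen for this example).
GENERAL_BASES = {
    "consent", "legal_obligation", "public_policy", "research", "contract",
    "exercise_of_rights", "protection_of_life", "health_protection",
    "legitimate_interests", "credit_protection",
}

# Bases acceptable for sensitive data: specific, highlighted consent plus the narrower
# Art. 11 bases the guide gives as examples. Assumption: extend from the statute text.
ART11_BASES = {"explicit_consent", "legal_obligation", "health_protection", "fraud_prevention"}

# Subset of the Art. 33 transfer mechanisms, again with example labels.
TRANSFER_MECHANISMS = {
    "anpd_adequacy", "anpd_scc", "global_corporate_policy",
    "anpd_specific_clauses", "anpd_authorisation", "specific_consent",
}

# Assumption: the AWS São Paulo region the guide refers to is sa-east-1.
BRAZIL_REGIONS = {"sa-east-1"}

DSR_RESPONSE_DAYS = 15  # market-practice window cited in the guide


@dataclass
class Activity:
    """One row of the Art. 37 processing register."""
    name: str
    purpose: str
    lawful_basis: str
    data_categories: Set[str]
    retention_days: int
    subprocessors: List[str]
    storage_regions: Set[str]
    transfer_mechanism: Optional[str] = None


def check_activity(a: Activity) -> List[str]:
    """Return findings for one register entry; an empty list means it passes."""
    findings = []
    if a.lawful_basis not in GENERAL_BASES | ART11_BASES:
        findings.append(f"{a.name}: unknown lawful basis '{a.lawful_basis}'")
    sensitive = a.data_categories & SENSITIVE_CATEGORIES
    if sensitive and a.lawful_basis not in ART11_BASES:
        findings.append(f"{a.name}: sensitive data {sorted(sensitive)} needs explicit consent "
                        f"or an Art. 11 basis, not '{a.lawful_basis}'")
    if a.retention_days <= 0:
        findings.append(f"{a.name}: retention period must be documented")
    outside = a.storage_regions - BRAZIL_REGIONS
    if outside and a.transfer_mechanism not in TRANSFER_MECHANISMS:
        findings.append(f"{a.name}: data stored in {sorted(outside)} leaves Brazil "
                        f"without an Art. 33 mechanism")
    return findings


def check_register(activities: List[Activity]) -> Dict[str, List[str]]:
    """Map activity name to its findings, keeping only activities that failed."""
    result = {a.name: check_activity(a) for a in activities}
    return {name: f for name, f in result.items() if f}


def dsr_due_date(received_iso: str) -> str:
    """Due date (ISO string) for a data subject request received on received_iso."""
    return (date.fromisoformat(received_iso) + timedelta(days=DSR_RESPONSE_DAYS)).isoformat()


def overdue_requests(requests: Dict[str, str], today_iso: str) -> List[str]:
    """IDs of open requests whose 15-day window has already passed as of today_iso."""
    today = date.fromisoformat(today_iso)
    return sorted(rid for rid, received in requests.items()
                  if date.fromisoformat(dsr_due_date(received)) < today)


# Constructed sample register: one compliant activity, one with two problems.
SAMPLE_REGISTER = [
    Activity("billing", "invoice customers", "contract", {"name", "email", "cpf"},
             retention_days=1825, subprocessors=["payment-processor"], storage_regions={"sa-east-1"}),
    Activity("biometric_login", "face unlock in the mobile app", "legitimate_interests",
             {"biometric_identification", "device_id"}, retention_days=365,
             subprocessors=["auth-vendor"], storage_regions={"us-east-1"}),
]

# Constructed open requests: request id -> date received.
SAMPLE_REQUESTS = {"req-001": "2026-03-01", "req-002": "2026-03-20"}

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name, "->", findings)
    print("overdue on 2026-03-21:", overdue_requests(SAMPLE_REQUESTS, "2026-03-21"))
```

Run against the sample data, `billing` passes, `biometric_login` is flagged twice (sensitive data on a legitimate-interests basis, and storage in us-east-1 with no transfer mechanism), and `req-001` shows as overdue on 2026-03-21 while `req-002` is still within its window. Wiring a check like this into the pipeline that deploys new data flows is what keeps the register from drifting from reality between audits.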
The Bottom Line
LGPD is GDPR-adjacent but not identical — it has more lawful bases, more data subject rights, and an Encarregado requirement that's effectively universal. If you've done GDPR work, you're 70% of the way there. The remaining 30% is the Encarregado, the Aviso de Coleta, the LGPD-specific rights language, and the international transfer framework.
Skipping LGPD because "we're not based in Brazil" is a bet you'll lose once ANPD starts cross-border enforcement — which it can do via cooperation agreements with foreign DPAs.
⚠️ This guide is for informational purposes and does not constitute legal advice. LGPD is enforced by ANPD and has Brazilian-specific procedural requirements — always verify with qualified Brazilian privacy counsel before relying on any compliance approach.