This page uses cookies to improve the user experience on our website. By clicking "Accept", you consent to the collection and use of the information to ensure the best browsing experience. To find out more, read out our Privacy Policy.


General Data Protection Law (LGPD) in Brazil: what you need to know

Published on 10/01/2020 - Updated on 05/08/2023

On September 18th, 2020, the LGPD – Brazil’s General Data Protection Law – became effective. This brings a series of implications for companies of any nature that hold personal data – including ecommerce businesses.

With this resolution, how can businesses comply with the regulations? This is what we will address in this article.


What is LGPD?

The LGDP establishes rules regarding the collection, storage, treatment, and sharing of personal data. This will result in higher safety measures for personal data and severer penalties for non-compliance. This means that all companies operating in Brazil that hold personal information in their databases are expected to comply with the law.

The LGPD shares a number of similarities with the EU’s General Data Protection Regulation (GDPR), one being that it applies to any business or organization that processes the personal data of people in Brazil, regardless of where the business or organization is located.


What actions should companies take to comply with LGPD?

According to Statista, as of March 2020 around 37% of companies surveyed in Brazil stated that they had policies and/or norms regarding personal data protection. Less than 14 percent of the companies surveyed were mapping risks in data protection and information security.




To guarantee a company’s compliance with the LGPD, Hartmann Burmeister advises the following steps:

1. Talk to a lawyer so he or she may analyze the data collected by your company and formulate changes in the contracts, as well as write consents and the terms of use.

2. Appoint a professional responsible for information security to make the changes necessary in the area of technology.

3. Involve Human Resources to help guide your team with data collection.

4. Hire an auditor or risk analyst to ensure that the process is appropriate for your situation.


Understand the twists and turns

LGPD’s effective date has suffered many vacillations. According to Pinheiro Neto:

“LGPD’s effective date suffered with many twists and turns given the legislative process involving Provisional Measure (executive order) 959/2020 (“MP 959”), which extended that date to May 2021, and other bills of law on the same subject. The Brazilian Senate had the final word rejecting the extension and converting MP 959 into Bill 34/2020, which was then swiftly handed over to Brazil’s president for signature”.

Signature by President Jair Bolsonaro occurred on September 18th, 2020, and Law 14.508/20/20 has been made public. Under Brazil’s Constitution (article 62, paragraph 12), MP 959 remained effective until September 17th.

In other words, the LGPD  became effective on September 18th; however, the sanctions provided in the law will take effect on August 1st, 2021. Such penalties can be applied to up to 2% on the company’s revenue, reaching a limit of BRL 50 million.

Preparing your company to comply with the LGPD is crucial at this point. Talk to a legal professional, evaluate the necessity of nominating a DPO (data protection officer), and stay ahead!

Paula Martins is a journalist specializing in Marketing. Her areas of expertise include payment methods, digital payments, and e-commerce. Currently, ... View profile

Leave a Reply

Your email address will not be published.