LGPD

The LGPD is Brazil’s comprehensive data protection law, enacted in 2018 and enforceable since 2020. It applies to any organization that processes the personal data of individuals in Brazil, regardless of where the organization is based. The law draws significant inspiration from the GDPR and shares many of its structural elements.

The LGPD defines ten legal bases for processing personal data, including consent, legitimate interest, contract performance, and legal obligation. It grants data subjects rights to access, correct, delete, and port their data. Organizations must appoint a Data Protection Officer and report security incidents to the national authority, the ANPD.

Consent under the LGPD must be free, informed, and unambiguous, and it must be specific to defined purposes. Sensitive personal data, including biometric and health data, requires separate explicit consent or must fall under a specific legal exception.

For CIAM, the LGPD imposes requirements on consent capture, data subject rights workflows, and cross-border data transfer that mirror the GDPR’s demands for any platform serving Brazilian customers.