Security + privacy regulations in Brazil

LGPD (Law 13.709/2018, in force since September 2020, with administrative sanctions applicable from August 2021) is South America's most established privacy regime and one of the most comprehensive emerging-market privacy laws. It mirrors GDPR in structure: ten legal bases for processing (Art. 7), data-subject rights (Art. 18), security-incident notification (Art. 48), and mandatory appointment of an encarregado (Data Protection Officer) by controllers (Art. 41), with ANPD exemptions for small-scale processing agents. ANPD (Autoridade Nacional de Proteção de Dados) is the regulator; its board has been in place since late 2020, it became an autonomous federal agency in 2022, and it is increasingly active in enforcement. LGPD applies extraterritorially (Art. 3): processing is in scope when it takes place in Brazil, when the data were collected in Brazil, or when it aims at offering goods or services to individuals located in Brazil, regardless of where the processing entity is based. Fines can reach 2% of the entity's or group's revenue in Brazil for the prior fiscal year, capped at BRL 50 million per infraction; other sanctions include warnings, publication of the infraction, and blocking or deletion of the affected data.

Brazilian data-subject rights are strong. The right to data portability, the right to revoke consent at any time, and the right to be told which public and private entities have received one's data are all explicit in Art. 18. ANPD has issued guidance on cookies, legitimate-interest assessments, and encarregado designation.

Marco Civil da Internet (Law 12.965/2014) regulates internet service providers and intermediary liability. Connection providers (ISPs) must retain connection logs for one year; internet application providers, which includes SaaS services operated as a business, must retain application access logs for six months, under confidentiality and in a secure environment. Its intermediary-liability rule is a safe harbour rather than a content-moderation duty: a provider is civilly liable for third-party content only if it fails to comply with a specific court order to remove it, with a notice-based exception for non-consensual intimate imagery. SaaS startups serving Brazilian users are therefore directly in scope for the access-log retention duty, and will also encounter Marco Civil through their hosting providers.

Key laws + frameworks

LGPD

Brazil's general data protection law. GDPR-adjacent with Brazilian-specific variations.

Marco Civil

Internet regulatory framework (Law 12.965/2014): ISP connection-log retention (1 year), application access-log retention (6 months) + court-order-based intermediary liability.

Consumer Defense Code (CDC)

Consumer-protection law (Law 8.078/1990) applied by courts to privacy-related service disputes, including data leaks affecting consumers.

Regulators

  • Autoridade Nacional de Proteção de Dados (ANPD)
  • Consumer-protection agencies (PROCON)

Breach notification

To ANPD and affected data subjects. LGPD Art. 48 itself only requires notice "within a reasonable time, as defined by the national authority"; ANPD Resolution CD/ANPD 15/2024 fixes that deadline at 3 business days from the controller becoming aware of an incident that may cause relevant risk or harm to data subjects, replacing the ANPD's earlier non-binding recommendation of 2 business days. The same resolution prescribes the contents of the notice and requires controllers to keep an internal register of security incidents, including those not reported.

Cross-border transfer

Permitted (LGPD Art. 33) when: the destination country or international organization has been recognized by ANPD as providing an adequate level of protection; the controller offers guarantees through standard contractual clauses, specific contractual clauses or binding corporate rules; or the data subject has given specific and highlighted consent to the transfer (plus narrower grounds such as international legal cooperation, protection of life, and ANPD authorization). ANPD Resolution CD/ANPD 19/2024 regulates these mechanisms and publishes Brazil's own standard contractual clauses, which are not the EU SCCs; transfers relying on the SCC mechanism must use the ANPD model. Adequacy decisions follow the procedure in the same resolution, so check ANPD's current list rather than assuming GDPR adequacy carries over.

Startup priority

Priority stack for Brazil-facing SaaS: (1) If you are already GDPR-compliant, LGPD is typically a 1-2 week extension rather than a new program: Brazilian-Portuguese privacy policy, DPA template adapted to LGPD terminology (controlador/operador, encarregado) and to the ANPD standard contractual clauses for transfers out of Brazil, and a consent flow that meets LGPD's requirement for free, informed, unequivocal consent for specific purposes. (2) Appoint an encarregado (DPO); controllers must do so unless they fall within ANPD's small-scale-agent exemption, and the encarregado's identity and contact details must be published. (3) Add ANPD to your incident-response runbook with the 3-business-day notification deadline and the notice contents required by Resolution CD/ANPD 15/2024, and keep an internal register of incidents.