LGPD Compliance for Engineering Teams: Brazil's Privacy Law in 2026

LGPD is Brazil's GDPR-adjacent privacy law, in force since 2020. Where it sits in 2026, the ANPD's enforcement posture, and what engineering teams should actually implement.


LGPD (Lei Geral de Proteção de Dados, Law 13.709/2018) has been Brazil's comprehensive privacy law since September 2020. The framework is consciously modeled on GDPR with substantive Brazilian adaptations. The ANPD (Autoridade Nacional de Proteção de Dados) has operated as the supervisory regulator since late 2020 and has progressively expanded its enforcement posture. The 2025 amendments, known informally as LGPD 2.0, tightened obligations around AI processing, children's data, and breach notification. By 2026, LGPD is a mature regime whose enforcement actions carry real consequences.

For engineering teams operating in Brazil, or processing data of individuals located in Brazil, the practical compliance work is what follows.


The model in plain terms#

LGPD defines a Data Subject (Titular), a Data Controller (Controlador) and a Data Processor (Operador): the GDPR-aligned roles under Portuguese-language terminology. The Act applies to processing carried out in Brazil, to processing whose purpose is to offer goods or services to, or to handle data of, individuals located in Brazil, and to data collected in Brazil (Art. 3), regardless of where the processing entity is headquartered. The extraterritorial reach is comparable to GDPR's.

Penalties under LGPD (Art. 52) include fines of up to 2% of the entity's, group's or conglomerate's revenue in Brazil for the prior fiscal year, net of taxes, capped at R$50 million per infraction, plus daily fines, publication of the infraction, blocking or deletion of the data concerned, and suspension or prohibition of the processing activity. Fines issued so far have been modest, but the trend is toward larger ones.

Where LGPD matches GDPR#

The conceptual overlap is substantial:

  • Lawful bases for processing: LGPD lists ten (Art. 7), a superset of GDPR's six, adding research by research bodies, the exercise of rights in judicial, administrative or arbitration proceedings, health protection, and credit protection
  • Purpose limitation and data minimization
  • Rights of access, correction, deletion, portability, anonymization or blocking, and information about the entities with which data has been shared (Art. 18)
  • Data Protection Officer (Encarregado) requirement for controllers, with small-scale processing agents exempted by ANPD regulation
  • Cross-border transfer with adequacy decisions and contractual safeguards
  • Mandatory breach notification to ANPD and (in serious cases) to affected individuals
  • Records of processing activities requirement
  • Data Protection Impact Assessment (Relatório de Impacto à Proteção de Dados Pessoais), which the ANPD may require for high-risk processing (Art. 38)

A solid GDPR program covers most of this. The carryover work focuses on Brazilian-specific details.

Where LGPD differs#

Five practical differences for engineering teams:

Sensitive Personal Data category: LGPD's sensitive category (Art. 5, II) covers racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organisation, health, sex life, and genetic or biometric data, which is essentially the same scope as GDPR's special categories. The practical difference sits in Art. 11: legitimate interest and credit protection are not available bases for sensitive data, so a health or biometric field mis-tagged as ordinary personal data silently loses its lawful basis.

Children's data: children are those under 12, following the Estatuto da Criança e do Adolescente (younger than GDPR's default of 16 and one year below COPPA's 13). Processing children's data requires specific, highlighted consent from at least one parent or legal guardian (Art. 14 §1); adolescents aged 12 to 17 fall under the best-interest rule of Art. 14 but not under the parental-consent requirement.

Cross-border transfer: the ANPD's international transfer regulation (Resolution CD/ANPD No. 19/2024) provides standard contractual clauses (Cláusulas-Padrão Contratuais) in the role of the EU SCCs, alongside specific contractual clauses and global corporate rules (Art. 33). Adequacy decisions for specific countries are in development, and reciprocal adequacy between the EU and Brazil is under discussion as of 2026.

Anonymization vs pseudonymization: LGPD treats anonymized data much as GDPR does (outside the law unless the anonymization can be reversed with reasonable effort, Art. 12); pseudonymized data remains personal data, and LGPD defines pseudonymization only in the context of research (Art. 13).

Public-sector specificity — LGPD includes provisions for processing of personal data by public-sector entities that are more detailed than GDPR’s equivalent.

The 2025 amendments — LGPD 2.0#

The 2025 update introduced several substantive changes:

AI-related processing obligations. For automated decision-making affecting individuals, the controller must provide meaningful information about the logic and criteria used and about the right to human review. In some respects this is stricter than GDPR's Article 22: LGPD imposes specific transparency obligations even for automated systems that merely supplement a human decision.

Children’s data tightening. The 2025 amendment introduced age-verification requirements with specific mechanisms accepted by ANPD (parent ID verification through public registries, etc.).

Breach notification timeline. The statute originally required notice within a "reasonable period" (Art. 48 §1); the 2025 amendment specifies 48 hours to the ANPD and to affected individuals for serious breaches, tighter than GDPR's 72 hours.

Significant Data Operator designation. Modeled loosely on the Significant Data Fiduciary (SDF) tier in India's DPDPA, the 2025 amendment introduced a tier of "Operadores de Tratamento de Grande Porte" with additional obligations including periodic audits, DPO independence requirements, and algorithmic transparency.

Practical engineering checklist for 2026#

What we typically implement for LGPD-targeted programs:

  1. Privacy notice in Portuguese, maintained as content (not hard-coded), reflecting the specific disclosures LGPD requires — purposes, retention, third-party sharing, cross-border transfer, rights, controller contact information.

  2. Consent management with separate records for marketing consent, sensitive-data consent, cross-border transfer consent, and children’s-data consent (where applicable).

  3. Data flow inventory as code — tagging every data store with purpose, retention, sensitivity, and jurisdiction.

  4. DSAR workflow with a 15-day response SLA (Art. 19: a simplified answer immediately, a full declaration within 15 days of the request), integrated with internal ticketing.

  5. Cross-border transfer mechanisms — Cláusulas-Padrão Contratuais where applicable, adequacy reliance where the destination qualifies, consent-based transfer documentation otherwise.

  6. Breach detection and notification with the 48-hour ANPD path automated.

  7. Encarregado de Dados (DPO) designated and documented. For large processors, the DPO must have specific independence.

  8. Algorithmic transparency surface for AI processing affecting individuals — particularly important post-LGPD 2.0.

  9. Children's-data age verification for any service that can plausibly have under-12 users, that is, any service that does not explicitly bar them.

  10. Annual compliance review with documented findings and the ANPD-aligned templates.
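The inventory-as-code, consent-record, transfer-mechanism, DSAR and children's-data items above (items 2, 3, 4, 5 and 9) can be enforced mechanically rather than reviewed by hand. The following Python is an added example written for this post; it is not pdpspectra tooling or any ANPD artefact. The inventory schema, the short labels for lawful bases and transfer mechanisms, the constructed sample stores and the breach-notice window parameter are assumptions chosen for illustration.

```python
"""Policy-as-code checks over an LGPD data-flow inventory.

Added example for this post, not pdpspectra code. The schema, the short
labels for lawful bases and transfer mechanisms, and the sample stores
below are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Sensitive categories, LGPD Art. 5, II (labels are assumed).
SENSITIVE_CATEGORIES = {
    "racial_ethnic_origin", "religious_belief", "political_opinion",
    "union_or_org_membership", "health", "sex_life", "genetic", "biometric",
}
# The ten lawful bases of Art. 7 (labels are assumed).
LAWFUL_BASES = {
    "consent", "legal_obligation", "public_policy", "research", "contract",
    "judicial", "life_protection", "health_protection", "legitimate_interest",
    "credit_protection",
}
# Bases usable for sensitive data, Art. 11: no legitimate interest, no credit protection.
SENSITIVE_BASES = {
    "consent", "legal_obligation", "public_policy", "research", "judicial",
    "life_protection", "health_protection", "fraud_prevention",
}
# Art. 33 transfer mechanisms an engineering team can document (labels are assumed).
TRANSFER_MECHANISMS = {
    "adequacy", "standard_clauses", "specific_clauses",
    "global_corporate_rules", "specific_consent",
}


@dataclass
class DataStore:
    name: str
    purpose: str
    lawful_basis: str
    retention_days: int
    jurisdiction: str                      # ISO country of storage, "BR" for domestic
    categories: set[str] = field(default_factory=set)
    children_data: bool = False            # under-12 data subjects present
    transfer_mechanism: str | None = None
    consent_records: set[str] = field(default_factory=set)  # "marketing", "sensitive", "transfer", "parental"


def check_store(s: DataStore) -> list[str]:
    """Return findings for one store; an empty list means its tags are consistent."""
    f: list[str] = []
    if not s.purpose.strip():
        f.append(f"{s.name}: purpose not declared")
    if s.retention_days <= 0:
        f.append(f"{s.name}: retention period not declared")
    if s.lawful_basis not in LAWFUL_BASES:
        f.append(f"{s.name}: unknown lawful basis {s.lawful_basis!r}")
    sensitive = sorted(s.categories & SENSITIVE_CATEGORIES)
    if sensitive:
        if s.lawful_basis not in SENSITIVE_BASES:
            f.append(f"{s.name}: basis {s.lawful_basis!r} not permitted for sensitive data {sensitive}")
        if s.lawful_basis == "consent" and "sensitive" not in s.consent_records:
            f.append(f"{s.name}: sensitive data on consent without a separate sensitive-data consent record")
    if s.children_data and "parental" not in s.consent_records:
        f.append(f"{s.name}: children's data without a parental consent record")
    if s.jurisdiction != "BR":
        if s.transfer_mechanism not in TRANSFER_MECHANISMS:
            f.append(f"{s.name}: stored in {s.jurisdiction} without a documented transfer mechanism")
        elif s.transfer_mechanism == "specific_consent" and "transfer" not in s.consent_records:
            f.append(f"{s.name}: consent-based transfer without a transfer consent record")
    return f


def audit(inventory: list[DataStore]) -> dict[str, list[str]]:
    """Map store name to its findings, omitting clean stores."""
    result = {s.name: check_store(s) for s in inventory}
    return {name: fs for name, fs in result.items() if fs}


def dsar_due(received_iso: str) -> str:
    """Full-declaration access response deadline: 15 days from the request (Art. 19, II)."""
    return (datetime.fromisoformat(received_iso) + timedelta(days=15)).isoformat()


def breach_notice_due(detected_iso: str, window_hours: int = 48) -> str:
    """Notification deadline; 48 h is the post's stated window, kept as a parameter so it can track the current ANPD rule."""
    return (datetime.fromisoformat(detected_iso) + timedelta(hours=window_hours)).isoformat()


# Constructed sample inventory (not real systems).
INVENTORY = [
    DataStore("orders_db", "order fulfilment", "contract", 1825, "BR", {"name", "address"}),
    DataStore("telehealth_notes", "clinical follow-up", "legitimate_interest", 3650, "US", {"health"}),
    DataStore("kids_game_profiles", "gameplay personalisation", "consent", 365, "BR", {"nickname"},
              children_data=True, consent_records={"marketing"}),
    DataStore("analytics_warehouse", "product analytics", "legitimate_interest", 0, "US", {"device_id"},
              transfer_mechanism="standard_clauses"),
]

if __name__ == "__main__":
    for findings in audit(INVENTORY).values():
        for line in findings:
            print(line)
    print("DSAR due:", dsar_due("2026-03-02T09:00:00"))
    print("Breach notice due:", breach_notice_due("2026-03-02T10:00:00"))
```

Run as a CI step against the inventory file, the checker turns the checklist into a failing build: the telehealth store is flagged twice (health data on legitimate interest, and a US location with no transfer mechanism), the children's store once for the missing parental consent record, and the warehouse once for undeclared retention, while the domestic order database passes.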

ANPD enforcement posture in 2026#

The ANPD has progressively become more active. The 2024-2025 period saw a number of administrative actions and the first significant fines. Its enforcement guidance for 2025, published in early 2026, signals continued priority on:

  • Health data processing — particularly by insurance and digital health platforms.
  • Financial data and credit scoring — particularly when automated decisioning affects credit access.
  • Children’s data — particularly platforms with significant under-12 user bases.
  • Cross-border transfer without proper mechanisms — companies transferring to US-headquartered cloud providers without documented mechanisms.
  • Breach notification compliance — late notifications have been a frequent finding.

The ANPD’s posture is more measured than some European DPAs (the CNIL in France, the Garante in Italy) but is moving steadily toward EU-level rigor.

The interaction with sectoral regulators#

Like Japan and India, Brazil’s LGPD operates alongside sector-specific regulators with their own data-handling expectations:

  • Banco Central do Brasil (BCB) for banking and payment data.
  • CVM (Comissão de Valores Mobiliários) for capital markets data.
  • SUSEP (Superintendência de Seguros Privados) for insurance data.
  • ANS (Agência Nacional de Saúde Suplementar) for health insurance and supplementary health data.
  • ANATEL (Agência Nacional de Telecomunicações) for telecommunications data.

Under Art. 55-K, the ANPD alone applies LGPD sanctions, and its competence on personal-data matters prevails over that of other public bodies; the sector regulators keep their own rules (banking secrecy, open finance, telecom records) and are expected to coordinate with the ANPD. In practice a regulated team answers to both, and the sectoral rule is usually the more specific one.

Where pdpspectra fits#

We run LGPD compliance programs for clients operating in Brazil and Latin America, often as part of broader regional privacy initiatives. Our work spans regulatory architecture, technical implementation, and the operational rails that make a privacy program sustainable.

Related reading: the GDPR compliance engineering post, the India DPDPA compliance post, and the cross-border data transfer post.


LGPD has matured. Talk to our team about your Brazilian compliance program.