Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Brazil República Federativa do Brasil

Brazil — analytics & cookie compliance reference

What you can run on a Brazil-targeted website without a fine — LGPD, ANPD cookies guidance, vendor stack, and the rules behind them. LGPD enforced by ANPD since 2020; sanctions effective 2023; Portuguese-language privacy notices mandatory; ANPD enforcement ramping up.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Brazil. Sectoral rules (banking via BCB, healthcare, telecoms via Anatel) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

LGPD
Lei Geral de Proteção de Dados Pessoais
Brazil's omnibus data-protection law — extraterritorial scope (Art 3) covering processing of personal data of individuals in Brazilian territory, regardless of controller location. 10 legal bases (Art 7) — broader than GDPR's 6, including legitimate interest, credit protection, and a separate basis for sensitive data (Art 11). Administered by ANPD.
  • Art 3 Extraterritorial scope — processing in Brazil OR offering goods/services to people in Brazil OR data collected in Brazil
  • Art 5 XVIII Representante — controllers based outside Brazil must designate a representative
  • Art 7 10 legal bases for processing personal data (including legitimate interest)
  • Art 11 Separate legal-basis regime for sensitive data — narrower than Art 7
  • Art 14 Children (under 12) — parental consent required for any processing where consent is the basis; adolescents (12–18) — best-interests test applies, all Art 7 bases available per ANPD 2023 statement
  • Art 33 International transfers — adequacy decisions, SCC-equivalent contracts, BCRs, specific consent, or legal-claim necessity
  • Art 41 Encarregado (DPO) — mandatory for controllers, with small-scale-agent exemption per Resolution CD/ANPD 2/2022
  • Art 52 Sanctions — warning, fine up to 2% of Brazilian-group revenue capped at R$50M per infraction, daily fines, public disclosure, blocking, deletion, partial/total prohibition
Lei nº 13.709, de 14 de agosto de 2018; substantive rules in force 18 Sep 2020; administrative sanctions effective 1 Aug 2021; first sanction issued 6 Jul 2023.
Dosimetry Regulation
Regulamento de Dosimetria e Aplicação de Sanções Administrativas (Resolução CD/ANPD nº 4/2023)
ANPD's calculation framework for administrative sanctions under LGPD Art 52. Defines aggravating/mitigating factors, infraction grades (light/medium/serious), and the methodology for setting fines based on annual revenue, gravity, and good-faith conduct. Effective 27 Feb 2023 — unblocked the first ANPD sanctions in mid-2023.
  • Art 8 Infraction grades — light, medium, serious — drives base-fine calculation
  • Art 11 Aggravating circumstances — recidivism, profit-from-violation, victim count, sensitive data
  • Art 12 Mitigating circumstances — good-faith adoption, cooperation with ANPD, prompt remediation
Resolução CD/ANPD nº 4, de 24 de fevereiro de 2023
ANPD Cookies Guide
Guia Orientativo: Cookies e Proteção de Dados Pessoais
Non-binding orientation document on cookie compliance. Categorizes cookies (necessary / functional / analytics / advertising) and recommends consent as the legal basis for advertising and most analytics cookies. Establishes Cookie Policy + Cookie Banner expectations. Not a regulation but treated as the de facto enforcement standard.
  • § 4 Cookie categories — necessary cookies may rely on legitimate-interest; advertising cookies require consent
  • § 5 Cookie banner — must be transparent, granular, and offer equal-prominence reject option
  • § 6 Cookie policy — separate document recommended in addition to general privacy notice
Published 18 Oct 2022 by ANPD's Coordenação-Geral de Tecnologia e Pesquisa
Small-Scale Agents Regulation
Regulamento de Aplicação da LGPD para Agentes de Tratamento de Pequeno Porte (Resolução CD/ANPD nº 2/2022)
Regulatory relief for small-scale processing agents — microenterprises, small businesses, startups, non-profits, and natural persons. Exempts from mandatory DPO appointment (Art 41) unless processing is high-risk; relaxes ROPA, consent-record, and incident-reporting deadlines. Replaces DPO with a 'communication channel' for data-subject complaints.
  • Art 2 Definition of small-scale agent — turnover/headcount thresholds + non-high-risk processing
  • Art 11 DPO exemption — communication channel sufficient unless high-risk processing
  • Art 14 ROPA simplification — minimum-content record permitted
Resolução CD/ANPD nº 2, de 27 de janeiro de 2022
Incident Notification Regulation
Regulamento de Comunicação de Incidente de Segurança (Resolução CD/ANPD nº 15/2024)
Mandatory ANPD notification within 3 business days of awareness (6 days for small-scale agents). Significant-risk threshold triggers additional data-subject notification. Mandatory incident-management report and 5-year record retention. Aligns Brazil with GDPR Art 33 timeline philosophy though counted in business days.
  • Art 5 Notification trigger — significant risk or damage to data subjects (sensitive data, children, financial, authentication, large-scale)
  • Art 6 Notification deadline — 3 business days controllers / 6 business days small-scale agents
  • Art 11 Incident management report — mandatory; ANPD may request anytime; 5-year retention
Resolução CD/ANPD nº 15, de 24 de abril de 2024 (DOU 26 Apr 2024)
Marco Civil da Internet
Lei nº 12.965, de 23 de abril de 2014 — Marco Civil da Internet
Brazil's 'internet bill of rights' — net neutrality, intermediary liability, log-retention duties (12 months for connection logs, 6 months for application logs), and data-protection rights for internet users. Survives alongside LGPD; ISPs and platforms remain bound by Marco Civil log-retention obligations independent of LGPD's data-minimization principle.
  • Art 7 Internet user rights — privacy, data protection, transparency in collection terms
  • Art 13 Connection log retention — 12 months mandatory for autonomous-system administrators
  • Art 15 Application log retention — 6 months mandatory for application providers
Pre-LGPD internet civil framework; Art 7-X on data-protection rights still in force as a complement to LGPD

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
ANPD · Autoridade Nacional de Proteção de Dados
Sole national authority for LGPD enforcement, regulation, and guidance. Federal autarchy under MP 1.124/2022 (autonomous since Oct 2022, previously linked to Presidency of the Republic). Issues Resoluções, Guias Orientativos, and administrative sanctions.

Coordination body

PROCON network + sectoral regulators · PROCONs (state-level consumer-protection agencies) + BCB (banking) + Anatel (telecom) + ANS (health insurance)
PROCONs enforce the CDC (Consumer Defence Code) on data-protection-adjacent issues — unsolicited marketing, transparency in B2C contracts. Banco Central do Brasil (BCB) enforces sectoral data rules for banks (Open Finance, financial-system circulars). Anatel oversees telecom-sector data. ANS oversees private-health-insurer data. These bodies coexist with ANPD without a formal coordination protocol.
  • 2022-10-18 · ANPD Cookies Guide — Guia Orientativo 'Cookies e Proteção de Dados Pessoais' — categorizes cookies and recommends consent for advertising and most analytics cookies.
  • 2023-02-24 · Dosimetry Regulation — Resolução CD/ANPD 4/2023 — sanctions calculation methodology unblocked first ANPD fines in Jul 2023.
  • 2023-05 · Children & Adolescents data — ANPD statement clarifying that adolescents (12–18) may rely on any LGPD Art 7 legal basis when best-interests test is documented; consent not exclusive.
  • 2024-04-24 · Incident Notification — Resolução CD/ANPD 15/2024 — 3-business-day ANPD notification + significant-risk threshold for data-subject notification.
  • 2024-07-17 · DPO Statute — Resolução CD/ANPD 18/2024 — detailed DPO competencies, independence, and conflict-of-interest rules; complements small-scale exemption from Resolution 2/2022.
  • 2024-10 · Meta AI suspension — Precautionary measure ordering Meta to suspend training of generative-AI models on Brazilian users' data — first major ANPD action against a US tech platform.

Notable enforcement

ANPD took a deliberately educational stance for the first 24 months — issuing guides, orientations, and warnings rather than fines. The Dosimetry Regulation (Feb 2023) unblocked the sanctions track; the first fine (Telekall, Jul 2023) was statutorily small (R$14,400 = 2% of annual revenue cap for the offender) but symbolically significant. Fast Shop (Apr 2024) crossed into six-figure-BRL territory. The Meta AI precautionary measure (Oct 2024) signalled willingness to act against US Big Tech without waiting for the sanctions process. ANPD's enforcement remains far below European levels in monetary terms but is escalating in frequency and scope.

GA4 status

GA4 is usable in Brazil with prior consent for non-essential cookies under the ANPD Cookies Guide (Oct 2022). LGPD Art 7 IX (legitimate interest) is theoretically available for first-party analytics but ANPD's cookies guide treats advertising and behavioral analytics as consent-based. Cross-border transfer to Google's US servers operates under Art 33 — currently relying on contract clauses + Google's own corporate commitments since no Brazil-US adequacy decision exists. ANPD has not yet issued a specific GA4 ruling.

DPA | Stance
ANPD | No specific GA4 enforcement yet. Cookies Guide treats analytics as consent-based; controllers should gate GA4 behind a CMP and document Art 33 transfer basis.
PROCONs | Focus on consumer-transparency rather than vendor-specific positions. PROCON-SP active on Big Tech consumer rights but defers to ANPD on data-protection technicalities.
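
One way to implement the "gate GA4 behind a CMP" recommendation above, as an added example (not code from this page, ANPD, or any vendor): a default-deny consent state keyed by the four ANPD Cookies Guide categories, mapped to Google Consent Mode v2 signals. The function names and the tag inventory are constructed for illustration, and treating analytics as consent-gated is an assumption taken from the guide's stance.

```javascript
// Added example. Category names follow the ANPD Cookies Guide § 4 as summarised
// on this page; everything else here is a hypothetical helper.
const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];

// State before the visitor chooses anything, and after "reject all":
// only necessary cookies are on.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, advertising: false };
}

// Apply a banner choice. Only real booleans for known, optional categories are
// accepted; "necessary" cannot be changed and unknown keys are ignored.
function applyChoice(current, choice) {
  const next = { ...current };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && typeof choice[cat] === "boolean") next[cat] = choice[cat];
  }
  return next;
}

// Map the category state to Consent Mode v2 signals. In a browser these objects
// go to gtag('consent', 'default', ...) before any tag loads and to
// gtag('consent', 'update', ...) after the banner choice.
function toConsentModeV2(consent) {
  const flag = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.advertising),
    ad_user_data: flag(consent.advertising),
    ad_personalization: flag(consent.advertising),
  };
}

// Decide which tags may load. A tag with a missing or unknown category is
// blocked (fail closed), so an unreviewed script never fires pre-consent.
function tagsAllowed(tags, consent) {
  return tags
    .filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map((t) => t.name);
}

// Constructed tag inventory for the demonstration.
const TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "chat-widget", category: "functional" },
  { name: "ga4", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "unreviewed-script" }, // no category assigned yet
];

const afterAnalyticsOptIn = applyChoice(defaultConsent(), { analytics: true });
console.log(tagsAllowed(TAGS, defaultConsent()));   // before any choice
console.log(tagsAllowed(TAGS, afterAnalyticsOptIn)); // analytics accepted only
console.log(toConsentModeV2(afterAnalyticsOptIn));
```

The same gate has to run wherever tags are injected, including inside a tag-manager container, because server-side routing does not replace the browser-side consent check.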

Cross-border transfers + Schrems II

Brazil has no equivalent to the EU-US DPF. Transfers from Brazil are governed by LGPD Art 33 — 9 mechanisms including adequacy decisions (none yet issued by ANPD as of May 2026), SCC-equivalent contracts (cláusulas-padrão contratuais — ANPD draft public consultation completed 2023, final regulation pending), specific consent for the transfer, and legal-claim or contract-execution necessity. The US is not on any Brazilian adequacy list — controllers transferring to US recipients rely on contract clauses + supplementary measures by analogy with Schrems II.

ANPD's draft cláusulas-padrão (SCC equivalents) released for public consultation in Aug 2023; final adoption expected 2026. In the interim, controllers use freely-drafted intercontroller/controller-processor agreements meeting LGPD Art 33-46 requirements. EU SCCs (2021/914) are commonly retro-fitted with LGPD-specific addenda.

Employee data

Key thresholds

Child consent age: 12 years
Article 27 representative: Required
Marketing consent: Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor | Status | Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor | Status | Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor | Status | Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor | Status | Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor | Status | Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor | Status | Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Does LGPD apply to non-Brazilian companies?
Yes. LGPD Art 3 has extraterritorial scope: it applies to any processing activity (i) carried out in Brazilian territory, (ii) aimed at offering goods or services to people located in Brazil, or (iii) involving personal data collected in Brazil. A Brazilian-language website, BRL pricing, .com.br domain, or marketing targeted at Brazil all trigger applicability — controller location is irrelevant. Non-Brazilian controllers must designate a Brazilian representative under Art 5 XVIII.
When did ANPD enforcement actually start?
LGPD substantive rules entered force 18 Sep 2020; sanctions became applicable 1 Aug 2021 but ANPD took an educational stance for the first 24 months. The Dosimetry Regulation (Resolução CD/ANPD 4/2023, Feb 2023) unblocked the sanctions track. The first fine (Telekall Infoservice, R$14,400) was issued 6 Jul 2023. Enforcement frequency has accelerated since — Fast Shop fine Apr 2024, Meta AI precautionary measure Oct 2024.
Must my privacy notice be in Portuguese?
Yes for Brazil-targeted sites. LGPD Art 9 requires information to be provided in 'clear, adequate, and ostensive' form — ANPD has consistently interpreted this as requiring Portuguese for Brazilian audiences. English-only notices are non-compliant when targeting Brazilian users (the targeting test mirrors Art 3 — Portuguese-language site, BRL pricing, .com.br domain, marketing in Brazil).
What's the child-consent age in Brazil?
12. LGPD Art 14 distinguishes children (under 12) from adolescents (12–18). For children, processing requires specific and prominent parental/guardian consent when consent is the legal basis. For adolescents, ANPD's May 2023 statement clarified that any Art 7 legal basis is available (including legitimate interest) provided the best-interests test is documented. The age 12 threshold is lower than GDPR's 16 default and the US COPPA 13.
Do I need a Brazilian DPO (encarregado)?
Mandatory under LGPD Art 41 for all controllers — but Resolução CD/ANPD 2/2022 exempts small-scale agents (microenterprises, small businesses, startups, non-profits, natural persons) from the appointment duty unless they engage in high-risk processing. Small-scale agents must instead provide a public communication channel for data-subject complaints. Resolução CD/ANPD 18/2024 added detailed competency, independence, and conflict-of-interest rules for the encarregado role.
What is the ROPA / RNBD requirement?
LGPD Art 37 requires controllers and processors to maintain records of processing activities (Registro das Operações de Tratamento). The historic 'RNBD' (Relatório Nacional de Banco de Dados) was a separate, broader registration concept that did not survive into final LGPD — the operative obligation today is the Art 37 ROPA-equivalent. Small-scale agents may use a simplified record per Resolução 2/2022 Art 14.
Are sectoral rules separate from LGPD?
Yes. LGPD coexists with: (i) Marco Civil da Internet (log retention — 12 months connection logs, 6 months application logs); (ii) BCB circulars for banks (Open Finance, financial-system data sharing); (iii) Anatel rules for telecoms; (iv) ANS rules for private health insurance; (v) Lei do Cadastro Positivo (credit bureaus). LGPD applies on top of these sectoral regimes — controllers must satisfy both layers.
Is 'legitimate interest' a valid basis for analytics in Brazil?
Yes in principle (LGPD Art 7 IX), but the ANPD Cookies Guide (Oct 2022) treats advertising and most analytics cookies as consent-based. A defensible legitimate-interest analytics deployment requires: (i) cookieless or first-party-only configuration, (ii) documented balancing test (LGPD Art 10), (iii) transparent disclosure, (iv) opt-out mechanism. For GA4, advertising integrations, or session replay, consent is the safer basis.
Are international transfers from Brazil restricted?
LGPD Art 33 lists 9 transfer mechanisms. Adequacy decisions: ANPD has not issued any as of May 2026. SCC-equivalents (cláusulas-padrão): draft published Aug 2023, final adoption expected 2026. In the interim, transfers rely on freely-drafted intercontroller/processor contracts meeting Art 33-46 requirements, BCRs (normas corporativas globais), specific data-subject consent for the transfer, or legal-claim/contract-execution necessity. The US is not on any Brazilian adequacy list — controllers transferring to US recipients use contract clauses + supplementary measures.
What changed with the Meta AI precautionary measure (Oct 2024)?
ANPD ordered immediate suspension of Meta's training of generative-AI models on Brazilian users' data, citing inadequate legal basis under LGPD Art 7 + Art 11 (sensitive data) + Art 14 (children). Meta complied. The full sanctions proceeding is ongoing. Significance: ANPD demonstrated willingness to use precautionary measures (medidas cautelares) to halt Big Tech processing without waiting for the full administrative-sanctions track — a major escalation in posture.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Brazil's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.