Brazil's Lei Geral de Proteção de Dados (LGPD) has strict compliance requirements for companies that handle the personal data of Brazilian residents. U.S.-based companies - namely eCommerce and SaaS companies - may be required to comply with the LGPD if they have customers or users located in Brazil.
This article will explain the common ways that U.S. companies can inadvertently trigger LGPD enforcement, with a focus on eCommerce and SaaS businesses. We will also give you practical and actionable steps to help ensure you're in compliance with the LGPD.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. How Does Brazil's LGPD Apply to U.S.-Based Companies?
- 2. What Activities by U.S.-Based eCommerce and SaaS Companies Can Trigger LGPD Compliance Requirements?
- 2.1. eCommerce Companies
- 2.2. SaaS Companies
- 3. Examples of Enforcement Cases and Fines For LGPD Violations
- 4. What are Some Common Mistakes That U.S.-Based Companies Make that Can Trigger LGPD Enforcement?
- 4.1. Not Being Aware That the LGPD Applies to You
- 4.2. Failing to Obtain Valid Consent When Required
- 4.3. Processing Personal Data Without a Legal Basis
- 4.4. Engaging in Unauthorized International Data Transfers
- 4.5. Sharing Data With Third Parties That Aren't LGPD-Compliant
- 4.6. Failing to Honor Data Subject Rights Requests
- 4.7. Not Having Adequate Data Security Measures in Place
- 4.8. Not Having Adequate Data Breach Notification Processes in Place
- 4.9. Not Having a Data Protection Officer (DPO)
- 4.10. Targeting Brazilian Users Without Localization of Legal Policies
- 4.11. Purchasing or Using Third-Party Marketing Lists
- 5. What Steps Can U.S.-Based Companies Take to Avoid Inadvertently Triggering LGPD Enforcement?
- 5.1. Conduct a Data Mapping Exercise
- 5.2. Make Sure You Have Robust Consent Mechanisms Implemented
- 5.3. Store and Transfer Data in a Secure Way
- 5.4. Have a Process in Place for Handling Data Subject Rights Requests
- 5.5. Update Your Privacy Policy
- 5.6. Review Third-Party Vendors to Ensure Their Compliance
- 5.7. Appoint a Data Protection Officer (DPO), If Applicable
- 6. Summary
How Does Brazil's LGPD Apply to U.S.-Based Companies?
U.S. companies often assume that because they aren't operating physically within Brazil, they aren't required to comply with the LGPD. But this isn't correct.
The LGPD can apply to U.S.-based companies because it applies to any organization, regardless of its location, that processes personal data of individuals in Brazil, if the data processing has a connection to Brazil.
For the U.S.-based company's data processing to be "connected to Brazil," it must meet at least one of the following:
- Data processing that takes place in Brazil: Any collection, storage, or use of personal data is done by systems or personnel physically located in Brazil. (This is not likely to apply here.)
- Offering goods or services to residents of Brazil: Customers in Brazil are targeted by the business, such as through marketing campaigns accessible in Brazil, having Portuguese-language interfaces on a SaaS system, shipping to addresses in Brazil, or by accepting payments in Brazilian currency. (This may apply here.)
- Monitoring behavior of people located in Brazil: User activities, such as browsing habits and analytics data, are tracked from Brazilian IP addresses. (This is very likely to apply here.)
For U.S.-based eCommerce and SaaS companies, this means that even without a physical presence in Brazil, if you serve customers with Brazilian IP addresses, the LGPD can apply to you and bring compliance obligations with it.
What Activities by U.S.-Based eCommerce and SaaS Companies Can Trigger LGPD Compliance Requirements?
The following activities of eCommerce and SaaS companies can trigger their need to comply with the LGPD.
eCommerce Companies
- Checkout Processes: Collecting data like payment information and shipping addresses from customers in Brazil without first having compliant practices in place can violate LGPD requirements. For example, storing a customer’s credit card details for any future purchases without them explicitly consenting to this is a commonly seen violation.
- Cross-Border Data Transfers: eCommerce platforms will often transfer Brazilian customers' data from Brazil to U.S.-based servers or third-party service providers. Without LGPD-compliant data transfer agreements in place, these transfers can violate the law.
- Marketing Practices: Retargeting Brazilian customers with ads based on their browsing data history requires the use of a legal basis under the LGPD. Many eCommerce companies use cookies and tracking pixels without first obtaining consent. If this happens with a customer in Brazil, it can lead to enforcement actions.
SaaS Companies
- User Tracking: SaaS platforms often track user behaviors, like how features are used, how long sessions last, etc., to help improve services. If Brazilian users' data is collected and processed for this without a clear legal basis or consent, this violates the LGPD.
- Subscription Models: SaaS companies often store payment and financial account data for recurring billing under subscription models. If this data isn't stored in a secure manner, and with clear data retention information available in a Privacy Policy, this can lead to non-compliance.
- Global Infrastructure: SaaS providers often use cloud servers. If data from Brazilian users is stored or processed on servers in jurisdictions with weaker data protection laws, the SaaS provider must ensure that LGPD-compliant safeguards are in place to protect the data from Brazilian users.
Examples of Enforcement Cases and Fines For LGPD Violations
Since 2023, enforcement of the LGPD has increased substantially. This means that if you're in violation of its requirements, it's more likely than ever that you will face penalties and fines.
Fines can be up to 2% of a company's revenue from Brazilian sources, and up to $10 million per violation.
Here are just a few examples of cases of LGPD enforcement actions against U.S.-based entities.
- National Social Security Institute: In 2024, the NSSI had a public data breach that involved the sensitive personal data of Brazilian residents. This was because the NSSI hadn't implemented adequate levels of security. Not having adequate encryption and data access controls left it open to penalties.
- Meta/Facebook: In 2024, Meta/Facebook was found to be using personal data it collected via Facebook and Instagram posts to train generative AI models without first obtaining Brazilian users' consent to use it in this way. Under the LGPD, the company was ordered to stop doing this, and will be assessed with fines.
What are Some Common Mistakes That U.S.-Based Companies Make that Can Trigger LGPD Enforcement?
There are a number of very common but potentially very detrimental mistakes that U.S.-based eCommerce and SaaS companies can make that can inadvertently lead to violating the LGPD.
Brazil's National Data Protection Authority (ANPD) has targeted U.S.-based companies for the following non-compliant practices and has issued fines for failing to comply.
Note: The LGPD's requirements are very similar to the GDPR's requirements. This means that if you're complying with the GDPR, you may only need to make slight changes, if any, to be compliant with the LGPD as well.
We'll offer solutions to each of these mistakes in a later chapter of this article.
Not Being Aware That the LGPD Applies to You
Many U.S. companies are unaware that the LGPD can and often does apply to them.
For example, a U.S.-based SaaS company that offers project management software might not realize that by having Brazilian users that access the app via Brazilian IP addresses, the LGPD will apply.
As another example, consider an eCommerce company that ships physical products to shoppers in Brazil and collects personal data like shipping addresses and payment information as part of the process. However, it hasn't even heard of the LGPD and hasn't implemented any LGPD-compliant processes.
This type of lack of awareness of the law and when it applies can lead to violations of the law.
Failing to Obtain Valid Consent When Required
When it comes to consent, the LGPD requires explicit, informed, and unambiguous consent for processing personal data, except in cases where another legal basis (such as performance of a contract or a legal obligation) applies.
U.S.-based companies most frequently violate the LGPD here by:
- Not having a compliant Cookie Consent notice banner, and/or
- Using pre-ticked consent forms when requesting personal data
In the U.S., businesses still often rely on implied consent - think "by browsing this site, you agree to..." type of language. Or, they will have a Cookie Consent notice banner that is more of just a cookie notice, with no consent options, as seen here:
This is not compliant with the LGPD.
Businesses In the U.S. also still often use pre-checked checkboxes on consent request forms. This is not a compliant method of getting consent. You must set the default to "unchecked" and your Brazilian users must actively check a box to give consent.
Here's an example of what not to do:
Processing Personal Data Without a Legal Basis
U.S.-based companies often trigger LGPD enforcement by processing personal data of Brazil residents without making it clear which of the ten legal bases outlined in Article 7 of the LGPD is being used, such as consent, legitimate interest, or to fulfill a contract.
Using a legal basis in an incorrect or deceptive way (intentionally or not) is also a violation.
For example, let's consider the legal basis of "legitimate interests."
The LGPD allows for the legal basis of legitimate interests to be used when one of the following is met:
- The personal data isn't legally required to be processed, but doing so provides a clear benefit to the company
- Processing the data comes with very little to no risk of causing a privacy violation for data subjects
- Data subjects would reasonably expect their data to be used in such a way
Now consider an eCommerce company that says it collects personal data under legitimate interests, such as email addresses of customers who want to join a rewards club. This would be compliant.
However, if the company then uses the email addresses in a way a data subject would never expect, such as using them to sign people up for a different company's marketing emails, this would not be ok.
The same goes for using consent as the legal basis. You can only process data for the exact and specific purpose someone consented to if you declare consent as the legal basis.
Not only should you have a legal basis, but you must communicate it via your Privacy Policy to make it clear that you're in compliance.
Engaging in Unauthorized International Data Transfers
The LGPD doesn't allow personal data of Brazilian residents to be transferred outside of Brazil unless the country receiving the data has adequate protections and safeguards in place for the data transfer, such as Standard Contractual Clauses (SCCs).
U.S.-based companies often transfer data from Brazil to the U.S. without having any safeguards in place. They often treat all data the same, regardless of whether it's coming from within the U.S., or from elsewhere like Brazil.
Sharing Data With Third Parties That Aren't LGPD-Compliant
eCommerce and SaaS companies frequently rely on third-party vendors for things like processing payments, running marketing campaigns, or collecting analytical data.
The LGPD requires that companies take steps and do due diligence to ensure any third-party vendors they work with are also complying with data protection standards. Failing to do this and then sharing data with non-compliant third parties can trigger LGPD enforcement.
Consider how a U.S.-based SaaS provider might use a U.S.-based third-party analytics tool to track user behavior. The SaaS provider will end up sharing data like Brazilian users' IP addresses and usage data with the analytics tool.
If the third party processes Brazilian data in any way that violates the LGPD, the U.S.-based company remains liable.
Failing to Honor Data Subject Rights Requests
The LGPD grants Brazilian data subjects a number of rights including the rights to access, correct, and delete their personal data.
U.S.-based companies often don't have processes and procedures in place to handle such requests. Or, they may delay too long with handling any requests, and still end up violating the LGPD.
For example, say a Brazilian customer of a U.S.-based eCommerce store requests that their account be deleted in full. If the U.S.-based company isn't aware of the LGPD's user rights and their requirements, the company may not delete the account at all, or it may not do it within the required timeframe of about 15 days.
Not Having Adequate Data Security Measures in Place
The LGPD requires that companies implement adequate levels of technical and administrative security measures to protect personal data.
Many U.S. companies store customer data in cloud servers located outside of Brazil, which is allowed under the LGPD as long as adequate safeguards are in place, like using secure APIs and encrypting data.
Not Having Adequate Data Breach Notification Processes in Place
The LGPD has strict requirements for what must happen in the event of a data breach that affects Brazil residents' personal data.
U.S.-based companies may fail to notify the National Data Protection Authority (ANPD) and the individuals affected by the breach within a "reasonable time" when the breach poses risks or harm to those individuals.
Not Having a Data Protection Officer (DPO)
The LGPD strictly requires organizations to appoint a Data Protection Officer, or DPO, if they don't fall within one of the exceptions, and work with personal data of Brazilians in any of the following ways:
- Process the personal data on a large scale
- Process "sensitive" personal data
- Offer goods or services to individuals located in Brazil, or
- Monitor the behavior of individuals located in Brazil
Exceptions to the DPO requirement: As of July of 2024, businesses that are considered small businesses, start-ups or non-profits aren't required to have a DPO. However, they are required to have some sort of communication channel available for Brazilian users to communicate with them and request to exercise LGPD-granted rights. This could be as simple as having an email address noted in your Privacy Policy.
Mid- to large-sized U.S.-based companies may well be overlooking this requirement, especially if they don't intentionally and specifically target business in Brazil.
Targeting Brazilian Users Without Localization of Legal Policies
A U.S.-based company may target a Brazilian customer base by offering things like promotions exclusively available in Brazil, local-focused websites, or support in Portuguese.
While this is fine to do, this will trigger compliance requirements with the LGPD and lead you to be more heavily scrutinized by Brazilian legal authorities. And if you aren't complying with the law, it will lead to issues.
For example, consider a U.S.-based SaaS company that offers free trials of its software to Brazilian IP addresses. If it doesn't also provide a Portuguese-language translation of its Privacy Policy and ensure any consent collecting mechanisms are available in Portuguese, this will be a problem.
Purchasing or Using Third-Party Marketing Lists
U.S.-based companies often purchase marketing lists from third parties without verifying that the personal data in the list was collected in a lawful and compliant manner, such as with valid consent.
If you purchase one of these lists and one or more of the records listed is for Brazilian residents, communicating with them if the personal data was obtained in an unlawful way opens you up to violating the LGPD.
What Steps Can U.S.-Based Companies Take to Avoid Inadvertently Triggering LGPD Enforcement?
U.S. companies including eCommerce and SaaS companies can take the following steps to help minimize their chances of violating the LGPD.
1. Conduct a Data Mapping Exercise
Take time to identify any and all personal data that you collect or process that comes from residents of Brazil.
This should include things like names, physical addresses, email addresses and financial information, as well as things like IP addresses and data collected through cookies.
Map out where and how this data is stored, processed, and shared. Doing this will help you see any gaps in your compliance, like collecting sensitive personal data without consent, or sharing data with a third party processor who doesn't comply with the LGPD.
2. Make Sure You Have Robust Consent Mechanisms Implemented
U.S.-based eCommerce websites or SaaS platforms are required to obtain consent from people located in Brazil before using cookies or tracking technologies that contain personally-identifying data.
This can be done by having a compliant Cookie Consent notice that lets users accept, reject, and adjust preferences, as well as consent forms when data is collected, both available in Portuguese.
Here's an example of a good Cookie Consent notice that gives users options to accept, reject, and manage cookie choices:
In other instances of collecting consent, such as consent to send email marketing newsletters, remember to use unchecked boxes where you collect consent.
Here's an example of how to request consent. Note how this can be used for agreement to your legal agreements like a Privacy Policy, as well as for agreeing to have their personal data used for a purpose like receiving marketing emails:
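As an added illustration of the two rules above (nothing pre-ticked, and no tracking before an explicit choice), here is a small per-purpose consent store in JavaScript. This is example code, not from the original article or any vendor; the purpose names, the field names, and the loader callbacks are assumptions to be wired to your own banner and tag manager.

```javascript
// Added example (not from the original article): a per-purpose consent store
// in which every optional purpose defaults to "not given" and tracking code
// is loaded only after the user has recorded an explicit choice.
// Purpose names, field names and loader callbacks are assumptions for illustration.
const OPTIONAL_PURPOSES = ["analytics", "marketing"];

// Initial state: only strictly necessary processing is on; no choice recorded yet.
function createConsentState() {
  const state = { necessary: true, recordedAt: null, withdrawnAt: {} };
  for (const p of OPTIONAL_PURPOSES) state[p] = false;
  return state;
}

// Record the user's explicit choice from the banner or form. Anything that is
// not strictly `true` (a missing key, a form string like "on", a pre-filled
// value) counts as a refusal, so consent can never be granted by accident.
function recordConsent(state, choices, now = Date.now()) {
  const next = { ...state, recordedAt: now };
  for (const p of OPTIONAL_PURPOSES) next[p] = choices[p] === true;
  return next;
}

// Withdrawal must be as easy as giving consent: flip one purpose off and keep
// a timestamp so the change is auditable.
function withdrawConsent(state, purpose, now = Date.now()) {
  if (!OPTIONAL_PURPOSES.includes(purpose)) {
    throw new Error("unknown purpose: " + purpose);
  }
  return {
    ...state,
    [purpose]: false,
    withdrawnAt: { ...state.withdrawnAt, [purpose]: now },
  };
}

// Gate loaders (e.g. an analytics SDK or a marketing pixel) on recorded consent.
// Before any choice is recorded nothing optional loads, which is the opposite
// of the "by browsing this site, you agree" pattern. Returns the purposes loaded.
function loadTrackers(state, loaders) {
  const loaded = [];
  if (state.recordedAt === null) return loaded;
  for (const purpose of Object.keys(loaders)) {
    if (state[purpose] === true) {
      loaders[purpose]();
      loaded.push(purpose);
    }
  }
  return loaded;
}

// Handlers for the "accept all" and "reject all" banner buttons; "manage"
// calls recordConsent with the user's individual checkbox choices.
function acceptAll(state, now) {
  const all = Object.fromEntries(OPTIONAL_PURPOSES.map((p) => [p, true]));
  return recordConsent(state, all, now);
}
function rejectAll(state, now) {
  return recordConsent(state, {}, now);
}
```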
3. Store and Transfer Data in a Secure Way
Make sure that you implement security features like encryption and access controls to protect any Brazilian users' data. Conduct regular security audits.
Always use LGPD-approved mechanisms for international data transfers, like Standard Contractual Clauses (SCCs).
4. Have a Process in Place for Handling Data Subject Rights Requests
Create a streamlined process for how you will handle any data subject rights requests from your Brazilian users. Ensure that you acknowledge and complete each rights request within 15 days.
Make sure your team understands the importance of escalating any LGPD-related rights requests that you receive from Brazilian users.
5. Update Your Privacy Policy
Set your Privacy Policy up so that it is translated into Portuguese, and understandable by your Brazilian users.
Include clauses that address the following LGPD-related requirements:
- What purposes you process personal data for, and what your legal bases are
- What rights Brazilian data subjects have and how they can exercise them
- A mention of security, including international data transfers
Amazon's AWS Service has a Brazil-specific section of its Privacy Notice where it outlines its legal bases, as seen here:
It also addresses rights that data subjects in Brazil have available to them, and a linked way to contact Amazon to exercise any of them. Consent and the ability to withdraw it at any time is included as well:
It mentions security briefly here as well:
Amazon AWS also has an entire page dedicated to the LGPD, called "Brazil Data Privacy." On this page it goes more into detail about its globally recognized security frameworks and certifications that are in place to comply with the LGPD:
Make your Privacy Policy available in Portuguese so that your Brazilian users are able to understand it easily.
Check out our feature article for more information on why this is important, and how to implement it: Privacy Policies and Language Choices
6. Review Third-Party Vendors to Ensure Their Compliance
Do a check of any third-party vendors you work with or want to work with to make sure they are complying with the LGPD. You can do this by reviewing their legal agreements like a Privacy Policy.
For example, Stripe, a common third party payment processing platform, clearly mentions Brazil-related topics in its Privacy Policy:
Stripe also has information in its Support database about Brazil. This is evidence that the company is aware of legal requirements from Brazil, including the LGPD, and is likely operating in a compliant way:
Create your own Data Processing Agreements (DPAs) that clearly set out the vendor's responsibilities and liabilities when needed to make sure you limit your own liability and ensure vendor compliance with the LGPD.
If you buy marketing lists from third parties, make sure they collected the data in the lists in a compliant way. Ask for proof if possible of any Customer Relationship Management (CRM) data related to the consent status of Brazilians on the list.
7. Appoint a Data Protection Officer (DPO), If Applicable
The LGPD requires companies to appoint a DPO to oversee compliance, even if the company is based outside of Brazil. Remember that there are exceptions to this, including small businesses and start-ups.
Make your DPO accessible to your Brazilian data subjects by providing their contact information in your Privacy Policy. And if you aren't required to have a DPO, provide general contact information instead.
Consider again this example from Stripe. The DPO is named, and a separate email address is listed for the individual so Brazil residents can easily contact the DPO:
If your company is on the smaller side, you can outsource the DPO role to a compliance firm that will handle it for you.
Summary
If your U.S.-based eCommerce or SaaS company has customers or end users in Brazil, the LGPD will most likely apply to you.
To avoid enforcement actions against you for inadvertently violating the LGPD, make sure you do the following:
- Obtain valid consent when needed
- Have a legal basis for processing data
- Have a DPO
- Securely store and transfer data
- Work with only LGPD-compliant third-party processors
- Make your Privacy Policy available in Portuguese
- Make sure your Privacy Policy includes all required information
- Acknowledge and honor Brazil users' rights requests