Can I send marketing emails to a purchased list under LGPD?

No, with extremely rare exceptions. LGPD article 7 requires a valid legal basis for every processing activity, and consent is the only realistic one for marketing emails. A list purchased from a broker carries consent given to that broker (or to no one) — not to you. Sending without your own opt-in record is an LGPD violation regardless of how the list was obtained.

What if the broker tells me the list is LGPD-compliant?

Demand a per-record consent receipt — date, IP, exact wording of the opt-in form, and an explicit mention of your company name as a recipient. If the broker can't produce that for each address, the consent isn't transferable. Reputable Brazilian data brokers won't sell marketing lists at all because the LGPD makes the transfer effectively impossible.

Are B2B emails exempt from LGPD?

No. The LGPD applies to all 'pessoa natural' (natural person) data, including work emails like john@company.com. The B2B exemption you may have seen exists under PECR in the UK or CAN-SPAM in the US — Brazil does not have an equivalent. Sending a cold pitch to a purchased B2B list is still illegal under LGPD.

What about 'soft opt-in' — emailing past customers?

LGPD allows the 'legitimate interest' legal basis (article 7-IX) for some processing, but the ANPD has been restrictive: re-emailing your own past customers about similar products is generally tolerated if (1) the customer can opt out in one click and (2) the original purchase was after LGPD entry (Aug 2020). For purchased lists, legitimate interest is NOT a valid basis.

How much does the ANPD fine for non-compliant email marketing?

Up to 2% of Brazilian revenue per violation, capped at 50 million BRL. The first sanctions in 2024-2025 ranged from 14,000 BRL (Telekall) to 200,000+ BRL per infraction. The ANPD also issues public warnings, which damages brand reputation and customer trust independently of the fine amount.

What's the safest way to grow a Brazilian email list under LGPD?

Build your list with a clear opt-in form on your own site: double opt-in (DOI) with a confirmation email, granular consent (transactional vs marketing), a clearly worded privacy notice mentioning each purpose, and a log of consent (IP, timestamp, form version). This is also the only path that survives an ANPD audit.

LGPD Email Marketing 2026: Purchased Lists?

The Brazilian General Data Protection Law (LGPD) has reshaped how companies can run email marketing campaigns, and one question keeps coming up from business owners and marketers: can I legally send marketing emails to a purchased list in 2026? The short, honest answer is: almost never. This guide breaks down exactly why, what the ANPD has been enforcing, and what your compliant alternatives are.

TL;DR — LGPD email marketing on purchased lists

The rule: LGPD (article 7) requires a valid legal basis for every processing of personal data. For email marketing, the only realistic basis is consent given to you, the sender — not to a broker, not to a partner, not “implied” from a public registry.
Purchased lists: the consent (if any) was given to whoever collected the data originally. That consent is not transferable to a third-party buyer in the vast majority of cases. Sending to a purchased list without your own opt-in record is therefore a direct violation.
B2B is not exempt: unlike the EU’s ePrivacy + GDPR softer treatment of work emails, the LGPD treats all natural-person data the same. john@company.com is protected.
Penalties: up to 2% of revenue, capped at 50M BRL. The ANPD has been actively sanctioning small and medium businesses since 2024.

LGPD article 7 lists ten legal bases for processing personal data. Three are frequently quoted in marketing contexts, but only one actually applies to cold email:

Legal basis (LGPD art. 7)	Applies to email marketing on a purchased list?
I — Consent of the data subject	✅ Only if the consent was given to you directly
II — Legal obligation	❌
V — Performance of a contract	❌ (no contract with the cold prospect)
IX — Legitimate interest	⚠️ Theoretically possible but ANPD restrictive — see below

Consent under the LGPD must be free, informed, unambiguous, and specific (article 5, XII). It also needs to be demonstrable by the controller (article 8, §2) — meaning you, as the email sender, must be able to produce evidence of the consent on demand from the ANPD.

A list bought from a broker fails almost every test:

The consent (if any) was given to the broker, not to you.
The data subject was almost certainly not informed that their email would be transferred to your company specifically.
There’s no consent receipt naming your brand.

”But the seller says the list is LGPD-compliant”

This is the most common pitfall. Brokers often label their lists as “LGPD-compliant” or “opt-in” — but the test is simple: can the seller produce a per-record consent receipt that names your specific company as a recipient?

A valid consent receipt under the LGPD should include:

the exact date and time of the opt-in
the IP address of the data subject
the exact wording of the consent form they signed
the named recipients of the consent (the controllers receiving the data)
the purposes covered (marketing, newsletter, partner offers, etc.)

In practice, no Brazilian broker can produce this evidence per record because that would require getting individual consent for every potential buyer of the list — which is not how the broker market works.

Reputable Brazilian data brokers (like Serasa Experian for credit data) have actually exited the marketing-list business since the LGPD entered into force, because the law makes the transfer of marketing consent commercially impossible.

What about “legitimate interest” (art. 7-IX)?

The “legitimate interest” basis allows processing without consent when the controller’s interests are not overridden by the data subject’s rights and freedoms. It’s been the favorite escape hatch for cold-emailing marketers globally.

The ANPD has issued guidance (Resolution CD/ANPD No. 4/2023 and related opinions) clarifying that:

Legitimate interest can apply to first-party customer communication (re-engaging past customers, abandoned cart reminders, related offers).
It does not apply to acquiring new prospects by purchasing third-party lists, because the “reasonable expectation” test (article 7-IX requires the processing to be within what the data subject would reasonably expect) fails.
The controller must conduct a Legitimate Interest Assessment (LIA) documenting the balancing test and keep it available.

In short: legitimate interest never saves a purchased-list campaign. It can save some forms of own-list reactivation, but only with the documented LIA.

What about B2B email?

A common belief is that emailing professional contacts at companies is exempt from the LGPD because “the email belongs to the company”. The ANPD has rejected this interpretation.

LGPD definition of personal data (article 5, I): “information related to an identified or identifiable natural person”. A work email like maria.silva@empresa.com.br identifies a specific person, so it falls under the LGPD regardless of whether the contract was signed by the company.

This is different from:

the UK (PECR + GDPR), where corporate subscribers have weaker protection
the US (CAN-SPAM), which allows opt-out marketing under specific conditions
Australia (Spam Act 2003), which has a B2B carve-out for businesses with consent inferred from a publicly-listed address

Brazil has no equivalent carve-out. A cold pitch to maria.silva@empresa.com.br requires the same opt-in as maria.silva@gmail.com.

ANPD enforcement in 2024-2026

The ANPD published its first wave of marketing-related sanctions in late 2023 and accelerated in 2024-2025. Public penalties so far have included:

Telekall (telecommunications, 2024): 14,400 BRL for non-consensual SMS marketing
Several SaaS startups (2024-2025): warnings + compliance orders, often coupled with mandatory consent log audits
Real estate brokers (2025): a wave of public warnings for using publicly-scraped agent emails for outreach

The penalty range to date is 14,000 BRL to ~200,000 BRL per documented violation, with the median around 60,000-80,000 BRL. The ANPD has consistently emphasized that purchased-list campaigns are presumptively non-compliant, shifting the burden of proof to the controller.

Beyond the fine, every ANPD sanction is published on the agency’s website and indexed by Google. The reputational cost for a B2B company often exceeds the cash fine.

5 compliant alternatives to purchased lists

Lead magnet on your own site: ebook, template, scanner, calculator. Collect emails with a clearly worded double-opt-in form. This is the single most defensible approach.
Webinar and content registration: a registration form for a webinar or a gated whitepaper, with explicit consent for marketing follow-up. The double consent (event + marketing) survives an ANPD audit.
Referral programs: existing customers refer new contacts who opt in themselves. The chain of consent stays clean.
Public-database scraping for B2B with caveats: scraping LinkedIn or directory data and then sending a first email asking for permission to send more is a gray zone. The ANPD has not directly sanctioned this practice yet (as of 2026), but the recommended pattern is to limit the first contact strictly to a permission request, with no marketing pitch.
Paid acquisition (Google Ads, Meta Ads) directing traffic to your opt-in form. Slower than buying a list, but every email captured is yours and legally defensible.

For an end-to-end view of LGPD requirements for a Brazilian online business, see our complete LGPD guide for Brazilian e-commerce and the top 10 LGPD fines issued by the ANPD.

Whatever acquisition channel you choose, three documents and one technical setup are non-negotiable under the LGPD:

A privacy policy explicitly mentioning email marketing as a purpose, the legal basis (consent), and the retention period for the email address.
A consent log — usually a database row per opt-in, with IP, timestamp, form URL, and form version. Mailchimp, Brevo, ActiveCampaign, and Mailzy all generate this log automatically.
A one-click unsubscribe that processes the request within at most 2 business days (the ANPD considers anything slower a violation of the data subject’s right to revoke consent under article 8, §5).
A cookie consent banner for any tracking script you load before the form, since pre-checking your marketing checkbox is forbidden under the LGPD.

WebLegal.ai generates a fully LGPD-compliant privacy policy and cookie policy in under 10 minutes — the same dataset can be re-used for GDPR (EU) and CCPA (California) if you operate cross-jurisdiction.

Conclusion

Buying a Brazilian email list and running a cold campaign on it is, in 2026, almost guaranteed to violate the LGPD — regardless of what the broker promises in their sales pitch. The ANPD’s enforcement trend is unambiguous: prove individual, informed, demonstrable consent for each email you send, or expect a sanction.

The good news is that the compliant alternatives (own opt-in funnel, content marketing, referrals, paid acquisition) actually outperform purchased lists on engagement and revenue metrics in nearly every benchmark study published since 2022. The LGPD didn’t kill email marketing in Brazil — it forced marketers to build assets they actually own.

If you’re starting from scratch on your LGPD compliance, the cheapest path is to install a privacy policy, a cookie consent banner, and a transparent opt-in form on your site — in that order. Start your LGPD audit with our free scanner before the ANPD audits you.

TL;DR — LGPD email marketing on purchased lists

What LGPD says about consent for marketing

”But the seller says the list is LGPD-compliant”

What about “legitimate interest” (art. 7-IX)?

What about B2B email?

ANPD enforcement in 2024-2026

5 compliant alternatives to purchased lists

The privacy policy and consent infrastructure

Conclusion

Related articles

Shopify DPA 2026: When You Need One

LGPD for Brazilian E-Commerce 2026: Guide

Free Compliance Scanner: Test Your Website Now