The Lei Geral de Protecao de Dados (LGPD) stopped being a theoretical topic in 2026. With the ANPD in full enforcement mode, public fines growing in volume, and consolidated case law, every Brazilian e-commerce — from microbusiness to major retailer — needs to be compliant. This practical guide covers what matters for your online store in 2026.
TL;DR — LGPD for e-commerce in 60 seconds
- The LGPD applies to ANY company operating in Brazil or processing data of Brazilian residents, even if headquartered abroad (Art. 3, extraterritorial scope)
- Fines: up to 2% of the company’s revenue in Brazil in the previous fiscal year (excluding taxes), capped at R$ 50 million per infraction, plus warnings, publication of the infraction, data blocking or deletion and suspension of processing (Art. 52)
- Small businesses are NOT exempt — the ANPD reaffirmed this in 2024. Only simplified rules, not exemption
- 9 mandatory data subject rights (Art. 18): access, correction, anonymization, portability, deletion, consent revocation, etc.
- Mandatory documents: Privacy Policy (Art. 9), Cookie Policy, Terms of Use, and Cookie Notice with consent
What is the LGPD?
The LGPD (Law no. 13.709/2018) is Brazil’s personal data protection law, in force since 18 September 2020, with administrative sanctions applicable since 1 August 2021. Inspired by the European GDPR, the law is enforced by the Autoridade Nacional de Protecao de Dados (ANPD), created by Provisional Measure 869/2018 (converted into Law 13.853/2019) and operational since late 2020.
The LGPD establishes principles (Art. 6), legal bases for processing (Art. 7), data subject rights (Art. 18) and administrative sanctions (Art. 52). For an overview of the law, see our complete LGPD guide for Brazilian companies.
Does the LGPD apply to my online store?
Territorial criterion (Art. 3, I)
Any data processing operation carried out in Brazilian territory is subject to the LGPD. If your company has a Brazilian CNPJ, servers in Brazil, or a team operating here, you are a controller (or processor) under the law.
Extraterritorial criterion (Art. 3, II and III)
The LGPD also applies to foreign companies that:
- Offer or supply goods or services to data subjects located in Brazil
- Process personal data collected within Brazilian territory
In other words, a Shopify store operated from Portugal or a marketplace in Spain that accepts purchases with a CPF (Brazilian tax ID) is subject to the LGPD. This scope is similar to GDPR, although with important differences — see LGPD vs GDPR: key differences.
Small businesses are NOT exempt
In 2022, Decree 11.080 and ANPD Resolution CD/ANPD 2/2022 created simplified rules for microbusinesses, small companies, startups, and individual entrepreneurs (“small processing agents”). In 2024, the ANPD restated publicly that simplified rules do not mean exemption.
What is simplified (Resolution CD/ANPD 2/2022):
- Data Protection Impact Assessment (RIPD/DPIA) not required, as long as the processing is not high-risk; high-risk processing takes the company out of the simplified regime altogether
- Doubled deadlines to respond to data subjects (30 days instead of 15)
- Doubled deadlines and a simplified form for breach notification, and simplified records of processing operations
- No obligation to appoint a Data Protection Officer (Encarregado), provided a communication channel for data subjects is published and easy to find
What remains mandatory:
- Public, clear privacy policy
- Valid legal basis for each processing activity
- 9 data subject rights guaranteed
- Breach notification to the ANPD and to affected data subjects (Art. 48)
The 9 data subject rights (Art. 18) your store must guarantee
Every data subject — customer, visitor, newsletter lead — is entitled, upon free request, to:
- Confirmation of the existence of processing of their personal data
- Access to the data (simplified format or full copy)
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
- Data portability to another service provider
- Deletion of personal data processed based on consent
- Information on data sharing with public and private third parties
- Information on the possibility of refusing consent and its consequences
- Revocation of consent at any time, by express manifestation
The store must provide a clear channel (email, web form, customer area) to receive and process these requests free of charge within 15 days (or 30 for qualified small processing agents).
Mandatory documents for online stores in 2026
1. Privacy Policy (Art. 9)
A public document informing: data collected, purposes, legal basis, retention period, sharing with third parties (Stripe, Mercado Pago, Correios, marketplaces), data subject rights, contact details of the DPO and ANPD. Plain language is required, no legalese.
2. Cookie Policy
Details every cookie or similar technology used (Google Analytics, Meta Pixel, Hotjar, Stripe), its purpose, duration, and category (necessary, analytics, marketing, preferences). Articulates with the LGPD and the Brazilian Internet Civil Framework — see cookie policy: rules and sanctions.
3. Terms of Use
Defines the contractual rules between store and user: registration, account, purchase, returns, intellectual property, liability limitations, jurisdiction. Not directly required by the LGPD, but by the Brazilian Consumer Defense Code (Law 8.078/90) and the Internet Civil Framework.
4. Cookie Notice / Banner with consent
Banner displayed on the first visit, with clear buttons: “Accept all”, “Reject all” and “Customize”. “Reject all” must be as visible and as easy to click as “Accept all” (same screen, no extra steps). No pre-checked boxes, no dark patterns. Analytics and marketing cookies fire only after explicit opt-in consent, and the visitor’s choice is stored with a timestamp so the store can show what was chosen and when.
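The gating rule in that paragraph, as an added example that is not part of the original article: third-party tags are declared with the consent category each one needs, the default state and the “Reject all” state are identical (necessary cookies only), the stored consent cookie is parsed fail-closed, and only tags whose category was explicitly accepted are injected. The category names, the tag list and the script URLs are illustrative assumptions, not a recommendation of any vendor.

```javascript
// Added example, not code from the original article. Categories, tag list
// and script URLs are illustrative assumptions (the IDs are placeholders).
const OPTIONAL_CATEGORIES = ["analytics", "marketing", "preferences"];

// Every third-party tag is declared with the category it needs. Nothing in
// this list loads until the matching category is true in the stored consent.
const TAGS = [
  { name: "google-analytics", category: "analytics",   src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { name: "hotjar",           category: "analytics",   src: "https://static.hotjar.com/c/hotjar-0000000.js" },
  { name: "meta-pixel",       category: "marketing",   src: "https://connect.facebook.net/en_US/fbevents.js" },
  { name: "currency-pref",    category: "preferences", src: "/js/currency-preference.js" },
];

// State before any interaction: necessary only. "Reject all" produces the
// same state, so rejecting costs the visitor one click, exactly like accepting.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, preferences: false, decidedAt: null };
}

// choice: "accept_all" | "reject_all" | "customize". `picked` is the list of
// optional categories ticked in the customize panel (all unchecked by default).
function applyChoice(choice, picked = [], now = new Date()) {
  const consent = defaultConsent();
  if (choice === "accept_all") {
    for (const c of OPTIONAL_CATEGORIES) consent[c] = true;
  } else if (choice === "customize") {
    for (const c of picked) if (OPTIONAL_CATEGORIES.includes(c)) consent[c] = true;
  } else if (choice !== "reject_all") {
    throw new Error(`unknown choice: ${choice}`);
  }
  consent.decidedAt = now.toISOString(); // when the visitor decided
  return consent;
}

// Reads the first-party consent cookie on later page views. Anything missing,
// malformed, or not an explicit boolean true is treated as "not consented".
function parseStoredConsent(raw) {
  const consent = defaultConsent();
  if (typeof raw !== "string" || raw === "") return consent;
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return consent; }
  if (!parsed || typeof parsed !== "object") return consent;
  for (const c of OPTIONAL_CATEGORIES) consent[c] = parsed[c] === true;
  consent.decidedAt = typeof parsed.decidedAt === "string" ? parsed.decidedAt : null;
  return consent;
}

// Names of the tags allowed under a consent state. A record without a decision
// timestamp allows nothing optional, even if some flag in it happens to be true.
function allowedTags(consent) {
  if (!consent.decidedAt) return [];
  return TAGS.filter((t) => consent[t.category] === true).map((t) => t.name);
}

// Browser side: inject only the allowed tags. `doc` defaults to the DOM when
// present and to null in Node, so the module can be exercised outside a browser.
function loadAllowedTags(consent, doc = typeof document !== "undefined" ? document : null) {
  const names = allowedTags(consent);
  if (!doc) return names;
  for (const tag of TAGS) {
    if (!names.includes(tag.name)) continue;
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    s.dataset.consentCategory = tag.category; // visible in devtools for audits
    doc.head.appendChild(s);
  }
  return names;
}
```

In a store, `loadAllowedTags(parseStoredConsent(cookieValue))` replaces the unconditional analytics and marketing `<script>` tags in the page template; the banner buttons call `applyChoice` and write the result to a first-party cookie, and a change of choice simply rewrites that cookie and reloads.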
LGPD email marketing: consent rules for purchased lists
Email marketing is one of the most audited areas under the LGPD, especially for Brazilian e-commerce stores that buy or rent contact lists. The short answer: purchased lists are not LGPD-compliant by default, even when the seller claims “opted-in” contacts.
LGPD Art. 7 lists 10 lawful bases for processing personal data, but for marketing communications to natural persons the only practical bases are consent (Art. 7, I) or legitimate interest (Art. 7, IX), and consent must be a “free, informed and unambiguous” manifestation (Art. 5, XII) tied to specific purposes (Art. 8, §4). Consent given to “company A” cannot be transferred to “company B” through a list sale.
What this means concretely:
- Purchased B2C lists: not usable. The original consent was given to the seller, not to you. Sending email to those contacts requires fresh consent (e.g., a confirmed double opt-in on your own form).
- Purchased B2B lists (corporate emails like contact@company.com): the LGPD applies to natural persons, so generic role-based addresses are in a gray zone. ANPD has signaled enforcement priority on B2C cases first, but B2B cold-emailing remains risky if the recipient is identifiable (e.g., john.silva@company.com).
- List rental (you don’t see the addresses, the broker sends): same problem. The recipient must have consented to receive your communication, not just “third-party offers”.
- Re-engagement campaigns on inactive contacts: still require valid consent at the moment of sending. The LGPD sets no fixed expiry for consent, but under the purpose and necessity principles (Art. 6) consent collected long ago for a relationship that went dormant is hard to defend; a common practice is to treat 12-18 months without any re-confirmation as the point to re-permission rather than send.
Compliant alternatives:
- Build your own list with a transparent opt-in form, where marketing consent is its own unchecked box, separate from acceptance of the privacy policy, cookies or terms (bundled consent is not specific and is void under Art. 8, §4).
- Use double opt-in (confirmation email) to prove consent quality.
- Keep an audit trail: request and confirmation timestamps, source (which form or page), IP addresses, and the exact wording of the consent text shown at the time.
- Honor unsubscribe requests as soon as they arrive: revocation of consent (Art. 8, §5 and Art. 18, IX) takes effect on the data subject’s express request through a free and simple procedure, so the address must be suppressed before the next send, with no “grace period” campaigns.
- For B2B, prefer LinkedIn outreach or qualified inbound (content marketing) over cold email blasts.
ANPD has fined companies for LGPD-violating email campaigns based on purchased lists since 2024, with sanctions ranging from R$ 50,000 to multi-million reais on repeat offenders. The reputational damage from a public ANPD ruling typically exceeds the fine itself.
LGPD fines in 2024-2026 — real ANPD examples
Types of administrative sanctions (Art. 52):
- Warning, with deadline for correction
- Simple fine: up to 2% of the company’s (or group’s) revenue in Brazil in the previous fiscal year, excluding taxes, capped at R$ 50 million per infraction
- Daily fine
- Public disclosure of the infraction
- Blocking of personal data
- Deletion of personal data
- Partial suspension of the database to which the infraction refers, for up to 6 months, renewable once for the same period
- Suspension of the processing activity for up to 6 months, renewable once for the same period
- Partial or total prohibition of activities
The ANPD’s first public fine was issued in July 2023 against a micro-enterprise that refused to cooperate with the investigation (R$ 14,400). In 2024-2025, proceedings against major platforms (Meta/WhatsApp, OpenAI, Serasa, telecom operators) advanced, with cumulative sanctions ranging from hundreds of thousands to millions of reais. For up-to-date figures, consult the official ANPD enforcement bulletin.
LGPD compliance checklist in 10 minutes
- Privacy Policy published, dated, and linked in the footer
- Cookie Policy detailed, with up-to-date list of cookies and purposes
- Cookie banner with “Accept”, “Reject” and “Customize” buttons — no pre-checked boxes
- DPO (Encarregado) appointed, with public name and email (qualified small processing agents may instead publish a contact channel for data subjects)
- Functional channel for exercising data subject rights (dpo@ email or web form)
- Documented legal basis for each processing purpose (consent, contract, legitimate interest, etc.)
- Terms of Use published and accepted at checkout
- List of processors and sub-processors (Stripe, Mercado Pago, Correios, email platform) mapped
- Internal procedure for notifying the ANPD and affected data subjects of a security incident within 3 working days of becoming aware of it (Art. 48; Resolution CD/ANPD 15/2024)
- Processing records (Art. 37) up-to-date, even in simplified format for SMBs
You can scan your store for a quick diagnostic at /en/scan/.
How to generate LGPD-compliant documents quickly
Three paths:
- Specialized lawyer: 60-90 days, R$ 3,000-15,000 per document, high customization. Recommended for groups with sensitive or multinational processing.
- Generic free templates: free, but frequently outdated or too generic to respond to ANPD requirements. Risk of material non-compliance.
- Specialized AI generators like WebLegal: 5-10 minutes, R$ 75-250 per document (equivalent to €19.90-49.90), guided form, native Brazilian jurisdiction, multilingual (PT, EN, ES) for stores selling to Latin America and Europe. 2-4 document bundles with discount.
For a detailed comparison, see AI legal document generator: complete 2026 guide or the specific comparison Iubenda vs Termly vs WebLegal.
Conclusion
The LGPD is the new operational standard for Brazilian e-commerce. In 2026, with a mature ANPD and consolidated case law, non-compliance is no longer an abstract risk — it is a tangible financial and reputational cost. The good news: the compliance core (privacy policy, cookies, data subject rights) can be implemented in a single morning with the right tools.