The Lei Geral de Proteção de Dados (LGPD) stopped being a theoretical topic in 2026. With the ANPD in full enforcement mode, public fines growing in volume, and consolidated case law, every Brazilian e-commerce — from microbusiness to major retailer — needs to be compliant. This practical guide covers what matters for your online store in 2026.
TL;DR — LGPD for e-commerce in 60 seconds
- The LGPD applies to ANY company operating in Brazil or processing data of Brazilian residents, even if headquartered abroad (Art. 3, extraterritorial scope)
- Fines: up to 2% of revenue, capped at R$ 50 million per infraction, plus warnings, data blocking and activity suspension (Art. 52)
- Small businesses are NOT exempt — the ANPD reaffirmed this in 2024. Only simplified rules, not exemption
- 9 mandatory data subject rights (Art. 18): access, correction, anonymization, portability, deletion, consent revocation, etc.
- Mandatory documents: Privacy Policy (Art. 9), Cookie Policy, Terms of Use, and Cookie Notice with consent
What is the LGPD?
The LGPD (Law no. 13.709/2018) is Brazil’s personal data protection law, in force since 18 September 2020, with administrative sanctions applicable since August 2021. Inspired by the European GDPR, the law is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), created in 2018 and operational since 2020.
The LGPD establishes principles (Art. 6), legal bases for processing (Art. 7), data subject rights (Art. 18) and administrative sanctions (Art. 52). For an overview of the law, see our complete LGPD guide for Brazilian companies.
Does the LGPD apply to my online store?
Territorial criterion (Art. 3, I)
Any data processing operation carried out in Brazilian territory is subject to the LGPD. If your company has a Brazilian CNPJ, servers in Brazil, or a team operating here, you are a controller (or processor) under the law.
Extraterritorial criterion (Art. 3, II and III)
The LGPD also applies to foreign companies that:
- Offer or supply goods or services to data subjects located in Brazil
- Process personal data collected within Brazilian territory
In other words, a Shopify store operated from Portugal or a marketplace in Spain that accepts purchases with a CPF (Brazilian tax ID) is subject to the LGPD. This scope is similar to GDPR, although with important differences — see LGPD vs GDPR: key differences.
Small businesses are NOT exempt
In 2022, Decree 11.080 and ANPD Resolution CD/ANPD 2/2022 created simplified rules for microbusinesses, small companies, startups, and individual entrepreneurs. In 2024, the ANPD reinforced through public communication: simplified rules do not mean exemption.
What is simplified:
- Data Protection Impact Assessment (DPIA) optional
- Doubled deadlines to respond to data subjects (30 days instead of 15)
- Breach notification in simplified form
What remains mandatory:
- Public, clear privacy policy
- Valid legal basis for each processing activity
- 9 data subject rights guaranteed
- Appointment of a Data Protection Officer (DPO)
- Breach notification to the ANPD
The 9 data subject rights (Art. 18) your store must guarantee
Every data subject — customer, visitor, newsletter lead — is entitled, upon free request, to:
- Confirmation of the existence of processing of their personal data
- Access to the data (simplified format or full copy)
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
- Data portability to another service provider
- Deletion of personal data processed based on consent
- Information on data sharing with public and private third parties
- Information on the possibility of refusing consent and its consequences
- Revocation of consent at any time, by express manifestation
The store must provide a clear channel (email, web form, customer area) to receive and process these requests within 15 days (or 30 for qualified SMBs).
Mandatory documents for online stores in 2026
1. Privacy Policy (Art. 9)
A public document informing: data collected, purposes, legal basis, retention period, sharing with third parties (Stripe, Mercado Pago, Correios, marketplaces), data subject rights, contact details of the DPO and ANPD. Plain language is required, no legalese.
2. Cookie Policy
Details every cookie or similar technology used (Google Analytics, Meta Pixel, Hotjar, Stripe), its purpose, duration, and category (necessary, analytics, marketing, preferences). It works together with the LGPD and the Brazilian Internet Civil Framework — see cookie policy: rules and sanctions.
3. Terms of Use
Defines the contractual rules between store and user: registration, account, purchase, returns, intellectual property, liability limitations, jurisdiction. Not directly required by the LGPD, but by the Brazilian Consumer Defense Code (Law 8.078/90) and the Internet Civil Framework.
4. Cookie Notice / Banner with consent
Banner displayed on the first visit, with clear buttons: “Accept all”, “Reject all” and “Customize”. No pre-checked boxes, no dark patterns. Analytics and marketing cookies fire only after explicit opt-in consent.
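As an added example (not code from this article or from WebLegal), this is the consent gate that has to sit behind those three buttons: optional categories default to off, vendor tags are loaded only after an explicit choice, and revocation resets the state. The category names and the `loaders` map are assumptions for illustration, not a real vendor API.

```javascript
// Consent gate for an LGPD cookie banner (added example). Only "necessary" is on
// by default; analytics/marketing/preferences tags run solely after an explicit
// "Accept all" or "Customize" choice. Category names are an assumption.
const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];

function createConsentManager(loaders, now = () => new Date().toISOString()) {
  // Default state: nothing decided yet, no optional category pre-checked.
  const choices = { necessary: true, analytics: false, marketing: false, preferences: false };
  let decided = false;
  let decidedAt = null;     // kept as evidence of when the choice was made
  const loaded = new Set(); // categories whose tags have already been injected

  // Inject the tags of every consented category exactly once per page load.
  function applyLoaders() {
    for (const cat of CATEGORIES) {
      if (choices[cat] && typeof loaders[cat] === "function" && !loaded.has(cat)) {
        loaders[cat]();
        loaded.add(cat);
      }
    }
  }

  // Store an explicit choice; unknown keys are ignored and "necessary" stays on.
  function record(selection) {
    for (const cat of CATEGORIES) {
      choices[cat] = cat === "necessary" ? true : selection[cat] === true;
    }
    decided = true;
    decidedAt = now();
    applyLoaders();
  }

  return {
    acceptAll() { record({ analytics: true, marketing: true, preferences: true }); },
    rejectAll() { record({}); },
    customize(selection) { record(selection || {}); },
    // Art. 18 revocation: back to defaults. Tags already injected cannot be
    // unloaded from a running page, so the caller should reload afterwards.
    revoke() {
      for (const cat of CATEGORIES) choices[cat] = cat === "necessary";
      decided = false;
      decidedAt = null;
    },
    // True only when the user explicitly opted in to the category.
    allows(cat) { return decided && choices[cat] === true; },
    snapshot() { return { decided, decidedAt, choices: { ...choices } }; },
    loadedCategories() { return [...loaded]; }
  };
}
```

Before any choice `allows("analytics")` is false, so calling it from the tag manager is what keeps Google Analytics or Meta Pixel from firing on first visit.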
LGPD fines in 2024-2026 — real ANPD examples
Types of administrative sanctions (Art. 52):
- Warning, with deadline for correction
- Simple fine: up to 2% of the company’s revenue, capped at R$ 50 million per infraction
- Daily fine
- Public disclosure of the infraction
- Blocking of personal data
- Deletion of personal data
- Partial or total suspension of the database
- Suspension of processing activities for up to 6 months
- Partial or total prohibition of activities
The ANPD’s first public fine was issued in July 2023 against a micro-enterprise that refused to cooperate with the investigation (R$ 14,400). In 2024-2025, proceedings against major platforms (Meta/WhatsApp, OpenAI, Serasa, telecom operators) advanced, with cumulative sanctions ranging from hundreds of thousands to millions of reais. For up-to-date figures, consult the official ANPD enforcement bulletin.
LGPD compliance checklist in 10 minutes
- Privacy Policy published, dated, and linked in the footer
- Cookie Policy detailed, with up-to-date list of cookies and purposes
- Cookie banner with “Accept”, “Reject” and “Customize” buttons — no pre-checked boxes
- DPO (Encarregado) appointed, with public name and email
- Functional channel for exercising data subject rights (dpo@ email or web form)
- Documented legal basis for each processing purpose (consent, contract, legitimate interest, etc.)
- Terms of Use published and accepted at checkout
- List of processors and sub-processors (Stripe, Mercado Pago, Correios, email platform) mapped
- Internal procedure for breach notification to ANPD within 72 hours
- Processing records (Art. 37) up-to-date, even in simplified format for SMBs
You can scan your store for a quick diagnostic at /en/scan/.
How to generate LGPD-compliant documents quickly
Three paths:
- Specialized lawyer: 60-90 days, R$ 3,000-15,000 per document, high customization. Recommended for groups with sensitive or multinational processing.
- Generic free templates: free, but frequently outdated or too generic to respond to ANPD requirements. Risk of material non-compliance.
- Specialized AI generators like WebLegal: 5-10 minutes, R$ 75-250 per document (equivalent to EUR 14.90-49.90), guided form, native Brazilian jurisdiction, multilingual (PT, EN, ES) for stores selling to Latin America and Europe. 2-4 document bundles with discount.
For a detailed comparison, see AI legal document generator: complete 2026 guide or the specific comparison Iubenda vs Termly vs WebLegal.
Conclusion
The LGPD is the new operational standard for Brazilian e-commerce. In 2026, with a mature ANPD and consolidated case law, non-compliance is no longer an abstract risk — it is a tangible financial and reputational cost. The good news: the compliance core (privacy policy, cookies, data subject rights) can be implemented in a single morning with the right tools.