The privacy policy is the central document of LGPD compliance (Law No. 13,709/2018). It materializes the transparency principle (Article 6, VI) and is the primary instrument through which your business informs data subjects about how their personal data is collected, used, stored, and shared. An inadequate privacy policy is not merely a documentation failure — it is a violation of the law that can result in administrative sanctions, legal proceedings, and reputational damage. This guide details the mandatory elements, common mistakes, and best practices for creating an LGPD-compliant privacy policy.
Why a Privacy Policy Is Mandatory
The LGPD does not use the phrase “privacy policy” literally, but Articles 6 (principles), 9 (right to information), and 18 (data subject rights) make this document implicitly mandatory. Article 9 provides that data subjects have the right to facilitated access to information about the processing of their data, which must be made available in a clear, adequate, and conspicuous manner.
In practice, the ANPD and Brazilian courts expect every organization that processes personal data to make a privacy policy accessible on its website. The absence of this document or its insufficiency constitutes a violation of the transparency and free access principles, subjecting the business to the sanctions of Article 52.
For a comprehensive overview of LGPD obligations, see our complete LGPD guide for businesses.
Mandatory Elements of an LGPD Privacy Policy
Based on Articles 6, 9, 10, and 18 of the LGPD, your privacy policy must contain the following elements:
1. Identification of the controller and DPO
Provide the full name and contact details of the controller (your business) and the data protection officer (encarregado). Article 41 requires the appointment of a DPO, and Article 41, paragraph 1, requires their identity and contact information to be publicly disclosed, preferably on the controller’s website.
2. Personal data collected
List clearly and specifically the types of personal data you collect. Do not use vague terms like “various personal information.” Be explicit:
- Identification data: name, CPF (tax ID), ID number, date of birth
- Contact data: email, phone, address
- Financial data: credit card details, transaction history
- Browsing data: IP address, cookies, browsing history, device information
- Sensitive data (if applicable): health data, biometric data, racial or ethnic origin
3. Purposes of processing
For each category of data collected, describe the specific purpose of processing (Article 6, I). Examples:
- “Contact data is collected for sending order confirmations and service communications”
- “Browsing data is collected for website performance analysis and user experience improvement”
- “Financial data is collected for payment processing”
Generic purposes like “to improve our services” are insufficient.
4. Legal bases used
Indicate the legal basis (Article 7) that supports each processing activity:
- Consent (Article 7, I) — for marketing, newsletters, non-essential cookies
- Contract execution (Article 7, V) — for order processing, service delivery
- Legal obligation (Article 7, II) — for tax data retention, employment compliance
- Legitimate interest (Article 7, IX) — for fraud prevention, security
5. Third-party sharing
Identify the categories of third parties with whom you share personal data and the purposes of this sharing:
- Payment processors
- Hosting and infrastructure providers
- Analytics and marketing tools
- Public authorities (when required by law)
6. International transfers
If you transfer personal data outside Brazil, disclose:
- The countries or organizations to which data is transferred
- The legal basis for the transfer (Article 33)
- The safeguards adopted to protect the data
7. Retention periods
State how long each category of data will be retained and the criteria for determining this period (Article 15). Example: “Transaction data is retained for 5 years after service completion, in accordance with tax requirements.”
8. Data subject rights
Describe the rights that data subjects may exercise under Article 18:
- Confirmation and access
- Correction
- Anonymization, blocking, or deletion
- Portability
- Deletion of data processed on the basis of consent
- Information about sharing
- Revocation of consent
Clearly indicate how to exercise these rights: contact channel (email, form), response time, and procedure.
9. Security measures
Describe, in general terms, the technical and administrative measures adopted to protect personal data (Article 46). Do not reveal details that could compromise security, but demonstrate that reasonable measures are in place: encryption, access control, monitoring, backups.
10. Cookies and tracking technologies
If your website uses cookies, tracking pixels, or similar technologies, describe:
- The types of cookies used (essential, analytics, marketing)
- The purposes of each type
- How users can manage their cookie preferences
To manage cookie consent in a compliant way, you can use a free GDPR-compliant cookie banner.
Common Privacy Policy Mistakes
1. Copying from another website. A privacy policy that does not reflect your actual data processing practices violates the transparency principle. The ANPD expects your policy to be specific to your organization.
2. Using consent as the only legal basis. Many businesses declare that all processing is based on consent when they actually rely on contract execution or legal obligation. This creates problems when a data subject revokes consent for processing that did not depend on it.
3. Omitting the DPO. The LGPD requires the appointment of a DPO (Article 41). Omitting this information from your privacy policy is a clear violation.
4. Not mentioning international transfers. If you use services like Google Analytics, AWS, Stripe, or Mailchimp, your data is transferred outside Brazil. These transfers must be disclosed.
5. Inaccessible language. The LGPD requires that information be made available in a clear and adequate manner (Article 9). Excessive legal jargon violates this requirement.
6. Not updating regularly. Your processing practices evolve: new vendors, new features, new types of data. Your policy must keep pace with these changes.
Difference Between Privacy Policy and Terms of Use
These are distinct documents with different purposes:
Privacy policy: Explains how you collect, use, and protect personal data. Grounded in the LGPD. Mandatory for any website that collects personal data.
Terms of use: Establish the rules for using your website or service. Grounded in the Civil Code and the Consumer Protection Code. Define responsibilities, usage restrictions, and intellectual property.
Both documents are necessary and should be complementary, cross-referencing each other where applicable.
For a detailed comparison between the LGPD and the European GDPR, see our article on LGPD vs GDPR: key differences.
Four Approaches to Creating Your Privacy Policy
Hiring a specialized lawyer
Cost: BRL 5,000 to 15,000. Timeline: 2 to 4 weeks.
A lawyer specializing in data protection analyzes your data flows, identifies applicable legal bases, and drafts a tailored policy. Recommended for businesses with complex processing of sensitive data or significant international transfers.
Using a generic AI tool
Apparent cost: BRL 0. Real cost: a policy that appears complete but omits mandatory elements.
Generic AI tools do not audit your actual data flows and frequently produce policies that mix GDPR and LGPD requirements without proper adaptation to the Brazilian context.
Copying a free template
Cost: BRL 0. Risk: high.
Free templates are generic and never adapted to your specific activity. The ANPD expects each policy to reflect the organization’s actual practices, not a standard text.
Using a specialized legal document generator
Cost: €19.90 to €49.90. Timeline: under 10 minutes.
A specialized generator asks questions about your business, your data, your vendors, and your practices, and produces a privacy policy adapted to LGPD requirements. It includes legal bases, data subject rights, DPO information, and international transfer disclosures.
To quickly check your site’s compliance, use our free compliance scanner. See also our complete LGPD guide and our LGPD vs GDPR comparison.
Conclusion
A privacy policy is more than a legal document — it is the concrete expression of your business’s commitment to protecting your customers’ and users’ personal data. Under the LGPD, it must be specific, transparent, accessible, and up to date. With the ANPD actively enforcing and Brazilian courts increasingly sensitive to privacy issues, investing in an adequate privacy policy is one of the highest-return compliance actions you can take. Do not wait for a notification or a lawsuit to act — protect your customers and your business now.