LGPD Privacy Policy Generator for Brazil

Brazil's Lei Geral de Proteção de Dados (LGPD) is one of the world's most comprehensive data protection laws, modeled after the EU's GDPR. If your website, app, or service collects personal data from anyone in Brazil — regardless of where your business is based — you must comply with the LGPD. With over 150 million internet users, Brazil represents a massive market that cannot be ignored. The Autoridade Nacional de Proteção de Dados (ANPD) actively enforces compliance, with penalties reaching 2% of revenue up to R$50 million per violation.

Generate Your LGPD-Compliant Privacy Policy in 2 Minutes

PolicyForge creates privacy policies that cover LGPD, GDPR, and CCPA requirements simultaneously. One policy, multiple jurisdictions. Starting at $4.99 — not $500 for a lawyer.

What Is the LGPD?

The LGPD (Lei Geral de Proteção de Dados, or General Data Protection Law) is Brazil's comprehensive data protection regulation, enacted in August 2018 and fully effective since August 2020. It regulates how personal data of individuals in Brazil is collected, processed, stored, and shared.

The LGPD applies to any organization that processes personal data of individuals located in Brazil, processes data collected in Brazil, or offers goods or services to the Brazilian market. Like GDPR, the LGPD has extraterritorial reach — your business does not need to be in Brazil for the law to apply.

LGPD at a Glance

Full Name: Lei Geral de Proteção de Dados (Law No. 13,709/2018)
Effective Date: August 16, 2020 (penalties from August 2021)
Enforcing Authority: ANPD (Autoridade Nacional de Proteção de Dados)
Maximum Penalty: 2% of revenue in Brazil, up to R$50 million (~$10M USD) per violation
Scope: Any organization processing data of individuals in Brazil
Internet Users in Brazil: 150+ million (5th largest internet population globally)

LGPD's 10 Legal Bases for Processing

Unlike GDPR (which has 6 legal bases), the LGPD provides 10 legal bases for processing personal data. Your privacy policy must identify which base applies to each processing activity:

1. Consent: Free, informed, and unambiguous consent from the data subject. Must be specific and can be revoked at any time.
2. Legal obligation: Processing necessary to comply with a legal or regulatory obligation.
3. Public policy: Processing by public administration for executing public policies.
4. Research: Processing for studies by research bodies, with anonymization where possible.
5. Contract performance: Processing necessary for executing a contract or preliminary procedures related to a contract.
6. Legal proceedings: Processing for exercising rights in judicial, administrative, or arbitration proceedings.
7. Protection of life: Processing to protect the life or physical safety of the data subject or third party.
8. Health protection: Processing for health-related purposes by health professionals or health services.
9. Legitimate interest: Processing for the legitimate interests of the controller or third party, unless overridden by the data subject's rights.
10. Credit protection: Processing for credit protection purposes (unique to LGPD, not found in GDPR).

LGPD vs. GDPR: Key Differences

While the LGPD was inspired by GDPR, there are important differences that affect your privacy policy:

Aspect | GDPR (EU) | LGPD (Brazil)
Legal bases | 6 legal bases | 10 legal bases (includes credit protection)
DPO requirement | Required in specific cases | Required for ALL controllers
Consent definition | Freely given, specific, informed, unambiguous | Free, informed, unambiguous (similar but slightly different standard)
Breach notification | 72 hours to supervisory authority | 'Reasonable time' to ANPD (no fixed deadline)
Maximum fine | €20M or 4% global revenue | R$50M (~$10M USD) or 2% revenue in Brazil
Data portability | Right to data portability | Right to data portability (broader scope)
Anonymized data | Excluded from GDPR scope | Excluded unless anonymization can be reversed
International transfers | Adequacy decisions, SCCs, BCRs | Similar mechanisms, ANPD-approved countries

Data Subject Rights Under LGPD

Brazilian data subjects (titulares) have extensive rights under the LGPD. Your privacy policy must list all of these rights and explain how individuals can exercise them:

Confirmation of the existence of data processing
Access to their personal data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Portability of data to another service provider
Deletion of data processed with consent
Information about public and private entities with whom data has been shared
Information about the possibility of denying consent and its consequences
Revocation of consent at any time
Review of automated decisions that affect their interests

Under LGPD, data subjects can exercise these rights at any time through a simple request. You must respond within 15 days (compared to GDPR's 30 days). Your privacy policy must provide clear instructions for how to submit these requests.

What Your LGPD Privacy Policy Must Include

Identity and contact details of the data controller (controlador)
Identity and contact details of the Data Protection Officer (encarregado)
All categories of personal data collected
Purpose of processing for each category of data
Legal basis for each processing activity (from the 10 legal bases)
How personal data is collected (forms, cookies, APIs, third parties)
Third parties and data processors with whom data is shared
International data transfer details and safeguards
Data retention periods for each category
Security measures implemented to protect personal data
Complete list of data subject rights under LGPD
How data subjects can exercise their rights (contact method, response time)
Cookie policy and consent mechanisms
Whether automated decision-making is used and how to request review
Policy update procedures and notification methods

ANPD Enforcement and Penalties

The ANPD (Autoridade Nacional de Proteção de Dados) is Brazil's data protection authority, responsible for interpreting and enforcing the LGPD. The ANPD has been increasingly active since its establishment, issuing guidance documents, conducting investigations, and applying sanctions.

Warning with deadline: The ANPD may issue a warning with a deadline for corrective measures.
Simple fine: Up to 2% of the company's revenue in Brazil, limited to R$50 million (~$10M USD) per violation.
Daily fine: Accumulating daily fines until the violation is corrected, up to the same R$50 million ceiling.
Public disclosure: The ANPD can publicly disclose the violation after investigation and confirmation, causing reputational damage.
Data processing suspension: Partial or total suspension of data processing activities related to the violation for up to 6 months (renewable).

Generate Your LGPD-Compliant Privacy Policy Now

PolicyForge generates privacy policies that comply with LGPD, GDPR, and CCPA simultaneously. One policy, full international coverage. Done in under 2 minutes for $4.99 — not $500.

Frequently Asked Questions

Does the LGPD apply to my business if I'm not in Brazil?

Yes. The LGPD has extraterritorial scope. It applies to any organization that processes personal data of individuals in Brazil, collects data in Brazil, or offers goods or services to the Brazilian market. If your website or app is accessible to Brazilian users and collects any personal data (even IP addresses via analytics), the LGPD likely applies.

Do I need a DPO under the LGPD?

Yes. Unlike GDPR, which only requires a DPO in specific circumstances, the LGPD requires ALL data controllers to appoint an encarregado (DPO). However, the ANPD issued Resolution No. 2/2022 which exempts small businesses and startups from some requirements. Your privacy policy must still name and provide contact details for your DPO or explain the exemption.

Can I use the same privacy policy for LGPD and GDPR?

Yes, with additions. A GDPR-compliant policy covers most LGPD requirements since the laws are similar. However, you must add: reference to LGPD-specific legal bases (especially credit protection), the 15-day response deadline for data subject requests, ANPD contact information, and the right to review automated decisions. PolicyForge generates policies that cover both frameworks simultaneously.

Does the LGPD require cookie consent?

The LGPD does not have a specific cookie provision like the EU's ePrivacy Directive. However, cookies that collect personal data (analytics, advertising, personalization) fall under the LGPD's general consent requirements. If you rely on consent as your legal basis for processing cookie data, you need a cookie consent mechanism. The ANPD has indicated that cookie banners may be required in future guidance.

What is the penalty for not having a privacy policy under LGPD?

Failing to provide transparent information about data processing (which includes not having a privacy policy) can result in penalties up to 2% of your revenue in Brazil, capped at R$50 million (~$10M USD) per violation. The ANPD can also suspend your data processing activities entirely, which for an online business means you cannot serve Brazilian customers.
