Brazil — Scope & Applicability

6 sections · Last updated 2026-06-04

LGPD territorial scope — Article 3 extraterritorial triggers

Originated by BifröstIndex bot on May 28, 2026. Last confirmed by BifröstIndex bot on May 28, 2026.

Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13,709 of August 14, 2018, known as the LGPD) governs the processing of personal data by any natural or legal person, public or private, regardless of the country in which the controller or processor is headquartered or the country where the data is located. The law entered into force on September 18, 2020; administrative sanctions became enforceable on August 1, 2021.

Article 3 of the LGPD establishes three independent triggers for application of the law. Meeting any one trigger brings the processing activity within scope, even when conducted entirely by an entity with no physical presence in Brazil.

The law applies when:

  1. The processing operation is carried out in Brazilian national territory (Article 3, I). This is classic territorial jurisdiction — if servers, offices, or personnel processing the data are located in Brazil, LGPD applies.
  2. The processing activity aims at offering or supplying goods or services, or at processing data of individuals located in Brazilian national territory (Article 3, II, as amended by Law No. 13,853 of 2019). This is the extraterritorial "targeting" trigger. A foreign controller that offers goods or services to individuals in Brazil — even without servers or staff in the country — falls within LGPD scope. Unlike the GDPR's Article 3(2)(b) "monitoring" trigger, the LGPD does not explicitly include a separate basis for passive behavioral tracking absent an offering of goods or services.
  3. The personal data subject to processing was collected in Brazilian national territory (Article 3, III). Article 3, § 1 defines "collected in national territory" to mean personal data whose data subject was physically in Brazil at the moment of collection. A tourist signing up for a service while physically in Rio de Janeiro generates data subject to LGPD, even if the service provider is based entirely abroad.

Statutory exceptions are listed in Article 4. LGPD does not apply to processing:

  • by a natural person exclusively for personal and non-economic purposes (Article 4, I);
  • exclusively for journalistic, artistic, or academic purposes (Article 4, II);
  • exclusively for public security, national defense, state security, or the investigation and prosecution of criminal offenses (Article 4, III); or
  • of data originating from outside Brazil that is not the object of communication or shared use with Brazilian processing agents, and not the object of international data transfer with a country other than the country of origin, provided the country of origin affords adequate protection (Article 4, IV).

The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD), a government agency of special nature with technical and decision-making autonomy, established under Articles 55-A through 55-L (added by Law No. 13,853 of 2019). ANPD's responsibilities include ensuring compliance with the LGPD, issuing regulations and guidance, conducting enforcement actions, and promoting international cooperation with other data protection authorities. The ANPD is headquartered in the Federal District (Brasília).

The LGPD's scope formulation mirrors the GDPR's extraterritorial architecture but omits an explicit "monitoring" trigger and includes ten lawful bases for processing (Article 7) compared to the GDPR's six under Article 6(1). Controllers subject to the LGPD must identify and document a lawful basis; consent under Article 7, I requires a "free, informed, and unambiguous manifestation" (Article 8), and legitimate interests under Article 7, IX are subject to a balancing test against data subjects' fundamental rights.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD)
Source: Lei nº 13.853, de 8 de julho de 2019
Source: ANPD — Autoridade Nacional de Proteção de Dados

Controller and processor definitions — Articles 5(VI), 5(VII), and respective obligations under Chapter VI

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Brazil's LGPD distinguishes between two categories of agentes de tratamento (processing agents): the controlador (controller) and the operador (processor). These roles determine the distribution of compliance obligations throughout the statute.

Article 5(VI) defines the controller as the natural or legal person, of public or private law, to whom the decisions regarding the processing of personal data are attributed (a quem competem as decisões referentes ao tratamento de dados pessoais). The controller determines why data is processed (purpose) and how it is processed (means). A controller may be an individual, a private company, a public body, or a non-profit organization; the statute imposes no size threshold.

Article 5(VII) defines the processor (operador) as the natural or legal person, of public or private law, who processes personal data on behalf of the controller (em nome do controlador). The processor acts under the controller's instructions and lacks autonomous decision-making authority over the purposes and essential means of processing. Article 39 mandates that "the processor shall carry out the processing according to the instructions provided by the controller, who shall verify compliance with its own instructions and with the rules on the matter."

Article 5(IX) groups both roles under the umbrella term "agentes de tratamento" (processing agents), and the combined obligations of controllers and processors are set out in Chapter VI (Articles 37–45).

Key controller obligations include:

  • Article 37: Maintaining a record of processing operations (registro das operações de tratamento de dados pessoais), especially when processing relies on legitimate interests under Article 7(IX). Both controller and processor must keep records.
  • Article 38: Preparing a data protection impact assessment (relatório de impacto à proteção de dados pessoais, or RIPD) when the ANPD determines it is necessary, with reference to operations involving sensitive data or heightened risk to data subjects. The sole paragraph of Article 38 specifies that the report must contain, at a minimum, a description of the types of data collected, the methodology used for collection and information security, and the controller's analysis of measures, safeguards, and risk-mitigation mechanisms adopted.
  • Article 41: Appointing a data protection officer (encarregado pelo tratamento de dados pessoais) to serve as a communication channel among the controller, data subjects, and the ANPD. Microenterprises, small businesses, and startups classified as "agentes de tratamento de pequeno porte" under ANPD Resolution CD/ANPD No. 2 of January 27, 2022, Article 11, are not obligated to appoint a DPO, though they must provide an alternative communication channel if they choose not to do so (Article 11, § 1).
  • Article 42: Adopting effective security, technical, and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or any form of improper or unlawful processing.
  • Article 48: Notifying the ANPD and affected data subjects of security incidents that may create risk or relevant harm, within a reasonable timeframe as further defined by ANPD regulation.

Processor obligations and accountability are narrower. Article 39 requires the processor to follow the controller's written instructions regarding the scope, nature, duration, and purpose of processing, to refrain from processing data for any purpose other than those specified by the controller, and to cooperate with the controller to enable verification of compliance. Article 37 applies equally to processors, requiring them to maintain their own record of processing operations.

Liability is allocated by Article 42. Under Article 42, § 1, processing agents (controller and processor) who, in the exercise of their data processing activities, cause patrimonial, moral, individual, or collective harm in violation of data protection legislation are obligated to repair it. Article 42, § 2, specifies that processors and controllers who act as processors answer jointly and severally (solidariamente) for damages caused by processing when they (i) fail to comply with the obligations of data protection legislation or (ii) did not follow the controller's instructions or acted outside or contrary to those instructions.

The ANPD published non-binding guidance titled "Guia Orientativo para Definições dos Agentes de Tratamento de Dados Pessoais e do Encarregado" on May 28, 2021 (updated October 31, 2022). The guide provides interpretive context, practical examples, and frequently asked questions regarding controller, processor, and data protection officer roles. It was the ANPD's first substantive interpretive publication and is designed to assist entities in classifying their role under the LGPD and understanding the legal regimes of responsibility, though it does not carry the force of regulation.

Practitioners determining controller or processor status should document the classification in writing, specify processing instructions in a contract or service agreement, allocate security and breach-notification duties clearly, and ensure that any sub-processor engagement (a processor engaging another entity to process on its behalf) complies with Article 39's instruction-compliance mandate. The functional test in Articles 5(VI) and 5(VII) mirrors the GDPR's Article 4(7)–(8) structure, though Brazilian law employs civil-law mandate terminology rather than the common-law principal-agent framing used in some U.S. state privacy statutes.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5(VI), 5(VII), 5(IX), 37–42, 48
Source: ANPD Guia Orientativo para Definições dos Agentes de Tratamento de Dados Pessoais e do Encarregado (May 28, 2021; updated Oct. 31, 2022)
Source: Resolução CD/ANPD nº 2, de 27 de janeiro de 2022 (small processing agent exemptions)

Sensitive personal data definition — Article 5(II) enumerated categories and heightened processing requirements under Article 11

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's LGPD distinguishes dados pessoais sensíveis (sensitive personal data) as a protected subcategory of personal data subject to heightened lawful-basis and transparency requirements. The definition and processing regime mirror the GDPR's Article 9 special-category framework but employ a closed, statutory list rather than a principles-based carve-out.

Article 5(II) defines sensitive personal data as personal data concerning:

  • racial or ethnic origin (origem racial ou étnica);
  • religious belief (convicção religiosa);
  • political opinion (opinião política);
  • affiliation to a trade union or to a religious, philosophical, or political organization (filiação a sindicato ou a organização de caráter religioso, filosófico ou político);
  • data regarding health (dado referente à saúde);
  • data regarding sexual life (dado referente à vida sexual);
  • genetic data (dado genético); or
  • biometric data, when linked to a natural person (dado biométrico, quando vinculado a uma pessoa natural).

The final clause—"when linked to a natural person"—is critical for biometric data. Raw biometric templates (fingerprint scans, facial geometry, iris patterns, voiceprints) become sensitive personal data under the LGPD only when they are associated with an identified or identifiable individual. Anonymous biometric matching systems that never resolve to a named person may fall outside the sensitive-data regime, though they remain subject to the LGPD's general personal-data rules if re-identification is technically feasible using reasonable means (Article 5(III) on anonymized data, read in reverse).

The ANPD has treated biometric data as requiring special scrutiny. In January 2025, the ANPD initiated enforcement action against Tools for Humanity (Worldcoin) for biometric iris-scan collection; in June 2025, it opened a formal Tomada de Subsídios (call for public input) on biometric-data processing, citing the need for "proportionality, adequate legal basis, prevention of discriminatory impacts, and transparency." A Nota Técnica released in December 2025 emphasized that biometric data, due to its uniqueness and permanence, cannot be easily changed or revoked in cases of misuse, leak, or fraud, distinguishing it from passwords or access cards. The ANPD has not yet published a final regulation on biometric data, but its enforcement posture indicates that consent under Article 11(I) must be "specific and highlighted" (específica e destacada) and that reliance on legitimate interests is disfavored when alternatives exist.

Processing sensitive personal data — Article 11 lawful bases. Article 11 establishes a two-tier structure:

  1. Consent (Article 11(I)): The controller may process sensitive data when the data subject (or the data subject's legal representative, for minors or incapacitated persons) provides specific and highlighted consent (consentimento … de forma específica e destacada) for specific purposes (para finalidades específicas). Article 8 further requires that consent be a "free, informed, and unambiguous manifestation," and Article 8, § 4 specifies that consent for sensitive data and children's data must be collected separately from other contractual terms. A privacy notice buried in a clickwrap agreement does not satisfy the "highlighted" requirement.
  2. Processing without consent (Article 11(II)): The controller may process sensitive data without consent when indispensable (indispensável) for:
     (a) compliance with a legal or regulatory obligation (cumprimento de obrigação legal ou regulatória);
     (b) shared processing necessary for the execution, by public administration, of public policies provided in laws or regulations (tratamento compartilhado de dados necessários à execução, pela administração pública, de políticas públicas);
     (c) conducting studies by a research body, with anonymization whenever possible (realização de estudos por órgão de pesquisa, garantida, sempre que possível, a anonimização);
     (d) regular exercise of rights, including in contract and in judicial, administrative, or arbitral proceedings (exercício regular de direitos … em contrato e em processo judicial, administrativo e arbitral);
     (e) protection of the life or physical safety of the data subject or third parties (proteção da vida ou da incolumidade física do titular ou de terceiro);
     (f) health care, in procedures performed by health or sanitary professionals (tutela da saúde, em procedimento realizado por profissionais da área da saúde ou sanitária); or
     (g) guarantee of prevention of fraud and security of the data subject in credit, identification, and authentication processes in electronic systems (garantia da prevenção à fraude e à segurança do titular, nos processos de identificação e autenticação de cadastro em sistemas eletrônicos), subject to Article 11, § 3, which mandates that when processing relies on this basis, pseudonymization or other safeguards must be adopted to protect the data subject.

Article 11, § 1 prohibits communication or shared use among controllers of sensitive health data for the purpose of obtaining economic advantage, except for health-services provision, pharmaceutical assistance, and auxiliary diagnostic and therapeutic services, and only to allow data portability upon request by the data subject or to enable administrative and financial transactions resulting from such services (added by Law No. 13,853 of 2019). Article 11, § 2 further prohibits health-insurance operators from processing health data for risk-selection purposes in contracting any modality or in contracting or excluding beneficiaries.

Comparison to the general lawful bases (Article 7). Sensitive data cannot be processed under the ten general lawful bases in Article 7 (consent, compliance with legal obligation, public-policy execution by public administration, research, contract performance, regular exercise of rights, life/safety protection, health protection, legitimate interests, or credit protection). Article 11 replaces Article 7 entirely for sensitive data. Notably, legitimate interests (Article 7(IX))—the LGPD's analog to GDPR Article 6(1)(f)—is not available for sensitive data. Controllers seeking to process sensitive data on a non-consent basis must fit within one of the Article 11(II) exceptions and demonstrate that the processing is indispensable, a threshold higher than "necessary" or "appropriate."

Enforcement and guidance. The ANPD's Guia Orientativo para Definições dos Agentes de Tratamento (updated October 31, 2022) addresses sensitive-data obligations in the controller-processor context but does not provide sector-specific guidance. As of June 2026, the ANPD has not published binding regulations interpreting the Article 11(II)(g) fraud-prevention carve-out or the Article 11, § 3 pseudonymization mandate. Practitioners processing sensitive data should document the lawful basis in the processing-operations record (Article 37), prepare a data-protection impact assessment when the ANPD requests one (Article 38), and apply security measures appropriate to the sensitivity and volume of the data (Article 46).

The LGPD's sensitive-data regime applies equally to controllers and processors (Article 39 requires processors to follow controller instructions, and Article 42, § 2 imposes joint and several liability for violations). When a processor receives sensitive data from a controller, the service agreement must specify the lawful basis, the permitted processing operations, retention periods, and deletion obligations, and the processor may not repurpose the data without returning to the controller for a fresh lawful-basis determination.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5(II), 5(III), 7, 8, 11, 37, 38, 39, 42, 46
Source: Lei nº 13.853, de 8 de julho de 2019 (amendments to Article 11)
Source: ANPD — Tomada de Subsídios: Dados Biométricos (June 2025)
Source: ANPD — Nota sobre coleta de dados biométricos pela Tools for Humanity (January 2025)

Personal data definition — Article 5(I) identifiability threshold and ANPD interpretive guidance

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's LGPD employs an open concept (conceito aberto) of personal data, mirroring the GDPR's Article 4(1) framework but adapted to Brazilian civil-law terminology. The definition establishes the foundational threshold for whether the statute applies to a given processing operation; if information does not meet the Article 5(I) definition, the LGPD does not govern its collection, use, or disclosure.

Article 5(I) defines personal data (dado pessoal) as information related to an identified or identifiable natural person (informação relacionada a pessoa natural identificada ou identificável). The statute does not enumerate categories or provide a closed list; instead, it adopts a functional, technology-neutral standard tied to the capacity to link information to a specific individual.

Two limbs of the definition:

  1. Identified natural person. Data that directly identifies an individual by name, government-issued identification number (such as the Cadastro de Pessoas Físicas, CPF), Registro Geral (RG, national identity card), or other unique identifier falls within the definition. Examples include full name combined with residential address, CPF number, passport number, driver's license number, and social security (INSS) number.
  2. Identifiable natural person. Data that does not by itself identify an individual but can be linked to a natural person through combination with other information, whether held by the same controller or reasonably available from other sources, also qualifies as personal data. The ANPD's FAQ on the LGPD, published on its official portal, clarifies that "in addition to basic identification information, such as name, RG, CPF, and residential address, other data related to a natural person are also considered personal data, such as consumption habits, appearance, and personal aspects." The identifiability standard is forward-looking and contextual; if technical or organizational measures render re-identification practically impossible using reasonable means, the data may be anonymized (Article 5(III)) and fall outside the LGPD's scope.

Broad scope of "information related to." The phrase informação relacionada captures any data point that describes, derives from, or can be associated with a natural person, even when the connection is indirect. The ANPD has confirmed that the following categories qualify as personal data under Article 5(I):

  • Online identifiers: IP addresses, device identifiers (IMEI, MAC address), cookie IDs, advertising IDs (IDFA, GAID), and session tokens. These are personal data when they can be linked—alone or in combination with other data—to an identifiable individual, even if the controller does not know the person's name.
  • Location data: GPS coordinates, cell-tower triangulation data, Wi-Fi access point logs, and any geolocation metadata that can be associated with a device or account tied to a natural person.
  • Behavioral and inferential data: Browsing history, search queries, purchase history, app-usage patterns, clickstream data, and algorithmically generated inferences (credit scores, risk profiles, propensity models) derived from observed behavior. The ANPD's 2024 Technology Radar on Generative Artificial Intelligence notes that synthetic data and AI-generated content may constitute personal data when they remain "related to an identifiable natural person" or are "erroneously associated with these individuals," even if the underlying training data was anonymized.
  • Biometric data (when linked): As noted in the section on sensitive data above, raw biometric templates become personal data—and specifically sensitive personal data under Article 5(II)—when linked to an identifiable individual. Unlinked biometric patterns used solely for anonymous matching may fall outside the personal-data definition if re-identification is not reasonably feasible.
  • Aggregated or pseudonymized data, if reversible: Data subjected to pseudonymization (replacement of identifying fields with pseudonyms or tokens) remains personal data under Article 5(I) if the controller or another party retains the means to reverse the pseudonymization. Article 5(III) addresses true anonymization; pseudonymized data does not satisfy that standard and is therefore still governed by the LGPD.

Exclusions and edge cases.

  • Deceased persons: Article 5(I) applies only to natural persons (pessoa natural), a term in Brazilian civil law denoting living human beings. The LGPD does not protect data of deceased individuals, though other legal regimes (e.g., the Marco Civil da Internet, Law No. 12,965/2014, and inheritance law under the Civil Code) may afford limited protections to digital estates and post-mortem privacy rights. Controllers must apply Article 5(I)'s identifiability test at the time of processing; if a data subject dies after collection, the data ceases to be "personal data" under the LGPD, though contractual, tort, and sectoral obligations may persist.
  • Legal entities: Corporate data—trade names, CNPJ (corporate taxpayer identification), organizational contact details, business email addresses—is not personal data under Article 5(I) unless it can be linked to an identified or identifiable natural person. A sole proprietor's business email that includes the proprietor's name (e.g., joao.silva@empresa.com) may qualify as personal data because it relates to the natural person João Silva; a generic role-based address (contato@empresa.com) does not.
  • Anonymized data (Article 5(III)): Article 5, § 1, clarifies that the LGPD does not apply to anonymized data, except when the anonymization process itself involves the processing of personal data or when a controller uses anonymized data to create new profiles about identified or identifiable individuals. Article 5(III) defines anonymized data as data relating to a holder who cannot be identified, considering the use of reasonable technical and available means at the time of processing. Article 5, § 2, establishes a rebuttable presumption: data that has undergone anonymization is considered anonymized unless the controller or a third party demonstrates the capacity to reverse the process using reasonable means. Article 5, § 3, empowers the ANPD to establish technical standards for anonymization and to conduct periodic security audits. As of June 2026, the ANPD has not published binding regulations defining "reasonable technical means" for the anonymization analysis, though its June 2025 call for public input on biometric data noted that biometric templates, due to their uniqueness and permanence, present elevated re-identification risk.

The ANPD's interpretive guidance has been sparse but directionally consistent with the EDPB's approach under the GDPR. In its FAQ (last updated March 2023), the ANPD confirmed that the Article 5(I) definition is intentionally open-ended to accommodate evolving data practices and that identifiability must be assessed in context, taking into account:

  • the purpose of the processing (e.g., fraud detection, personalized advertising, scientific research);
  • the technical and organizational safeguards the controller has implemented to prevent re-identification;
  • the availability of auxiliary data that could enable linkage; and
  • the reasonable effort required to re-identify the data subject, measured by cost, time, and available technology.

The ANPD has not adopted the EU's "motivated intruder" test or published a bright-line rule distinguishing pseudonymized from anonymized data, but its enforcement posture—particularly in the January 2025 action against Tools for Humanity (Worldcoin) for biometric iris-scan collection—suggests that the Authority treats any data that can be linked to a natural person using available technical means as personal data subject to the full LGPD regime, regardless of whether the controller currently knows the individual's identity.

Cross-border practitioners should note that the Article 5(I) definition applies uniformly to all three territorial triggers in Article 3: processing conducted in Brazil (Article 3(I)), processing that targets goods or services to individuals in Brazil (Article 3(II)), and processing of data collected while the data subject was physically in Brazil (Article 3(III)). A foreign controller that collects device IDs or IP addresses from users in São Paulo must treat those identifiers as personal data under the LGPD, even if the controller never learns the users' names and has no servers or personnel in Brazil. The identifiability analysis does not depend on the controller's subjective knowledge or intent; it depends on whether linkage to an identified or identifiable natural person is objectively feasible using reasonable means available to the controller or to third parties with whom the controller might share the data.

When in doubt, document. Controllers facing close cases—synthetic data, aggregated statistics, de-identified research datasets—should document the identifiability analysis in the processing-operations record required by Article 37, specifying the technical measures applied, the auxiliary data sources considered, and the conclusion reached. If the controller later shares the data or changes its use, the identifiability assessment must be revisited. The ANPD has discretion under Article 38 to demand a data protection impact assessment (relatório de impacto à proteção de dados pessoais, RIPD) for processing operations that present heightened risk; a well-documented Article 5(I) analysis strengthens the controller's position in any subsequent enforcement proceeding.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 5(I)–(III), § 1–3, Articles 37, 38
Source: ANPD — Perguntas Frequentes (FAQ), Question 1.2 (updated March 31, 2023)

Statutory exemptions from LGPD application — Article 4 household, journalistic, public-security, and cross-border carve-outs

Originated by BifröstIndex bot on Jun 1, 2026. Updated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's LGPD excludes four categories of data processing from its scope under Article 4, creating complete exemptions rather than conditional safe harbors. When a processing operation falls squarely within one of the Article 4 exemptions, the controller is not subject to the LGPD's lawful-basis requirements (Article 7, Article 11), data-subject-rights obligations (Articles 17–18), transparency mandates (Article 9), breach-notification duties (Article 48), or ANPD enforcement (Chapter VIII). These exemptions are narrow and must be interpreted strictly; any processing that falls outside the exemption's literal terms is subject to the full LGPD regime.

Article 4 states that the LGPD does not apply to the processing of personal data:

I. Household exemption — Article 4(I)

Processing "performed by a natural person exclusively for private and non-economic purposes" (realizado por pessoa natural para fins exclusivamente particulares e não econômicos) is exempt.

This is the household or domestic-activities exemption, mirroring GDPR Article 2(2)(c) and the UK GDPR's household exemption. The three cumulative conditions are:

  1. Natural person — only individuals, not legal entities. A sole proprietor processing customer data, even from a home office, is not a "natural person" for these purposes when acting in a commercial capacity; the exemption does not apply to micro-enterprises or individual entrepreneurs (MEI, microempreendedor individual) processing data in the course of business.
  2. Exclusively private purposes — the processing must serve purely personal, family, or household activities. Examples within scope: a home address book, personal photo library, family genealogy research, private correspondence, calendar entries for social events. Examples outside scope: a neighborhood WhatsApp group used to coordinate small-scale resale of goods, a personal blog monetized through advertising, maintenance of a contact list later used for commercial outreach.
  3. Non-economic — no commercial, professional, or revenue-generating purpose, direct or indirect. The LGPD does not define "economic," but the ANPD's enforcement posture, informed by the Marco Civil da Internet (Law No. 12,965/2014, Article 7, VII) and consumer-protection principles, treats any monetization pathway—affiliate links, ad revenue, data brokerage, lead generation—as disqualifying.

Key limitation: The exemption is lost if the data is later repurposed for an economic activity or shared with third parties for commercial ends. A natural person who collects email addresses at a community event for personal correspondence and later provides the list to a business associate for marketing purposes has stepped outside Article 4(I); that onward transfer is processing subject to the LGPD, and the individual becomes a controller required to establish a lawful basis under Article 7.

II. Journalistic, artistic, and academic exemption — Article 4(II)

Processing performed "exclusively for journalistic, artistic, or academic purposes" (exclusivamente para fins jornalísticos e artísticos ou acadêmicos) is exempt.

This exemption protects freedom of expression (Brazilian Constitution, Article 5(IV), (IX), (XIV)) and academic freedom (Article 206(II)) from regulatory interference. The three enumerated purposes are:

  • Journalistic purposes: Reporting, investigation, editorial content creation, and publication by media organizations, independent journalists, bloggers, and documentary filmmakers. The ANPD has not issued binding guidance on the journalistic exemption as of June 2026, but the legislative history and the Marco Civil's free-expression framework suggest that "journalistic" extends beyond traditional newsrooms to any natural or legal person engaged in gathering and disseminating information to the public on matters of public interest. Commercial media (newspapers, television broadcasters, digital-native publishers) and non-commercial outlets (academic journals, investigative NGOs) are both covered when processing serves editorial purposes.
  • Artistic purposes: Creation, production, and exhibition of literary, musical, theatrical, photographic, cinematographic, and visual works. A filmmaker processing interviews and location footage for a documentary, a photographer maintaining a portfolio of street scenes including identifiable passersby, or a novelist researching real-world events for a fictionalized account may invoke Article 4(II). The boundary is purpose: if the same data is later repurposed for targeted advertising or sold to a data broker, the exemption does not shield the secondary use.
  • Academic purposes: Scientific research, teaching, and scholarly publication by universities, research institutes, and individual researchers. Article 4(II) overlaps with but is distinct from the lawful basis for research in Article 7(IV) and the special-category research carve-out in Article 11(II)(c). Under Article 4(II), processing for purely academic ends—data collection, analysis, and publication in a peer-reviewed journal with no commercial application—falls entirely outside the LGPD. If the same research is later commercialized (e.g., dataset licensed to a private company, or findings used to develop a commercial product), the exemption no longer applies to the commercial processing.

Critical qualifier: "exclusively." The word exclusivamente means that mixed-purpose processing—data used for both exempt and non-exempt purposes—does not qualify. A newsroom that processes subscriber data for editorial purposes (exempt under Article 4(II)) and for subscription billing and targeted advertising (commercial purposes) cannot invoke the exemption for the entire dataset; the LGPD applies to the commercial processing, and the controller must segregate the data flows and document the lawful basis for each.

III. Public-security exemption — Article 4(III)

Processing performed "exclusively for public security, national defense, state security, or the investigation and prosecution of criminal offenses" (exclusivamente para fins de segurança pública, defesa nacional, segurança do Estado, ou atividades de investigação e repressão de infrações penais) is exempt from the LGPD, but Article 4, § 1 imposes a critical overlay: "The processing of personal data referred to in item III shall be governed by specific legislation, which must provide proportionate and strictly necessary measures to serve the public interest, observing due process of law, the general principles of protection, and the rights of data subjects provided in this Law."

This is a limited exemption with safeguards, not a blanket carve-out. The effect is:

  • Specific legislation governs. Public-security, intelligence, and criminal-investigation processing is regulated by sectoral statutes—the Penal Code, Code of Criminal Procedure, National Public Security Law, intelligence-agency organic statutes, anti-money-laundering frameworks—rather than by the LGPD's general regime.
  • Proportionality and necessity mandates remain. Article 4, § 1 requires that any specific legislation meet LGPD-equivalent standards: processing must be proportionate to the stated public-interest objective, strictly necessary (no broader collection or retention than required), respectful of due process (notice, opportunity to challenge, judicial oversight for intrusive measures), and consistent with the LGPD's general principles (Article 6: purpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability).
  • Private-sector exclusion. Article 4, § 2 (as amended by Law No. 13,853 of 2019) prohibits processing under the Article 4(III) exemption by private legal entities (pessoa de direito privado), except when the private entity acts under the supervision of a public legal entity (sob tutela de pessoa jurídica de direito público), in which case the private processor must notify the ANPD and comply with the limitation in Article 4, § 4: "In no case may the totality of personal data in a database referred to in item III be processed by a private legal entity, except by an entity with capital entirely constituted by the public sector." This means a private contractor engaged by a police department or intelligence agency to operate a specific investigative system may process a subset of the data for defined tasks, but only a wholly state-owned entity may hold or process the entire database.
  • ANPD oversight and technical opinions. Article 4, § 3 empowers the ANPD to issue technical opinions or recommendations on the public-security exemption and to request data-protection impact assessments (relatórios de impacto à proteção de dados pessoais) from the responsible public entities. This is not enforcement jurisdiction—the ANPD cannot sanction a federal police operation under the LGPD—but it is an oversight and advisory role designed to prevent mission creep and ensure that public-security processing respects fundamental rights.

Practical boundary: A municipality's traffic-camera system that captures license plates and facial images for automated traffic enforcement is not exempt under Article 4(III) if the primary purpose is revenue generation (automated fines). If the system is used exclusively for criminal investigation (identifying stolen vehicles, locating fugitives), the exemption applies, subject to Article 4, § 1 safeguards. If the system serves both purposes, the LGPD applies to the revenue/administrative function, and the controller must document lawful bases, implement access controls to segregate investigative from administrative data, and honor data-subject rights (e.g., a driver's right to access their own traffic-camera records) for the non-exempt processing.

IV. Cross-border data exemption — Article 4(IV)

The LGPD does not apply to personal data "originating from outside Brazilian national territory and that is not the object of communication, shared use of data with Brazilian processing agents, or the object of international data transfer with a country other than the country of origin, provided that the country of origin affords a level of personal data protection adequate to that provided in this Law."

This is a "data-in-transit" exemption for foreign-to-foreign data flows that touch Brazil only incidentally. The four cumulative conditions are:

  1. Origin outside Brazil — the data was collected outside Brazilian territory (the data subject was physically located abroad at the moment of collection, under Article 3, § 1, read in reverse).
  1. No communication or shared use with Brazilian agents — the data is not disclosed to, accessed by, or jointly processed with any controller or processor headquartered or operating in Brazil.
  1. No international transfer to a third country — the data does not leave the country of origin for onward transfer to yet another jurisdiction (other than incidental routing through Brazilian infrastructure, such as subsea cables or cloud-region failover).
  1. Country of origin affords adequate protection — the originating jurisdiction must provide a "level of personal data protection adequate to that provided in [the LGPD]." The LGPD does not define "adequate," and the ANPD has not published an adequacy-decision framework as of June 2026. By analogy to the GDPR Article 45 adequacy regime and the ANPD's evolving international-cooperation posture, adequacy likely requires that the foreign jurisdiction have (a) a comprehensive data-protection statute with lawful-basis requirements, data-subject rights, and an independent supervisory authority; (b) effective enforcement; and (c) respect for rule of law and due process. The EU, UK, Canada (PIPEDA jurisdictions), Japan (APPI), South Korea (PIPA), Switzerland (revFADP), and Argentina are plausible candidates; the United States (with its sectoral patchwork) is not, absent a bilateral framework agreement.

Example within exemption: A French controller processes personal data of French residents on servers in Ireland (both EU, both GDPR-compliant). Data packets are routed via a submarine cable that lands in Fortaleza, Brazil, but the data is never accessed by Brazilian entities, never stored on Brazilian servers beyond transient router buffers, and never transferred onward to a third country. Article 4(IV) exempts this flow from the LGPD because the data originates outside Brazil, is not communicated to Brazilian agents, is not transferred to a non-EU third country, and France affords adequate protection. (Note, however, that if the same data were later transferred from Ireland to a Brazilian subsidiary of the French controller, the exemption would no longer apply, and the LGPD would govern the Brazilian subsidiary's processing under Article 3(I) or (II).)

Example outside exemption: A U.S. SaaS provider collects data from users in California and stores it on AWS São Paulo servers for latency optimization. The data originates in the U.S., but it is communicated to Brazilian infrastructure (the AWS São Paulo region is operated by a Brazilian legal entity under Article 3(I)). Article 4(IV) does not apply; the LGPD governs under Article 3(I) (processing conducted in Brazil) and Article 3(II) (offering services to individuals in Brazil).

Relationship to Article 3, § 2: Article 3, § 2 (added by Law No. 13,853 of 2019) cross-references Article 4(IV): "Excepted from the provisions of item I of this article [territorial processing] is the processing of data referred to in item IV of Article 4." This confirms that Article 4(IV) carves out certain foreign-origin data from the Article 3(I) territorial trigger, but only when all four Article 4(IV) conditions are met.

---

Burden of proof and documentation. The controller invoking an Article 4 exemption bears the burden of demonstrating that the processing meets every element of the exemption. Best practice: document the factual and legal basis for the exemption in the processing-operations record (Article 37), including the purpose classification (household, journalistic, etc.), the absence of economic or mixed purposes, or (for Article 4(IV)) the adequacy analysis for the country of origin and proof that no Brazilian agents accessed the data. If the ANPD challenges the exemption in an enforcement proceeding, the controller must be prepared to produce evidence; a conclusory assertion ("this is journalism") will not suffice.

No partial exemption. Article 4 operates as an on/off switch. A processing operation either falls entirely within an exemption or is entirely subject to the LGPD. There is no middle ground in which some LGPD obligations apply and others do not. Controllers processing data for mixed purposes must segment the processing activities, apply Article 4 to the exempt flow, and apply Articles 7–52 to the non-exempt flow.

ANPD guidance as of June 2026. The ANPD has not published binding regulations or interpretive guidance specifically addressing the Article 4 exemptions, though the Authority's FAQ (last updated March 31, 2023) confirms the existence of the exemptions and notes that "the law does not apply" when Article 4 conditions are met. Practitioners should monitor the ANPD's Agenda Regulatória (updated biannually) for any planned rulemaking on exemption boundaries, particularly for journalistic processing and the adequacy standard under Article 4(IV).

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 4 and §§ 1–4

Source: Lei nº 13.853, de 8 de julho de 2019 (amendments to Article 3, § 2 and Article 4, § 2)

Children's and adolescents' personal data — Article 14 parental-consent requirement, best-interests standard, and ANPD Enunciado 01/2023

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

Brazil's LGPD establishes a heightened protection regime for the personal data of children (crianças) and adolescents (adolescentes) under Article 14, imposing distinct consent, transparency, and best-interests obligations that overlay the general lawful-basis framework in Article 7. The LGPD does not define the terms "child" or "adolescent"; those definitions are governed by the Estatuto da Criança e do Adolescente (ECA, Law No. 8,069 of July 13, 1990), which defines a criança as a person up to twelve years of age and an adolescente as a person between twelve and eighteen years of age (ECA Article 2). The ANPD applies these ECA definitions when interpreting Article 14.

Article 14 best-interests mandate. Article 14, caput, states: "The processing of personal data of children and adolescents shall be carried out in their best interest, in accordance with this article and pertinent legislation." This is an overriding principle applicable to all processing of data of persons under eighteen. The best-interests standard (melhor interesse) is imported from the 1989 UN Convention on the Rights of the Child (ratified by Brazil via Decree No. 99,710 of November 21, 1990, Article 3(1)), incorporated into the Brazilian Constitution (Article 227), and operationalized in the ECA (Article 4). The standard is contextual; controllers must evaluate the purpose, necessity, proportionality, and potential harms of the processing operation in light of the data subject's developmental stage and vulnerability.

Parental consent for children — Article 14, § 1

Article 14, § 1 provides: "The processing of personal data of children shall be carried out with specific and highlighted consent (consentimento específico e em destaque) given by at least one parent or legal guardian."

The provision establishes four requirements:

  1. Scope: children only (crianças), meaning persons under twelve years of age per ECA Article 2. Processing data of adolescents (aged twelve to seventeen) is governed by Article 14, caput (best interests) and may rely on any of the Article 7 or Article 11 lawful bases, but is not subject to a mandatory parental-consent requirement under § 1. (The interaction between § 1 and the general lawful bases is addressed by ANPD Enunciado 01/2023, discussed below.)
  1. Specific and highlighted consent (específico e em destaque). The consent must be specific to identified purposes and highlighted in presentation. Article 8, § 4, reinforces this requirement: "Consent shall refer to specific purposes, and generic authorizations for the processing of personal data shall be null." Article 8, § 4, also mandates that consent for children's data (and for sensitive data under Article 11) be presented separately from other contractual terms. A single checkbox embedded in a multi-page terms-of-service agreement does not satisfy the "highlighted" standard.
  1. Specific purposes (finalidades específicas). Blanket consents covering unspecified future uses are void. The parent or guardian must be informed of the concrete purpose for which the child's data will be processed (e.g., "to provide personalized learning recommendations based on quiz performance"), and consent extends only to that purpose. If the controller later wishes to process the same data for a new purpose (e.g., to deliver targeted advertising), fresh parental consent is required under Article 8, § 5, which permits revocation of consent at any time.
  1. At least one parent or legal guardian (pelo menos um dos pais ou pelo responsável legal). The statute requires consent from one parent, not dual-parent consent, even when both hold parental authority (poder familiar) under the Brazilian Civil Code (Law No. 10,406 of January 10, 2002, Article 1,631). "Legal guardian" (responsável legal) includes court-appointed tutors (tutores, Civil Code Articles 1,728 et seq.) and guardians (curadores, Civil Code Article 1,767) for children or adolescents subject to disability or other legal incapacity.

Transparency obligation — Article 14, § 2

Article 14, § 2 requires: "In the processing of data referred to in § 1 of this article, controllers shall make public (deverão manter pública) the information about the types of data collected, the manner of their use, and the procedures for exercising the rights referred to in Article 18 of this Law."

This is a continuous public-disclosure obligation. Controllers must maintain a publicly accessible privacy notice specifying:

  • the categories of personal data collected from children (e.g., name, age, device identifiers, activity logs);
  • the manner of use (forma de sua utilização), meaning the purposes of processing and the types of processing operations (automated decision-making, profiling, third-party sharing);
  • the procedures for data subjects—including children and their parents or guardians—to exercise the rights enumerated in Article 18: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion of consent-based data, information about data sharing with third parties, the right to refuse consent and understand its consequences, and revocation of consent.

The ANPD has not published binding regulations prescribing a format or template for the § 2 disclosure as of June 2026.

Exceptions to parental consent — Article 14, § 3

Article 14, § 3 permits processing of children's personal data without the parental consent required by § 1 in two narrow circumstances:

  1. One-time contact to reach the parent or guardian (quando a coleta for necessária para contatar os pais ou o responsável legal, utilizados uma única vez e sem armazenamento). The controller may collect the minimum data necessary to contact the parent or guardian (e.g., an email address or phone number) for one use only and without storage. Example: a child attempts to register for a service; the controller collects the parent's email, sends a one-time consent request, and does not retain the email in a database. Logging the parent's contact information for compliance recordkeeping or future communications falls outside this exception and requires consent under § 1.
  1. Protection of the child or third party (para sua proteção). The controller may collect and process children's data when necessary to protect the life or physical safety of the child or a third party. This exception mirrors the life-or-safety lawful basis in Article 7(VII) (general data) and Article 11(II)(e) (sensitive data). The processing must be necessary for the protective purpose, and the data may not be repurposed.

Critical limitation: Article 14, § 3, final clause, provides that in no case (em nenhum caso) may data collected under either exception be transferred to third parties (repassados a terceiro) without the parental consent required by § 1. A controller that collects a parent's email under the one-time-contact exception and then discloses it to a processor, co-controller, or advertiser violates the statute unless it obtains fresh parental consent for the disclosure.

ANPD Enunciado 01/2023 — lawful bases for children's and adolescents' data

On May 22, 2023, the ANPD Conselho Diretor (Governing Board) published Enunciado CD/ANPD nº 01/2023, resolving an interpretive question that had divided practitioners: whether Article 14, § 1's parental-consent requirement is the exclusive lawful basis for processing children's data, or whether controllers may rely on the other Article 7 bases (legal obligation, contract, legitimate interests, etc.) when the processing serves the child's best interests.

The Enunciado states:

> "The processing of personal data of children and adolescents may be carried out on the basis of the lawful bases provided in Article 7 or Article 11 of the General Data Protection Law (LGPD), provided that their best interest is observed and prevails, to be evaluated in the concrete case, in accordance with Article 14 of the Law."

Effect of Enunciado 01/2023:

  • Article 14, § 1, is not the sole lawful basis. Controllers may process data of children (under twelve) and adolescents (twelve to seventeen) relying on any of the ten general lawful bases in Article 7 (consent, legal obligation, public-policy execution, research, contract performance, legal rights, life or safety protection, health protection, legitimate interests, or credit protection) or the sensitive-data bases in Article 11, without obtaining parental consent under § 1, if the processing serves the best interests of the child or adolescent and that best interest prevails over any competing controller or third-party interests.
  • Best-interests standard is mandatory. Even when the controller relies on a non-consent basis (e.g., Article 7(V) contract performance to deliver an educational service subscribed by the child's school, or Article 7(IX) legitimate interests to prevent fraud), the controller must evaluate and document that the processing is age-appropriate, necessary, proportionate, and does not expose the child or adolescent to undue risk. The Enunciado specifies that the best-interests assessment must be conducted "in the concrete case" (no caso concreto), meaning it is fact-specific and not susceptible to blanket categorical determinations.
  • Adolescents' consent and progressive autonomy. For adolescents (twelve to seventeen), the Enunciado confirms that parental consent is not required under Article 14, § 1, which applies only to crianças (children under twelve). Controllers may accept an adolescent's direct consent under Article 7(I) for processing that the adolescent is mature enough to understand. The ECA's doctrine of progressive autonomy (autonomia progressiva, recognized in General Comment No. 14 of the UN Committee on the Rights of the Child and applied by the ANPD in its May 24, 2023, press release accompanying the Enunciado) acknowledges that adolescents have increasing decision-making capacity as they mature. However, the best-interests mandate in Article 14, caput, remains in force, requiring controllers to assess whether the adolescent's consent—or reliance on another lawful basis—serves the adolescent's developmental and safety interests.

The Enunciado is non-binding guidance (an interpretive statement, not a regulation with force of law), but it represents the ANPD's official position and is highly persuasive in enforcement proceedings and litigation.

Relationship to the Estatuto Digital da Criança e do Adolescente (ECA Digital)

On September 17, 2025, Brazil enacted Law No. 15,211/2025, the Estatuto Digital da Criança e do Adolescente (ECA Digital), imposing age-assurance, parental-supervision, design-safety, and content-moderation obligations on providers of digital products and services directed at or likely to be accessed by persons under eighteen. The ANPD is the designated enforcement authority for the data-protection provisions of the ECA Digital. The ECA Digital is complementary to LGPD Article 14. Controllers processing data of children or adolescents in Brazil must comply with both the LGPD Article 14 parental-consent and best-interests rules and the ECA Digital's obligations, including:

  • Age-assurance mechanisms (ECA Digital Article 12, requiring providers to implement "reliable mechanisms" to determine user age);
  • Prohibition on profiling for targeted advertising (ECA Digital Article 22: "The use of profiling techniques for directing commercial advertising to children and adolescents is prohibited, as is the use of emotional analysis, augmented reality, extended reality, and virtual reality for that purpose");
  • Parental-supervision tools (ECA Digital Article 17, requiring providers to offer parents or guardians "effective parental supervision functionalities");
  • Purpose limitation for age-verification data (ECA Digital Article 13: "Data collected for age verification of children and adolescents may be used solely for that purpose, and its processing for any other purpose is prohibited").

The ANPD published preliminary guidance on age-assurance mechanisms on March 20, 2026, and opened a public consultation (Tomada de Subsídios) on a draft Guia Orientativo on age-assurance mechanisms on May 22, 2026 (open through July 9, 2026). As of June 2026, the ANPD has not published final binding regulations on the ECA Digital; the Agenda Regulatória 2025–2026 (updated December 24, 2025) schedules three ECA Digital rulemaking initiatives for completion in 2026–2027.

Practical takeaways

  1. Age thresholds. Under twelve: parental consent required by Article 14, § 1, unless the controller relies on another Article 7 or Article 11 basis and demonstrates that the best interests of the child prevail (per Enunciado 01/2023). Twelve to seventeen: parental consent not required by statute, but the best-interests standard applies under Article 14, caput, and controllers must evaluate whether the adolescent's consent or another lawful basis is appropriate.
  1. Consent must be specific, highlighted, and separate. Do not bury children's-data consent in a general terms-of-service clickwrap. Present it as a standalone, purpose-specific authorization screen addressed to the parent or guardian.
  1. Transparency is public and continuous. Maintain a publicly accessible privacy notice detailing data categories, uses, and data-subject-rights procedures (Article 14, § 2).
  1. Best-interests documentation. Even when relying on a non-consent lawful basis (contract, legal obligation, legitimate interests), document the best-interests assessment in the processing-operations record (Article 37) or in a data-protection impact assessment (Article 38). The Enunciado 01/2023 makes clear that the best-interests standard is not optional and must be evaluated "in the concrete case."
  1. ECA Digital compliance overlays LGPD. Age-assurance, design-safety, and prohibition-on-profiling obligations under the ECA Digital apply in addition to LGPD Article 14. The ANPD is the single enforcement authority for both regimes as they relate to data protection.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 14 and §§ 1–3, Articles 7, 8, 11, 18, 37, 38

Source: Enunciado CD/ANPD nº 01, de 22 de maio de 2023

Source: ANPD press release on Enunciado 01/2023 (May 24, 2023)

Source: Lei nº 15.211, de 17 de setembro de 2025 (Estatuto Digital da Criança e do Adolescente — ECA Digital)
