LGPD Applies to Your US Company

Brazil's data protection law has extraterritorial reach — just like GDPR. If your website has Brazilian visitors and uses analytics or advertising cookies, LGPD applies to you regardless of where your company is based.

Does LGPD apply to US companies?

Yes — LGPD has extraterritorial reach. Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) applies to any organization that processes personal data from Brazilian residents, regardless of where the organization is headquartered. This includes US companies, even if they have no physical presence in Brazil.

The trigger is simple: if your website has Brazilian visitors and uses analytics (Google Analytics, Mixpanel), advertising pixels (Meta Pixel, Google Ads), or any other cookie that collects personal data, LGPD applies to you. Brazil's ANPD has been actively enforcing since 2023.

Source: LGPD Art. 3 — "This Law applies to any processing operation carried out by a natural or legal person of public or private law, regardless of the country where the data processing organization is headquartered, provided that: I — the processing operation is carried out in the national territory; II — the processing activity is intended to offer or provide goods or services or the processing of data of individuals located in the national territory."


What LGPD requires for your website

Brazil's ANPD published official cookie guidance in 2023. These five requirements apply to any website with Brazilian users.

Script blocking before consent

Analytics and advertising scripts must not load until the visitor actively accepts. Pre-loading scripts and retroactively asking for consent is not compliant — LGPD requires prior consent.

  • Google Analytics blocked until opt-in
  • Meta Pixel blocked until opt-in
  • All marketing tags blocked until opt-in
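One common way to implement prior-consent blocking, shown as an added example (not CookieFácil's code and not part of the original page): non-essential tags ship inert as `type="text/plain"` with a category label and are only activated for categories the visitor accepted. The category names, the `data-category`/`data-src` attributes and the example.test URLs are assumptions made for illustration.

```javascript
// Categories this site labels its tags with (assumed names, not from the ANPD guidance).
const KNOWN_CATEGORIES = new Set(["necessary", "analytics", "marketing"]);

// State before the visitor chooses: only strictly necessary scripts are allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Tags that may run under `consent`. Anything unlabelled, unknown, or not
// explicitly true stays blocked, so a missing label fails closed.
function scriptsToActivate(tags, consent) {
  return Array.from(tags).filter((tag) => {
    const category = tag.dataset ? tag.dataset.category : undefined;
    return KNOWN_CATEGORIES.has(category) && consent[category] === true;
  });
}

// Browser step: a text/plain script never executes, so each allowed tag is
// replaced by a fresh <script> element that carries the real src.
function activate(tags, consent, doc) {
  return scriptsToActivate(tags, consent).map((tag) => {
    const live = doc.createElement("script");
    live.src = tag.dataset.src;
    live.async = true;
    tag.replaceWith(live);
    return live.src;
  });
}

// Constructed sample: plain objects shaped like the inert tags
// <script type="text/plain" data-category="..." data-src="..."></script>
const SAMPLE_TAGS = [
  { dataset: { category: "analytics", src: "https://example.test/analytics.js" } },
  { dataset: { category: "marketing", src: "https://example.test/pixel.js" } },
  { dataset: { category: "chat-widget", src: "https://example.test/chat.js" } },
  { dataset: { src: "https://example.test/unlabelled.js" } },
];
```

In a browser, call `activate(document.querySelectorAll('script[type="text/plain"][data-category]'), consent, document)` once the visitor has made a choice.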

Equal-weight Accept and Reject

The ANPD guidance explicitly prohibits dark patterns. Accept and Reject buttons must have equal visual prominence — same size, same color weight, same position. Making rejection harder than acceptance is a violation.

  • No pre-ticked consent boxes
  • Reject button same size as Accept
  • No deceptive "X" that actually accepts

Tamper-proof consent log

Every consent decision must be recorded with a timestamp, the exact text shown at the time, and a pseudonymized visitor identifier. This log is your proof of compliance in an ANPD audit.

  • Timestamp and consent decision recorded
  • Banner version tracked per consent
  • Exportable for legal review
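A minimal sketch of such a log, as an added example (not CookieFácil's implementation and not part of the original page): each record carries the timestamp, decision, banner version, a hash of the banner text and an HMAC pseudonym of the visitor id, and is hash-chained to the previous record so that edits, deletions and reordering are detectable. Field names, the secret and the sample records are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

const GENESIS = "0".repeat(64); // prevHash of the first entry
const sha256 = (text) => crypto.createHash("sha256").update(text).digest("hex");

// Keyed hash so the log holds a stable pseudonym, never the raw visitor id.
const pseudonymize = (visitorId, secret) =>
  crypto.createHmac("sha256", secret).update(visitorId).digest("hex");

// Hash over a fixed field order; prevHash links each entry to the one before.
function entryHash(e) {
  return sha256(JSON.stringify(
    [e.prevHash, e.timestamp, e.visitor, e.decision, e.bannerVersion, e.bannerTextHash]));
}

function appendConsent(log, rec, secret) {
  const entry = {
    prevHash: log.length ? log[log.length - 1].hash : GENESIS,
    timestamp: rec.timestamp,
    visitor: pseudonymize(rec.visitorId, secret),
    decision: rec.decision, // "accept" or "reject"
    bannerVersion: rec.bannerVersion,
    bannerTextHash: sha256(rec.bannerText), // full text kept once per version
  };
  entry.hash = entryHash(entry);
  log.push(entry);
  return entry;
}

// Index of the first entry that was edited, removed or reordered; -1 if intact.
function verifyLog(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    if (log[i].prevHash !== prev || entryHash(log[i]) !== log[i].hash) return i;
    prev = log[i].hash;
  }
  return -1;
}

// Constructed sample data: three visitors, one banner version.
function buildSampleLog(secret = "constructed-demo-secret") {
  const log = [];
  const text = "We use cookies for analytics and ads. Accept / Reject";
  ["v-1001", "v-1002", "v-1003"].forEach((id, i) => appendConsent(log, {
    timestamp: `2024-05-0${i + 1}T12:00:00Z`, visitorId: id,
    decision: i === 1 ? "reject" : "accept", bannerVersion: "banner-v3", bannerText: text,
  }, secret));
  return log;
}
```

A hash chain makes the log tamper-evident rather than tamper-proof: anyone able to rewrite every entry can recompute the chain, so the latest `hash` should also be stored somewhere the log writer cannot modify.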

LGPD vs CCPA — they are not the same

If your current compliance relies on CCPA, you are not covered for Brazilian users. The consent models are fundamentally different.

| Requirement | LGPD (Brazil) | CCPA/CPRA (California, USA) |
|---|---|---|
| Consent model | Opt-in required | Opt-out |
| Scripts before consent | Must be blocked | Can run by default |
| Cookie banner required | Yes (ANPD guidance) | Yes (opt-out link) |
| Max fine | R$ 50M or 2% BR revenue | $7,500 per violation |
| Enforcement authority | ANPD (Brazil) | CPPA (California) |
| CookieFácil support | Full | Partial |

LGPD compliance in under 10 minutes

CookieFácil handles every technical LGPD requirement automatically. No legal team needed for the setup.

One script tag. Full compliance.

Add one line of JavaScript before your closing </head> tag. CookieFácil automatically detects all scripts on your page, blocks non-essential ones before consent, and re-injects them after the visitor accepts.

Google Consent Mode v2 signals fire automatically. Your consent log is built in the background. Nothing else to configure.

  • Works on any platform — WordPress, Shopify, Nuvemshop, custom
  • Google Tag Manager template available — no code required
  • REST API for consent log access from your own systems
  • Free plan covers up to 5,000 monthly consent interactions

<!-- Add before </head>. That's all. -->
<script
  data-cfasync="false"
  src="https://cdn.cookiefacil.com.br/cdn/cf-banner.min.js?site=YOUR_ID"
  async
></script>

Choose the right plan for your business

Start free and scale as your consent volume grows. Billed in BRL — no credit card required to start.

Free

Start collecting consent records


  • 1 site · 1,000 visitors/month

  • Cookie consent banner — LGPD + GDPR ready

  • Basic consent reports

Basic (Most Popular)

For growing businesses


  • 2 sites · 5,000 visitors/month

  • CSV export of consent records

  • Remove CookieFácil branding


Professional

For multiple sites and agencies


  • 5 sites · 50,000 visitors/month

  • CSV + PDF + advanced reports

  • Custom CSS and geo-targeting rules


Frequently asked questions

  • Does LGPD apply to US companies?

    Yes. LGPD Art. 3 has explicit extraterritorial reach — it applies to any organization that processes personal data from Brazilian residents, regardless of where the company is headquartered. If your website has Brazilian visitors and uses analytics, advertising pixels, or any cookie that collects personal data, LGPD applies to you.

  • What does LGPD require for a US company's website?

    A US company serving Brazilian users must: (1) display a cookie consent banner before any non-essential scripts load, (2) block analytics and marketing scripts until the visitor opts in, (3) provide equal-weight Accept and Reject buttons with no dark patterns, (4) allow one-click consent withdrawal, and (5) maintain a tamper-proof consent log with timestamp and pseudonymized user identifier.

  • Is LGPD similar to CCPA?

    LGPD and CCPA are fundamentally different on consent: LGPD requires opt-in consent (scripts must be blocked until the visitor actively accepts), while CCPA uses an opt-out model (scripts run by default and users can opt out). For a US company, existing CCPA compliance is not sufficient for Brazilian users — a separate LGPD-compliant consent flow is required.

  • What are the penalties for LGPD non-compliance?

    Brazil's ANPD can issue fines of up to 2% of the company's revenue from Brazil, capped at R$ 50 million per violation. Penalties apply regardless of where the company is headquartered. The ANPD has been actively enforcing since 2023, with cases involving both Brazilian and international companies.

  • How long does it take to make a US company website LGPD-compliant?

    With CookieFácil, the technical implementation takes under 10 minutes: create an account, add your site, paste one script tag before </head>. The banner automatically blocks non-essential scripts, records consent, and fires Google Consent Mode v2 signals. No developer required for most platforms.

  • Does LGPD apply to B2B US companies?

    Yes. LGPD applies to any processing of personal data from Brazilian residents, including employees, leads, and business contacts. B2B companies that process contact details, IP addresses, or behavioral data of Brazilian individuals fall within LGPD's scope. The law does not distinguish between B2B and B2C data subjects.