LGPD vs GDPR: What Actually Changes
LGPD and GDPR share the same opt-in model — but they are enforced by different authorities, calculate fines differently, and have distinct data subject rights. If your company serves Brazilian users, GDPR compliance alone is not enough.
Is LGPD the same as GDPR?
Similar framework, different jurisdiction. LGPD and GDPR both require opt-in consent before non-essential cookies fire. Both prohibit dark patterns. Both give data subjects the right to access, correct, and delete their data. But LGPD is enforced by Brazil's ANPD — not by EU DPAs — and fines are calculated against Brazilian revenue specifically, not global turnover.
A GDPR-compliant consent banner is a strong starting point for LGPD. The required adjustments are minor: ensure your banner is served to Brazilian visitors, that your consent logs satisfy ANPD's specific requirements, and that your data subject request process meets LGPD's response timeframes.
LGPD vs GDPR — side by side
The same core principles, different implementation details that matter for compliance teams.
| Requirement | LGPD (Brazil, ANPD) | GDPR (European Union, EDPB) |
|---|---|---|
| Consent model | Opt-in | Opt-in |
| Script blocking required | Yes | Yes |
| Cookie banner required | Yes (ANPD guidance) | Yes (ePrivacy) |
| Enforcement authority | ANPD (Brazil) | National DPAs (EU) |
| Max fine | R$ 50M or 2% BR revenue | €20M or 4% global revenue |
| Fine calculation base | Brazilian revenue only | Global annual turnover |
| Legal bases for processing | 10 bases | 6 bases |
| DPO / Encarregado required | Yes — most controllers | Yes — high-risk processing |
| Data subject request window | 15 days | 30 days (extendable to 90) |
| CookieFácil support | Full | Full |
Three differences that matter most
These are the gaps where GDPR-compliant companies most often fall short of LGPD requirements.
Different enforcement authority
LGPD is enforced by Brazil's ANPD — not by any EU DPA. A complaint from a Brazilian user goes to the ANPD, not to the ICO or CNIL. Your EU compliance program does not cover Brazilian enforcement.
- ANPD has its own audit procedures
- Brazilian data subjects can complain to ANPD directly
- EU adequacy decision for Brazil not yet in force
Faster data subject response
LGPD requires responding to data subject requests within 15 days — not GDPR's 30-day window. If your process assumes a 30-day timeline for all regions, your responses to Brazilian requests may already be in violation.
- LGPD: 15-day response window
- GDPR: 30 days (extendable to 90)
- Same rights, different clocks
Brazilian revenue fine basis
LGPD fines are calculated against revenue in Brazil specifically — not global turnover. For most international companies, this means the effective maximum fine is much lower than GDPR's, but it still applies even with zero physical presence in Brazil.
- Up to 2% of BR revenue per violation
- Hard cap at R$ 50M per violation
- No physical presence required for liability
Choose the right plan for your business
Start free and scale as your consent volume grows. Billed in BRL — no credit card required to start.
Free
Start collecting consent records
1 site · 1,000 visitors/month
Cookie consent banner — LGPD + GDPR ready
Basic consent reports
Basic
For growing businesses
2 sites · 5,000 visitors/month
CSV export of consent records
Remove CookieFácil branding
Professional
For multiple sites and agencies
5 sites · 50,000 visitors/month
CSV + PDF + advanced reports
Custom CSS and geo-targeting rules
Frequently asked questions
- Is LGPD the same as GDPR?
LGPD and GDPR share the same opt-in consent model and core principles, but they are enforced by different authorities — LGPD by Brazil's ANPD, GDPR by EU member state DPAs. Fines differ: GDPR caps at €20M or 4% of global turnover; LGPD caps at R$ 50M or 2% of Brazilian revenue per violation. Data subject rights have different response timeframes.
- If we are GDPR-compliant, are we LGPD-compliant?
Mostly, but not entirely. GDPR compliance gives you the right framework — opt-in consent, script blocking, consent logs. The gaps: LGPD is enforced by ANPD (not EU DPAs), data subject rights have different response windows (15 days vs 30), and fines are calculated against Brazilian revenue specifically. A GDPR-compliant banner needs minor adjustments to be fully LGPD-compliant.
- What are the main differences between LGPD and GDPR?
Key differences: (1) Enforcement — ANPD for LGPD, national DPAs for GDPR. (2) Fines — LGPD uses Brazilian revenue; GDPR uses global turnover. (3) Legal bases — LGPD has 10 vs GDPR's 6. (4) Response window — LGPD requires 15 days; GDPR allows 30. (5) DPO requirement — LGPD requires a data officer for most controllers regardless of size.
- Does LGPD require a cookie banner like GDPR?
Yes. Brazil's ANPD published official cookie guidance requiring the same core elements as GDPR/ePrivacy: a clear consent banner before non-essential scripts fire, equal-weight Accept and Reject buttons, granular category controls, and one-click withdrawal. The ANPD guidance explicitly prohibits dark patterns such as pre-ticked boxes or making rejection harder than acceptance.
- Can one tool handle both LGPD and GDPR compliance?
Yes. CookieFácil supports both LGPD and GDPR from a single dashboard. The consent banner blocks non-essential scripts before consent on all sessions, fires Google Consent Mode v2 signals, and maintains tamper-proof consent logs that satisfy both ANPD and EU DPA audit requirements.
- Which companies need to comply with both LGPD and GDPR?
Any company with both EU and Brazilian users. This includes: EU companies with Brazilian operations or website visitors, Brazilian companies with EU customers, and multinationals serving both markets. Both laws have extraterritorial reach — jurisdiction follows the data subject's location, not the company's headquarters.