What are the key requirements of LGPD for email marketing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's what you need in place to run an LGPD-compliant email marketing program.

Step 1: Establish a legal basis for processing. For email marketing, that's usually consent (the subscriber explicitly opted in) or legitimate interest (you have a documented, justifiable reason that doesn't override people's privacy interests). Consent is simpler to defend. Legitimate interest is more flexible than under GDPR but still requires a written balancing assessment. Pick one and document it.

Step 2: Be transparent. Your privacy notice needs to cover what personal data you collect, why you collect it, how it's used, and who it's shared with. It has to be accessible and written in plain language. When someone signs up, they should understand what they're agreeing to without reading a legal document.

Step 3: Honor individual rights. Brazilian subscribers can request access to their data, correction of errors, deletion, portability, information about third-party sharing, and revocation of consent. You need a process for handling those rights requests. If you're already managing GDPR rights requests, extend the same process to your Brazilian contacts.

Step 4: Secure the data and report breaches. Implement appropriate technical and organizational security measures. If a breach occurs that could affect individual rights, it must be reported to ANPD. Maintain records of your processing activities so you can demonstrate compliance if asked.

If you're already GDPR-compliant, most of this is familiar territory. The fastest path to LGPD compliance is auditing your existing processes and confirming they cover Brazilian subscribers. LGPD's consent standard is nearly identical to GDPR's: free, informed, and unambiguous.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me identify what's missing from my LGPD compliance checklist.

I read this on the Email Almanac about the key requirements of LGPD for email marketing. I need to figure out what I'm missing from my current email program to be LGPD-compliant. My situation: 1. Do I have a documented legal basis (consent or legitimate interest) for my Brazilian subscribers? yes / no / unsure 2. Does my privacy notice cover data collection purposes and third-party sharing? yes / no / needs work 3. Do I have a process for Brazilian subscribers to request access, correction, or deletion? yes / no / unsure 4. Do I have breach notification procedures in place? yes / no / unsure 5. Am I already GDPR-compliant? yes / partially / no --- My details: - Email platform/ESP: e.g. Mailchimp, SendGrid, HubSpot - Domain(s): your sending domain - Audience locations: global / Latin America-heavy / specific - Business type: B2B / B2C / both - Consent records stored: yes / no / partially

Edit the yellow boxes, then send to the AI of your choice.