What is the scope of LGPD (Brazil)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you have any Brazilian subscribers, LGPD applies to you. Here's how the scope works.
LGPD covers personal data processing in three situations: the processing happens in Brazil, the processing aims to offer goods or services to people in Brazil, or the data was originally collected in Brazil. Your company's location doesn't matter. A US-based SaaS with Brazilian users is in scope.
"Personal data" means any information that relates to an identified or identifiable person. Email addresses qualify. "Processing" covers basically everything you do with data: collecting it, storing it, using it, sharing it, modifying it, deleting it. Sending a marketing email to a Brazilian subscriber involves multiple processing activities under LGPD.
LGPD applies to both data controllers (organizations that determine how data is processed) and data processors (organizations that process it on someone's behalf). Some processing is exempt: purely personal activities, journalistic or academic purposes, and public security uses. Commercial email marketing doesn't qualify for any exemption.
If you have Brazilian subscribers, assume LGPD applies and treat them the same way you'd treat EU subscribers under GDPR. Start by confirming you have a valid legal basis for processing their data, then check that your individual rights processes cover Brazilian contacts.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.