Brazil LGPD and Web Scraping: 2026 Compliance Guide

Brazil’s Lei Geral de Proteção de Dados (LGPD) has been enforceable since August 2021, but the ANPD (Autoridade Nacional de Proteção de Dados) issued its first significant fines in 2023 and ramped up its enforcement posture through 2025. If you’re scraping Brazilian websites or collecting data that includes Brazilian residents, you can no longer treat LGPD as a soft law. The compliance calculus in 2026 is real, and the risk surface is wider than most engineers expect.

What LGPD Actually Covers for Scrapers

LGPD applies to any processing of personal data belonging to individuals located in Brazil, regardless of where the data processor is based. “Processing” includes collection, storage, transmission, and analysis. Scraping a Brazilian e-commerce site and extracting names, CPF numbers (Brazil’s national ID), or email addresses puts you squarely inside the law.

The law defines personal data broadly: any information that identifies or can identify a natural person. For scrapers, this means:

  • full names combined with employer or location data
  • email addresses and phone numbers
  • IP addresses when linked to other identifiers
  • profile photos with facial recognition potential
  • CPF or CNPJ numbers found in public registries

Publicly available data is not automatically exempt. LGPD’s Article 7 lists ten legal bases for processing, and “legitimate interest” (Article 10) is the basis most commonly cited by scrapers, but it requires a documented balancing test: a written assessment weighing your processing purpose against the rights of data subjects.

Legal Bases: Which One Fits Your Use Case

Picking the right legal basis is not optional. Unlike under GDPR’s more flexible interpretation, ANPD has signaled it will scrutinize claims of legitimate interest closely. Here’s how the main bases map to common scraping scenarios:

Use Case                                     | Viable Legal Basis                 | Risk Level
---------------------------------------------|------------------------------------|-----------
Price monitoring (public product pages)      | Legitimate interest                | Low
Lead generation from LinkedIn-style profiles | Legitimate interest + ToS risk     | High
Research / journalism (named exemption)      | Art. 4 / Art. 7(IV)                | Low-Medium
Competitive intelligence (no personal data)  | N/A (not personal data)            | Low
Scraping contact directories                 | Consent or legitimate interest     | High
Government open data (CNPJ registry)         | Public data exception (Art. 7(II)) | Low

For anything in a “High” row, you need a legitimate interest assessment (LIA) on file before you begin scraping at scale. The LIA doesn’t have to be long, but it must exist.

LGPD vs. GDPR: Key Differences That Affect Your Stack

If you’ve already built GDPR compliance into your pipeline, LGPD will feel familiar but has a few structural differences that affect how you implement controls. Compared to what’s covered in the UK GDPR Post-Brexit and Web Scraping: 2026 Rules, LGPD’s enforcement teeth are slightly shorter (the maximum fine is 2% of Brazil revenue, capped at R$50 million per infraction, versus GDPR’s 4% of global turnover), but the ANPD has shown it will stack violations.

Data Localization

LGPD does not impose hard data localization requirements for most use cases. Cross-border transfers are permitted if the destination country provides an adequate level of protection, or if you use standard contractual clauses (SCCs). The EU is considered adequate; the US is not on Brazil’s adequacy list, which means US-based scraping infrastructure that stores Brazilian personal data needs SCCs or a binding corporate rules framework.

Sensitive Data Categories

LGPD’s list of sensitive data is slightly different from GDPR’s. It explicitly includes biometric data used for identification purposes and health data, which matters if you’re scraping healthcare directories or fitness platforms. Processing sensitive data requires explicit consent or one of three narrow statutory exceptions; legitimate interest does not apply.

No DPO Mandate for Small Operators

GDPR requires a DPO for controllers doing large-scale systematic monitoring. LGPD’s DPO equivalent (Encarregado) is required for any processing agent, but ANPD has signaled that micro and small companies can appoint a named contact rather than a full DPO role.

Practical Compliance Controls for Your Scraping Pipeline

The LGPD does not prescribe specific technical measures, but ANPD’s resolution framework references ISO 27001-compatible controls as the baseline. For a scraping operation, that translates into:

  1. Data minimization at extraction time: strip fields you don’t need before writing to storage. If you need job titles but not phone numbers, drop the phone field in your parser, not in post-processing.
  2. Retention limits with automated enforcement: set TTLs at the database level, not just in policy docs. A 90-day default with a review gate before extension is a defensible position.
  3. Audit logging on access: know who queried which records and when. If ANPD requests a processing log, you need to produce it within the investigation window.
  4. Pseudonymization for analytical workloads: if you’re running aggregations, replace direct identifiers with tokens before the data hits your analytics layer.
  5. A documented LIA per data source: a short markdown file per scraping job that states the purpose, the data types, the necessity argument, and the balancing test outcome.

A minimal scraping config that enforces retention at the collection layer looks like this:

# scraper job config -- enforce retention at write time
JOB_CONFIG = {
    "source": "br_ecommerce_reviews",
    "legal_basis": "legitimate_interest",
    "lia_doc": "docs/lia/br_ecommerce_reviews_2026.md",
    "personal_fields": ["reviewer_name", "reviewer_city"],
    "pseudonymize_before_store": True,
    "retention_days": 90,
    "data_subject_country": "BR",
    "cross_border_transfer": True,
    "transfer_mechanism": "SCC",
}

Keeping this config committed alongside your scraper means compliance evidence is co-located with the code that generates the data.
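As an added example (not code from the original post or from DRT), here is how the five controls above can be enforced at write time against a config of the JOB_CONFIG shape: allowlist-based minimization, keyed HMAC tokens for the personal_fields, an expires_at stamp derived from retention_days, an audit entry per store, and a pre-flight check that refuses legitimate interest for sensitive data or a cross-border transfer without SCCs or binding corporate rules. The keep_fields and sensitive_fields keys, the function names, the demo key and the sample review record are assumptions made for this example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
# Constructed config; "keep_fields" and "sensitive_fields" are hypothetical additions to the page's shape
JOB_CONFIG = {
    "source": "br_ecommerce_reviews",
    "legal_basis": "legitimate_interest",
    "lia_doc": "docs/lia/br_ecommerce_reviews_2026.md",
    "keep_fields": ["review_text", "rating", "reviewer_name", "reviewer_city"],
    "personal_fields": ["reviewer_name", "reviewer_city"],
    "sensitive_fields": [],
    "pseudonymize_before_store": True,
    "retention_days": 90,
    "cross_border_transfer": True,
    "transfer_mechanism": "SCC",
}
AUDIT_LOG = []  # stand-in for an append-only audit store

def validate_job(cfg):
    """Refuse a job whose config contradicts the rules described above."""
    if cfg["legal_basis"] == "legitimate_interest":
        if cfg["sensitive_fields"]:
            raise ValueError("legitimate interest does not cover sensitive data")
        if not cfg.get("lia_doc"):
            raise ValueError("legitimate interest requires a documented LIA")
    if cfg["cross_border_transfer"] and cfg["transfer_mechanism"] not in ("SCC", "BCR"):
        raise ValueError("transfer out of Brazil needs SCCs or binding corporate rules")

def pseudonymize(value, key):
    """Keyed HMAC token: stable for joins, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def process_record(cfg, record, key, now, actor="scraper"):
    """Minimize, pseudonymize and stamp a retention deadline before storage."""
    validate_job(cfg)
    stored = {f: record[f] for f in cfg["keep_fields"] if f in record}  # data minimization
    if cfg["pseudonymize_before_store"]:
        for f in cfg["personal_fields"]:
            if f in stored:
                stored[f] = pseudonymize(str(stored[f]), key)
    stored["expires_at"] = (now + timedelta(days=cfg["retention_days"])).isoformat()
    AUDIT_LOG.append({"ts": now.isoformat(), "actor": actor, "source": cfg["source"], "action": "store"})
    return stored

# Constructed scraped record; the phone number never reaches storage
SAMPLE = {"review_text": "Bom produto", "rating": 5, "reviewer_name": "Ana Souza",
          "reviewer_city": "Curitiba", "reviewer_phone": "+55 41 99999-0000"}

def demo():  # fixed clock and demo key so the stored record is reproducible
    return process_record(JOB_CONFIG, SAMPLE, b"demo-key", datetime(2026, 1, 1, tzinfo=timezone.utc))
```

In a real pipeline the HMAC key lives in a secrets manager and the audit entries go to an append-only store, so that the processing log ANPD may request can actually be produced.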

Terms of Service Intersection

LGPD compliance doesn’t insulate you from ToS exposure. Brazilian courts have enforced ToS agreements under contract law independently of LGPD, and the ANPD has not issued guidance that public data is always fair game for scraping. As covered in Web Scraping Terms of Service Analysis: When ToS Matters Legally (2026), the legal risk from ToS violations in Brazil sits on a separate track from data protection liability; you can face both simultaneously.

The practical overlap: sites that prohibit automated access in their ToS and also hold personal data create double exposure. Your LIA must account for whether the scraping method itself is lawful, not just whether the data use is lawful. If you’re using residential proxies to bypass bot detection on a site that prohibits scraping, that’s a separate legal risk layer from the data protection analysis.

For teams building compliance across multiple jurisdictions, the ASEAN Data Protection Laws: A Web Scraping Compliance Matrix is worth reading alongside this guide, since Brazil’s LGPD shares structural DNA with Southeast Asian frameworks like Thailand’s PDPA and Singapore’s PDPA. The California CCPA and Web Scraping: 2026 Compliance Guide also covers similar legitimate interest mechanics for comparison.

Bottom Line

LGPD enforcement is no longer theoretical: document your legal basis, pseudonymize personal data before it hits analytical systems, and don’t assume public availability equals permission to process. If you’re operating at scale in Brazil, the legitimate interest path is viable but requires a written LIA per data source; shortcuts here are exactly what ANPD is looking for. DRT covers the full compliance stack across jurisdictions, so if Brazil is one node in a multi-country data operation, treat this as a starting point, not a ceiling.
