:PROPERTIES:
:ID:       auto-lgpd
:CREATED:  [2026-05-23 Sat]
:END:
#+title: 
#+filetags: :passepartout:compliance:framework:lgpd:


Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
Modeled on GDPR but with differences: LGPD defines "data processing agents"
(controller and operator), requires appointment of DPO (data protection officer),
mandates breach notification to ANPD (National Data Protection Authority) and
affected data subjects. 10 legal bases for processing (vs 6 in GDPR).

Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
(~$10M) per violation. ANPD can also order suspension of processing, partial
or total prohibition of database operation.

Who must comply: Any organization (public or private) processing personal data
of Brazilian residents, regardless of where the organization is based. No
revenue threshold.

Why it matters: LGPD affects every business operating in Latin America's largest
economy. The 2% revenue penalty structure creates strong economic incentive.
First-mover advantage: fewer compliance automation vendors in the Portuguese
market. A Portuguese-language gate package with LGPD-specific consent and data
subject rights gates captures a market of 210M people.