LGPD Privacy Policy: What to Include + Example

The LGPD privacy policy plays an essential role in today’s business landscape, particularly as data protection, privacy, and obtaining consent become increasingly important.

This article will explore the details of what to include in an LGPD privacy policy for your business.

Let’s dive right into it.

Key Takeaways

  • The LGPD, also known as the General Data Protection Law, is a regulation in Brazil designed to safeguard an individual’s personal information. It is crucial for businesses to achieve LGPD compliance in order to ensure data security.
  • Having an understanding of the data that businesses possess plays a role in complying with the LGPD.
  • Failure to comply with the LGPD privacy policy can have consequences for businesses, including repercussions and financial losses.

Does My Business Need a Privacy Policy Under the LGPD?

Although the LGPD is different from the GDPR, they both focus on protecting individuals’ privacy and preventing potential data breaches. It’s like a set of rules that businesses must follow when processing, collecting, or using customers’ information, ensuring they have the necessary consent.

Similar to how schools have regulations for ensuring safety, the LGPD privacy policy has implemented rules to safeguard people’s data. So, considering cookies and their usage, does your business need a privacy policy under the LGPD?

The answer is yes! Having a data protection officer can help ensure that cookie policies align with LGPD requirements.

If your business collects or uses any data from individuals residing in Brazil, it is necessary to have a privacy policy. This policy informs individuals about how their information is being used and the data processing methods involved, and it ensures transparency and honesty.

Why does the LGPD, as a significant privacy law, require businesses to have specific policies? It ultimately comes down to trust. When people know that businesses are complying with regulations and taking steps to protect their data, they feel more secure and trusting towards those businesses. Moreover, the LGPD aims to promote fairness and ensure that all businesses handle data with respect.

10 Things to Include in Your LGPD Privacy Policy

Creating a privacy policy compliant with Brazil’s General Data Protection Law involves including several key components to ensure transparency and adherence to legal requirements. Here’s what to include:

  1. Data Collection:
    • Clearly state the types of personal data collected (e.g., names, contact details, financial information).
    • Specify the methods of data collection (e.g., forms, cookies, third-party sources).
  2. Purpose of Data Processing:
    • Explain the purposes for which personal data is processed (e.g., providing services, marketing, legal compliance).
    • Ensure that the purposes are legitimate, necessary, and specified in advance.
  3. Legal Basis for Processing:
    • Identify the legal basis for processing personal data (e.g., consent, contract performance, legal obligation, legitimate interest).
    • If relying on consent, provide details on how consent is obtained and managed.
  4. Data Subject Rights:
    • Detail the rights of data subjects under the LGPD, including access, correction, deletion, data portability, and the right to withdraw consent.
    • Provide clear instructions on how data subjects can exercise their rights.
  5. Data Sharing and Transfers:
    • Indicate whether personal data is shared with third parties, including processors and joint controllers.
    • Describe the categories of recipients and the purposes of data sharing.
    • Include information on international data transfers and the safeguards in place (e.g., standard contractual clauses).
  6. Data Security:
    • Outline the technical and organizational measures implemented to protect personal data against unauthorized access, disclosure, alteration, and destruction.
    • Mention encryption, access controls, and regular security assessments.
  7. Data Retention:
    • Specify the duration for which personal data will be retained and the criteria used to determine this period.
    • Explain the procedures for securely disposing of personal data once it is no longer needed.
  8. Contact Information:
    • Provide contact details for the data protection officer (DPO) or another designated point of contact for privacy-related inquiries.
    • Include an email address, phone number, and physical address.
  9. Policy Updates:
    • State how and when the privacy policy will be updated.
    • Inform users how they will be notified of significant changes (e.g., via email or website notification).
  10. Complaints:
    • Explain the process for lodging complaints about data processing practices.
    • Provide information on how to contact the National Data Protection Authority (ANPD) for unresolved issues.

Including these components in your LGPD privacy policy will help ensure transparency and compliance with Brazil’s data protection regulations.

Reasons a Privacy Policy Is Important for the LGPD

Privacy policies are crucial in safeguarding customers’ sensitive information from misuse or theft while defining a business’s practices around how this information gets processed. These legally binding agreements guide their actions relating to user-specific details.


A good privacy policy can build trust between a company and its customers by showing that the business cares about protecting their personal data.

Many countries (including Brazil) require businesses to have one in place – it’s illegal not to have an adequate privacy policy, so having one protects your business against legal action, fines, and more.


Privacy policies show how companies collect, store, protect, and use consumers’ private information, which enhances transparency in business operations.

Customer Rights Protection

A privacy policy underlines the rights customers have over their personal data. This could include deleting it, amending it, or transferring it to other service providers, among all the LGPD data subject rights.

What to Include in an LGPD Privacy Policy?

Creating a privacy policy that aligns with the LGPD is similar to establishing the rules for a game. It serves as a document that outlines how the game is played and what consumers can expect.

The LGPD privacy policy enforces regulations on what should be included in this policy. Let’s explore each aspect further.

Details about Data Collection

Businesses are required to provide information about the data they collect and obtain consent, just like someone would inform others about which toys they want to borrow. They should present all the information gathered from consumers in a manner.

Purpose of Data Collection

Similar to explaining why you want to borrow a toy, businesses should communicate their reasons for collecting personal data. This includes disclosing the purpose or objective behind the collection.

Duration of Data Storage

Businesses should explicitly inform consumers about how they plan to protect their data, like one would inform a friend about how they will keep their borrowed toy safe until it’s returned.

There needs to be a justification for collecting personal data, which businesses are obliged to explain. Just as there is always a reason when borrowing something from someone, this concept operates on the principle.

Informing Consumers about LGPD Rights

Under the LGPD, businesses have an obligation to engage with consumers, educate them about their rights, and ensure they have their consent.

It is important for businesses to educate their consumers about their rights, including informing them that they can request the return of their belongings at any time.

Helping Consumers Exercise Their Data Rights

However, simply providing information about consumer rights is not enough. Businesses should also offer guidance on how consumers can exercise these rights. It’s like teaching someone how to play with a toy and helping them understand and utilize their data-related rights.

Third-Party Relationships

Businesses must be transparent about any third-party relationships they have regarding the collection and processing of personal data.

This includes informing consumers if their data will be shared with or accessed by other organizations, just as one would disclose who else is allowed to play with a borrowed toy.

Data Security Measures

Given that businesses are responsible for protecting consumer information, it’s crucial for them to outline the security measures they have in place to safeguard this data.

This can include information about encryption, firewalls, access controls, and other measures to prevent unauthorized access or disclosure. It’s like explaining how you will keep a borrowed toy safe from damage or loss.

Data Breach Notification

In the event of a data breach that may result in harm to consumers, businesses are required to promptly notify the affected individuals and relevant authorities. It’s like informing someone if a borrowed toy gets damaged or lost so that they can take appropriate action.

Data Transfer

If personal data is transferred outside of Brazil, businesses must inform consumers about this transfer and provide adequate safeguards for protecting their data in accordance with LGPD requirements.

This includes ensuring that the recipient country has equivalent privacy protections as provided by Brazilian law, obtaining consent from consumers when necessary, or implementing other legal mechanisms, such as standard contractual clauses or binding corporate rules.

Children’s Data

If a business collects personal data from children under the age of 18, it must obtain parental consent and provide specific information about how this data is collected, used, and protected.

This includes adopting measures suitable for protecting children’s privacy rights when handling their data.

Contact Details

Making sure that consumers have access to contact information is crucial so that they can reach out with any questions or concerns regarding their data.

It’s similar to sharing your phone number with a friend so they can contact you if they need something returned. Businesses should provide a way to communicate, such as email, phone, or any other suitable means.

LGPD Privacy Policy Example

Creating a privacy policy in accordance with the LGPD is crucial for businesses engaged in interactions with individuals in Brazil. It can be likened to a handbook that outlines how a business will manage and utilize data.

However, it’s important to note that each business is distinctive, so while we offer an example here, businesses may need to customize it according to their requirements.

Example Policy for Captain Compliance

  • Data Collection Details – At Captain Compliance, we highly appreciate the trust you place in us. In order to provide you with service, we process and gather personal information such as names, email addresses, and contact numbers. It’s important for us to be transparent about the data we collect from you.
  • Purpose of Data Collection – We collect your personal data for communication purposes to provide our services and to enhance what we offer. It’s similar to why we would need a tool to fix something.
  • Data Storage Duration – Your personal data is stored with us for a duration of one year. After that period, it’s comparable to returning a borrowed toy – we don’t keep it longer than necessary.
  • Legal Basis for Data Collection – We ensure that our data collection adheres to the established regulations. We only gather data when there is a reason, such as when you subscribe to our newsletter or make a purchase from us.
  • LGPD data subject rights – According to the LGPD, you have rights concerning your personal data. You can request access, make changes, or even ask us to delete it. It’s akin to knowing you can always ask for your toy back.
  • Exercising Your Rights – If you wish to view your personal data or have any inquiries about it, simply let us know. We’ve made it effortless for you to contact us and exercise your rights.
  • Third-Party Relationships – Captain Compliance may engage with third-party service providers to assist in the collection and processing of personal data. These service providers are required to adhere to strict confidentiality obligations and comply with relevant laws and regulations.
  • Data Security Measures – We take the security of your personal data seriously. We have implemented appropriate technical, organizational, and physical measures to safeguard your information against unauthorized access or disclosure. Our security measures include encryption, firewalls, access controls, regular system updates, employee training on data protection practices, and ongoing monitoring for potential vulnerabilities or breaches.
  • Data Breach Notification – In the unfortunate event that there is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that may result in a risk to your rights and freedoms, we will promptly notify you as required by law. We will also take immediate steps to mitigate the impact of such a breach and cooperate with relevant authorities.
  • Data Transfer – It is possible that your personal data may be transferred outside of Brazil for processing purposes. In such cases, we ensure that appropriate safeguards are implemented in accordance with LGPD requirements. This includes ensuring that the recipient country has equivalent privacy protections as provided by Brazilian law or implementing other legal mechanisms like standard contractual clauses approved by competent authorities.
  • Children’s Data – Captain Compliance does not knowingly collect personal data from individuals under the age of 18 without obtaining verifiable parental consent. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information as soon as possible. If you believe that your child has provided us with their personal data without your consent, please get in touch with us immediately, and we will remove it from our records.
  • How to Contact Us – Do you have any questions or concerns regarding your personal data? You can reach out at [email protected] or (954) 408-2192. We’re here to assist you like a friend who is always available for conversation.

LGPD Non-Compliance Penalty

Imagine you’re playing a game. You decide to bend the rules. Well, guess what? Just like there are consequences in games, businesses also face consequences when it comes to the LGPD. If businesses fail to adhere to the LGPD regulations regarding data, they have to face penalties.

When authorities discover that a business is not complying with the LGPD, they have the power to impose LGPD fines on that business. And we’re not talking about pocket change. These fines can really put a dent in the business income.

But it doesn’t stop at money – there are repercussions as well. In fact, some ranking executives might even find themselves facing charges. It’s like being shown a card in a game and being told you’re no longer allowed to play.

Then there’s how people perceive your business, too. If consumers come to know that a business isn’t taking care of their data, they might lose faith in that business altogether. This can seriously damage a business’s reputation.

With the rise of corporate compliance, it is absolutely crucial for businesses to abide by the LGPD rules – not because of the penalties involved but because it is simply the right thing to do.


Now, you may be thinking, how can I ensure that every step I take is in accordance with the LGPD? Well, this is where Captain Compliance steps in, offering outsourced compliance and data compliance solutions.

We’re here to assist businesses in comprehending these regulations and ensuring they play by the rules. Whether it’s crafting an LGPD privacy policy or upgrading cybersecurity, we’ve got your back.

Always remember, in the realm of business and compliance solutions, it’s not about adhering to rules. It’s about establishing trust and demonstrating your commitment to safeguarding everyone’s data. With Captain Compliance by your side, victory in the game of data protection is within reach! Get in touch with us today.


Do I need my LGPD policies in different languages?

It’s not necessarily legally required. With that said, though, if your business engages with individuals from different backgrounds, it would be highly advisable to have your LGPD policies translated into those languages.


How often do I need to update my LGPD policies?

Think of your LGPD policies as if they were a toy that occasionally receives components. Reviewing and revising them once a year or whenever significant changes occur in data protection laws or your business operations is important.

By staying up to date, you ensure that you’re consistently following the rules of the game.


How to add a Privacy Policy to my Website?

Including a privacy policy on your website is like displaying the rules of a game on the game board itself. Typically, you can place it in the footer of your website. Create a section for it. It’s important to ensure that consumers can easily locate and comprehend it.


Yes, incorporating cookie compliance software can be important in guaranteeing that your website adheres to the guidelines set forth by LGPD for consumer consent and data tracking. It serves as a resource to improve your compliance with these regulations.

