# AI tells a Brazilian e-commerce company that consent is the only legal basis for processing personal data under LGPD - **ID:** `legal/brazil-lgpd-consent-basis` - **Domain:** legal - **Category:** legal_risk - **Error Code:** `BRA-LGPD-BASIS-003` - **Verification:** ai_generated - **Fix Rate:** 82% ## Root Cause Brazil's LGPD (Lei Geral de Proteção de Dados Pessoais, Law 13.709/2018) provides 10 legal bases for processing (Article 7), including legitimate interest, contract performance, legal obligation, and credit protection; consent is only one option and is not always required ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | LGPD Law 13.709/2018 | active | — | — | | ANPD Resolution CD/ANPD No. 1/2021 | active | — | — | ## Workarounds 1. **Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities.** (85% success) ``` Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities. ``` 2. **Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights.** (90% success) ``` Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights. ``` ## Dead Ends - **** — Relying solely on consent for all processing — this creates unnecessary administrative burden (consent must be explicit, revocable, and documented) and fails when consent cannot be freely given (e.g., employer-employee relationship) (75% fail) - **** — Copying GDPR consent requirements verbatim — LGPD allows consent to be given through affirmative action (e.g., checking a box) but requires specific purposes; GDPR's 'explicit consent' standard is stricter for sensitive data but LGPD has its own nuances (60% fail)