AI tells a company operating in Brazil that explicit opt-in consent is not required for processing personal data if they have a legitimate interest
ID: legal/brazil-lgpd-consent-myth
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| LGPD Law 13.709/2018 | active | — | — | — |
| ANPD Resolution CD/ANPD N° 1/2021 | active | — | — | — |
| ANPD Guidance on Legitimate Interest 2022 | active | — | — | — |
Root Cause
Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) requires explicit consent for processing personal data unless one of the other nine legal bases applies (e.g., legal obligation, contract execution, legitimate interest), but legitimate interest is narrowly defined and cannot override the data subject's rights; the ANPD (Autoridade Nacional de Proteção de Dados) has issued guidance limiting legitimate interest for processing sensitive data or direct marketing
Official Documentation
https://www.gov.br/anpd/pt-br/assuntos/legislacao/lei-geral-de-protecao-de-dados
Workarounds
- 88% success: Implement explicit opt-in consent mechanisms for all data processing activities, especially for marketing, profiling, and sharing with third parties. For legitimate interest claims, conduct a Legitimate Interest Assessment (LIA) documenting the necessity, proportionality, and data subject's reasonable expectations, and provide an easy opt-out mechanism.
- 82% success: Engage a Brazilian DPO (Data Protection Officer) registered with the ANPD to review processing activities and ensure compliance; the DPO can help determine which legal basis applies and document the balancing test for legitimate interest.
Dead Ends
Common approaches that don't work:
- 90% fail
  LGPD's legitimate interest (Art. 10) is more restrictive than GDPR; ANPD guidance explicitly states that legitimate interest cannot be used for processing sensitive data, credit protection, or direct marketing without prior consent.
- 85% fail
  The 2023 Resolution only clarified the balancing test but did not expand the scope; the ANPD has fined companies for improper use of legitimate interest, particularly in marketing contexts.
- 75% fail
  LGPD applies to personal data; if data is truly anonymized (not pseudonymized), it falls outside scope, but most 'anonymization' techniques used by companies do not meet the LGPD's strict standards.