# AI tells a company operating in Brazil that explicit opt-in consent is not required for processing personal data if they have a legitimate interest - **ID:** `legal/brazil-lgpd-consent-myth` - **Domain:** legal - **Category:** regulatory_barrier - **Verification:** ai_generated - **Fix Rate:** 81% ## Root Cause Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) requires explicit consent for processing personal data unless one of the other nine legal bases applies (e.g., legal obligation, contract execution, legitimate interest), but legitimate interest is narrowly defined and cannot override the data subject's rights; the ANPD (Autoridade Nacional de Proteção de Dados) has issued guidance limiting legitimate interest for processing sensitive data or direct marketing ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | LGPD Law 13.709/2018 | active | — | — | | ANPD Resolution CD/ANPD N° 1/2021 | active | — | — | | ANPD Guidance on Legitimate Interest 2022 | active | — | — | ## Workarounds 1. **Implement explicit opt-in consent mechanisms for all data processing activities, especially for marketing, profiling, and sharing with third parties. For legitimate interest claims, conduct a Legitimate Interest Assessment (LIA) documenting the necessity, proportionality, and data subject's reasonable expectations, and provide an easy opt-out mechanism.** (88% success) ``` Implement explicit opt-in consent mechanisms for all data processing activities, especially for marketing, profiling, and sharing with third parties. For legitimate interest claims, conduct a Legitimate Interest Assessment (LIA) documenting the necessity, proportionality, and data subject's reasonable expectations, and provide an easy opt-out mechanism. ``` 2. **Engage a Brazilian DPO (Data Protection Officer) registered with the ANPD to review processing activities and ensure compliance; the DPO can help determine which legal basis applies and document the balancing test for legitimate interest** (82% success) ``` Engage a Brazilian DPO (Data Protection Officer) registered with the ANPD to review processing activities and ensure compliance; the DPO can help determine which legal basis applies and document the balancing test for legitimate interest ``` ## Dead Ends - **** — LGPD's legitimate interest (Art. 10) is more restrictive than GDPR; ANPD guidance explicitly states that legitimate interest cannot be used for processing sensitive data, credit protection, or direct marketing without prior consent (90% fail) - **** — The 2023 Resolution only clarified the balancing test but did not expand the scope; the ANPD has fined companies for improper use of legitimate interest, particularly in marketing contexts (85% fail) - **** — LGPD applies to personal data; if data is truly anonymized (not pseudonymized), it falls outside scope, but most 'anonymization' techniques used by companies do not meet the LGPD's strict standards (75% fail)