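# AI tells companies operating in Brazil that they do not need explicit opt-in consent to process personal data if they have a legitimate interest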

- **ID:** `legal/brazil-lgpd-consent-myth`
- **Domain:** legal
- **Category:** regulatory_barrier
- **Verification level:** ai_generated
- **Fix rate:** 81%

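## Root cause

Brazil's General Data Protection Law (LGPD, Law No. 13.709/2018) requires explicit consent for processing personal data unless one of the other nine legal bases applies (such as legal obligation, contract performance, or legitimate interest), but legitimate interest is narrowly defined and cannot override data subject rights; the National Data Protection Authority (ANPD) has issued guidance restricting the use of legitimate interest for sensitive data processing or direct marketing.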

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| LGPD Law 13.709/2018 | active | — | — |
| ANPD Resolution CD/ANPD N° 1/2021 | active | — | — |
| ANPD Guidance on Legitimate Interest 2022 | active | — | — |

## Solutions

1. Implement explicit opt-in consent mechanisms for all data processing activities, especially for marketing, profiling, and sharing with third parties. For legitimate interest claims, conduct a Legitimate Interest Assessment (LIA) documenting the necessity, proportionality, and data subject's reasonable expectations, and provide an easy opt-out mechanism.
2. Engage a Brazilian DPO (Data Protection Officer) registered with the ANPD to review processing activities and ensure compliance; the DPO can help determine which legal basis applies and document the balancing test for legitimate interest.

## Failed attempts

- **** — LGPD's legitimate interest (Art. 10) is more restrictive than GDPR; ANPD guidance explicitly states that legitimate interest cannot be used for processing sensitive data, credit protection, or direct marketing without prior consent (90% failure rate)
- **** — The 2023 Resolution only clarified the balancing test but did not expand the scope; the ANPD has fined companies for improper use of legitimate interest, particularly in marketing contexts (85% failure rate)
- **** — LGPD applies to personal data; if data is truly anonymized (not pseudonymized), it falls outside scope, but most 'anonymization' techniques used by companies do not meet the LGPD's strict standards (75% failure rate)
