Risk Register · Brazil

LGPD for PE Acquirers.

Brazil's data protection law creates compounding liabilities in D2C and performance marketing stacks. Most pre-LOI reviews miss them.

R$50M: maximum ANPD fine per infraction (2% of Brazil revenue, capped)
72%: of Brazil-operating D2C companies we audit lack documented legal basis for profiling
0: adequacy decisions from ANPD for cross-border transfers to date

Why LGPD Creates PE-Specific Risk

Brazil's Lei Geral de Proteção de Dados went into force in September 2020. Enforcement began in August 2021. The law applies to any entity that processes personal data of individuals located in Brazil, regardless of where the processor is headquartered. For PE firms acquiring D2C brands, SaaS platforms, or performance marketing operations with Brazil-market exposure, that jurisdictional reach matters.

What we see consistently in pre-LOI audits is a pattern of surface-level compliance paired with structural gaps. The company has a privacy policy. It may even have a DPO appointment letter. But the consent architecture underneath the marketing stack is absent or broken. Legal basis documentation is generic. Cross-border transfer mechanisms are undocumented. And the sensitive data restrictions that LGPD imposes on advertising targeting are routinely ignored in performance marketing campaigns.

These gaps do not appear in standard commercial diligence. They appear when you pull the consent records from the ESP (email service provider), cross-reference them against the CMP (consent management platform) logs, and ask whether the legal basis claimed in the privacy policy matches the legal basis actually implemented in the tag manager. In most cases, it does not.

Field observation: In a 2025 pre-LOI audit of a Brazil-based D2C brand with $35M revenue, we found that 100% of Meta advertising audiences were built on behavioral profiling data with no documented legal basis under LGPD Article 7. The company's privacy policy cited "legitimate interest" but had never conducted the required balancing test. ANPD's 2024 guidance on profiling makes this a priority enforcement target.
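The reconciliation described above, written out as an added example that is not part of the original page and is not the authors' audit tooling. It compares four constructed inputs (an ESP subscriber export, a CMP consent log, the legal basis the privacy policy claims per purpose, and a simplified tag-manager export) and turns each mismatch named in the text into a finding: ESP contacts whose consent cannot be proven from the CMP log or was collected by an invalid method, tags that fire without a consent gate for a purpose the policy says rests on consent, legitimate-interest purposes with no balancing test on file, and tag purposes that the policy never maps at all. The record layouts, the `consent:<purpose>` trigger convention, and every sample value are assumptions.

```python
"""Reconcile ESP consent records, CMP logs and tag-manager triggers against the
legal bases a privacy policy claims. All data below is constructed sample input."""

# Legal basis the privacy policy claims for each processing purpose (constructed).
POLICY_LEGAL_BASIS = {
    "marketing_email": "consent",
    "personalised_ads": "consent",
    "profiling": "legitimate_interest",
    "order_fulfilment": "contract",
}

# Purposes for which a written legitimate-interest balancing test exists (constructed: none).
BALANCING_TESTS_ON_FILE: set[str] = set()

# Simplified tag-manager export: which purpose each tag serves and what fires it.
# Assumed convention: a consent-gated tag has trigger "consent:<purpose>".
TAG_MANAGER_TAGS = [
    {"tag": "meta_pixel", "purpose": "profiling", "trigger": "all_pages"},
    {"tag": "google_ads_remarketing", "purpose": "personalised_ads", "trigger": "all_pages"},
    {"tag": "esp_signup", "purpose": "marketing_email", "trigger": "consent:marketing_email"},
    {"tag": "session_replay", "purpose": "ux_analytics", "trigger": "all_pages"},
    {"tag": "checkout_api", "purpose": "order_fulfilment", "trigger": "purchase"},
]

# ESP subscriber export (constructed): how each contact was added to the list.
ESP_CONTACTS = [
    {"email": "a@example.com", "source": "double_optin"},
    {"email": "b@example.com", "source": "checkout_prechecked"},
    {"email": "c@example.com", "source": "csv_import"},
]

# CMP consent log (constructed): purposes the subject granted, with timestamp.
CMP_LOG = [
    {"email": "a@example.com", "purposes": ["marketing_email"], "ts": "2025-03-01T10:00:00Z"},
    {"email": "b@example.com", "purposes": [], "ts": "2025-03-02T11:00:00Z"},
]

# Collection methods that do not yield free, informed, unambiguous consent.
INVALID_COLLECTION_SOURCES = {"checkout_prechecked", "csv_import", "bundled_tos"}


def cmp_consented_purposes(cmp_log):
    """Latest consent state per subject; the most recent CMP record wins."""
    state = {}
    for rec in sorted(cmp_log, key=lambda r: r["ts"]):
        state[rec["email"]] = set(rec["purposes"])
    return state


def esp_consent_findings(esp_contacts, cmp_log, purpose="marketing_email"):
    """ESP contacts whose consent for `purpose` is invalid or cannot be proven from the CMP log."""
    consented = cmp_consented_purposes(cmp_log)
    findings = {}
    for contact in esp_contacts:
        reasons = []
        if contact["source"] in INVALID_COLLECTION_SOURCES:
            reasons.append(f"collection_method:{contact['source']}")
        if purpose not in consented.get(contact["email"], set()):
            reasons.append("no_cmp_consent")
        if reasons:
            findings[contact["email"]] = reasons
    return findings


def tag_basis_mismatches(policy, tags):
    """Tags serving a consent-based purpose that fire without the matching consent gate."""
    return [
        t["tag"]
        for t in tags
        if policy.get(t["purpose"]) == "consent" and t["trigger"] != f"consent:{t['purpose']}"
    ]


def unsupported_legitimate_interest(policy, balancing_tests):
    """Purposes claimed under legitimate interest with no balancing test on file."""
    return sorted(p for p, basis in policy.items()
                  if basis == "legitimate_interest" and p not in balancing_tests)


def undeclared_purposes(policy, tags):
    """Purposes implemented in the tag manager that the policy maps to no legal basis."""
    return sorted({t["purpose"] for t in tags} - set(policy))


def run_audit():
    """Run all four checks over the constructed inputs and return the findings."""
    return {
        "esp": esp_consent_findings(ESP_CONTACTS, CMP_LOG),
        "tags_without_consent_gate": tag_basis_mismatches(POLICY_LEGAL_BASIS, TAG_MANAGER_TAGS),
        "li_without_balancing_test": unsupported_legitimate_interest(
            POLICY_LEGAL_BASIS, BALANCING_TESTS_ON_FILE),
        "purposes_missing_from_policy": undeclared_purposes(POLICY_LEGAL_BASIS, TAG_MANAGER_TAGS),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

On real exports the join key is usually not a plain e-mail address (CMPs often log a hashed identifier or a cookie id), so the first thing an audit has to establish is whether ESP contacts can be linked to CMP records at all; if they cannot, every contact lands in `no_cmp_consent`, which is itself the finding.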

Operational Implications for Portfolio Companies

LGPD's operational impact on PE-backed companies splits into three categories. First, consent architecture. LGPD requires documented legal basis for each processing activity. "Consent" under LGPD must be free, informed, and unambiguous, and the controller must be able to prove it was obtained. What we see in practice is consent collection that satisfies no regulatory definition: pre-checked boxes, bundled consent, or consent language buried in terms of service that the data subject never read.

Second, cross-border transfers. LGPD Article 33 restricts international data transfers to a narrow set of legal mechanisms. ANPD has not yet issued adequacy decisions for any jurisdiction. That means every cross-border transfer from a Brazil entity to a US-based parent, ESP, CDP, or analytics platform requires either standard contractual clauses, binding corporate rules, or explicit consent. Most companies we audit rely on none of these. They transfer data internationally because the SaaS tool they use is US-hosted, and nobody asked whether that transfer had a legal basis.

Third, sensitive data in advertising. LGPD Article 11 imposes heightened restrictions on processing sensitive personal data, including health, religious belief, political opinion, and biometric data. Performance marketing stacks routinely ingest and use this data for audience segmentation without the specific consent LGPD requires. Health and wellness D2C brands are particularly exposed.

Key Signals in Due Diligence

No Legal Basis Mapping

The company cannot produce a document mapping each processing activity to a specific LGPD Article 7 legal basis. Generic privacy policy language is not a substitute.

Undocumented Cross-Border Flows

Data flows to US-hosted tools (HubSpot, Salesforce, Meta, Google) with no standard contractual clauses or other LGPD Article 33 mechanism in place.

Sensitive Data in Ad Audiences

Health, religious, or political data used in Meta or Google audience segments without specific, highlighted consent as required by LGPD Article 11.

No DPO or ROPA

No appointed Data Protection Officer (Encarregado) and no Record of Processing Activities. Both are required. Both are routinely absent in mid-market companies.

ANPD Enforcement Direction

ANPD published its enforcement dosimetry regulation in February 2023, establishing the framework for calculating penalties. The first administrative sanctions followed in 2023 and 2024, targeting both public and private entities. The agency's published priority areas include: cross-border data transfers, children's data processing, and high-risk automated decision-making.

For PE-backed companies, the enforcement trajectory matters more than the current state. ANPD is a young regulator building capacity. Its enforcement actions to date have been modest in scale but clear in direction. Companies that are non-compliant today face compounding exposure as the agency matures. Acquirers who inherit that exposure inherit a liability curve that steepens with each ANPD regulatory action.

The practical implication for deal teams: LGPD compliance gaps that appear manageable in 2026 will not appear manageable in 2028. The cost of remediation is lower pre-close than post-close. And the cost of remediation post-close is lower now than it will be when ANPD's enforcement capacity catches up to its regulatory ambition.

Related Reading

For deeper analysis on how data compliance failures compound into deal risk, see our coverage of data deliverability and the field report on data debt hidden in acquisitions.

Brazil Market Exposure

Acquiring a company with Brazil operations?

We scope LGPD compliance audits as part of pre-LOI technical diligence. 10-15 business days, fully documented.
