
LGPD Pre-LOI Due Diligence.

Five investigation areas that surface LGPD exposure before exclusivity. Built for PE deal teams evaluating Brazil-market acquisitions.

Standard commercial diligence does not surface LGPD compliance gaps. The questions are too general, the data requests too high-level, and the reviewers are typically financial analysts, not data governance specialists. What follows is a framework for the five investigation areas that produce actionable findings in pre-LOI LGPD reviews.

1. Legal Basis Mapping and Documentation

LGPD Article 7 enumerates ten legal bases for processing personal data. The first question in any pre-LOI review is whether the target company can produce a document that maps each processing activity to a specific legal basis. Not a privacy policy. A processing register that identifies the data category, the purpose, the legal basis, and the retention period for every distinct processing operation.

What we see consistently is that companies default to "consent" as their stated legal basis for everything, without understanding LGPD's specific requirements for valid consent. Consent must be free, informed, and for a specific purpose. Pre-checked boxes, bundled terms, and implied consent do not qualify. When a company claims consent as its basis but cannot produce timestamped consent records tied to specific processing purposes, the legal basis collapses.

The alternative bases matter too. Legitimate interest under LGPD requires a balancing test documented in a Legitimate Interest Assessment (LIA). Contract performance has narrower scope than many companies assume. The pre-LOI deliverable is a gap analysis: which processing activities have a defensible legal basis, and which do not.

2. Consent Architecture Audit

Consent architecture is the technical implementation of consent collection, storage, and enforcement across the marketing and data stack. It is distinct from the privacy policy. The policy says what the company claims to do. The architecture shows what the company actually does.

In a pre-LOI review, we pull the consent management platform (CMP) configuration, compare it against the tag manager implementation, and cross-reference both against the email service provider (ESP) and customer data platform (CDP) consent records. The gaps are predictable. The CMP collects a generic consent signal. The tag manager fires analytics and advertising tags regardless of consent status. The ESP has no consent field, or has a consent field that was bulk-updated during a migration with no individual verification.

For PE acquirers, the consent architecture audit answers a specific question: if ANPD audits this company's consent practices tomorrow, will the records survive scrutiny? In the majority of pre-LOI reviews we conduct on Brazil-market companies, the answer is no.

Field observation: A Brazil-based EdTech platform claimed LGPD compliance based on its cookie banner. The banner used a CMP that was never connected to the tag manager. Every visitor received all tracking tags regardless of their consent choice. The CMP had been collecting consent records for two years that bore no relationship to actual data processing.
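The three cross-checks described above (CMP records against tag firings, purpose-specific timestamped consent from Section 1, and the bulk-updated ESP consent field), as an added example that is not part of the original article; every record, field name and threshold is a constructed assumption.

```python
"""Consent architecture cross-check (added example, not from the original article).
CMP consent records are compared with what the tag manager fired and with the ESP
consent field, as the audit above describes. All records and field names are constructed."""
from collections import Counter

# Constructed CMP export: one row per visitor and purpose, timestamped.
CMP_RECORDS = [
    {"visitor": "v1", "purpose": "analytics",   "granted": True,  "ts": "2024-03-01T10:00:00Z"},
    {"visitor": "v1", "purpose": "advertising", "granted": False, "ts": "2024-03-01T10:00:00Z"},
    {"visitor": "v2", "purpose": "analytics",   "granted": False, "ts": "2024-03-02T09:15:00Z"},
    {"visitor": "v4", "purpose": None,          "granted": True,  "ts": None},  # generic signal
]

# Constructed tag-manager firing log: which tag category fired for which visitor.
TAG_LOG = [
    {"visitor": "v1", "category": "analytics"},    # covered by a granted record
    {"visitor": "v1", "category": "advertising"},  # fired against a refusal
    {"visitor": "v2", "category": "analytics"},    # fired against a refusal
    {"visitor": "v3", "category": "advertising"},  # no CMP record at all
]

# Constructed ESP export: consent flag plus the time it was last written.
ESP_CONTACTS = [
    {"email": "a@example.com", "consent": True, "consent_ts": "2023-06-15T00:00:00Z"},
    {"email": "b@example.com", "consent": True, "consent_ts": "2023-06-15T00:00:00Z"},
    {"email": "c@example.com", "consent": True, "consent_ts": "2023-06-15T00:00:00Z"},
    {"email": "d@example.com", "consent": True, "consent_ts": "2024-01-20T14:02:11Z"},
]

def tags_fired_without_consent(cmp_records, tag_log):
    """Tag firings with no matching granted (visitor, purpose) consent record."""
    granted = {(r["visitor"], r["purpose"]) for r in cmp_records if r["granted"]}
    return sorted((t["visitor"], t["category"]) for t in tag_log
                  if (t["visitor"], t["category"]) not in granted)

def undocumented_consent(cmp_records):
    """Granted records lacking a specific purpose or a timestamp: they cannot
    evidence free, informed, purpose-specific consent under Article 7."""
    return sorted(r["visitor"] for r in cmp_records
                  if r["granted"] and not (r["purpose"] and r["ts"]))

def bulk_update_signature(esp_contacts, share=0.5):
    """Timestamp shared by at least `share` of opted-in contacts (a migration
    that bulk-set the consent field leaves this footprint), else None."""
    stamps = Counter(c["consent_ts"] for c in esp_contacts if c["consent"])
    total = sum(stamps.values())
    if not total:
        return None
    ts, n = stamps.most_common(1)[0]
    return ts if n / total >= share else None
```

Each finding maps to a section of the pre-LOI gap analysis: firings without consent go to the consent architecture audit, purpose-less records to the legal basis review, and a shared timestamp to the ESP migration question.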

3. Cross-Border Data Transfer Mechanisms

Every PE acquisition that involves a Brazil entity sending data to a parent company, ESP, analytics provider, or cloud platform outside Brazil triggers LGPD Article 33. The article permits transfers under specific conditions: adequacy decisions (none issued yet), standard contractual clauses, binding corporate rules, specific consent, or regulatory cooperation agreements.

The pre-LOI investigation maps every cross-border data flow, identifies the legal mechanism supporting each flow, and flags flows with no documented mechanism. The most common finding is that the target company has never audited its cross-border transfers. Data flows to Salesforce (US), HubSpot (US), Google Analytics (US/Ireland), and Meta (US) without any transfer mechanism in place.

ANPD published its regulation on international data transfers in 2024, establishing requirements for standard contractual clauses. Companies that have not adopted these clauses are exposed. The remediation cost is real but manageable pre-close. Post-close, it becomes an operational drag that competes with value creation priorities.

4. Sensitive Data Processing in Marketing

LGPD Article 11 creates a separate, higher-bar regime for processing sensitive personal data: health data, biometric data, genetic data, religious belief, political opinion, trade union membership, and data related to sex life or sexual orientation. Processing sensitive data requires specific and highlighted consent, or one of the narrow exceptions in Article 11(2).

Performance marketing stacks routinely process sensitive data without recognizing it. Health and wellness brands build ad audiences based on purchase history that reveals health conditions. Financial services companies segment users by inferred income. EdTech platforms collect data on children and adolescents, which LGPD Article 14 subjects to additional restrictions.

The pre-LOI review identifies whether sensitive data categories exist in the data estate, where they flow, and whether the required legal basis exists. This is not a theoretical exercise. ANPD's enforcement priorities explicitly include high-risk processing and children's data. A PE acquirer inheriting undocumented sensitive data processing inherits a priority enforcement target.

5. ANPD Enforcement Exposure Assessment

The final investigation area evaluates the target's exposure to ANPD enforcement based on public enforcement actions, sector-specific guidance, and the company's own compliance posture. ANPD publishes its enforcement priorities. Companies operating in priority sectors (health, education, financial services, telecommunications) face heightened scrutiny.

The assessment considers three dimensions. First, whether the company has received any ANPD communications, complaints, or preliminary investigations. Second, whether the company operates in a sector that ANPD has publicly identified as a priority. Third, whether the company's compliance gaps align with the specific violations ANPD has sanctioned in published decisions.

The output is a risk-weighted exposure estimate that can be incorporated into the deal model. The estimate factors in the maximum fine (2% of Brazil revenue, capped at R$50 million per infraction), the probability of enforcement based on sector and gap severity, and the remediation cost required to reduce exposure to an acceptable level. This becomes a negotiating input: a basis for purchase price adjustment, specific indemnification, or seller-funded remediation.
