Educational overview, not legal advice. The LGPD is interpreted and enforced by the ANPD; specific obligations depend on your processing activities, role as controller or operator, and the categories of data involved. Consult Brazilian counsel for anything that affects your live product.
What the LGPD Is
The Lei Geral de Proteção de Dados (Law 13.709/2018) is Brazil's general data-protection law. It came into force in 2020, with administrative sanctions enforceable since August 2021. It is conceptually close to the GDPR (same set of principles, same general structure of legal bases, similar data-subject rights) but with important Brazilian specifics, including the ANPD as the supervisory authority and a particular definition of "data of children and adolescents."
When the LGPD Applies to Your App
The LGPD has extraterritorial reach. It applies if any of the following is true:
- Processing happens in Brazil.
- The processing aims to offer goods or services to individuals in Brazil.
- The personal data was collected in Brazil.
In practice, if your mobile app is available on Brazilian app stores or has Brazilian users, plan as though the LGPD applies.
What Counts as Personal Data
"Dado pessoal": any information related to an identified or identifiable natural person. For mobile apps the practical list usually includes:
| Field | Why it is in scope |
|---|---|
| IDFA / GAID / Android ID | Persistent identifiers that uniquely point to a device, and effectively a person. |
| IP address | Treated as personal data when retained alongside behavioral records. |
| Precise location | GPS-level coordinates are personal data and frequently sensitive. |
| Custom event properties | Can contain emails, names, or free-text that identifies people. |
| Device fingerprint | Any combination that uniquely identifies a device functions as personal data. |
Sensitive data ("dado pessoal sensível": racial origin, religion, political views, health, sexual life, biometrics, genetics) has stricter rules. Most mobile analytics SDKs do not need to touch sensitive data; if yours does, that is a strong signal to redesign.
Legal Bases You Will Encounter
The LGPD enumerates ten legal bases. For mobile analytics, the practically relevant ones are:
- Consent. Specific, informed, and unambiguous. Pre-ticked boxes do not count. Consent must be revocable.
- Legitimate interest. Requires a balancing test (LIA) and may not be used for sensitive data or children's data.
- Execution of contract. When processing is necessary to provide the app's core service.
- Compliance with a legal/regulatory obligation. When another law mandates the processing.
Data-Subject Rights to Implement
Article 18 lists rights that residents of Brazil can exercise. The product-relevant ones for a mobile app are:
- Access. A copy of the personal data being processed.
- Correction. Fix incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion. When data is unnecessary, excessive, or processed unlawfully.
- Portability. Receive data in a structured, commonly used format.
- Withdrawal of consent when consent is the legal basis.
If your analytics architecture genuinely does not retain personal data, the volume of access/deletion requests you can fulfill drops dramatically: there is nothing to access or delete in the analytics database. (Aggregated session counts are not the resident's personal data.) See why over-deletion is better for the cautious approach if you do retain anything.
ANPD Enforcement Trends
The ANPD has progressively activated its enforcement powers since 2022. Recurring themes worth watching as a developer:
- Penalties up to 2% of revenue in Brazil per infraction, capped at R$50 million per infraction.
- Active guidance on cookies, tracking technologies, children's data, and DPO appointment criteria.
- A clear preference for documented LIAs (legitimate-interest assessments) over hand-wavy claims.
- Higher scrutiny of international data transfers; the LGPD requires a specific transfer mechanism.
How Architecture Reduces LGPD Scope
The LGPD lists "data minimization" as one of its core principles (Art. 6, III). An architecture that doesn't collect personal data in the first place changes the practical compliance picture:
- No device identifiers: IDFA, GAID, Android ID are simply not collected.
- No stored IP: country lookup happens transiently; the IP is discarded.
- No custom properties: accidental PII collection through free-text is the leading cause of incidents.
- Session-based identifiers: RAM-only, rotating every two hours.
- Five stored fields total: event_name, session_id, timestamp, platform, country.
This is not a compliance claim. It is an architectural fact: the analytics pipeline does not retain data that identifies a person. Whether your overall product processing is LGPD-compliant depends on every other system you operate, and your legal team is the only authority on that.
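An added sketch of the ingestion step the list above describes; it is not the code of any particular product. The names `SessionId`, `lookup_country` and `minimize`, the constructed GeoIP table, the platform values and the rule that `event_name` must be a plain identifier are all assumptions made for illustration.

```python
import secrets
import time

ALLOWED_FIELDS = ("event_name", "session_id", "timestamp", "platform", "country")
SESSION_TTL_SECONDS = 2 * 60 * 60  # two-hour rotation, as described in the list above


class SessionId:
    """Session identifier held only in memory and replaced once the TTL has elapsed."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._value = None
        self._issued_at = 0.0

    def current(self):
        now = self._clock()
        if self._value is None or now - self._issued_at >= SESSION_TTL_SECONDS:
            self._value = secrets.token_hex(16)  # random, not derived from the device
            self._issued_at = now
        return self._value


def lookup_country(ip):
    """Hypothetical stand-in for a GeoIP lookup (constructed table, documentation-range IPs)."""
    return {"203.0.113.7": "BR", "198.51.100.4": "PT"}.get(ip, "ZZ")


def minimize(raw_event, client_ip, session, clock=time.time):
    """Build the stored record from scratch so nothing outside the allowlist survives."""
    name = raw_event.get("event_name")
    # Assumed rule: reject free text in event_name so it cannot carry an email or a name.
    if not isinstance(name, str) or not name.isidentifier():
        raise ValueError("event_name must be a plain identifier, not free text")
    platform = raw_event.get("platform")
    return {
        "event_name": name,
        "session_id": session.current(),
        "timestamp": int(clock()),
        "platform": platform if platform in ("ios", "android") else "other",
        "country": lookup_country(client_ip),  # the IP is read here and never stored
    }
```

Because the record is constructed field by field rather than filtered from the incoming payload, a new client-side property cannot reach storage without a deliberate change to `minimize`.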
Frequently Asked Questions
What is the LGPD?
Brazil's general data-protection law (Law 13.709/2018), in effect since 2020 and enforced by the ANPD.
Does the LGPD apply to mobile apps?
Yes, when the app processes personal data of individuals in Brazil. Device identifiers, IP addresses, and custom properties are typical in-scope fields.
What counts as personal data under the LGPD?
Any data related to an identified or identifiable natural person, including device IDs, IP addresses, persistent install IDs, and free-text fields that may contain identifiers.
What are the LGPD legal bases for processing?
Ten bases. The practically common ones for analytics: consent, legitimate interest (with a documented balancing test), execution of contract.
How can mobile apps reduce their LGPD scope?
By collecting less. No device IDs, no stored IPs, no custom properties: the data processed by the analytics pipeline is much narrower in scope.
Legal Disclaimer: This information is provided for educational purposes and does not constitute legal advice. LGPD interpretation is the responsibility of the ANPD and Brazilian courts; specific obligations depend on your processing activities. Consult Brazilian counsel for product decisions.