Sentinela.

April 7, 2026 · 3 min · Carol

LGPD compliance privacy

Why LGPD is not just a privacy page

Most sites treat LGPD as a footer link. Complying with the law involves a consent banner, a legal basis per purpose, the DPO contact and tracking that respects opt-in.

The LGPD (Brazil's data protection law) is the biggest regulatory change the Brazilian web has seen since the 90s, but you'd hardly notice looking at the sites out there. Most put a "Privacy Policy" link in the footer, copy an adapted foreign template, add "updated per the LGPD" to the title — and think they're compliant.

They aren't.

What the LGPD actually requires (seen from outside)

When an auditor (human or automated) looks at your site, they can verify five things without needing internal access:

1. Consent banner before tracking

If the site loads Google Analytics, Meta Pixel or any marketing cookie before the user accepts, the consent is invalid. The LGPD requires prior opt-in for data collected based on consent (art. 8).

How Sentinela detects it: the LGPD probe makes a request to the site without accepting anything and checks whether tracking cookies appear in the initial response. If they do, it's the finding lgpd.consent.cookies_before_banner.
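As an added illustration of the check described above (example code, not Sentinela's probe; the vendor cookie and script patterns, the hypothetical script finding id and the sample response are assumptions), a cold request with no cookie jar and no consent interaction, followed by an inspection of the Set-Cookie headers and inline tracker scripts in the first response:

```python
import re
import urllib.request

# Finding id taken from the post; the second id is a hypothetical companion for scripts.
COOKIES_BEFORE_BANNER = "lgpd.consent.cookies_before_banner"
SCRIPT_BEFORE_BANNER = "lgpd.consent.tracker_script_before_banner"  # assumed id

# Assumed vendor patterns (not Sentinela's rules).
TRACKING_COOKIES = {
    "google_analytics": re.compile(r"^(_ga(_[A-Z0-9]+)?|_gid|_gat.*)$"),
    "meta_pixel": re.compile(r"^(_fbp|_fbc)$"),
    "hotjar": re.compile(r"^_hj"),
}
TRACKER_SCRIPTS = {
    "google_analytics": re.compile(r"googletagmanager\.com/gtag/js|google-analytics\.com/analytics\.js"),
    "meta_pixel": re.compile(r"connect\.facebook\.net/\w+/fbevents\.js"),
}


def cookie_name(set_cookie: str) -> str:
    """'_ga=GA1.2.1; Path=/; ...' -> '_ga'."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def audit_initial_response(set_cookie_headers, html):
    """Flag trackers present before any consent could have been given."""
    findings = []
    for raw in set_cookie_headers:
        name = cookie_name(raw)
        for vendor, pattern in TRACKING_COOKIES.items():
            if pattern.match(name):
                findings.append((COOKIES_BEFORE_BANNER, vendor, name))
    for vendor, pattern in TRACKER_SCRIPTS.items():
        hit = pattern.search(html)
        if hit:
            findings.append((SCRIPT_BEFORE_BANNER, vendor, hit.group(0)))
    return findings


def fetch_without_consent(url, timeout=10):
    """First request, no cookie jar, nothing accepted: what a cold visitor receives."""
    req = urllib.request.Request(url, headers={"User-Agent": "lgpd-probe-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or [], resp.read(2_000_000).decode("utf-8", "replace")


# Constructed sample response: a Meta Pixel cookie set server-side and gtag loaded inline.
SAMPLE_HEADERS = ["_fbp=fb.1.1700000000000.123; Path=/; Max-Age=7776000", "session=abc; HttpOnly"]
SAMPLE_HTML = '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>'

if __name__ == "__main__":
    for finding in audit_initial_response(SAMPLE_HEADERS, SAMPLE_HTML):
        print(*finding)
```

Most analytics cookies are set by JavaScript rather than by a Set-Cookie header, so the script check is what catches the common case in a no-JS probe; a headless browser would be needed to observe cookies written client-side.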

2. Accessible Privacy Policy

It's not enough for it to exist — it must be linked from the footer on every page, accessible without login, and cover the formal points: data collected, purposes, legal bases, retention, data-subject rights.

3. Controller identification

Who is the company? Legal name, CNPJ, address. Hiding this behind a trade name is a legal gray area — the data subject needs to know who to complain to.

4. Data Protection Officer (DPO) contact

Article 41 requires you to designate a data protection officer, with a publicly accessible communication channel. It's not enough to put legal@company.com — there must be an explicit reference to "DPO" or "Encarregado".

5. Data-subject rights

Article 18 gives the data subject eight rights: confirmation, access, correction, anonymization, portability, deletion, information about sharing, revocation of consent. The policy must explain how to exercise each one.

What the LGPD does not require (and many overdo)

  • It doesn't require an ANPD-friendly tracking icon — that's diligence, not an obligation
  • It doesn't require a banner with symmetric "Accept all / Reject all" — though it's good practice
  • It doesn't require specific AES-256 encryption — only "reasonable technical measures"
  • It doesn't require an annual public report — only for high-risk controllers and when requested by the ANPD

How to check your site now

You can run a free Sentinela audit and see the LGPD layer findings. The probe doesn't replace a lawyer, but it catches the formal mistakes 80% of sites make:

  • Nonexistent policy or broken link
  • Missing DPO or with a generic contact
  • Tracking before the banner
  • Banner with no real option to refuse
  • Lack of information about rights

And if you're not compliant?

The ANPD applies administrative sanctions ranging from a warning to a fine of 2% of revenue (capped at R$ 50 million per infraction). But the real and most common risk isn't the fine — it's reputational damage: a data subject complains publicly, it becomes a LinkedIn post, a class action, a support ticket that eats up time.

Most cases sanctioned by the ANPD so far have been for an unreported security incident (art. 48) or for denial of a rights request. Both are detectable externally: a leak occurs because the site exposes .env (also detected by Sentinela), and a denied right becomes a public complaint.

Practical conclusion

LGPD isn't a page. It's a posture observable from outside. Do three things today:

  1. Put up a functional cookie banner (blocks tracking before consent)
  2. Write a real policy (don't copy a template) with the DPO's name
  3. Audit your own site externally — before someone audits it for you

The rest is legal detail you adjust over time. The basics, any external ASM scanner can identify in 30 seconds.
