LGPD Compliance
Configure your forms for the Brazilian Lei Geral de Proteção de Dados.
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is Brazil's general data protection law, in effect since September 2020. It applies to any organization that processes personal data of individuals located in Brazil, regardless of where the organization is based. It is heavily inspired by the EU's GDPR and shares many of the same principles.
If your web form can be accessed by people in Brazil and collects any personal data (name, email, IP address), the LGPD applies.
Why consent matters under the LGPD
Like the GDPR, the LGPD lists multiple legal bases for processing personal data (Article 7). Consent is one of the most commonly used bases for web forms:
- Consent (Article 7, I) — must be free, informed, and unambiguous. The data subject must clearly agree to the specific purpose of data processing.
- Legitimate interest (Article 7, IX) — available but requires a balancing test, and the LGPD's enforcement authority (ANPD) has been stricter about this than some EU regulators.
For most form use cases (contact forms, signups, feedback), collecting explicit consent is the safest approach under the LGPD.
What the LGPD preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | Article 7(I) requires free, informed, and unambiguous consent for data processing. |
| Consent message | "Concordo com o processamento dos meus dados pessoais conforme a LGPD." | Portuguese-language message for Brazilian users. Translates to: "I agree to the processing of my personal data in accordance with the LGPD." |
| IP anonymization | Enabled | IP addresses are personal data under the LGPD. Anonymizing them reduces your data processing scope. |
| Data retention | 365 days | Article 15 requires data to be deleted when it is no longer necessary for the purpose it was collected. One year is a reasonable default. |
| User-agent storage | Disabled | Browser fingerprint data can identify individuals. The LGPD's data minimization principle (Article 6, III) recommends collecting only what is necessary. |
Set up the LGPD preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select LGPD (Brazil) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to Settings → Compliance.
- Toggle Override account defaults.
- Select LGPD (Brazil).
- Click Save.
Add consent to custom HTML forms
On hosted forms, the consent checkbox is added automatically with the Portuguese message. For custom HTML forms, add the checkbox manually:
```html
<label>
  <input type="checkbox" name="_fb_consent" value="true" required>
  Concordo com o processamento dos meus dados pessoais conforme a LGPD.
  <a href="https://seusite.com.br/privacidade">Política de Privacidade</a>
</label>
```
The field name must be _fb_consent. FormBlade validates this field server-side and rejects submissions without it with a 422 response.
LGPD-specific considerations
Right to confirmation and access (Article 18, I-II)
Data subjects can request confirmation of whether their data is being processed and access to it. You can export submissions as CSV from the dashboard to fulfill these requests.
Right to deletion (Article 18, VI)
Data subjects can request deletion of their personal data processed on the basis of consent. Delete individual submissions from the dashboard. FormBlade's automatic data retention also ensures data is eventually purged.
Right to revoke consent (Article 18, IX)
The LGPD explicitly grants the right to revoke consent at any time. While FormBlade's consent checkbox gates future submissions, it does not manage ongoing consent for already-collected data. If a user revokes consent, delete their submissions from the dashboard.
Data Protection Officer (Article 41)
The LGPD requires organizations to appoint a Data Protection Officer (DPO), called the encarregado. The DPO's contact information must be publicly available. Include it in your privacy policy.
International data transfers (Article 33)
The LGPD restricts transfers of personal data to countries that do not provide an adequate level of data protection. FormBlade (ZNX Ltd) is an EU-based company and processes data on EU infrastructure. The EU has been recognized by Brazil's ANPD as providing adequate protection, so data transfers to FormBlade are permitted.
Consent is not stored
FormBlade validates the consent checkbox at submission time but strips the _fb_consent field before storing the submission. If your LGPD compliance process requires proof of consent, implement a separate consent log on your side.
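One way to keep such a consent log on your own server is sketched below. It is an added example, not FormBlade code: an append-only, hash-chained record of grant and revoke events that stores a keyed pseudonym instead of the email and a truncated IP. All function names, the demo key and the /24 and /48 truncation widths are assumptions made for this illustration.

```python
import hashlib, hmac, ipaddress, json
from datetime import datetime, timezone

CONSENT_TEXT = "Concordo com o processamento dos meus dados pessoais conforme a LGPD."
LOG_KEY = b"constructed-demo-key"  # assumption: load the real key from your secret store

def anonymize_ip(ip):
    """Truncate to /24 (IPv4) or /48 (IPv6) so the log never holds a full address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def subject_id(email):
    """Keyed pseudonym: finds a person's entries without storing the email itself."""
    return hmac.new(LOG_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log, event, email, ip, form_id, when=None):
    """Append a 'granted' or 'revoked' event, chained to the previous entry's hash."""
    if event not in ("granted", "revoked"):
        raise ValueError("event must be 'granted' or 'revoked'")
    entry = {
        "event": event,
        "form_id": form_id,
        "subject": subject_id(email),
        "ip": anonymize_ip(ip),
        "text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),  # wording shown
        "at": (when or datetime.now(timezone.utc)).isoformat(),
        "prev": log[-1]["hash"] if log else "0" * 64,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log):
    """False if any entry was edited, reordered or dropped from the middle of the chain."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True

def has_active_consent(log, email, form_id):
    """The most recent event for this subject and form decides."""
    sid = subject_id(email)
    events = [e["event"] for e in log if e["subject"] == sid and e["form_id"] == form_id]
    return bool(events) and events[-1] == "granted"
```

Record the "granted" event when your page submits the form, and a "revoked" event when you delete a user's submissions after a revocation request. The chain does not detect removal of the newest entries, so publish or back up the latest hash separately if that matters to you.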
LGPD vs GDPR
The LGPD and GDPR are similar in scope and principles. Key differences relevant to form data:
- Consent withdrawal — the LGPD is more explicit about the ease of revoking consent. It must be as easy to revoke as it was to give.
- DPO requirement — the LGPD requires a DPO for all organizations, not just those processing data at large scale (as in the GDPR).
- Fines — maximum fines under the LGPD are 2% of revenue in Brazil (capped at R$50 million per violation), compared to the GDPR's 4% of global revenue.
If you already comply with the GDPR, you are mostly compliant with the LGPD. The main addition is ensuring the consent message is in Portuguese for Brazilian users.