💡 Lvga editor's note: This article was contributed by hephaestus, a reader from the Lvga community. To make it easier to read, Lvga editor JingJing (WeChat: lvga2015) has carefully polished the logic of the original and tidied it up for compliance. We hope it offers a real reference for those of you on the startup road in Brazil.


I still don’t know if I’m collecting too much data — or not enough.

Three months ago, I launched a small Google Ads consultancy in Florianópolis, Santa Catarina. My goal? Help Chinese SMEs reach Brazilian buyers. Simple, right? But every time I asked a client for their email, phone number, or even their business registration code, my stomach tightened. Was I breaking the law? Was I putting them at risk? Was I being paranoid?

I also didn’t know if Brazil’s data rules were like the GDPR — strict but clear — or something weirder, like a maze built by someone who’d never used a smartphone.

I thought I’d figure it out by Googling “Brazil personal data protection.” That led me to a dozen broken links, half-translated PDFs, and one Reddit thread where someone said, “Just don’t store anything.” That didn’t help.

So I started reading. Not just blogs. Not just forums. I dug into the actual law: Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018, Brazil's General Data Protection Law. It entered into force in September 2020, and the ANPD has been able to apply administrative sanctions since August 2021. And yes, it applies to you, even if you're a foreigner running a one-person shop from a co-working space in Florianópolis.

I almost misunderstood it as “just for big companies.” I thought: I’m not Amazon. I don’t have 500,000 customers. Why would they care?

Then I realized: the process is more complex than I imagined.


The Reality: It’s Not About Size — It’s About Sensitivity

Here’s what I learned, slowly and painfully:

LGPD applies to anyone who processes personal data, even if you're just collecting an email to send a newsletter. “Processing” (tratamento, Art. 5 X) is defined broadly: collecting, accessing, storing, using, transmitting, sharing, deleting. If you touch it, you're in scope.

The law applies whether you're a startup or a multinational. Size only changes how heavy the obligations are: ANPD Resolution CD/ANPD 2/2022 gives micro and small businesses and startups lighter duties (no mandatory DPO, simplified records of processing), not an exemption, and you lose that relief if you do high-risk processing such as large-scale profiling or handling sensitive data. What matters is:

  • What data you collect (name, phone, ID, payment info, IP address, even location)
  • Why you collect it
  • How long you keep it
  • Who you share it with

For example: if you accept Pix (which, by the way, now dominates e-commerce here; see the EBANX report in the further reading), the payment itself runs over the Central Bank's instant-payment rails through your bank or payment service provider. Your customer's name, tax ID and payment details are handed to that third party. That is data sharing under LGPD, and Art. 9 requires you to tell data subjects about it in your privacy notice.

I once asked a local lawyer: “Can I just write ‘We collect data for business purposes’ in my privacy policy?”
He laughed. “That’s like saying ‘I breathe air.’ It’s true, but it doesn’t protect anyone.”


The Two Big Traps I Almost Fell Into

Trap 1: “I’m just using Google Forms.”

I used Google Forms to collect client onboarding info. Simple, right? But Google stores that data outside Brazil. LGPD does not require data to be hosted in Brazil, but an international transfer is only allowed on one of the grounds in Art. 33: an ANPD adequacy decision, standard contractual clauses (the ANPD published its own SCCs in Resolution CD/ANPD 19/2024), binding corporate rules, or the data subject's specific, highlighted consent, among others. Even if you're not storing it, just routing it through servers abroad is a transfer, and you are the controller who has to account for it.

I switched to a Brazilian-hosted form tool — Formulario.io — which is LGPD-compliant and stores data locally. It cost me 30 BRL/month. Worth it.

Trap 2: “I need consent for everything.”

Wrong.

LGPD has 10 legal bases for processing ordinary personal data (Art. 7). Consent is just one; a contract with the client or a legal obligation usually fits better for onboarding and invoicing data. But for marketing? Yes, consent is the safe basis, and consent has to be free, informed, unequivocal and tied to a specific purpose (Art. 5 XII and Art. 8). Pre-ticked boxes? No. “By using this site, you agree”? No. Generic authorizations are void under Art. 8 §4. You need a clear “Yes, I allow you to contact me for marketing” checkbox, and the option to withdraw at any time (Art. 8 §5).

I added a simple toggle on my website:

“I agree to receive promotional emails about digital advertising tools for SMEs. I can unsubscribe anytime.”
[✅ Yes, I agree]
[❌ No, thank you]

That’s it. No legalese. No walls of text.
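A toggle alone is not evidence. Here is how I would keep a record of that consent so it can be shown later, as an added illustration (not code from the original post, and not from Formulario.io or any vendor): a small in-memory Python ledger that stores each opt-in with the exact wording shown, refuses pre-ticked boxes and generic purposes, and lets the most recent withdrawal win. The purpose catalogue, the channel names and the in-memory storage are assumptions; in practice you would persist this in SQLite or your form tool's export.

```python
"""Consent ledger for marketing opt-ins (added illustration, not the
original post's code). Storage is an in-memory list: an assumption, so the
example runs offline; persist it in a database in practice."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Assumed purpose catalogue. Each consent points at one specific wording;
# LGPD Art. 8 par. 4 treats generic authorisations ("business purposes") as void.
PURPOSES = {
    "marketing_email": (
        "I agree to receive promotional emails about digital advertising "
        "tools for SMEs. I can unsubscribe anytime."
    ),
}


@dataclass(frozen=True)
class ConsentEvent:
    subject: str      # normalised e-mail of the data subject
    purpose: str      # key into PURPOSES
    granted: bool     # True = opt-in, False = withdrawal
    text_hash: str    # SHA-256 of the exact wording shown at the time
    channel: str      # where it happened, e.g. "web_form", "whatsapp_reply"
    at: datetime      # UTC timestamp


def _norm(subject: str) -> str:
    return subject.strip().lower()


class ConsentLedger:
    """Append-only log; the latest event per (subject, purpose) decides."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject: str, purpose: str, granted: bool, channel: str,
               box_default_checked: bool = False) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name a specific purpose")
        if granted and box_default_checked:
            # A pre-ticked box is not an unequivocal act by the subject; never log it as consent.
            raise ValueError("pre-ticked box: not valid consent")
        text_hash = hashlib.sha256(PURPOSES[purpose].encode("utf-8")).hexdigest()
        event = ConsentEvent(_norm(subject), purpose, granted, text_hash,
                             channel, datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject: str, purpose: str, channel: str) -> ConsentEvent:
        # Withdrawal is just another event, so the history stays intact.
        return self.record(subject, purpose, False, channel)

    def is_granted(self, subject: str, purpose: str) -> bool:
        """No event at all means no consent (silence is not opt-in)."""
        latest = None
        for event in self._events:
            if event.subject == _norm(subject) and event.purpose == purpose:
                latest = event        # list is chronological, so the last match wins
        return latest is not None and latest.granted

    def receipt(self, subject: str, purpose: str) -> list[dict]:
        """What you can show an auditor, or the person asking "what did I agree to?"."""
        return [
            {"granted": e.granted, "channel": e.channel, "at": e.at.isoformat(),
             "wording_sha256": e.text_hash, "wording": PURPOSES[e.purpose]}
            for e in self._events
            if e.subject == _norm(subject) and e.purpose == purpose
        ]
```

The hash of the wording matters more than it looks: when you later reword the checkbox text, old receipts still prove which sentence the person actually saw, and `is_granted` returns False for anyone who never interacted with the form at all.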


How to Tell If a Source Is Reliable

Here’s how I stopped trusting random blogs:

  1. Look for the source: Is it from the ANPD (Autoridade Nacional de Proteção de Dados)? That's Brazil's data protection authority. Its site is gov.br/anpd, in Portuguese, but Google Translate works, and its resolutions are the rules you will actually be held to.
  2. Check for updates: LGPD is still evolving through ANPD regulation. The fine-calculation rules (Resolution CD/ANPD 4/2023), the small-business regime (2/2022) and the international-transfer rules (19/2024) all arrived after the law itself, so a 2020 blog post can be badly out of date. Court stories in the news are rarely about LGPD; don't read data-governance lessons into them.
  3. Avoid U.S.-centric advice: Coverage of the Trump administration's push for social media data collection (as reported by AP and Daily Mail) is a red herring here. Brazil's law is not about government surveillance; it's about individuals' rights over their own data. Don't mix them up.
  4. Ask for local examples: One of the most helpful things I did was join a small Facebook group: “Empreendedores Digitais em Santa Catarina.” Someone posted: “I got fined 5k BRL for not having a privacy policy on my Shopify store.” That was my wake-up call.

❓ FAQ: Common Questions from Foreign Entrepreneurs

Q1: Do I need a Data Protection Officer (DPO) if I’m just one person?

Steps:

  1. Check if your processing is “high risk” in the ANPD's sense: large-scale processing, sensitive data (health, biometrics, religion), children's or adolescents' data, or profiling that significantly affects people.
  2. If not, and you are a micro or small business or a startup, ANPD Resolution CD/ANPD 2/2022 exempts you from appointing a formal DPO (encarregado).
  3. But you must still provide a communication channel, handled by someone, even if it's you, for data subjects' requests and for the ANPD.

Path:

  • Add a “Contato para Proteção de Dados” section to your website footer.
  • Include an email (e.g., data@yourbusiness.com.br) and a response timeline (e.g., “We respond within 15 days”, which is the deadline LGPD Art. 19 sets for a full answer to an access request).

Key Points:

  • You don’t need a title. You need a process.
  • Keep a log of all data access requests — even if you get none.
  • Use the ANPD's free guidance for small-scale agents (Resolution 2/2022 lets you keep a simplified record of processing) rather than a template from a random blog.

Q2: Can I use WhatsApp to communicate with clients?

Steps:

  1. Consumer WhatsApp and the WhatsApp Business app are end-to-end encrypted between the two phones (Signal protocol), so nobody in the middle, Meta included, can read the message in transit. That protection stops at the endpoints: your phone, your chat exports, and your cloud backups, which are only encrypted if you turn on encrypted backups. Messages sent through the WhatsApp Business Platform (the API) instead pass through Meta's or your provider's servers in readable form, so whoever runs that integration can read them.
  2. For casual chats? You can use it, but only with a legal basis: for a client you are already working for, that is usually the contract; for anything beyond it, consent.
  3. Don't keep client phone numbers in a shared Google Sheet. If you must, restrict who can open it and delete entries once the purpose is over. The law sets no fixed period (Art. 15 and 16: delete when the purpose ends, unless a legal duty says keep); my own rule of thumb is six months.

Path:

  • Send a message: “Olá! Vou te enviar informações por WhatsApp. Você concorda com isso? Se sim, responda ‘sim’.” (“Hi! I'll send you information over WhatsApp. Do you agree? If so, reply ‘yes’.”)
  • Save the replies with the date, so you can show when and to what they agreed. Delete them once the purpose ends; my own rule is six months.

Key Points:

  • WhatsApp is common here — but legally risky.
  • Never send ID documents or bank details over WhatsApp.
  • Use encrypted tools like Tresorit or ProtonMail for sensitive files.

Q3: What if I’m just a freelancer using a Brazilian client’s logo and data in my portfolio?

Steps:

  1. LGPD protects data about natural persons. A company's name and logo are not personal data, but the name of the person you worked with, their photo, a testimonial in their name, or the identity of a sole trader (MEI) whose business name is their own name, are. And even where LGPD doesn't apply, the logo is the client's trademark and the project details may be confidential under your contract.
  2. So you need their written permission, even if you worked with them for free.

Path:

  • Draft a simple one-liner:

“I, [Client Name], authorize [Your Name] to use my company name and project details for portfolio purposes.”

  • Get them to sign via DocuSign or even a WhatsApp photo of a signed paper.

Key Points:

  • Don’t assume “they’re happy” = consent.
  • If you’re unsure, don’t use it.
  • Your reputation matters more than a portfolio pic.

What I Do Now — A Simple Routine

Here’s my weekly 15-minute compliance check:

  • ☑️ Review my privacy policy — updated it in January 2026
  • ☑️ Delete old client emails older than 12 months
  • ☑️ Check if any new tools I’m using (like Canva or Mailchimp) have LGPD-compliant settings
  • ☑️ Ask one client: “Is there anything you’d like to know about how I handle your data?”
  • ☑️ Save the reply. Even if it’s “No, you’re fine.”

I don’t feel “compliant.” I feel responsible.

And that’s the difference.


4 Actionable Steps (Start Today)

  1. Write a short privacy policy in Portuguese. LGPD Art. 9 tells you what it must say: what you collect and why, how long you keep it, who you share it with (your payment provider, your email tool), your contact for data requests, and how people can exercise their rights. Put it in your website footer.
  2. Stop using Google Forms for client intake unless you can document the transfer basis (Art. 33). A Brazilian-hosted tool is the simpler path.
  3. Add a consent toggle to every email signup or contact form. No exceptions.
  4. Keep a log — even a simple Notion page — of every time you receive, store, or delete personal data.
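What that log looks like once it does something useful, as an added example that is not part of the original post: a small Python register that records every receipt of personal data with its purpose, legal basis, recipients and a retention period, runs the weekly deletion sweep from those periods instead of a blanket date, answers “what do you hold about me?” from the same records, and tracks the 15-day deadline for access requests mentioned in Q1. The in-memory storage, the field names and the retention periods are assumptions.

```python
"""Personal-data register with purpose-bound retention and a 15-day clock
for access requests (added example; not the post's own tooling). Plain
`date` values and in-memory lists are assumptions so it runs offline."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REQUEST_DEADLINE_DAYS = 15   # LGPD Art. 19 II: full answer within 15 days


@dataclass
class Record:
    subject: str                 # who the data is about (e-mail as identifier)
    category: str                # "email", "phone", "cnpj", ...
    purpose: str                 # the specific purpose it was collected for
    legal_basis: str             # an Art. 7 basis: "contract", "consent", "legal_obligation", ...
    received: date
    retain_days: int             # retention period chosen for this purpose (assumed values)
    shared_with: tuple = ()      # processors/third parties named in the privacy notice
    deleted: Optional[date] = None

    def delete_by(self) -> date:
        return self.received + timedelta(days=self.retain_days)


@dataclass
class AccessRequest:
    subject: str
    received: date
    answered: Optional[date] = None

    def deadline(self) -> date:
        return self.received + timedelta(days=REQUEST_DEADLINE_DAYS)


class Register:
    def __init__(self) -> None:
        self.records: list[Record] = []
        self.requests: list[AccessRequest] = []
        self.events: list[tuple] = []   # append-only: (action, subject, detail, date)

    def receive(self, **fields) -> Record:
        rec = Record(**fields)
        self.records.append(rec)
        self.events.append(("receive", rec.subject, rec.category, rec.received))
        return rec

    def overdue(self, today: date) -> list[Record]:
        """Live records whose retention period has run out."""
        return [r for r in self.records if r.deleted is None and r.delete_by() <= today]

    def purge(self, today: date) -> list[Record]:
        """The weekly sweep: mark expired records deleted and log it (Art. 15/16)."""
        purged = self.overdue(today)
        for rec in purged:
            rec.deleted = today
            self.events.append(("delete", rec.subject, rec.category, today))
        return purged

    def export(self, subject: str) -> list[dict]:
        """Answer to "what do you hold about me?": live data, purpose, basis, recipients."""
        return [
            {"category": r.category, "purpose": r.purpose, "legal_basis": r.legal_basis,
             "shared_with": list(r.shared_with), "delete_by": r.delete_by().isoformat()}
            for r in self.records if r.subject == subject and r.deleted is None
        ]

    def open_request(self, subject: str, received: date) -> AccessRequest:
        req = AccessRequest(subject, received)
        self.requests.append(req)
        self.events.append(("request", subject, "access", received))
        return req

    def late_requests(self, today: date) -> list[AccessRequest]:
        """Unanswered requests past their 15-day deadline."""
        return [q for q in self.requests if q.answered is None and today > q.deadline()]
```

The point of tying `retain_days` to each record rather than running “delete everything older than 12 months” is that onboarding data held under a contract and a phone number held under consent legitimately have different lifetimes, and the `events` list is the log item 4 asks for: it records the receipt, the deletion and the request without you having to remember to write them down.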

You don’t need a lawyer to start.
You just need to be honest — with yourself, and with your clients.


If you’re also in Brazil — maybe in Santa Catarina, maybe in São Paulo or Belém — and you’re wondering if you’re doing data right… you’re not alone.

I was terrified. I still get nervous when I send a client’s email to a payment processor.

But I’m learning.

And I’m not rushing.

If you’re also in the middle of this — unsure, tired, maybe overwhelmed — you can always reach out to JingJing at lvga2015 on WeChat. We don’t offer legal advice. We don’t promise outcomes. But we do share what we’ve learned — slowly, carefully, one honest conversation at a time.

You’re not behind.
You’re just beginning.


🔗 Further reading

🔸 Brazil directs X to ‘immediately’ block Grok sexualised AI-generated images
🗞️ Source: Mathrubhumi – 📅 2026-02-12
🔗 Read the original

🔸 E-commerce: UPI sparks a credit card boom in India while Pix overtakes card dominance in Brazil, EBANX finds
🗞️ Source: PR Newswire APAC – 📅 2026-02-12
🔗 Read the original

🔸 Brazil Supreme Court’s Toffoli denies receiving payments, links to Banco Master’s Vorcaro
🗞️ Source: Yahoo News – 📅 2026-02-12
🔗 Read the original


📌 Disclaimer

Please note: Lvga (Lvga.com) is a platform for sharing public information and content about cross-border entrepreneurship; it does not provide legal, tax, accounting or compliance services.
This article is based on public sources and was compiled by human editors with the assistance of AI tools. It is for information only and does not constitute legal, investment, immigration or business advice.
Policies change over time; rely on official channels and locally licensed professionals.
If anything here needs correcting, please get in touch.