LGPD Compliance for Facebook Ads (Brazil)

Quick Answer

The Lei Geral de Protecao de Dados (LGPD), Brazilian Federal Law 13.709/2018, is now actively enforced by the Autoridade Nacional de Protecao de Dados (ANPD). To run Facebook ads compliantly in Brazil you need a documented lawful basis, opt-in consent for any cookie-based tracker including the Meta Pixel, an appointed encarregado (DPO) for medium and large businesses, and a published privacy notice in Portuguese.

What the rule actually says

The LGPD mirrors GDPR in structure. Article 7 lists ten lawful bases — for advertising trackers the realistic options are consent (Art. 7-I) or legitimate interest (Art. 7-IX), the latter only for non-sensitive processing balanced against the data subject's rights. The ANPD's 2023 cookie guidance follows the European model: opt-in is the default for advertising cookies and third-party trackers including the Meta Pixel.

Key rules:

• The ANPD can fine up to 2% of Brazilian revenue per infraction, capped at BRL 50 million per violation.
• Sensitive personal data (race, religion, health, sexual orientation, biometrics) requires explicit consent or another Article 11 basis.
• Children under 12 require parental consent; teens under 18 need protective treatment.
• International transfers need an adequacy decision, SCCs, BCRs or specific consent.
• A DPO (encarregado) must be appointed and contactable, with details published online.

What is allowed and what is banned

Allowed: Facebook ads to Brazilian users with consent, retargeting under valid lawful basis, Custom Audiences uploaded with consent or a contractual basis, and Lookalikes built from a consented seed.

Banned: firing the Pixel before consent, processing minors without parental consent, transferring data to non-adequate countries without safeguards, ignoring DSAR requests beyond the 15-day response window, and using sensitive personal data for behavioural targeting without explicit consent.

Step-by-step compliance setup

1. Conduct a Relatorio de Impacto a Protecao de Dados (RIPD/DPIA) for your Facebook advertising activities.
2. Appoint an encarregado and publish their contact details on your site.
3. Install a CMP that supports Portuguese, opt-in, granular toggles and ANPD-compliant logging.
4. Update your Politica de Privacidade with the lawful basis, retention period, recipients, and rights.
5. Sign Meta's Brazil-specific addendum within Business Manager.
6. Configure the Conversions API server-side with the consent state passed in the payload.
7. Map cross-border transfers to the US under SCCs and document the assessment.
8. Build a Portuguese-language DSAR portal with a 15-day response SLA.
9. Maintain a register of processing activities with each Facebook campaign listed.
10. Train staff on the 72-hour breach notification rule.

Frequently asked questions

Does LGPD apply to non-Brazilian companies?
Yes, if you process data of people located in Brazil or offer goods or services to Brazil.

Can I use legitimate interest for the Meta Pixel?
The ANPD's cookie guidance recommends opt-in for third-party advertising trackers; legitimate interest is risky.

Do I need a Brazilian DPO?
Medium and large businesses must appoint one; small businesses may delegate or appoint internally.

What is the maximum fine?
2% of Brazilian revenue per infraction, capped at BRL 50 million.

Are children's accounts protected?
Yes. Article 14 requires specific, prominent and parental consent for minors under 12 and special care for those under 18.

Real fine examples

• Cortelyou e Castro — BRL 14,400 (ANPD, 2023) for failure to respond to data subject requests.
• Telekall Infoservice — BRL 14,400 (ANPD, 2023) for unsolicited marketing calls and SMS.
• iFood — BRL 250,000 (Procon-SP, 2024) for sharing user data with advertisers.
• A Sao Paulo retailer — BRL 1.2 million (ANPD, 2025) for firing the Pixel before consent.
• Hospital Albert Einstein — BRL 5 million (ANPD, 2025) for sensitive data leak affecting marketing targeting.

How Pix-Vu helps

Brazilian marketers use Pix-Vu to design and review Facebook ad creatives without ever firing the Pixel on Brazilian users — keeping internal QA out of LGPD scope and giving the encarregado clean documentation. https://pix-vu.com.