If you ship an app or run an online store and any of your users are in Brazil, you are inside Brazil's digital-rules perimeter — wherever you happen to be based. Brazil's data-protection law was written to follow the user and the processing, not your registration, so "I'm not a Brazilian company" is rarely a reason a rule won't reach you. The good news: the core obligations look familiar if you already know GDPR, and the most visible launch-time signals are the same surfaces a careful reviewer checks anywhere.
This page is a practical orientation, not a complete legal map. It walks through the four areas an indie app or e-commerce site most often bumps into in Brazil — the LGPD (data protection), cookies and tracking, the Código de Defesa do Consumidor (Consumer Defense Code), and digital accessibility — and, for each, points to the LaunchTrust check that surfaces the related signal on your public pages. It is deliberately non-exhaustive: depending on your product you may also face tax, marketing, sector-specific, or platform rules not covered here.
LGPD: Brazil's data protection law
Brazil's core privacy law is the Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018), supervised by the Autoridade Nacional de Proteção de Dados (ANPD). If your app collects names, emails, device identifiers, analytics, payment details, or any other personal data from people in Brazil, the LGPD generally applies — including, as commonly understood, to controllers based abroad when they process data of individuals located in Brazil or offer goods and services to the Brazilian market.
For an indie launcher, the practical core mirrors GDPR: process personal data on a valid legal basis (the LGPD lists several, including consent and legitimate interest), give people a clear notice of what you collect and why, and honor data-subject rights — the LGPD grants individuals rights such as access, correction, deletion, and portability of their data. Sensitive data and children's data carry heightened expectations.
The two most visible public signals are a privacy notice that actually exists and is linked, and a route for users to delete their account and data.
- A reachable, linked policy maps to the privacy policy detector. A Brazilian audience expects a notice they can read in Portuguese that names what you collect, your purpose, and how to exercise rights.
- A user-facing way to request account and data deletion maps to the account and data deletion detector, which surfaces whether a deletion route appears present.
- The data-protection items an indie app is measured against overlap heavily with the GDPR checklist for indie apps — much of that groundwork carries straight over to the LGPD, though the laws are separate regimes.
Cookies and tracking
The LGPD does not include a separate "cookie law" the way the EU does, but cookies and similar trackers that identify or profile a person are treated as processing of personal data under the LGPD. The practical expectation that has emerged in Brazil — reinforced by ANPD guidance on cookies and by consumer-transparency principles — is to be clear about what trackers you use, why, and to give users meaningful control over non-essential ones (analytics, advertising, embedded third-party widgets). Strictly necessary cookies generally sit on a different footing than tracking and profiling cookies.
For most indie apps and stores, the automated-scan signal here is twofold: whether a consent or preferences mechanism is even present, and whether known third-party trackers appear to fire on the page.
- A visible consent mechanism maps to the cookie consent banner detector, which reports whether a consent prompt appears present.
- The trackers themselves — analytics and advertising scripts loading on first paint — map to the third-party tracking detector. Seeing trackers fire before any user choice is the pattern most worth a second look.
Note the limit honestly: a detected banner is a signal that a prompt exists. It does not confirm the banner blocks non-essential trackers until consent, offers a genuine reject path, or matches your chosen LGPD legal basis. That requires looking at behavior, not just presence.
The Consumer Defense Code (CDC)
If you sell to Brazilian consumers — paid apps, subscriptions, digital downloads, or physical goods — the Código de Defesa do Consumidor (CDC, Law No. 8.078/1990) sets out strong protections, and e-commerce rules layered on top of it (commonly associated with Decree No. 7.962/2013) add specific online-selling duties. Two themes matter most at launch:
First, clear pre-purchase information and supplier identity. Online sellers are generally expected to make basic identification (who you are and how to reach you) and the essential terms of the offer — price, characteristics, and any recurring charges — easy to find before the consumer pays.
Second, the right of withdrawal (direito de arrependimento). Under Article 49 of the CDC, consumers buying off-premises — which is widely applied to online and app purchases — commonly have a 7-day window to withdraw from the contract. There are nuances for how this interacts with digital content and immediate delivery, so treat the 7-day point as the general rule and confirm specifics for your product type.
- Clear cancellation and refund terms map to the refund and cancellation policy detector.
- Recurring-billing and renewal disclosures map to the subscription auto-renewal disclosure detector.
- Supplier identity and a contact route — a core CDC and e-commerce expectation — map to the contact and imprint detector.
Digital accessibility
Brazil treats accessibility as a civil-rights matter. The Lei Brasileira de Inclusão (LBI, Law No. 13.146/2015) — the Brazilian Inclusion Act / Statute of Persons with Disabilities — sets out accessibility duties that reach websites and digital services made available to the public, and Brazil's public-sector accessibility guidance (eMAG) is aligned with WCAG principles. Whether and how strictly these apply to your specific product depends on its nature and reach, so don't assume it does or doesn't — check your category. Either way, the WCAG-aligned baseline is good practice and cheap to verify on a public page.
Several baseline accessibility signals are quick to surface:
- a declared page language (so screen readers pronounce Portuguese correctly) → page language attribute;
- a meaningful page title → page title accessibility;
- alt text on images → image alt text;
- labels on form inputs → form input labels;
- not disabling pinch-zoom → zoom not disabled.
These are starting signals, not an accessibility audit. Presence of a lang attribute or alt text says the basics are in place, not that the whole experience is usable with assistive technology.
What LaunchTrust checks for Brazil
LaunchTrust does not assess "LGPD adherence" or "CDC adherence" — no scanner can, and this overview is not legal advice. What it does is fetch your public pages as an anonymous visitor and report observable signals that a Brazil-minded reviewer would look for first:
- whether a privacy policy and cookie consent prompt appear present;
- whether third-party trackers load on the page;
- whether an account/data-deletion route is reachable;
- whether refund/cancellation, subscription, and contact/supplier information is reachable;
- whether accessibility basics (page language, title, alt text, form labels, zoom) are present.
Every result is a signal — detected, not detected, or unable to determine — never a verdict. "Detected" means the wording or markup is on the page; it does not confirm the item is worded sufficiently, configured correctly, or adequate for the LGPD, the CDC, or the LBI as they apply to your specific product. "Not detected" flags a gap worth a human look. "Unable to determine" means the page couldn't be fetched or assessed.
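As an added illustration (not LaunchTrust's detector code, which this page does not show), here is a deliberately simplified, presence-only check of the signals listed above, run over a constructed sample page. The tracker host list and the id/class heuristic for the banner are assumptions; a real scanner would parse the DOM rather than regex the markup.

```javascript
// Added illustration (not LaunchTrust's own detector code): presence-only signals
// read from raw HTML, as an anonymous fetch of a public page would see it. The
// tracker host list is a constructed assumption, not a real blocklist.
const TRACKER_HOSTS = ['analytics.example.com', 'ads.example.com'];
const signal = cond => (cond ? 'detected' : 'not detected');

// Every <img> must carry an alt attribute (an empty alt is fine for decorative images).
function allImagesHaveAlt(html) {
  const imgs = html.match(/<img\b[^>]*>/gi) || [];
  return imgs.every(tag => /\balt\s*=/i.test(tag));
}

// External scripts in the static markup whose host is on the tracker list.
function trackerScripts(html) {
  const srcs = [...html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  return srcs.filter(src => TRACKER_HOSTS.some(host => src.includes(host)));
}

function scanSignals(html) {
  const trackers = trackerScripts(html);
  const banner = /<(?:div|section|dialog)\b[^>]*\b(?:id|class)\s*=\s*["'][^"']*(?:cookie|consent)/i.test(html);
  return {
    privacyPolicy: signal(/<a\b[^>]*>[^<]*(?:privacy|privacidade)[^<]*<\/a>/i.test(html)),
    cookieConsentBanner: signal(banner),
    thirdPartyTrackers: signal(trackers.length > 0),
    // The page's example pattern: a banner exists, yet a tracker sits in the static
    // markup and therefore loads before any choice can be recorded.
    trackerBeforeChoice: signal(banner && trackers.length > 0),
    pageLanguage: signal(/<html\b[^>]*\blang\s*=/i.test(html)),
    pageTitle: signal(/<title>\s*[^<\s][^<]*<\/title>/i.test(html)),
    imageAltText: signal(allImagesHaveAlt(html)),
    zoomNotDisabled: signal(!/user-scalable\s*=\s*(?:no|0)\b|maximum-scale\s*=\s*1(?:\.0)?\b/i.test(html)),
  };
}

// Constructed sample reproducing the banner-plus-early-tracker pattern described on this page.
const SAMPLE_HTML = `<!doctype html><html lang="pt-BR"><head><title>Loja Exemplo</title>
<script src="https://analytics.example.com/track.js"></script></head>
<body><div id="cookie-banner">Usamos cookies. <button>OK</button></div>
<img src="/logo.png"><a href="/privacidade">Política de Privacidade</a></body></html>`;

console.log(scanSignals(SAMPLE_HTML));
```

On the sample, every signal comes back "detected" except image alt text, and the banner-plus-tracker combination is reported as a tracker loading before any choice.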
A concrete example
Here is a cookie-and-LGPD pattern a scan can flag. The page ships a consent banner, but an analytics tag is already in the markup and fires immediately:
<!-- consent banner present -->
<div id="cookie-banner">Usamos cookies. <button>OK</button></div>
<!-- ...but the tracker loads on first paint, before any choice -->
<script src="https://analytics.example.com/track.js" data-id="ID-REDACTED"></script>
A reviewer reads this as "consent banner detected, but a non-essential tracker also detected loading before any choice" — the transparency-and-control gap the LGPD cares about. The fix is to gate non-essential scripts behind the user's choice and explain them in your notice, not just to show a banner.
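The gated version of the pattern above, as an added example that is not LaunchTrust's or the page's own code: the banner markup stays, the inline tracker tag is removed, and the script below loads only the categories the visitor accepted, with reject as a first-class path. It assumes the banner's buttons carry a data-action attribute ("accept-all" or "reject-all"), a made-up storage key, and the constructed example.com script URLs.

```javascript
// Added example (not LaunchTrust's or the page's own code): the tracker tag is
// dropped from the static markup and loads only after the visitor decides.
const CONSENT_KEY = 'cookie-consent-v1';   // assumed storage key
// Catalogue by category (example.com hosts are constructed); only "necessary" loads before a choice.
const SCRIPT_CATALOG = [
  { src: '/static/app.js', category: 'necessary' },
  { src: 'https://analytics.example.com/track.js', category: 'analytics' },
  { src: 'https://ads.example.com/pixel.js', category: 'advertising' },
];

// Map a banner button's data-action to a stored choice; anything else means no decision.
function choiceFromAction(action) {
  if (action === 'accept-all') return { analytics: true, advertising: true };
  if (action === 'reject-all') return { analytics: false, advertising: false };
  return null;   // unknown action: nothing recorded, trackers stay off
}

// Pure decision: which script URLs may load for this choice (null = none made yet).
function allowedScripts(choice, catalog = SCRIPT_CATALOG) {
  return catalog
    .filter(s => s.category === 'necessary' || (choice !== null && choice[s.category] === true))
    .map(s => s.src);
}

// Browser glue: inject exactly the allowed scripts, each at most once.
function applyConsent(choice) {
  const srcs = allowedScripts(choice);
  if (typeof document === 'undefined') return srcs;   // no DOM (e.g. under test)
  for (const src of srcs) {
    if (document.querySelector(`script[src="${src}"]`)) continue;   // already injected
    document.head.appendChild(Object.assign(document.createElement('script'), { src, async: true }));
  }
  return srcs;
}

// On load: honour a stored choice; otherwise load necessary scripts only and ask.
function initConsent() {
  if (typeof document === 'undefined') return;
  const stored = localStorage.getItem(CONSENT_KEY);
  if (stored) return applyConsent(JSON.parse(stored));
  applyConsent(null);
  const banner = document.getElementById('cookie-banner');
  banner.hidden = false;
  for (const btn of banner.querySelectorAll('button[data-action]')) {
    btn.addEventListener('click', () => {
      const choice = choiceFromAction(btn.dataset.action);
      localStorage.setItem(CONSENT_KEY, JSON.stringify(choice));
      applyConsent(choice);
      banner.hidden = true;
    });
  }
}
initConsent();
```

A scan of the resulting page still reports the banner, but no tracker script is present in the markup an anonymous visitor receives until that visitor accepts.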
How to address Brazil requirements
- Publish a clear, linked privacy notice — ideally in Portuguese — that names what data you collect, your LGPD legal basis, and how Brazilian users exercise their rights (access, correction, deletion, portability). Confirm it is reachable for logged-out visitors. → privacy policy
- Offer an account- and data-deletion route users can find and use, and describe it in your notice. → account and data deletion
- Be transparent about cookies and trackers, and gate non-essential ones behind a real choice — analytics and ad scripts should not fire before the user decides. → cookie consent banner
- Make pre-purchase terms and supplier identity clear — price, recurring charges, who you are, and how to reach you — before checkout. → contact and imprint
- State withdrawal, refund, and renewal terms plainly, keeping the CDC's 7-day withdrawal expectation in mind for consumer purchases. → refund and cancellation policy
- Cover accessibility basics — page language, title, alt text, form labels, no disabled zoom. → page language attribute
- Re-scan and verify that each signal flips to detected, then check the behavior yourself in a logged-out browser session — especially that trackers wait for the user's choice.
Check this in 30 seconds
Run your URL through LaunchTrust's free scanner. It fetches your live page and reports whether your privacy notice, cookie consent, data-deletion route, refund and subscription terms, supplier contact, and accessibility basics are detected, not detected, or unable to determine — so you can spot a missing Brazil-facing trust signal before a user, the ANPD, or an app reviewer does. No signup, and it only reads the same public HTML your visitors already get.
FAQ
Does the LGPD apply to me if I'm based outside Brazil? Often, yes. The LGPD is widely understood to reach controllers outside Brazil when they process the personal data of people located in Brazil or offer goods and services to the Brazilian market, regardless of where the business sits. If Brazilian users can sign up, buy, or chat, these areas are commonly in scope. Confirm specifics for your situation with a qualified source.
Is the LGPD basically the same as GDPR? They are closely aligned in structure — legal bases, data-subject rights, accountability — but they are separate laws with their own definitions, authorities (the ANPD vs. EU regulators), and details that can differ. Much of the practical groundwork overlaps, so the GDPR checklist for indie apps is a useful starting point, but treat Brazil as its own track.
Do I need a 7-day refund window for my Brazilian customers? The CDC's Article 49 commonly gives consumers a 7-day right of withdrawal for off-premises purchases, which is widely applied to online and app sales. How it interacts with already-delivered digital content has nuances, so treat the 7-day point as the general rule, disclose your terms clearly, and confirm specifics for your product type.
Does a clean LaunchTrust scan mean my app meets the LGPD? No. A scan surfaces observable signals on your public pages; it does not prove your app meets the LGPD, the CDC, the LBI, or any other Brazilian rule, and it issues no verdict, score, or certification. LaunchTrust reports signals — it is a compliance aid, not legal advice. For your specific situation, consult a qualified professional.
Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.