Brazil LGPD and Guest WiFi: A Compliance Guide

Brazil LGPD and Guest WiFi: A Compliance Guide. A Purple Intelligence Briefing. Welcome to the Purple Intelligence Briefing. I'm your host, and today we're tackling something that every IT manager, network architect, and compliance officer operating in Brazil needs to get right: the Lei Geral de Proteção de Dados — the LGPD — and specifically what it means for your guest WiFi deployments. If you're already GDPR-compliant across your European operations, you might assume Brazil is a straightforward extension of that work. And you'd be partly right — but only partly. The LGPD has some meaningful differences that will catch out multinationals who simply copy-paste their EU compliance posture. And with the ANPD — Brazil's data protection authority — steadily maturing its enforcement capability, the window for a casual approach is closing fast. So let's get into it. We'll cover the legal framework, the lawful bases that actually apply to WiFi sign-ups, how the ANPD compares to regulators like the ICO and CNIL, and what your captive portal needs to look like to keep you on the right side of the law. Let's start with the fundamentals. The LGPD — Law Number 13,709 — came into force in August 2020, with administrative sanctions kicking in from August 2021. It was modelled closely on the GDPR, which means if you understand one, you have a solid foundation for the other. But the devil is in the details. The moment a guest connects to your WiFi network, you are collecting personal data. MAC addresses, IP addresses, connection timestamps, session duration — all of this falls squarely within the LGPD's definition of personal data. Add a captive portal registration form collecting names, email addresses, or phone numbers, and you've moved firmly into territory that requires a clear lawful basis for processing. The LGPD provides ten lawful bases under Article 7. For guest WiFi, three are particularly relevant. First, consent — Article 7, Roman numeral one. This is the most straightforward basis: the guest actively agrees to your privacy notice and ticks a consent checkbox before connecting. The consent must be free, informed, unambiguous, and specific to the purpose. You cannot bundle marketing consent with the basic connectivity consent — those need to be separate checkboxes. Second, contract performance — Article 7, Roman numeral five. This applies when WiFi connectivity is part of a contracted service. A hotel guest who has booked a room that includes WiFi access can have their connection data processed under this basis, because it's necessary to deliver the service they've contracted for. This is a cleaner basis for hospitality operators than consent, because it doesn't require an active tick — it's inherent to the service relationship. Third, legitimate interests — Article 7, Roman numeral nine. This is the most flexible but also the most legally exposed basis. You need to conduct and document a legitimate interests assessment — a balancing test — demonstrating that your interests don't override the data subject's fundamental rights. For basic network security logging, this is generally defensible. For behavioural analytics or marketing profiling, it becomes much harder to justify. Now, here's something that catches out a lot of operators: the Marco Civil da Internet. This is Brazil's internet civil rights framework — Law 12,965 of 2014 — and it sits alongside the LGPD rather than being superseded by it. Under Article 13 of the Marco Civil, internet connection providers must retain connection logs for a minimum of one year. If your venue is providing internet access to the public, you may well fall within that definition. That means your data retention policy cannot simply say we delete everything after 30 days — you have a statutory obligation to retain connection logs for twelve months, regardless of what your LGPD privacy notice says about data minimisation. Let's talk about the ANPD — the Autoridade Nacional de Proteção de Dados. It was established by the LGPD itself and operates as a special federal authority linked to the Ministry of Justice. Its mandate covers supervision, guidance, and enforcement. How does it compare to the ICO in the UK or the CNIL in France? The honest answer is that the ANPD is still maturing. The ICO has issued fines in the tens of millions — British Airways received a twenty-million-pound penalty, Marriott eighteen-point-four million. The CNIL fined Google a hundred and fifty million euros and Facebook sixty million. The ANPD's first fine, issued in July 2023, was a total of fourteen thousand four hundred Brazilian reais — roughly three thousand US dollars — against a small telemarketing firm. In 2024, its enforcement actions were all against public sector entities and resulted in warnings rather than financial penalties. But don't let that lull you into complacency. The ANPD's enforcement trajectory is clearly upward. In July 2024, it issued a preventive measure against Meta, ordering the immediate suspension of Meta's AI training data policy. In December 2024, it took action against X Corp over children's data. The ANPD's regulatory agenda for 2025 and 2026 explicitly prioritises AI and facial recognition — which is directly relevant to any venue deploying biometric authentication for WiFi access. The maximum penalty under the LGPD is two percent of a company's Brazilian annual revenue, capped at fifty million reais per violation — approximately nine million euros at current exchange rates. That's significantly lower than GDPR's four percent of global revenue, but it's calculated on Brazilian revenue only. For a multinational with substantial Brazilian operations, the exposure is still material. One critical difference from GDPR: the LGPD requires a Data Protection Officer for all data controllers, full stop. Under GDPR, a DPO is only mandatory in specific circumstances. Under the LGPD, if you're processing personal data in Brazil, you need one. ANPD Resolution 18, published in July 2024, sets out the detailed responsibilities and qualifications required. The DPO's contact details must be publicly disclosed — typically on your website. Data subject rights under the LGPD number nine, compared to GDPR's eight. The practical differences for WiFi operators are two-fold. First, you have fifteen days to respond to a data subject access request — half the thirty-day window under GDPR. If you're running a large venue network with thousands of daily connections, your data retrieval and response processes need to be operationally capable of meeting that tighter deadline. Second, the LGPD includes an explicit right to request anonymisation of data, not just deletion. Your platform needs to support both responses. So what does a compliant deployment actually look like? Let me walk you through the key implementation requirements. Your captive portal must display a privacy notice in Portuguese — Brazilian Portuguese, not European Portuguese. The notice must identify the data controller, state the lawful basis for processing, specify the purposes for which data will be used, identify any third parties with whom data will be shared, and provide the DPO's contact details. This is non-negotiable. Consent checkboxes must be unchecked by default. Pre-ticked boxes do not constitute valid consent under the LGPD, just as they don't under GDPR. Marketing consent must be separate from the connectivity consent — you cannot gate internet access on the guest agreeing to receive promotional emails. On data minimisation: only collect what you actually need. If you're deploying guest WiFi purely for connectivity, you don't need a date of birth or a home address. If you're running a loyalty programme through your WiFi platform, you need to justify each additional data field against the stated purpose. For data retention, document your policy explicitly. Connection logs: one year minimum under the Marco Civil. Marketing data: retain only as long as necessary for the stated purpose, and delete on withdrawal of consent. Your WiFi analytics platform should support automated retention schedules and deletion workflows. The biggest pitfall I see in practice is the consent bundling problem. Operators build a single consent screen that covers connectivity, analytics, and marketing in one checkbox. That's non-compliant under both LGPD and GDPR. Separate the consents. Yes, it adds friction. But the alternative is an enforcement action that costs you far more. The second major pitfall is ignoring the Marco Civil. Operators who focus entirely on LGPD compliance and forget about the one-year connection log retention obligation under the Marco Civil create a different kind of legal exposure. These are two separate legal instruments and both apply. Third pitfall: failing to implement a data subject rights workflow. It's not enough to have a privacy notice that says contact us to exercise your rights. You need an operational process — a dedicated email address or web form, a documented internal workflow, and the technical capability to retrieve, correct, export, or delete a specific individual's data within fifteen days. Let me run through some quick questions I hear regularly from clients. Do we need a DPO if we only have one venue in Brazil? Yes. The LGPD applies to all data controllers processing personal data in Brazil, regardless of scale. Can we use legitimate interests as our basis for WiFi analytics? Potentially, but you need a documented legitimate interests assessment. For basic network security and operational analytics, it's defensible. For behavioural marketing profiling, it's much harder to justify. What about biometric authentication — facial recognition at the WiFi portal? That's sensitive data under the LGPD. You need explicit consent, and you need to be very careful about how you store and process it. The ANPD has this squarely in its sights for 2025 to 2026 enforcement. We're GDPR-compliant — does that cover us for LGPD? Largely yes, but not entirely. The tighter data subject access request response window, the mandatory DPO requirement, the Marco Civil retention obligation, and the Portuguese-language notice requirement are all areas where GDPR compliance alone won't get you there. To wrap up: the LGPD is a mature, GDPR-inspired data protection framework with some important Brazil-specific characteristics. For guest WiFi operators, the key actions are these. Audit your captive portal: is your privacy notice in Brazilian Portuguese, does it state the lawful basis, are your consent checkboxes separate and unchecked by default? Appoint a DPO and publish their contact details. This is mandatory for all controllers. Check your data retention policy against the Marco Civil's one-year connection log requirement. Build a data subject rights workflow capable of responding within fifteen days. And if you're deploying any form of biometric authentication or advanced analytics, get a Data Protection Impact Assessment done before you go live. Purple's guest WiFi platform is built with these compliance requirements in mind — configurable consent flows, automated retention schedules, and data subject rights tooling that works across both GDPR and LGPD jurisdictions. If you're deploying across Brazil and want to talk through your specific compliance architecture, reach out to the Purple team. That's it for today's briefing. Thanks for listening, and we'll see you next time.