Brésil LGPD et WiFi invité : Un guide de conformité

Ce guide de référence technique détaille comment la LGPD brésilienne s'applique aux déploiements de WiFi invité en entreprise, en se concentrant sur la conformité des Captive Portal, les bases légales de traitement et l'intersection avec le Marco Civil da Internet. Il fournit des conseils de mise en œuvre exploitables pour les responsables informatiques et les architectes réseau afin d'atténuer les risques réglementaires tout en maintenant l'utilité du réseau.

📖 5 min de lecture📝 1,004 mots🔧 2 exemples❓ 3 questions📚 8 termes clés

🎧 Écouter ce guide

Voir la transcription

Brazil LGPD and Guest WiFi: A Compliance Guide. A Purple Intelligence Briefing.

Welcome to the Purple Intelligence Briefing. I'm your host, and today we're tackling something that every IT manager, network architect, and compliance officer operating in Brazil needs to get right: the Lei Geral de Proteção de Dados — the LGPD — and specifically what it means for your guest WiFi deployments.

If you're already GDPR-compliant across your European operations, you might assume Brazil is a straightforward extension of that work. And you'd be partly right — but only partly. The LGPD has some meaningful differences that will catch out multinationals who simply copy-paste their EU compliance posture. And with the ANPD — Brazil's data protection authority — steadily maturing its enforcement capability, the window for a casual approach is closing fast.

So let's get into it. We'll cover the legal framework, the lawful bases that actually apply to WiFi sign-ups, how the ANPD compares to regulators like the ICO and CNIL, and what your captive portal needs to look like to keep you on the right side of the law.

Let's start with the fundamentals. The LGPD — Law Number 13,709 — came into force in August 2020, with administrative sanctions kicking in from August 2021. It was modelled closely on the GDPR, which means if you understand one, you have a solid foundation for the other. But the devil is in the details.

The moment a guest connects to your WiFi network, you are collecting personal data. MAC addresses, IP addresses, connection timestamps, session duration — all of this falls squarely within the LGPD's definition of personal data. Add a captive portal registration form collecting names, email addresses, or phone numbers, and you've moved firmly into territory that requires a clear lawful basis for processing.

The LGPD provides ten lawful bases under Article 7. For guest WiFi, three are particularly relevant. First, consent — Article 7, Roman numeral one. This is the most straightforward basis: the guest actively agrees to your privacy notice and ticks a consent checkbox before connecting. The consent must be free, informed, unambiguous, and specific to the purpose. You cannot bundle marketing consent with the basic connectivity consent — those need to be separate checkboxes.

Second, contract performance — Article 7, Roman numeral five. This applies when WiFi connectivity is part of a contracted service. A hotel guest who has booked a room that includes WiFi access can have their connection data processed under this basis, because it's necessary to deliver the service they've contracted for. This is a cleaner basis for hospitality operators than consent, because it doesn't require an active tick — it's inherent to the service relationship.

Third, legitimate interests — Article 7, Roman numeral nine. This is the most flexible but also the most legally exposed basis. You need to conduct and document a legitimate interests assessment — a balancing test — demonstrating that your interests don't override the data subject's fundamental rights. For basic network security logging, this is generally defensible. For behavioural analytics or marketing profiling, it becomes much harder to justify.

Now, here's something that catches out a lot of operators: the Marco Civil da Internet. This is Brazil's internet civil rights framework — Law 12,965 of 2014 — and it sits alongside the LGPD rather than being superseded by it. Under Article 13 of the Marco Civil, internet connection providers must retain connection logs for a minimum of one year. If your venue is providing internet access to the public, you may well fall within that definition. That means your data retention policy cannot simply say we delete everything after 30 days — you have a statutory obligation to retain connection logs for twelve months, regardless of what your LGPD privacy notice says about data minimisation.

Let's talk about the ANPD — the Autoridade Nacional de Proteção de Dados. It was established by the LGPD itself and operates as a special federal authority linked to the Ministry of Justice. Its mandate covers supervision, guidance, and enforcement.

How does it compare to the ICO in the UK or the CNIL in France? The honest answer is that the ANPD is still maturing. The ICO has issued fines in the tens of millions — British Airways received a twenty-million-pound penalty, Marriott eighteen-point-four million. The CNIL fined Google a hundred and fifty million euros and Facebook sixty million. The ANPD's first fine, issued in July 2023, was a total of fourteen thousand four hundred Brazilian reais — roughly three thousand US dollars — against a small telemarketing firm. In 2024, its enforcement actions were all against public sector entities and resulted in warnings rather than financial penalties.

But don't let that lull you into complacency. The ANPD's enforcement trajectory is clearly upward. In July 2024, it issued a preventive measure against Meta, ordering the immediate suspension of Meta's AI training data policy. In December 2024, it took action against X Corp over children's data. The ANPD's regulatory agenda for 2025 and 2026 explicitly prioritises AI and facial recognition — which is directly relevant to any venue deploying biometric authentication for WiFi access.

The maximum penalty under the LGPD is two percent of a company's Brazilian annual revenue, capped at fifty million reais per violation — approximately nine million euros at current exchange rates. That's significantly lower than GDPR's four percent of global revenue, but it's calculated on Brazilian revenue only. For a multinational with substantial Brazilian operations, the exposure is still material.

One critical difference from GDPR: the LGPD requires a Data Protection Officer for all data controllers, full stop. Under GDPR, a DPO is only mandatory in specific circumstances. Under the LGPD, if you're processing personal data in Brazil, you need one. ANPD Resolution 18, published in July 2024, sets out the detailed responsibilities and qualifications required. The DPO's contact details must be publicly disclosed — typically on your website.

Data subject rights under the LGPD number nine, compared to GDPR's eight. The practical differences for WiFi operators are two-fold. First, you have fifteen days to respond to a data subject access request — half the thirty-day window under GDPR. If you're running a large venue network with thousands of daily connections, your data retrieval and response processes need to be operationally capable of meeting that tighter deadline. Second, the LGPD includes an explicit right to request anonymisation of data, not just deletion. Your platform needs to support both responses.

So what does a compliant deployment actually look like? Let me walk you through the key implementation requirements.

Your captive portal must display a privacy notice in Portuguese — Brazilian Portuguese, not European Portuguese. The notice must identify the data controller, state the lawful basis for processing, specify the purposes for which data will be used, identify any third parties with whom data will be shared, and provide the DPO's contact details. This is non-negotiable.

Consent checkboxes must be unchecked by default. Pre-ticked boxes do not constitute valid consent under the LGPD, just as they don't under GDPR. Marketing consent must be separate from the connectivity consent — you cannot gate internet access on the guest agreeing to receive promotional emails.

On data minimisation: only collect what you actually need. If you're deploying guest WiFi purely for connectivity, you don't need a date of birth or a home address. If you're running a loyalty programme through your WiFi platform, you need to justify each additional data field against the stated purpose.

For data retention, document your policy explicitly. Connection logs: one year minimum under the Marco Civil. Marketing data: retain only as long as necessary for the stated purpose, and delete on withdrawal of consent. Your WiFi analytics platform should support automated retention schedules and deletion workflows.

The biggest pitfall I see in practice is the consent bundling problem. Operators build a single consent screen that covers connectivity, analytics, and marketing in one checkbox. That's non-compliant under both LGPD and GDPR. Separate the consents. Yes, it adds friction. But the alternative is an enforcement action that costs you far more.

The second major pitfall is ignoring the Marco Civil. Operators who focus entirely on LGPD compliance and forget about the one-year connection log retention obligation under the Marco Civil create a different kind of legal exposure. These are two separate legal instruments and both apply.

Third pitfall: failing to implement a data subject rights workflow. It's not enough to have a privacy notice that says contact us to exercise your rights. You need an operational process — a dedicated email address or web form, a documented internal workflow, and the technical capability to retrieve, correct, export, or delete a specific individual's data within fifteen days.

Let me run through some quick questions I hear regularly from clients.

Do we need a DPO if we only have one venue in Brazil? Yes. The LGPD applies to all data controllers processing personal data in Brazil, regardless of scale.

Can we use legitimate interests as our basis for WiFi analytics? Potentially, but you need a documented legitimate interests assessment. For basic network security and operational analytics, it's defensible. For behavioural marketing profiling, it's much harder to justify.

What about biometric authentication — facial recognition at the WiFi portal? That's sensitive data under the LGPD. You need explicit consent, and you need to be very careful about how you store and process it. The ANPD has this squarely in its sights for 2025 to 2026 enforcement.

We're GDPR-compliant — does that cover us for LGPD? Largely yes, but not entirely. The tighter data subject access request response window, the mandatory DPO requirement, the Marco Civil retention obligation, and the Portuguese-language notice requirement are all areas where GDPR compliance alone won't get you there.

To wrap up: the LGPD is a mature, GDPR-inspired data protection framework with some important Brazil-specific characteristics. For guest WiFi operators, the key actions are these.

Audit your captive portal: is your privacy notice in Brazilian Portuguese, does it state the lawful basis, are your consent checkboxes separate and unchecked by default?

Appoint a DPO and publish their contact details. This is mandatory for all controllers.

Check your data retention policy against the Marco Civil's one-year connection log requirement.

Build a data subject rights workflow capable of responding within fifteen days.

And if you're deploying any form of biometric authentication or advanced analytics, get a Data Protection Impact Assessment done before you go live.

Purple's guest WiFi platform is built with these compliance requirements in mind — configurable consent flows, automated retention schedules, and data subject rights tooling that works across both GDPR and LGPD jurisdictions. If you're deploying across Brazil and want to talk through your specific compliance architecture, reach out to the Purple team.

That's it for today's briefing. Thanks for listening, and we'll see you next time.

Points clés à retenir

✓The LGPD applies to all guest WiFi deployments in Brazil, treating MAC addresses, IPs, and session data as personal data.
✓Consent for network access cannot be bundled with marketing consent; checkboxes must be separate and unchecked by default.
✓The Marco Civil da Internet mandates a 1-year retention period for connection logs, overriding standard data minimisation policies.
✓Unlike GDPR, the LGPD requires all data controllers to appoint a Data Protection Officer (DPO) and publicly display their contact details.
✓Network operators have only 15 days to respond to Data Subject Access Requests (DSARs) under the LGPD, necessitating automated retrieval tools.
✓Profile-based authentication and 'Contract Performance' lawful bases offer robust, low-friction compliance architectures for hospitality and enterprise venues.
✓ANPD enforcement is escalating, with maximum fines reaching 2% of Brazilian revenue (up to R$50 million), making compliance a critical operational requirement.

Résumé Exécutif

Pour les responsables informatiques d'entreprise et les architectes réseau déployant le WiFi invité dans leurs opérations brésiliennes, la Lei Geral de Proteção de Dados (LGPD) présente un défi de conformité distinct. Bien que fortement influencé par le GDPR européen, le cadre de protection des données du Brésil contient des nuances critiques — telles qu'une exigence obligatoire de Délégué à la Protection des Données (DPO), des délais de réponse plus courts pour les demandes des personnes concernées, et les obligations cumulatives du Marco Civil da Internet. L'Autoridade Nacional de Proteção de Dados (ANPD) a progressivement renforcé sa position en matière d'application tout au long de 2024 et 2025, passant des avertissements initiaux à des sanctions ciblées. Ce guide fournit une référence technique définitive pour structurer l'authentification du Captive Portal, gérer les cycles de vie de rétention des données et assurer une conformité robuste sans sacrifier l'intelligence opérationnelle dérivée de votre Analyse WiFi .

Approfondissement Technique : Le Cadre LGPD pour les Opérateurs Réseau

Lorsqu'un utilisateur se connecte à un réseau invité public ou d'entreprise, l'infrastructure traite intrinsèquement des données personnelles. En vertu de la LGPD (Loi n° 13.709/2018), les adresses MAC, les allocations IP, les horodatages de session et toute information collectée via le Captive Portal constituent des données personnelles nécessitant une base légale pour leur traitement.

Bases Légales pour l'Authentification du Captive Portal

La LGPD établit dix bases légales pour le traitement des données personnelles (Article 7). Pour les déploiements de WiFi invité, les architectes doivent soigneusement mapper les flux de données à la base appropriée :

1. Consentement (Article 7, I) La base la plus courante pour les lieux publics (tels que les environnements de Commerce de Détail ). Le consentement doit être libre, éclairé, univoque et spécifique. Le Captive Portal doit présenter une case à cocher non pré-remplie renvoyant à une politique de confidentialité en langue portugaise. Il est crucial que les opérateurs ne puissent pas regrouper le consentement d'accès au réseau avec le consentement marketing ; ceux-ci doivent rester des actions distinctes.

2. Exécution du Contrat (Article 7, V) Très pertinent pour les déploiements dans le secteur de l' Hôtellerie . Lorsqu'un client réserve une chambre d'hôtel qui inclut explicitement l'accès WiFi, le traitement de ses données de connexion est nécessaire à l'exécution de ce contrat. Cela fournit une base solide pour la fourniture de réseau de base sans nécessiter de consentement actif par case à cocher sur le portail.

3. Intérêts Légitimes (Article 7, IX) Cette base nécessite un test d'équilibre documenté démontrant que les intérêts du responsable du traitement ne prévalent pas sur les droits fondamentaux de la personne concernée. Bien que défendable pour la journalisation de sécurité réseau de base et l'atténuation des menaces, s'appuyer sur les intérêts légitimes pour l'analyse comportementale ou le profilage marketing comporte un risque réglementaire significatif.

L'Intersection avec le Marco Civil da Internet

Un point de défaillance critique pour les déploiements multinationaux est de traiter la LGPD de manière isolée. Le cadre des droits civils de l'internet du Brésil, le Marco Civil da Internet (Loi 12.965/2014), fonctionne simultanément. En vertu de l'Article 13 du Marco Civil, les entités qualifiées de fournisseurs de connexion internet sont légalement tenues de conserver les journaux de connexion pendant un minimum d'un an. Cela annule les principes standard de minimisation des données de la LGPD ; une politique stipulant que "toutes les données de connexion sont supprimées après 30 jours" est activement non conforme au Marco Civil.

Guide de Mise en Œuvre : Architecturer la Conformité

Le déploiement d'une architecture conforme nécessite l'alignement des contrôleurs réseau, des fournisseurs d'identité et des plateformes d'analyse. Purple agit comme un fournisseur d'identité transparent, permettant une authentification sécurisée et conforme — y compris la prise en charge d'OpenRoaming sous la licence Connect — tout en gérant le cycle de vie du consentement sous-jacent.

1. Configuration du Captive Portal

Localisation Linguistique : La politique de confidentialité et les mécanismes de consentement doivent être présentés en portugais brésilien.
Architecture de Consentement Granulaire : Mettre en œuvre des cases à cocher distinctes et non pré-remplies pour (a) l'acceptation des Conditions Générales de Service/Politique de Confidentialité requise pour l'accès, et (b) les communications marketing facultatives.
Identification du Responsable du Traitement : Le portail doit clairement identifier le responsable du traitement des données et fournir les coordonnées directes du Délégué à la Protection des Données (DPO) obligatoire.

2. Gestion du Cycle de Vie de la Rétention des Données

Configurez des politiques automatisées de cycle de vie des données au sein de votre plateforme d'analyse :

Journaux de Connexion : Définissez la rétention à exactement un an pour satisfaire l'obligation du Marco Civil, suivie d'une suppression automatisée.
Données Marketing/Profil : Liez la rétention directement à l'objectif déclaré et assurez une suppression immédiate en cas de retrait du consentement.

3. Flux de Travail des Demandes d'Accès des Personnes Concernées (DSAR)

La LGPD impose un délai de réponse de 15 jours pour les DSAR — la moitié du temps autorisé par le GDPR. Les opérateurs réseau doivent mettre en œuvre des outils automatisés pour récupérer, exporter, corriger ou anonymiser les données d'un utilisateur spécifique à travers toute l'architecture WiFi dans ce délai contraint.

Bonnes Pratiques et Normes de l'Industrie

Lors de la conception de votre architecture réseau, tenez compte de ces bonnes pratiques établies :

Adopter l'Authentification Basée sur les Profils : La transition vers l'authentification basée sur les profils (telle que Passpoint/OpenRoaming) réduit la dépendance à la collecte répétitive de données via le Captive Portal, améliorant la sécurité tout en rationalisant l'empreinte de conformité. Ceci s'aligne avec les principes modernes de l' Architecture de l'Internet des Objets : Un Guide Complet .
Nomination obligatoire d'un DPO : Contrairement au GDPR, la LGPD exige que tous les responsables du traitement des données nomment un DPO. Assurez-vous que ce rôle est pourvu et documenté publiquement conformément à la résolution 18 de l'ANPD.
Évaluations d'impact sur la protection des données (EIPD) : Menez une EIPD formelle avant de déployer des analyses avancées, telles qu'un Guide des systèmes de positionnement intérieur : UWB, BLE et WiFi , car le suivi de localisation implique des implications accrues en matière de confidentialité.

Dépannage et atténuation des risques

Modes de défaillance courants

Le piège de la traduction : Utiliser le portugais européen au lieu du portugais brésilien pour les avis de confidentialité, ce qui peut invalider le consentement éclairé.
L'excès de suppression : Configurer des politiques agressives de suppression de données après 30 jours qui violent le mandat de conservation d'un an du Marco Civil pour les journaux de connexion.
Le regroupement des consentements : Forcer les utilisateurs à accepter les communications marketing pour obtenir l'accès au réseau. Cela viole l'exigence de la LGPD selon laquelle le consentement doit être donné librement.

Réalité de l'application de l'ANPD

Bien que les amendes initiales de l'ANPD aient été relativement faibles par rapport à l'ICO ou à la CNIL, leur trajectoire d'application s'accélère. Des actions récentes ont ciblé le partage de données inapproprié et les mesures de sécurité inadéquates. La pénalité maximale est de 2 % du chiffre d'affaires annuel brésilien (plafonnée à 50 millions de R$ par violation), faisant de la conformité une priorité au niveau du conseil d'administration pour les opérateurs d'entreprise.

Retour sur investissement et impact commercial

Investir dans une architecture WiFi robuste et conforme à la LGPD offre une valeur commerciale mesurable au-delà de l'atténuation des risques. Un processus d'authentification transparent et sécurisé renforce la confiance des utilisateurs, augmentant les taux de conversion du portail. De plus, en utilisant une plateforme conforme comme Purple, les lieux peuvent exploiter en toute sécurité la monétisation des médias de détail et l'analyse opérationnelle sans exposer l'entreprise à des sanctions réglementaires. Le retour sur investissement est calculé non seulement en amendes évitées, mais aussi en la capacité soutenue à générer des données de première partie sur le marché brésilien.

Briefing Podcast

Écoutez notre briefing complet de 10 minutes sur l'architecture de la conformité LGPD pour les réseaux WiFi d'entreprise :

Termes clés et définitions

Autoridade Nacional de Proteção de Dados (ANPD)

Brazil's national data protection authority, responsible for issuing guidance, auditing compliance, and enforcing administrative sanctions under the LGPD.

IT teams must monitor ANPD resolutions (such as Resolution 18 regarding DPOs) to ensure their technical configurations remain aligned with regulatory expectations.

Marco Civil da Internet

Brazil's internet civil rights framework (Law 12,965/2014) which mandates specific data retention periods for internet connection providers.

Network architects must configure storage systems to retain connection logs for one year to satisfy this law, running parallel to LGPD requirements.

Lawful Basis

The specific legal justification required under Article 7 of the LGPD to process personal data, such as Consent or Contract Performance.

Before deploying a captive portal, the IT team must document exactly which lawful basis applies to the data being collected to survive an ANPD audit.

Data Subject Access Request (DSAR)

A formal request from an individual to access, correct, anonymise, or delete their personal data held by a controller.

WiFi operators must have automated tooling to process these requests across all databases within the strict 15-day window mandated by the LGPD.

Data Protection Officer (DPO)

The individual designated by the controller to act as a communication channel between the controller, data subjects, and the ANPD.

Unlike GDPR, the LGPD requires all entities processing personal data to appoint a DPO and publicly display their contact information on the captive portal.

Profile-Based Authentication

A secure method of network access (e.g., OpenRoaming) where devices authenticate automatically using a cryptographic profile rather than a web-based captive portal.

Reduces compliance overhead by minimizing repetitive data collection and relying on established identity providers.

Connection Logs

Technical metadata generated during network access, including IP addresses, MAC addresses, and session timestamps.

Must be securely stored for exactly one year under the Marco Civil, requiring specific configuration in the network controller or analytics platform.

Anonymisation

The process of irreversibly altering personal data so that it can no longer be attributed to a specific individual.

Under the LGPD, users have an explicit right to request anonymisation of their data, which analytics platforms must support as an alternative to outright deletion.

Études de cas

A multinational retail chain is expanding into São Paulo and needs to deploy guest WiFi across 50 stores. They currently use a standard GDPR captive portal that deletes all data after 90 days. How must they adapt this architecture for the Brazilian market?

The architecture requires three critical modifications. First, the data retention policy must be bifurcated: connection logs (IP, MAC, timestamps) must be retained for exactly one year to comply with Article 13 of the Marco Civil da Internet, while marketing data can follow the 90-day policy. Second, the privacy notice must be translated into Brazilian Portuguese and explicitly name the mandatory Data Protection Officer (DPO). Third, the automated DSAR response workflow must be reconfigured to ensure data retrieval or deletion is executed within 15 days, rather than the 30 days permitted under GDPR.

Notes de mise en œuvre : This approach correctly identifies the intersection of the LGPD and the Marco Civil, which is the most common architectural failure point for foreign entities entering Brazil. It also practically addresses the operational impact of the compressed 15-day DSAR window.

A luxury hotel in Rio de Janeiro wants to provide seamless WiFi to guests without requiring them to fill out a captive portal form every time they connect. How can they achieve this compliantly under the LGPD?

The hotel should leverage 'Contract Performance' (Article 7, V) as the lawful basis for processing connection data for registered guests, as internet access is a contracted amenity of the room booking. They can implement profile-based authentication (like Passpoint) tied to the guest's reservation profile. For non-guests (e.g., conference attendees or restaurant patrons), the network should segment them to a standard captive portal relying on explicit 'Consent' (Article 7, I).

Notes de mise en œuvre : This demonstrates advanced architectural thinking by segmenting user types and applying the most appropriate lawful basis to each, thereby reducing friction for high-value users while maintaining strict compliance.

Analyse de scénario

Q1. Your marketing team wants to implement a new captive portal in your São Paulo locations that requires users to provide their email address and agree to receive promotional offers before they can access the free WiFi. As the network architect, how should you respond?

💡 Astuce :Consider the LGPD requirements for consent to be 'freely given' and the concept of consent bundling.

Afficher l'approche recommandée

You must reject this architecture. Under the LGPD, consent must be freely given. Conditioning the provision of a service (WiFi access) on consent for an unrelated purpose (marketing communications) invalidates the consent. The portal must be redesigned with two separate checkboxes: one mandatory checkbox for accepting the network terms of service, and one optional, unchecked checkbox for marketing communications.

Q2. A user who connected to your stadium WiFi six months ago submits a formal request to have all their data deleted under the LGPD. Your automated system is configured to purge their CRM profile, but the network engineering team points out that deleting their connection logs violates the Marco Civil. How do you resolve this conflict?

💡 Astuce :Evaluate the hierarchy and interaction between the LGPD data subject rights and statutory retention obligations.

Afficher l'approche recommandée

You must execute a partial deletion. Under the LGPD, the right to deletion is not absolute; it does not override statutory obligations. You must delete the user's marketing and profile data from the CRM and analytics platforms. However, you must retain the core connection logs (IP, MAC, timestamps) for the remainder of the 1-year period mandated by Article 13 of the Marco Civil. You must respond to the user within 15 days explaining exactly what was deleted and why the connection logs were retained.

Q3. You are migrating your European WiFi architecture to Brazil. Your current GDPR process allows 30 days to respond to Data Subject Access Requests (DSARs) and relies on manual database queries by the IT team. Why is this problematic for the Brazilian deployment?

💡 Astuce :Compare the statutory response windows between the two regulatory frameworks.

Afficher l'approche recommandée

This is problematic because the LGPD mandates a 15-day response window for DSARs, exactly half the time allowed under GDPR. A manual query process that takes up to 30 days will result in compliance failures in Brazil. The IT team must implement automated tooling within the analytics platform to rapidly retrieve, compile, and export user data to meet the stricter 15-day SLA.