Creating an LGPD checklist for e-commerce is no longer an optional precaution—it has become part of the legal operation of any online store in Brazil. The Brazilian General Data Protection Law (LGPD) applies to all companies that collect and process the personal data of individuals in Brazil, regardless of the size of the business or its revenue. E-commerce businesses are among the sectors that naturally process the largest amount of personal data: names, addresses, taxpayer identification numbers (CPF), email addresses, browsing history, product preferences, and payment information are collected at virtually every stage of the purchasing process.
All of this data collection is legitimate, provided that it is based on a defined legal basis, a declared purpose, and documented processes. What separates an online store that can confidently respond to an audit from one that faces notifications and fines is, in most cases, the existence of these processes before any inspection takes place.
What Does the LGPD Require from an E-commerce Business?
Before going through the checklist, it is important to understand two concepts that guide all of the obligations below. In most cases, the e-commerce business is the data controller for the information it collects: it decides why the data is collected and how it will be used. When it hires payment platforms, email marketing tools, or order management systems, it works with data processors, third parties that process data on behalf of the controller.
This distinction matters because the controller’s legal responsibility does not transfer to the processor, regardless of who performs the data processing activities.
The 12-Point LGPD Checklist for E-commerce
None of the points below must necessarily be implemented all at once, but all of them should be in place before any regulatory inspection.
The order follows a logical progression: the first items establish the documentation foundation, the middle items address operational processes, and the final ones cover the technical and human layers that support the entire compliance structure.
1. Up-to-Date and Accessible Privacy Policy
The privacy policy must be available on the website in clear and accessible language, explaining what data is collected, the legal basis for the collection, its purpose, how long the data will be stored, and what rights data subjects have. A generic policy copied from another website does not meet the legal requirements and may worsen the situation during an audit.
2. Defined Legal Bases for Each Type of Data Processing
Each data collection activity must have a legal basis that authorizes it. Consent, contract performance, legitimate interest, and legal obligation are the most common legal bases in e-commerce.
A frequent issue is that online stores collect data without defining which legal basis justifies each processing activity, making the processing non-compliant even when there is no bad faith.
3. Documented and Revocable Consent
When consent is the chosen legal basis, it must be obtained in a specific, freely given, and unambiguous manner. Pre-checked boxes are not valid. Data subjects must be able to withdraw their consent at any time with the same ease with which they gave it, and the online store must be able to prove that consent was obtained.
4. Declared Cookies and Tracking Technologies
The use of cookies, tracking pixels, and analytics tools must be described in the privacy policy and, whenever personal data is collected, users must be given the option to accept or reject their use.
Ignoring this requirement is one of the most common mistakes made by online stores, especially those using third-party plugins without verifying what information they collect.
5. Communication Channel for Data Subject Rights
The LGPD guarantees individuals the right to access their personal data, correct inaccurate information, request data portability, request deletion, and withdraw consent.
An e-commerce business must provide a functional communication channel to receive and respond to these requests within the legally required timeframes. A dedicated email address is sufficient, provided that it is monitored and that a response procedure has been established.
6. Designated DPO or Documented Exemption
The Data Protection Officer (DPO) is responsible for receiving communications from the Brazilian National Data Protection Authority (ANPD) and data subjects, as well as providing internal guidance on compliance matters.
For smaller e-commerce businesses, the ANPD allows certain flexibilities, but the designation—or justified exemption—must be formally documented, and the DPO’s contact information should appear in the privacy policy.
7. Contracts with Data Processors That Include Security Obligations
Every platform or service provider that processes customer data on behalf of the e-commerce business must have a contract establishing security, confidentiality, and LGPD compliance obligations. This includes payment gateways, email platforms, ERP systems, and logistics providers.
Companies that fail to formalize these obligations remain exposed to data breaches originating from vendors or third-party integrations without having contractual mechanisms to hold those providers accountable.
8. Records of Processing Activities
The LGPD requires controllers to maintain documented records of their data processing activities, including information about the purpose of processing, legal basis, categories of personal data, retention periods, and data sharing activities.
This document, commonly referred to in the market as the Record of Processing Activities (ROPA), is often one of the first items requested during compliance audits.
9. Information Security Measures
The law requires controllers to implement appropriate security measures to protect the personal data they process.
For an e-commerce business, this includes HTTPS enabled across all website pages, password policies for administrative access, access controls over customer databases, and, where applicable, encryption of sensitive information.
Documenting these practices within an information security policy allows the company to objectively demonstrate compliance during an inspection.
10. Incident Notification Protocol
Whenever a personal data breach or unauthorized access presents a potential risk or significant harm to data subjects, the ANPD must be notified within three business days from the moment the controller becomes aware that the incident affected personal data, in accordance with ANPD Resolution CD/ANPD No. 15/2024.
An e-commerce business must have an internal procedure for identifying, documenting, and reporting these incidents. Without an established process, the three-business-day deadline is often consumed by internal discussions about what actually happened.
11. Data Retention and Secure Disposal Policies
Keeping customer data indefinitely simply because it “might be useful someday” is not compatible with the LGPD.
Each category of personal data must have a defined retention period linked to the purpose for which it was collected, along with a secure disposal process once that period expires.
Financial transaction data, for example, is subject to specific retention periods established by tax legislation, which must be considered alongside data protection requirements.
12. Training Employees Who Access Customer Data
Human error remains one of the leading causes of personal data incidents.
Employees who access customer databases, process orders, or respond to customer service requests must understand what they may and may not do with that information, how to recognize requests from data subjects, and when to escalate situations that fall outside normal procedures.
Compliance involves technology, but it depends equally on processes and people.
What Happens When the ANPD Audits an E-commerce Business Without These Processes?
When the ANPD initiates an administrative proceeding, the online store must demonstrate that the processes described above are actually operating—not simply claim that they exist.
The lack of documentation, inadequate contracts with data processors, or the absence of a channel for handling data subject requests are among the issues most likely to turn an inspection into an enforcement action.
The sanctions established by the LGPD include warnings, fines of up to 2% of the company’s net revenue from the previous fiscal year, limited to BRL 50 million per violation, public disclosure of the violation, and the blocking or deletion of personal data processed unlawfully.
For a medium-sized e-commerce business, any of these measures can have operational and reputational consequences that go far beyond the financial penalty itself.
Where to Begin Your LGPD Compliance Journey for E-commerce
The first step is data mapping: identifying what information is collected, where it is stored, who has access to it, and with which third parties it is shared.
This assessment provides the foundation for all subsequent documentation and compliance processes, and often reveals unnecessary data collection activities that can be eliminated before any technical measures are implemented.
For businesses starting from scratch, LGPD compliance involves everything from assessing the current environment to establishing a governance program capable of sustaining compliance over the long term.
Compliance does not need to happen all at once, but it should not be postponed indefinitely. The more data an online store accumulates without clear governance, the more difficult the regularization process becomes—and the greater the exposure during that period.
STWBrasil supports e-commerce businesses throughout the LGPD compliance process, from the initial data mapping phase to the development of the documentation, contracts, and protocols required by law. If your online store has not yet established this compliance framework, now is the time to get started.




