Cold Email Brazil: LGPD Compliance for B2B Outreach in 2026
By Puzzle Inbox Team · May 22, 2026 · 8 min read
Cold email Brazil under LGPD 2026: legitimate interest basis, ANPD enforcement, opt-out, data subject rights, and a practical outbound playbook for compliant B2B sends.
Cold email to recipients in Brazil is permitted under LGPD when you rely on legitimate interest, document the balancing test, and honor opt-out instantly.
Brazil's Lei Geral de Proteção de Dados (LGPD) treats a business email address as personal data when it identifies a natural person - which most do (maria.silva@empresa.com.br). That means every cold email campaign into Brazil processes personal data and needs a lawful basis under Article 7. For B2B prospecting, the workable basis is "legitimate interest" (Article 7, IX), not consent.
The Autoridade Nacional de Proteção de Dados (ANPD) issued its outbound marketing guidance in late 2024 and began active enforcement in 2025. Fines reach 2% of Brazilian revenue, capped at BRL 50 million per violation. Cold email to Brazil is still a viable channel - but only with a documented legitimate interest assessment (LIA) and operational opt-out hygiene.
Why legitimate interest, not consent, is the right basis
Consent under LGPD must be "free, informed, and unambiguous" - the same standard as GDPR. You cannot get that before a first cold touch, by definition. Legitimate interest lets you process publicly available B2B contact data for a clearly defined purpose (offering a relevant product to a relevant role) provided the data subject's rights and freedoms do not override your interest.
The balancing test is the document regulators ask for. It should show: (1) the specific purpose, (2) why email is necessary and proportionate, (3) what data you collected and from where, (4) the safeguards (suppression, opt-out, security), and (5) why a reasonable recipient would expect this contact. Keep the LIA on file and update it annually.
Data subject rights you must support
Every recipient of a cold email in Brazil has the right to: confirm processing, access their data, correct it, anonymize or delete it, port it, and object to processing based on legitimate interest. You need a working channel - typically a privacy@ inbox - that responds within 15 days. Objection is the practical one for outbound: when someone says "remove me," you must stop and suppress within a reasonable period, which ANPD reads as immediate.
What every compliant cold email to Brazil must include
Footer requirements are not codified line-by-line in LGPD, but ANPD guidance and CDC (Consumer Code) overlap to require: sender identity (legal name, CNPJ if applicable), how you obtained the address, the lawful basis ("legitimate interest"), a one-click opt-out, and a link to the privacy policy in Portuguese. Subject lines must not deceive - no fake "Re:" threads, no manufactured urgency.
Sourcing: where you got the address matters
Scraped lists, leaked databases, and "B2B data providers" that cannot show provenance are the fastest route to an ANPD complaint. Acceptable sources: company websites' public contact pages, LinkedIn (within their ToS, manually collected), event attendee lists where attendees were told about business contact, and your own warmed inbound. Log the source URL and collection date for every contact - this is the audit trail.
Deliverability layer: UOL, Terra, and Gmail BR
Brazilian inboxes are dominated by Gmail, Outlook, UOL, and Terra. UOL and Terra are aggressive on unknown senders - they greylist heavily and tolerate only very low complaint rates. For cold email to Brazil at any volume, run dedicated IPs, SPF, DKIM, and DMARC with strict alignment, and a 4-6 week warm-up with Portuguese-language seed traffic. Route replies and opt-outs through Puzzle Inbox so suppression happens before the next step fires.
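The strict-alignment requirement above can be checked against a published DMARC record. This is an added example, not code from the original post or from Puzzle Inbox; the sample records, the example.com domains, the function names, and the extra check that the policy is enforced (p=quarantine or p=reject) are assumptions made for illustration.

```python
"""Audit a DMARC TXT record for strict SPF/DKIM alignment (added example)."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into an ordered {tag: value} dict (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # tolerate a trailing ';' and empty segments
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings; an empty list means strict alignment plus enforcement."""
    tags = parse_dmarc(record)
    # The version tag must come first and must be exactly DMARC1.
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "").lower()
    # Assumption of this example: a monitoring-only policy counts as a finding.
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: policy is not enforced")
    # adkim/aspf default to relaxed ("r") when the tag is absent.
    for tag, label in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed: {label} alignment is not strict")
    return findings


def strictly_aligned(from_domain: str, auth_domain: str) -> bool:
    """Strict alignment: the authenticated domain equals the From: domain exactly."""
    return from_domain.strip(".").lower() == auth_domain.strip(".").lower()


# Constructed sample records (not taken from the page).
RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com;"

if __name__ == "__main__":
    for rec in (RELAXED, STRICT):
        print(rec, "->", audit_dmarc(rec) or "OK")
    # A bounce subdomain passes relaxed alignment but fails strict alignment.
    print(strictly_aligned("example.com", "bounce.example.com"))
```

Under strict alignment the SPF return-path domain and the DKIM d= domain must match the From: domain exactly, so a sending tool that signs or bounces from a subdomain will fail it.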
The follow-up trap
Most LGPD complaints against outbound senders cite follow-ups, not the first touch. If a recipient does not reply, you may follow up - but each step must carry the opt-out and identify the sender, and the cadence must be reasonable (three to four total touches over two to three weeks is the defensible norm). Endless "bumping to the top" sequences are the easiest enforcement target.
Practical cold email Brazil checklist for 2026
Before launch: written LIA on file; Portuguese-language footer with sender, basis, opt-out, and privacy link; sources logged per contact; suppression list synced across all sending tools and affiliates; privacy@ inbox monitored daily; warm-up complete; SPF/DKIM/DMARC aligned; complaint rate target under 0.1%.
During the campaign: monitor opt-out latency (target under one hour), bounce rate, and any privacy@ replies as priority-one tickets.