Compliance Briefing — Brazil issues MP 959 to delay LGPD effective date

Executive briefing: On 29 April 2020 Brazil issued Provisional Measure 959/2020, which would postpone the Lei Geral de Proteção de Dados (LGPD) effective date from August 2020 to 3 May 2021. Although later subject to congressional debate, the measure signaled additional runway for compliance programs disrupted by COVID-19.

What changed

• The provisional measure amended LGPD’s vacatio legis period, providing a seven-month extension before obligations and penalties took effect.
• Because MPs require congressional approval within 120 days, the deferral introduced uncertainty that demanded scenario planning.
• Regulators and privacy advocates warned organizations not to halt readiness work despite the proposed delay.

Why it matters

• Controllers and processors gained additional time to complete data mapping, consent workflows, and vendor contract updates, but enforcement timing remained fluid.
• Multinationals had to align Brazil roadmaps with other 2020 privacy milestones, including CCPA enforcement and GDPR cross-border rulings.
• Boards required updated risk assessments reflecting the possibility that Congress might shorten or reject the extension.

Action items for operators

• Maintain LGPD readiness plans with milestone buffers for either August 2020 or May 2021 go-live depending on legislative outcomes.
• Continue negotiating data processing agreements and incident response procedures to avoid last-minute compliance gaps.
• Track congressional deliberations on MP 959 and communicate scenario plans to executives and regional partners.