Straight to the point
LGPD applies to WhatsApp customer support because a customer’s name, phone number, and conversations are personal data. For a small business, the basics are: collect only what you use, make clear what it is for, store it somewhere secure with controlled access, and delete it when you no longer need it. You do not have to become a lawyer. You need common sense with the data and an organized place for it, instead of each agent’s personal phone.
This text is a general explanation, not legal advice. For specific cases, consult a professional.
What LGPD is, in one sentence
The LGPD (Lei Geral de Proteção de Dados, Law 13.709/2018) is Brazil’s rule for how companies may collect, use, and store personal data. If you serve customers and store a name, phone number, address, or conversation history, you handle personal data and LGPD applies to you, even as a small business.
Why this matters on WhatsApp
On WhatsApp, personal data shows up all the time: the customer’s number, name, delivery address, sometimes an ID number or a photo of a document. When all of that is scattered across each agent’s personal phone, you have two problems at once: it is hard to comply with LGPD and it is easy to lose the data (or have it leak) when someone changes phones or leaves the team. Organizing your support is also the first step toward privacy.
The basics that fit a small business
You do not need a legal department. You need a few habits:
- Collect only what you need. Ask for the data you actually use to serve the customer. Do not keep a document “just in case” if you do not need it.
- Make clear what it is for. Tell the customer why you are asking for the data and how you will use it. Transparency is the foundation of the law.
- Have a legal basis. In most support, the data is used to do what the customer asked for (the order, the quote). To send promotions later, consent is usually the path.
- Store it securely with controlled access. Data should sit where only the people who need it can access it, not in every phone’s camera roll.
- Delete it when you no longer need it. Data kept forever is risk kept forever. Decide what makes sense to keep.
- Respect the customer’s requests. They can ask for access, correction, or deletion of their data. Have a way to handle that.
Consent without overcomplicating
Consent is the customer’s permission to use their data for a specific purpose, and it must be freely given, clear, and informed. In practice, day to day:
- To serve a request the customer made, you usually do not need separate consent: they came to you for that.
- To send a promotion, news, or a marketing follow-up later, ask permission in a simple way and record that they agreed. A “may I let you know when we have news?” with their reply saved is already a start.
- The customer can withdraw consent whenever they want. Make that easy, rather than hard.
Where getting organized becomes protection
Most of the privacy risk in a small business does not come from bad intent, it comes from mess: conversations on the phone of someone who left, data copied in three places, no one knowing who has access to what. When support sits in an organized inbox, with history in the business and controlled access, complying with LGPD becomes much closer to natural. It is the opposite of the scenario we describe in how to stop losing sales on WhatsApp, where everything lives on one person’s phone.
It is part of what Briva does: keeping conversations and customer data in one place, within the business, instead of scattered across personal devices. See it on the home page.
Frequently asked questions
Does LGPD apply to a small business or only a large one? It applies to anyone who handles personal data, from a sole trader to a large company. Size changes what is reasonable to expect in terms of structure, not the obligation to look after the data.
Can I keep customer conversations on my personal WhatsApp? It may happen at first, but it is the highest-risk scenario: the data sits on one person’s device, with no access control, and is easily lost or leaked. The ideal is to keep it in a place owned by the business.
Do I need a huge consent form? No. Consent must be clear and informed, not long. For marketing, a simple request and a recorded reply handle most everyday cases.
A customer asked to delete their data. Am I required to? As a rule, yes, respecting legal exceptions (such as keeping what the law requires for a set period). That is why having data organized in one place helps: you can locate it and handle the request.
Written by the Briva Team, who built the tool after living through this chaos firsthand. This content is informational and not a substitute for legal advice.