How can Brazilian citizens view, correct, or revoke consent for data used in their digital ID?
Executive summary
Brazil’s General Data Protection Law (LGPD) gives data subjects rights to access, correct and withdraw consent, and the national digital ID is governed by government programs (gov.br, Serpro/QuarkID) and state issuance that interact with LGPD protections [1] [2] [3]. Practical routes to exercise those rights include making Data Subject Access Requests (DSARs) to the controller, using gov.br account controls tied to digital-ID authentication levels, and, where consent was the legal basis, formally withdrawing consent under LGPD — enforced and interpreted by the national regulator ANPD [1] [2] [4].
1. How the law frames your powers — LGPD gives clear rights
Brazil’s LGPD grants individuals the right to obtain access to their personal data, request correction, and withdraw consent at any time; controllers must provide mechanisms such as DSAR forms and be able to justify their legal basis for processing [1] [5]. Legal commentary and practice guides stress that consent under LGPD is “free, informed and unequivocal” and can be revoked, which forces controllers to either stop processing or point to another lawful basis [1] [6].
2. Where to go first — the digital-ID platform and the data controller
If your information is used in Brazil’s federal digital ID ecosystem, start at the gov.br platform: it authenticates 153 million users and differentiates account levels (bronze/silver/gold) tied to verification methods (facial biometrics, bank validation, electoral records) — account settings and verification logs are the frontline place to view what’s linked to your digital ID [2]. For blockchain-based identity services like QuarkID or the Serpro-backed system, the issuing agency (state registries, Serpro or the platform operator named in rollout materials) is the controller to contact about access or correction [3] [7].
3. How to view what they hold — use DSARs and platform tools
Authors advising compliance recommend public-facing DSAR procedures (forms or portals) as standard practice; controllers should supply the full records they hold and explain processing purposes — the ANPD requires transparency and ICLG notes controllers must publish clear information on transfers and provide SCC texts on request [1] [8]. Available reporting indicates gov.br provides user dashboards and authentication logs tied to identity levels, which is a practical place to inspect linked credentials [2].
4. How to correct errors — formal requests to the controller
LGPD empowers you to demand rectification of inaccurate data; legal guides and practitioners advise submitting a signed DSAR requesting correction and, if necessary, citing specific documents that prove the error [1] [5]. Scholarly reporting on the national identity architecture documents asymmetries between state and citizen that make purposeful correction channels essential and politically sensitive — the system is complex and decentralized across states [9].
5. How to revoke consent — it’s permitted but may not stop all processing
Consent under LGPD can be withdrawn at any time, but withdrawal does not retroactively legalize prior processing nor always halt processing when another lawful basis exists [6] [1]. Legal guides stress controllers must cease processing activities that relied solely on consent, but state or legal obligations (for example, identity issuance duties) can create alternate legal bases not dependent on consent [5] [10]. Available sources do not mention a single universal “revoke” button across all digital-ID services — the mechanism depends on the specific controller and whether consent was the legal basis [1] [2].
6. When to escalate — ANPD, litigation and limits of enforcement
The ANPD is the regulator enforcing LGPD and has investigated companies for noncompliance such as failing to publish DPO/contact channels; it expects controllers to provide DSAR responses and transparency about international transfers [8] [4]. The European Data Protection Board has scrutinized Brazil’s frameworks as part of an adequacy assessment, signalling international attention to enforcement and the need to monitor ANPD practice [11]. Scholarly work warns that state asymmetries and bureaucracy can complicate redress in practice [9].
7. Practical checklist for citizens who want to act right now
1) Log into your gov.br account and review verification level, linked credentials and privacy settings [2]. 2) Identify the controller named on the service (state civil registry, Serpro, or private platform) and locate their DSAR/contact form [3] [2]. 3) Submit a formal request to view or correct data and, if consent was used, include an explicit withdrawal statement [1]. 4) If the controller fails to respond, file a complaint with ANPD or seek legal counsel — ANPD guidance and precedents are developing [8] [4].
Limitations and caveats: sources describe legal rights and platform designs but do not provide a single, consolidated step-by-step interface that applies to every digital-ID provider; procedures vary by issuing authority and whether processing relies on consent or another legal basis [9] [2] [1]. Available sources do not mention a unified national portal solely for revoking consent across all digital-ID services [2] [3].