Brazil's data protection regulator has shifted gear. After a period of measured guidance, the Autoridade Nacional de Proteção de Dados (ANPD – Brazil's National Data Protection Authority) is now conducting active enforcement proceedings, issuing binding decisions, and imposing financial penalties. International companies that process personal data of Brazilian residents – whether from inside Brazil or from abroad – face direct exposure. The window for voluntary alignment is narrowing.
Brazil's data protection legislation, the Lei Geral de Proteção de Dados (LGPD – Brazil's General Data Protection Law), has been fully in force since 2020. The ANPD's enforcement powers became operational in stages, with administrative sanctions – including fines calculated as a percentage of annual turnover in Brazil – now actively applied. Every data controller and data processor handling Brazilian residents' personal data must demonstrate compliance without delay.
This alert outlines the key enforcement developments, the business categories at highest risk, and the immediate steps your organisation should take now.
What has changed: the enforcement shift and its effective date
For several years after the LGPD came into force, the ANPD focused on issuing guidance, publishing technical opinions, and building its internal capacity. That period has ended. The ANPD has now completed its first full enforcement cycle. It has concluded sanctioned proceedings, published its decisions, and signalled that further investigations are under way across multiple sectors.
Several developments mark the shift. First, the ANPD has adopted a formal sanctioning methodology. Penalties are calculated based on the severity of the violation, the volume of data subjects affected, and the degree of cooperation shown by the organisation under investigation. Second, the regulator has expanded its thematic inspection agenda. Sectors under active scrutiny include financial services, health technology, e-commerce, and digital advertising. Third, the ANPD has clarified its position on international data transfer. Organisations routing Brazilian personal data to third countries must rely on an approved transfer mechanism – either a standard contractual clause model approved by the ANPD, or evidence of equivalent protection in the destination country.
These changes are not prospective. They apply to conduct that is ongoing right now. An organisation without a functioning consent mechanism, without a documented legal basis for each processing activity, or without a valid data transfer arrangement is currently in violation – not simply at risk of future non-compliance.
For international businesses accustomed to GDPR compliance frameworks, one distinction is worth noting. The LGPD's legal bases for processing differ in scope and application from their European equivalents. Relying on a GDPR compliance posture as a proxy for LGPD compliance is a documented source of exposure. The ANPD has made clear it will not treat GDPR adherence as a substitute for local compliance.
For a detailed view of how Brazil's data protection obligations interact with AI-driven processing, see our analysis of AI and technology law in Brazil.
Who is affected: threshold criteria and business categories at risk
The LGPD applies to any processing of personal data that occurs in Brazil, that targets individuals located in Brazil, or that involves data collected in Brazil – regardless of where the processing organisation is established. There is no minimum size threshold. A foreign company with no physical presence in Brazil but with Brazilian customers, users, or employees is subject to the law.
The following business categories face the most immediate enforcement exposure:
- Financial institutions and fintech companies processing payment, credit, or identity data of Brazilian residents
- Health and pharmaceutical companies handling sensitive personal data – including genetic, biometric, or medical records
- E-commerce and retail platforms collecting behavioural, purchase, and location data at scale
- Digital advertising networks and data brokers transferring Brazilian personal data internationally
- Human resources and payroll processors managing employee data for Brazilian workforce populations
Organisations acting as a data processor – processing data on behalf of a client – are not exempt. The LGPD imposes direct obligations on processors, and the ANPD has indicated it will pursue processors as well as controllers where a violation involves shared responsibility.
Engaging a lawyer in Brazil with cross-border data protection experience is particularly important for organisations that operate across multiple legal systems. LGPD obligations have nuances that differ materially from other privacy regimes, and enforcement decisions by the ANPD are already creating binding precedent.
To receive an expert assessment of your data protection exposure in Brazil, contact us at info@ferrazwhitmore.com.
What to do now: immediate actions and compliance timeline
Organisations with exposure to Brazilian data protection rules should treat the following as immediate priorities, not scheduled items for a future compliance cycle.
Map your data flows involving Brazilian residents. Identify every processing activity that touches Brazilian personal data. This includes data collected directly from Brazilian users, data transferred from Brazilian subsidiaries or partners, and data processed on behalf of Brazilian-based controllers. The mapping exercise should document the category of data, the legal basis relied upon, the retention period, and any third-party recipients.
Audit your consent mechanism and legal bases. The LGPD permits processing on multiple legal bases, of which consent is only one. However, where consent is the chosen basis, it must be specific, informed, and freely given. Bundled consent embedded in terms of service does not meet the standard. If your organisation relies on consent, verify that your collection and recording mechanisms satisfy LGPD requirements – not merely GDPR standards.
Establish or update your international data transfer arrangements. If personal data of Brazilian residents is transferred outside Brazil, you must have a valid legal instrument in place. The ANPD has published standard contractual clauses and is developing a list of countries with adequate protection levels. Until that list is finalised, organisations must rely on contractual mechanisms or documented binding corporate rules. Transfers made without any instrument are a priority enforcement target.
Appoint or confirm a Data Protection Officer (Encarregado). The LGPD requires data controllers to appoint an Encarregado (data protection officer) who acts as the point of contact with the ANPD and with data subjects. The appointment must be publicly disclosed. Organisations that have not yet made this appointment – or whose appointment does not meet the ANPD's published guidance – should act within weeks, not months.
Review your incident response and notification procedures. The LGPD requires notification of security incidents that may result in risk or harm to data subjects. The ANPD has issued guidance on notification timelines and content. Organisations should verify that their incident response plans reflect the Brazilian standard, which differs from the GDPR's 72-hour notification rule in certain respects.
A law firm in Brazil with cross-border data protection capability can help international organisations prioritise these actions based on their specific processing profile and risk exposure. Enforcement decisions already issued by the ANPD provide concrete guidance on the violations the regulator considers most serious.
For a broader view of data protection obligations applicable to companies operating in Brazil, visit our data protection services page for Brazil. For enforcement comparisons across the Americas, our alert on data protection enforcement in the United States provides a useful parallel analysis.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our team combines Portuguese civil law expertise with English common law tradition to deliver cross-border legal solutions in data protection and privacy compliance. In the Americas, our counsel supports international companies navigating LGPD obligations, cross-border data transfer arrangements, and ANPD enforcement proceedings. We have advised data controllers and data processors across financial services, technology, and health sectors on building compliance programmes that satisfy both Brazilian data protection legislation and parallel regimes such as GDPR. Our practice covers 15 areas of law, and our Lisbon base provides direct access to EU regulatory expertise relevant to companies managing data flows between Brazil and Europe. To discuss your organisation's data protection position in Brazil, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.