When it comes to protecting its citizens’ data, Brazil is a country the rest of the world should emulate. The South American country is dead serious about protecting its citizens’ privacy.
Much of Brazil’s data privacy enforcement power stems from its General Data Protection Law, “Lei Geral de Proteção de Dados” (LGPD). Inspired by the E.U.’s GDPR, the LGPD was enacted in August 2018, and it became effective on September 18, 2020. The legislation is part of a wide-ranging effort to regulate the collection, processing, and storage of Brazilians’ personal data by companies, both foreign and domestic.
In an effort to protect the privacy rights of Brazilian data subjects, the LGPD forces covered entities to disclose data breaches, appoint data protection officers, and take precautions when accessing Brazilians’ biometrics or transferring personal data internationally to other entities.
Since the LGPD became effective in 2020, Brazil’s data privacy regulatory body, the National Data Protection Authority (ANPD), has aggressively cracked down on Brazilian entities and international tech giants alike.
Brazil’s data regulator is off to the races
The ANPD, which is an independent, public authority linked to the Brazilian Ministry of Justice, enforces the LGPD. The ANPD issues guidelines for covered entities to follow, reviews and approves these entities’ data protection impact assessments, and applies sanctions on entities that fail to comply with the law.
Failure to comply with the LGPD can result in fines up to 2% of the entity’s annual revenue—with a maximum penalty of 50 million reais per violation (roughly $9.3m USD).
Helmed by Waldemar Gonçalves, the ANPD has taken enforcement action against more than seven public government agencies and at least one private Brazilian company. Additionally, twenty large companies have been investigated and inspected for data protection officer (DPO) appointment-related issues.
Perhaps most enviably, the ANPD has shown that it isn’t afraid to go after international tech conglomerates that process Brazilians’ personal data. In fact, the ANPD has already issued preemptive and preventive measures against the likes of Meta, X, TikTok, Telegram, and Sam Altman’s Tools for Humanity project.
ANPD stops Meta and X from indiscriminately using Brazilians’ data to train AI projects
Last year, Meta and X both found themselves in the ANPD’s crosshairs, as both tech behemoths were scraping Brazilian users’ data from social media platforms and using that personal data to train generative AI systems.
In order to stop Meta from pulling Brazilians’ data from Facebook, Instagram, and Messenger and using it to train Meta’s AI systems, the ANPD issued a preventive measure on July 1, 2024. That measure suspended one of Meta’s privacy policies, “Facebook Online Services of Brazil.”
Meta was in violation of the LGPD in four different ways. Without getting into the legalese, Meta had essentially failed to (1) provide adequate disclosures, (2) enact guardrails for children, (3) give data subjects opt-out mechanisms, and (4) respect the legitimate expectations of Brazilian social media users.
If Meta had violated the ANPD’s preventive measure, the company would have been required to pay 50,000 reais (roughly $10,000) per breach per day. Facing this reality, Meta addressed the four noncompliance issues. Meta began providing Brazilians with notices and disclosures about how their data would be used for AI training; it allowed Brazilians to opt out of the data collection; and it committed never to process the personal data of Brazilian minors for the purpose of AI training. On August 30, 2024, after Meta had made the requisite adjustments, the ANPD suspended its preventive measure.
Around the same time period, the ANPD went after X for using Brazilians’ tweets to train Grok. Much like Meta did, X made changes to its privacy policy to ensure that user consent would be obtained before X processed any user data and used it to train its generative AI systems.
The key here is transparency. Tech companies try to process our data in ways that best serve their interests; moreover, these processes are often put into practice by default. Users do not always know this is happening, as the relevant terms are frequently buried in privacy documents. In the case of Meta and X, the ANPD has shown that it will not tolerate such behavior.
ANPD cracks down on TikTok and Altman’s Tools for Humanity
In December of 2024, the ANPD ordered TikTok parent company ByteDance to strengthen its age verification measures on the platform. Access to TikTok was blocked in Brazil if a user wasn’t registered. TikTok appealed the ruling; however, a federal court eventually ruled that ByteDance must suspend unregistered users’ access to TikTok. Additionally, ByteDance was forced to submit a compliance plan, which included age verification mechanisms.
In a legal win for the ANPD, TikTok complied with the court ruling in March, ensuring that Brazilian children and adolescents could not view content on TikTok without a registered account. The ANPD is keeping TikTok active in Brazil, while ensuring that it takes the appropriate privacy and security measures.
Via another preventive measure, the ANPD also regulated Sam Altman’s Tools for Humanity project in Brazil. If you haven’t read about it, Altman’s borderline-dystopian project involves paying users (in Worldcoin cryptocurrency) for access to their irises.
The ANPD ruled that Tools for Humanity must stop offering compensation in exchange for Brazilians’ biometric data. Also, the enforcement agency demanded that Tools for Humanity identify on its website exactly who is processing the Brazilians’ personal data. Incidentally, Spain and Portugal have also taken legal action against Altman’s project.
Other ANPD enforcement activity to date
The ANPD has issued at least seven sanctioning decisions regarding the communication of data breaches. Under Article 48 of the LGPD and the subsequent Resolution CD/ANPD No. 15 (passed in April 2024), companies must provide sufficient information about breaches to the ANPD—and to the affected data subjects themselves.
Companies must tell the ANPD within three business days after the company learns about a breach involving “risk or harm to certain forms of personal data.” The following data falls under that umbrella: all sensitive personal data, data from children and the elderly, financial data, certain authentication data, data protected by legal or professional secrecy, and large-scale data.
Data breach incidents must be communicated, not only to the ANPD, but also to the data subjects—either by phone, email, or letter.
After a breach at the INSS (Brazil’s National Social Security Institute) occurred between August and September 2022, the ANPD took enforcement action on February 1, 2024. The ANPD’s action was affirmed on appeal on July 26, 2024.
Such enforcement against a public entity isn’t anomalous; in fact, the majority of the ANPD’s early enforcement activity was directed at public entities in Brazil. Another public entity, the AMSPE (State Government Employee Medical Assistance Institute), was issued multiple warnings in 2023 for not disclosing a breach within the requisite three days.
Of course, the ANPD has gone after private entities as well. As another quick example, again in 2023, the ANPD levied a fine on Telekall Infoservice. This privately owned telecom company incurred a small fine for processing personal data illegally and failing to appoint a DPO. Although the fine was only 14,000 reais (roughly $2,960 USD), it sent a message.
In short, the ANPD is taking its enforcement of the LGPD seriously.
Biometrics, AI, and future legislation
The ANPD is certainly focused on data breach notifications, DPO appointment issues, and international data transfer regulation. However, the enforcement agency has set its sights on biometrics and AI as well.
Currently, the ANPD has requested data protection impact assessment reports from nearly two dozen Brazilian football clubs; the concern here is the use of facial recognition software at stadiums, as well as the use of biometrics via apps that sell tickets to matches.
Again, the issue at hand is transparency. The ANPD wants to ensure that these clubs are complying with LGPD regulations related to registering and processing data. Also, there is a concern related to the collection of biometric data from fans under age sixteen.
In regard to AI, Brazil is currently trying to pass a federal legal framework; in fact, this legislation is currently in its final stages within Brazil’s National Congress. That said, ANPD President Gonçalves isn’t waiting for the new AI law to pass.
Gonçalves believes he can regulate AI via the LGPD today. At the 2025 Mobile World Congress in Barcelona, Gonçalves said,
“We are not waiting for the AI legal framework in Brazil to begin regulating. Article 20 of the LGPD already requires us to address automated decision-making. For now, we are focusing on this article. When the law is enacted, it will bring additional obligations for regulating AI in Brazil, and that will lead to further regulatory actions.”
When Gonçalves speaks at these events, he repeatedly emphasizes ANPD’s key priorities—protecting Brazilian data subjects’ rights, addressing biometrics and AI, protecting children and adolescents, and blocking tech companies from surreptitious data collection.
Gonçalves’ agency is doing a stellar job so far. While the ANPD has yet to levy any enormous fines, it is aggressively enforcing the LGPD by investigating covered entities, both foreign and domestic, and forcing these companies to change their behavior if they want to do business in Brazil.
The United States would be wise to take a page out of Brazil’s playbook, although that would require Congress to pass a federal data privacy law, which seems unlikely in this climate.
Until then, viva Brazil!