What Is the ANPD?
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's national data protection authority, created by the LGPD (Law No. 13,709/2018) to oversee, regulate, and enforce compliance with the country's data protection framework. It sits at the centre of Brazil's privacy regime in much the same way the CNIL operates in France or the ICO in the United Kingdom.
Article 55-A of the LGPD established the ANPD as a federal body with technical and decision-making autonomy. Its headquarters are in Brasilia, in the Federal District. For the first few years of its existence, the ANPD operated with limited staff and budget, relying on seconded civil servants from other government departments. That changed significantly in September 2025.
From Authority to Agency: The 2025 Institutional Upgrade
On 18 September 2025, Provisional Measure No. 1,317/2025 officially transformed the ANPD from a standard federal autarchy into an independent regulatory agency. The name shifted from "Authority" to "Agency," though the acronym ANPD remained unchanged.
This is not a cosmetic rebrand. The upgrade grants the ANPD functional, technical, decision-making, administrative, and financial autonomy - placing it on equal footing with established Brazilian regulators such as Anatel (telecommunications) and Anvisa (health surveillance). The Provisional Measure also created 200 permanent positions for Data Protection Regulation Specialists, to be filled through public examinations, giving the agency a dedicated technical workforce for the first time.
These new specialists carry police-like enforcement powers: the ability to order establishments to cease operations, seize equipment, and request police assistance when their functions are obstructed. The Provisional Measure was approved by the Chamber of Deputies in February 2026 and awaits final Senate approval to be converted into permanent law.
Organisational Structure Under the LGPD
Article 55-C of the LGPD defines the ANPD's internal composition. The agency comprises several bodies, each with distinct responsibilities.
The Board of Directors is the highest governing body, consisting of five directors including the Director-President. Members are appointed by the President of the Republic after approval by the Federal Senate, and they serve four-year terms (Article 55-D). Directors can only be removed through resignation, a final judicial conviction, or dismissal following a formal disciplinary proceeding (Article 55-E). This structure is designed to insulate the Board from political pressure.
The National Council for Personal Data and Privacy Protection is an advisory body of 23 representatives drawn from government, civil society, academia, business, and labour organisations (Article 58-A). It proposes strategic guidelines, prepares annual reports evaluating privacy policy implementation, and conducts public consultations. Council members serve two-year terms and may be reappointed once.
Supporting Bodies
Beneath the Board and Council sit several operational units: the Disciplinary Board Office, the Ombudsman's Office, the Office of Legal Affairs, and specialised administrative units. The General Coordination of Inspection (CGF) handles enforcement investigations, while the General Coordination of Standardisation produces regulatory guidance. The General Coordination of Technology and Research provides technical analysis - it was this unit that conducted preliminary assessments in the ANPD's cases against Meta and TikTok.
| Body | Role | LGPD Basis |
|---|---|---|
| Board of Directors | Highest decision-making body; five members, four-year terms | Art. 55-C, 55-D |
| National Council | Advisory; 23 members from government, civil society, business | Art. 58-A |
| Disciplinary Board Office | Internal disciplinary proceedings | Art. 55-C |
| Ombudsman's Office | Public complaints channel | Art. 55-C |
| Office of Legal Affairs | Legal counsel and advisory opinions | Art. 55-C (amended) |
| General Coordination of Inspection (CGF) | Enforcement investigations and sanctioning proceedings | Internal bylaws |
Regulatory and Supervisory Powers
Article 55-J of the LGPD grants the ANPD an extensive list of 24 specific responsibilities. These break down into three broad categories: rulemaking, supervision, and enforcement.
On the rulemaking side, the ANPD issues regulations, technical opinions, and guidelines that shape how organisations comply with the LGPD. It has already published resolutions on topics including sanction dosimetry (Resolution No. 4/2023), security incident notification (Resolution No. 15/2024), the Data Protection Officer role (Resolution No. 18/2024), and international data transfers (Resolution No. 19/2024). Every regulation must be preceded by public consultation and a regulatory impact assessment (Article 55-J, Paragraph 2).
For supervision, the ANPD can request information from any processing agent - public or private - at any time, conduct audits, and demand data protection impact assessments. It can issue supplementary technical reports and coordinate with other sector-specific regulators. It also acts as the central body for interpreting the LGPD across all of Brazil (Article 55-K).
The enforcement powers are where the ANPD's teeth show. Under Article 52 of the LGPD, the agency can impose warnings with corrective deadlines, simple fines of up to 2% of the company's gross revenue in Brazil (capped at R$50 million per infraction), daily fines, public disclosure of infractions, data blocking or deletion, partial suspension of database operations, and full prohibition of data processing activities.
How the ANPD Has Used Its Powers So Far
Enforcement started slowly. The ANPD spent its first years building institutional capacity and publishing foundational regulations rather than pursuing sanctions. The Regulation on Dosimetry and Application of Administrative Sanctions (Resolution No. 4, February 2023) was a turning point - it established the methodology for calculating fines and classifying offence severity, removing the final procedural barrier to enforcement action.
The first sanction came on 6 July 2023, when the ANPD fined Telekall Infoservice, a small telemarketing company, R$14,400 (roughly US$3,000). The violations were basic: no lawful basis for processing personal data (Article 7), failure to appoint a Data Protection Officer (Article 41), and non-cooperation with the authority's investigation. The fine amount was small because it represented 2% of the company's annual revenue - the maximum allowed under the law.
Since then, the ANPD has issued multiple sanctions against public entities. Brazil's National Social Security Institute (INSS) was penalised for failing to notify data subjects of a 2022 security breach. The Ministry of Health received two warnings for a similar incident. The Santa Catarina State Department of Health was sanctioned for inadequate security measures and delayed breach notification.
High-Profile Enforcement Against Tech Companies
The ANPD's most visible actions have targeted major technology platforms. In July 2024, it ordered Meta to immediately stop using personal data from its social media platforms to train artificial intelligence systems. In December 2024, it ordered X Corp (formerly Twitter) to suspend data processing from children's and adolescents' accounts for AI training purposes. It has also opened proceedings against TikTok (Bytedance Brasil) over practices inconsistent with children's data protection, and against Tools for Humanity (Sam Altman's World project) over the collection of biometric data in exchange for compensation.
The ANPD also launched monitoring proceedings against 20 large companies that had failed to appoint a DPO or provide effective communication channels - a signal that the agency views these as non-negotiable baseline requirements.
Interaction with Other Regulators
Article 55-J, Paragraph 3, requires the ANPD to coordinate with other government regulators in their respective sectors. It must maintain a permanent communication forum with bodies responsible for specific areas of economic and governmental activity (Paragraph 4). This means the ANPD works alongside, rather than in competition with, agencies like Anatel, Anvisa, and the consumer protection authorities (Procons).
Article 55-K is explicit: the ANPD holds exclusive authority to apply sanctions under the LGPD, and its powers prevail over related powers of other entities when it comes to personal data protection. It is the central body for interpreting the law and setting implementation rules. Other regulators with overlapping mandates - a bank regulator dealing with customer data, for instance - defer to the ANPD on data protection questions.
This coordination model mirrors the approach taken in the EU, where GDPR supervisory authorities work alongside sector regulators. The difference is that Brazil has a single national authority rather than the EU's network of 27+ national DPAs, which can simplify consistency but concentrates regulatory risk in one institution.
ANPD's Expanding Mandate: Children's Digital Safety
The September 2025 transformation gave the ANPD a significant new responsibility: overseeing the Digital Statute for Children and Adolescents (ECA Digital, Law No. 15,211/2025). Decree No. 12,622/2025 designated the ANPD as the autonomous administrative authority for protecting minors in digital environments.
Under this mandate, the ANPD can regulate minimum security standards for platforms used by children, set rules for age verification, establish criteria for parental control tools, and coordinate court-ordered blocking of inappropriate digital content - working with Anatel and the Brazilian Internet Steering Committee (CGI.br).
The ANPD's regulatory agenda for 2025-2026 confirms that children's data and AI governance are top priorities, alongside revisions to its own enforcement and sanction rules.
International Data Transfers and the ANPD's Global Role
The ANPD also regulates international data transfers from Brazil. Resolution No. 19/2024, effective from August 2025, introduced mandatory Standard Contractual Clauses (SCCs) for any organisation transferring personal data out of the country. The ANPD has not yet issued any adequacy decisions recognising other countries' data protection frameworks - making SCCs the only viable mechanism for now.
Brazil is widely expected to seek an EU adequacy decision under the GDPR, and the ANPD's institutional upgrade strengthens that case. An independent, well-resourced regulator with clear enforcement powers is precisely what the European Commission looks for when assessing whether a third country provides adequate protection.
What This Means for Website Owners Targeting Brazil
If your website collects personal data from visitors in Brazil - through cookies, analytics tools, contact forms, or any other mechanism - the LGPD applies to you regardless of where your company is based (Article 3). The ANPD is the body that will investigate complaints, conduct audits, and impose sanctions if something goes wrong.
Practical steps to stay on the right side of the ANPD include: ensuring you have a lawful basis for every category of data processing, appointing a Data Protection Officer (or documenting why one is not required), implementing a breach notification process that meets the three-business-day reporting deadline under Resolution No. 15/2024, and running a cookie scan to identify exactly what data your site collects and which third parties receive it.
The ANPD's enforcement track record shows it is willing to act against organisations of any size - from micro-enterprises to global technology platforms. With 200 specialist enforcement staff being recruited and police-like powers now formalised, the capacity to investigate and sanction will only increase.
Frequently Asked Questions
What does ANPD stand for?
ANPD stands for Autoridade Nacional de Proteção de Dados (National Data Protection Authority). Following the September 2025 institutional upgrade, the full name shifted to Agência Nacional de Proteção de Dados (National Data Protection Agency), but the acronym ANPD was retained.
Can the ANPD fine companies outside Brazil?
The LGPD applies to any organisation that processes data of individuals located in Brazil, regardless of where the company is headquartered (Article 3). The ANPD can impose sanctions on foreign companies, though cross-border enforcement depends on international cooperation agreements and the presence of a local representative.
What is the maximum fine the ANPD can impose?
Under Article 52 of the LGPD, the ANPD can impose a simple fine of up to 2% of the company's gross revenue in Brazil for the preceding fiscal year, excluding taxes, capped at R$50 million (approximately US$10 million) per infraction. Daily fines are also possible and subject to the same cap.
How does the ANPD differ from the EU's data protection authorities?
Brazil has a single national authority covering its entire territory, while the EU operates through a network of independent supervisory authorities in each member state, coordinated by the European Data Protection Board (EDPB). The ANPD combines rulemaking, supervision, and sanctioning powers in one body, whereas EU DPAs typically share interpretive functions with the EDPB.
Does the ANPD require websites to have a cookie consent banner?
The LGPD requires a lawful basis for processing personal data, and cookies that collect personal data generally require consent. While the ANPD has not yet issued cookie-specific guidance equivalent to the EU's ePrivacy Directive, the consent requirements under Articles 7 and 8 of the LGPD apply to cookie-based data collection. A properly configured consent banner is the most practical way to meet these requirements.
Is the ANPD's transformation into a regulatory agency permanent?
Provisional Measure No. 1,317/2025 took immediate effect on 18 September 2025. It was approved by the Chamber of Deputies in February 2026 and is pending Senate approval. If ratified, the transformation becomes permanent law. If not ratified within the required timeframe, the measure would lose legal force - though this outcome is considered unlikely given broad legislative support.
Get Your Website Ready for LGPD Compliance
If your site attracts visitors from Brazil, understanding the ANPD's growing enforcement capacity is not optional - it is a compliance requirement. Kukie.io scans your website for cookies and tracking technologies, categorises them according to their purpose, and helps you present a consent banner that meets LGPD requirements across all regions you operate in.