What the LGPD Actually Says About Sanctions

Article 52 of Brazil's LGPD (Law No. 13,709/2018) sets out a tiered system of administrative sanctions. The list is longer than most website owners expect. It starts with a formal warning and escalates all the way to a complete ban on data processing activities - a penalty that could effectively shut down a company's operations in Brazil.

The sanctions only became enforceable in August 2021. The ANPD (Autoridade Nacional de Proteção de Dados) then published its dosimetry regulation - Resolution CD/ANPD No. 4/2023 - in February 2023, setting out the methodology for calculating fines. Real enforcement began almost immediately.

The Complete List of LGPD Sanctions (Article 52)

Article 52 defines twelve possible sanctions. They can be applied individually or combined, depending on the severity of the violation.

| Sanction | Description | Maximum limit |
|---|---|---|
| Warning | Formal notice with a deadline to adopt corrective measures | Deadline set by ANPD |
| Simple fine | Up to 2% of the company's gross revenue in Brazil (preceding fiscal year, excluding taxes) | R$50 million per violation |
| Daily fine | Accumulates for each day the violation continues | R$50 million total |
| Public disclosure | The ANPD publishes details of the violation after confirming it occurred | N/A |
| Data blocking | Personal data involved in the violation is frozen until the situation is resolved | Until regularisation |
| Data deletion | Mandatory erasure of the personal data connected to the violation | N/A |
| Database suspension | Partial suspension of the database linked to the violation | 6 months, renewable once |
| Processing suspension | The specific processing activity is halted | 6 months, renewable once |
| Activity ban | Partial or total prohibition on data processing activities | Indefinite |

The three most severe sanctions - database suspension, processing suspension, and the activity ban - can only be applied after the ANPD has already imposed at least one lesser sanction for the same case. This staged approach prevents the authority from jumping to the most disruptive measures first.

How the ANPD Calculates Fines

The dosimetry regulation (Resolution CD/ANPD No. 4/2023) introduced a structured formula for monetary penalties. The ANPD follows a multi-step process starting with severity classification.

Violations fall into three categories: minor, medium, and serious. A serious classification applies when the violation involves sensitive personal data, affects a large number of data subjects, involves children's data, or when the offender obstructed the ANPD's investigation. Medium violations significantly affect data subjects' rights without reaching the serious threshold. Everything else is minor. Each severity level carries a base rate range, which is then multiplied by the offender's Brazilian revenue to produce a base fine amount.

Aggravating and Mitigating Factors

The base amount is then adjusted upward or downward. Failing to comply with preventive measures adds 20% per measure (capped at 80%), while ignoring corrective orders adds 30% per order (capped at 90%). Recidivism - either specific (same violation within five years) or generic (any LGPD violation within five years) - also increases the penalty.

Mitigating factors can bring it down significantly. Ceasing the violation before the ANPD starts a preparatory procedure earns a 75% reduction. Demonstrating good practices and governance policies can reduce the fine by 20%. Waiving the right to appeal grants a further 25% discount.

Who Gets Fined - and Who Does Not

Private companies face the full range of sanctions, including monetary fines. Public entities are exempt from financial penalties but can still receive warnings, public disclosure orders, data blocking, deletion mandates, and processing suspensions.

This distinction has real consequences. Five of the ANPD's first seven sanctioning decisions targeted public sector bodies. The INSS (National Social Security Institute) received corrective orders after a 2022 breach that exposed data of 1.5 million civil servants. The Santa Catarina State Department of Health was sanctioned in October 2023 for four separate violations, including delayed breach notification.

Small Businesses Are Not Exempt

The ANPD's first-ever fine targeted Telekall Infoservice, a small telecommunications company. In July 2023, Telekall was fined BRL 14,400 for processing personal data without a lawful basis, failing to appoint a Data Protection Officer, and obstructing the investigation. The message was clear: compliance obligations apply regardless of company size.

Real Enforcement Actions: What the ANPD Has Done So Far

Since the dosimetry regulation took effect, the ANPD has steadily expanded its enforcement. By late 2024, it had published seven sanctioning decisions and initiated monitoring proceedings against twenty companies for DPO-related failures.

The highest-profile case involved Meta. In 2024, the ANPD ordered Meta to suspend processing personal data from Facebook and Instagram for AI training, threatening a daily fine of BRL 50,000 for non-compliance. Meta submitted a compliance plan and committed not to use children's data for AI training. The ANPD approved the plan but maintained oversight. X Corp faced similar orders in December 2024.

These actions reveal the ANPD's priorities: breach notification compliance, children's data protection, AI and biometric data, and DPO appointment.

How LGPD Sanctions Compare to GDPR Penalties

Website owners operating in both Brazil and Europe need to understand how the two regimes differ. The GDPR allows fines of up to 4% of global annual turnover or EUR 20 million. The LGPD caps fines at 2% of Brazilian revenue only, with a hard ceiling of R$50 million.

| Factor | LGPD | GDPR |
|---|---|---|
| Maximum fine percentage | 2% of Brazilian revenue | 4% of global turnover |
| Absolute cap | R$50 million (~USD 10 million) | EUR 20 million |
| Revenue base | Brazilian operations only | Global turnover |
| Public sector fines | Not permitted | Varies by member state |
| Activity bans | Yes (after prior sanction) | Yes |
| Breach notification deadline | Reasonable time (ANPD guidance suggests 3 working days) | 72 hours (Article 33) |
| DPA enforcement since | February 2023 | May 2018 |

Non-monetary sanctions under the LGPD can be more damaging than fines. A six-month ban on using a customer database, renewable once, could cripple operations entirely.

Cookie Compliance and the LGPD

Cookies are personal data under the LGPD. Article 5(I) defines personal data broadly as any information relating to an identified or identifiable natural person. Persistent identifiers like _ga and _fbp, or any cookie that tracks behaviour across sessions, fall within this definition.

The LGPD provides ten legal bases for processing under Article 7, and consent is just one of them. Legitimate interest (Article 7, IX) is available but requires a balancing test. For marketing and analytics cookies, consent is generally the safest legal basis.

The ANPD's actions against Meta for using platform data to train AI without valid consent signal how seriously the authority treats inadequate consent mechanisms. If you set third-party tracking cookies before obtaining clear, informed agreement from visitors, you are exposed.

Run a scan with a cookie consent management platform to identify which cookies your site sets, categorise them, and ensure your consent banner blocks non-essential cookies until the visitor opts in.
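The blocking rule described above, as an added example (not code from the article or from Kukie.io): categorise the cookies a page sets and flag any non-essential cookie present before the visitor opted in. It assumes a first-party cookie named lgpd_consent holds the visitor's choices as URL-encoded JSON; the category map is a constructed sample built around the _ga and _fbp trackers named in the article.

```javascript
// Constructed category map: _ga and _fbp are the trackers the article names;
// sessionid is an assumed login cookie, lgpd_consent the assumed consent record.
const COOKIE_CATEGORIES = {
  _ga: "analytics",
  _fbp: "marketing",
  sessionid: "essential",
  lgpd_consent: "essential",
};

// Unknown cookies are treated as non-essential: under Article 5(I) an
// unclassified identifier should be assumed to be personal data.
function categorise(name) {
  return COOKIE_CATEGORIES[name] || "unclassified";
}

// Parse a document.cookie-style string ("a=1; b=2") into {name: value}.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Read the consent record; a missing or malformed record means no opt-in.
function readConsent(jar) {
  try {
    const parsed = JSON.parse(decodeURIComponent(jar.lgpd_consent || ""));
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch (e) {
    return {};
  }
}

// A cookie may exist only if it is essential or its category was opted in.
function allowed(name, consent) {
  const category = categorise(name);
  return category === "essential" || consent[category] === true;
}

// Audit a cookie string: return the cookies set without a valid opt-in.
function auditCookieHeader(header) {
  const jar = parseCookieHeader(header);
  const consent = readConsent(jar);
  return Object.keys(jar).filter((name) => !allowed(name, consent));
}
```

Run auditCookieHeader(document.cookie) from the page before and after the banner is answered; a non-empty result before opt-in is the exposure the section describes.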

What Happens When Things Go Wrong: Breach Notification

Resolution CD/ANPD No. 15, published in April 2024, formalised rules for security incident communication. Controllers must notify both the ANPD and affected data subjects when an incident poses relevant risk, within three working days of becoming aware.

Five of the ANPD's seven early sanctioning decisions involved failures under Article 48 - specifically, insufficient or absent breach communication. The IAMSPE case is instructive: the public healthcare institute notified 1.5 million affected individuals three months late. The ANPD ordered it to publicly disclose the breach on its website and submit a compliance report within one year.

Failing to report a breach does not just risk a fine. It triggers public disclosure of the violation, corrective orders, potential database suspension, and reputational harm that no fine amount can quantify.

How to Reduce Your Exposure

The dosimetry regulation rewards proactive behaviour. Organisations that demonstrate the following measures benefit from significant penalty reductions:

Appoint a DPO. The ANPD launched monitoring proceedings against twenty companies in 2024 for failing to appoint a Data Protection Officer or providing ineffective contact channels. This is a baseline requirement under Article 41.

Implement a breach response plan. Simulate incidents and test your three-day notification workflow. Breach communication failures are the ANPD's primary enforcement target.

Conduct a Data Protection Impact Assessment. Under Article 38, the ANPD can require controllers to produce a DPIA for high-risk processing. Having one ready signals maturity.

Document your cookie compliance. Maintain a record of processing activities that includes every cookie your site sets, its purpose, and legal basis.

Cooperate with investigations. Obstructing the ANPD is classified as a serious violation and an aggravating factor in fine calculations.

ANPD Enforcement Priorities for 2025-2026

The ANPD published its Regulatory Agenda for 2025-2026 in December 2024, prioritising data subject rights, DPIAs, minors' data, biometric data, and artificial intelligence. It also released enforcement priorities for 2026-2027 aligned with the Digital ECA (Law No. 15,211/2025) on protecting children in digital environments.

For websites collecting data from Brazilian visitors, international data transfers now require Standard Contractual Clauses under Resolution CD/ANPD No. 19/2024, with the grace period having ended in August 2025. Consent mechanisms for cookies will face increasing scrutiny.

Frequently Asked Questions

What is the maximum LGPD fine for a single violation?

The maximum fine under Article 52 of the LGPD is 2% of the company's gross revenue in Brazil for the preceding fiscal year (excluding taxes), capped at R$50 million per individual violation. Daily fines are subject to the same R$50 million ceiling.

Can the ANPD fine public sector organisations under the LGPD?

No. The LGPD does not allow monetary fines against public entities. The ANPD can issue warnings, order public disclosure of violations, mandate data blocking or deletion, and suspend processing activities - but financial penalties are reserved for private companies.

How does the ANPD classify the severity of an LGPD violation?

The dosimetry regulation (Resolution CD/ANPD No. 4/2023) classifies violations as minor, medium, or serious. Serious violations involve sensitive data, large numbers of data subjects, children's data, or obstruction of the ANPD's investigation. Medium violations significantly affect data subjects' rights without reaching the serious threshold. All other violations are classified as minor.

Do small businesses in Brazil need to comply with the LGPD?

Yes. The ANPD's first-ever fine was issued to Telekall Infoservice, a small telecoms company, for BRL 14,400 in July 2023. The LGPD applies to any entity that processes personal data in Brazil, regardless of size, though simplified rules exist for small businesses under ANPD regulations.

How quickly must a data breach be reported to the ANPD?

Under Resolution CD/ANPD No. 15 (published April 2024), controllers must notify the ANPD and affected data subjects within three working days of becoming aware of a security incident that poses relevant risk. Late notification was the most common violation in the ANPD's early sanctioning decisions.

Can the ANPD ban a company from processing personal data entirely?

Yes. Article 52 includes a partial or total prohibition on data processing activities as the most severe sanction. It can only be applied after the ANPD has already imposed at least one lesser sanction (such as a fine, public disclosure, or data blocking) for the same specific case.

Take Control of Your Cookie Compliance

If your website collects data from visitors in Brazil, the LGPD's sanctions framework applies - whether you are based in São Paulo or Stockholm. A free cookie scan shows exactly what cookies your site sets. Kukie.io detects, categorises, and helps you manage cookies across jurisdictions.
