International Data Protection Day: How the ANPD’s enforcement activity has evolved in recent years and expectation for 2026

With the significant evolution of the ANPD’s enforcement activity, 2026 emerges as a key year for the strategic prioritization of data protection governance within organizations.

Today, January 28, we celebrate International Data Protection Day. The date, established in 2006 with the aim of promoting global awareness on the subject, gained prominence in Brazil with the entry into force of the General Data Protection Law (Law No. 13,709/2018 – LGPD) and the establishment of the National Data Protection Authority (ANPD), in 2020.

A few years after the start of the ANPD’s activities and following its consolidation as a regulatory agency in 2025, it is now possible to identify certain enforcement patterns, regulatory priorities, and trends that highlight strategic fronts deserving attention and a concentration of data protection governance efforts in 2026.

What has changed in the ANPD’s enforcement activity?

Transformation into a regulatory agency

In its early years, the ANPD’s activities were naturally focused on institutional structuring, the issuance of non-binding guidance, and the gradual development of regulatory instruments. This scenario began to change more consistently from 2023 onwards, particularly in 2024 and 2025.

A representative indicator of this shift is that, as of November 2025, the number of supervisory proceedings initiated by the ANPD was three times higher than the total recorded throughout the entire year of 2024.

In addition, in the second half of 2025 the ANPD was granted regulatory agency status (Provisional Measure No. 1,317/2025), with the authorization for 200 new permanent positions.

This institutional reinforcement is expected to translate into increased operational capacity and intensified enforcement as early as 2026, especially with respect to matters addressed in the Priority Topics Map and the 2025–2026 Regulatory Agenda.

Mutual adequacy decision between Brazil and the European Union

The mutual adequacy decisions between Brazil and the European Union also deserve special attention, not only for enabling the reciprocal free flow of personal data, but also for signaling regulatory convergence between these jurisdictions.

The adequacy decision issued by the ANPD (Resolution No. 32/2026) expressly provides for the possibility of institutional cooperation between the ANPD, the European Commission, and European data protection authorities, including the exchange of information on the application and interpretation of their respective legislation, as well as the harmonization and sharing of regulatory practices.

This provision points to a trend toward progressive equivalence in the authorities’ enforcement approaches. In this regard, it is worth noting that European data protection authorities have historically adopted a more assertive enforcement posture, including the imposition of significant sanctions and a strict interpretation of governance, transparency, and accountability obligations.

As a result, guidance, decisions, and resolutions issued by European authorities tend to assume an increasingly strategic role as interpretative references in Brazil.

However, beyond normative and institutional developments and international standards, it is particularly relevant to observe how the ANPD has acted in practice in recent years, as this offers important indications of the tone, priorities, and level of rigor that are likely to characterize its enforcement activity.

Oversight and enforcement activity

The ANPD’s recent activity demonstrates sector-diversified enforcement, with an increasing focus on higher-risk data protection issues, especially those involving sensitive data, children and adolescents, and new technologies.

Oversight or sanctioning proceedings: affected sectors

According to data published by the ANPD, organizations in the following sectors currently have ongoing supervisory or sanctioning proceedings:

Topics under ongoing monitoring and oversight proceedings

Monitoring and oversight proceedings are conducted under confidentiality. Nevertheless, it is possible to identify key topics reflected in the information disclosed by the ANPD to date:

• Digital Child and Adolescent Statute (Digital ECA): monitoring aimed at mapping the level of compliance of sectors that offer digital products or services targeted at children and adolescents, or that are likely to be accessed by this audience, in the context of the implementation of the Digital ECA (Law No. 15,211/2025).

• This monitoring is not sanctioning in nature and is primarily intended to gather technical information to support future regulatory decisions, taking into account the current level of compliance maturity of the affected economic sectors. Given the complexity of the legal requirements, the ANPD extended the deadline to February 13, 2026 for the 37 monitored organizations to submit information on the technical and organizational measures already adopted.

• Data Protection Officer (DPO): ongoing monitoring following the conclusion of a supervisory proceeding related to the absence of appointment, identity, or contact information of the data protection officer and/or deficiencies in the communication channel, involving 20 organizations from different sectors. The supervisory proceeding resulted in corrective measures imposed by the ANPD, and a monitoring proceeding was initiated to track their implementation.

• Children and adolescents: ongoing oversight to verify compliance with personal data processing involving children and adolescents in general.

• Data sharing: ongoing oversight regarding data sharing for:

• verification of compliance in the sharing of personal data between public bodies;
• verification of compliance in data sharing among companies within the same corporate group;
• verification of compliance in the sharing of personal data for the offering of payroll-deductible loans.

• Artificial intelligence: oversight proceedings involving different organizations to verify compliance of personal data processing carried out through Generative Artificial Intelligence.

• Consent: ongoing oversight to investigate the validity of consent for the collection and processing of biometric data.

• Legal basis and transparency: oversight involving transparency issues, biometric data collection, and review of legal bases, as well as monitoring corrective measures related to irregularities identified in the processing of personal data collected by pharmacies.

• Biometric data: ongoing oversight proceedings to:

• verify compliance of the processing of children’s and adolescents’ biometric personal data through Facial Recognition Technology (FRT);
• investigate the processing of biometric data at sporting events, including data of children and adolescents, in the context of compliance with legal obligations.

• General compliance verification: ongoing oversight proceedings with a generic compliance verification scope involving organizations focused on anti-fraud solutions, data collection and enrichment, telephony, and social media.

Topics under ongoing enforcement action

The sanctioning proceedings currently underway address the following situations:

• Security incidents: failure to notify data subjects of a security incident; absence of security measures (public body).

• Children and adolescents: conduct that fails to observe the best interests of children and adolescents.

• Profiling for targeted advertising: behavioral profiling based on sensitive personal data without proper legal basis, for the purpose of offering targeted advertising in exchange for financial consideration (monetization of sensitive personal data).

Complaints and petitions from data subjects 

Another noteworthy element in the evolution of the ANPD’s activity is the significant growth in the number of requests submitted by data subjects to the Authority, including complaints and petitions:[1]

• Second half of 2024: 3,413 requests (an increase of 454.17% compared to the previous semester);
• First half of 2025: 4,956 requests.

Over the entire analyzed period (2023–2025), the ANPD received 9,629 requests, approximately 70% of which were deemed admissible.[2]

The ANPD has indicated that the volume of data subject complaints and petitions by topic is a relevant criterion for prioritizing the opening of oversight proceedings. In other words, an organization’s ability to adequately respond to data subject rights may be a central factor in mitigating regulatory risk.

Expectation for 2026

In the context of the ANPD’s increasing maturity, organizations are called upon to reassess the effectiveness and demonstrability of their data protection governance programs, strategically prioritizing the issues most critical to their business models and risk profiles. It is especially recommended to review:

• processing activities related to high-risk and priority topics under the ANPD’s Priority Topics Map, particularly sensitive data, data relating to children and adolescents, and the use of new technologies;
• procedures for identifying, notifying, and recording information security incidents;
• channels and procedures for handling data subject requests.

Beyond formal compliance with legal obligations, there is a clear emphasis on effective, risk-based, and demonstrable governance programs, reinforcing data protection as a key pillar of regulatory maturity and institutional governance.

This International Data Protection Day represents an opportunity for strategic recalibration, focused on the ANPD’s concrete enforcement activity and on responsible and preventive anticipation of upcoming oversight cycles.

Our team specialized in Technology, Intellectual Property, and Data ProtectionIntelectual closely follows the regulatory developments impacting the market. For further clarification on this topic, or any other matter of interest, please contact our professionals.

[1] ANPD – Complaints or Petitions by Data Subjects.

[2] ANPD – 3rd Monitoring Cycle Report (Second Half of 2023 – First Half of 2025).