The ANPD Has Stopped Educating and Started Enforcing
For its first few years, Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), favoured guidance over punishment. It published orientation documents, held public consultations, and gave organisations time to adapt. That phase is over.
Starting in late 2024 and accelerating through 2025, the ANPD began issuing administrative sanctions under the dosimetria regulation — the penalty-calculation methodology it finalised in February 2023. By early 2026, the enforcement trajectory is clear: the ANPD is running targeted sector audits, issuing fines for specific consent violations, and making examples of companies that treat the LGPD as a paper exercise rather than a technical one.
If your website reaches Brazilian visitors and you haven't revisited your consent setup since you first deployed it, this is the year it catches up with you. This guide covers what the ANPD is actually targeting, how the fines work, and what your cookie banner needs to look like to survive an audit. For a broader overview of Brazil's data protection law itself, see our LGPD Compliance Guide.
What the ANPD Is Targeting in 2026
The ANPD's enforcement actions haven't been random. A pattern has emerged from its published decisions and its regulatory agenda for 2025-2026. The authority is focusing on violations that are visible, widespread, and easy to verify — which puts cookie banners squarely in the crosshairs.
Pre-ticked consent boxes
The single most common enforcement trigger. The LGPD requires consent to be a free, informed, and unambiguous act (Article 5, XIV). A cookie banner that loads with analytics or marketing toggles already switched on — or that treats continued browsing as implied consent — fails this test on its face. The ANPD has cited this violation repeatedly, and it's one of the easiest for auditors to check: load the page, inspect the banner, see if toggles are on by default.
Grouped consent without purpose-specific options
Banners that bundle all non-essential cookies under a single "Accept" button, with no option to consent to analytics separately from advertising, violate the LGPD's requirement for purpose-specific consent. Article 8, §4 is explicit: consent given for generic or overly broad purposes is void. The ANPD has made clear that a compliant banner must let visitors choose which processing purposes they agree to, not force an all-or-nothing decision.
Missing or inadequate transparency
The ANPD expects the consent interface to explain who is processing data, for what specific purposes, and how to withdraw consent later — before the visitor makes a choice. Banners that say "we use cookies to improve your experience" with an accept button and nothing else are the ANPD's low-hanging fruit.
No consent withdrawal mechanism
Article 8, §5 states that consent can be revoked at any time through a free, simple procedure. If your banner collects consent but provides no standing way for visitors to change their mind — no preferences icon, no settings link, no second layer — you're non-compliant on a point the ANPD explicitly checks.
Consent That Fires Before the Click
The most technically damaging violation isn't a banner design issue — it's a banner enforcement issue. If consent is your legal basis and your analytics and advertising tags fire on page load before the visitor interacts with the banner, the processing happened without it. The ANPD's technical auditors check this. A banner that doesn't actually gate the scripts is worse than no banner at all, because it creates a false record of compliance. See our guide on blocking scripts until consent for the implementation that makes consent real.
The Portuguese Language Requirement
This is the compliance point that catches the most international companies off guard. Brazil's consumer protection code (Código de Defesa do Consumidor) and the LGPD's transparency obligations together create a practical mandate: consent interfaces serving Brazilian visitors must be available in Portuguese.
There's no explicit "language clause" in the LGPD text. The requirement flows from multiple provisions: consent must be "informed" (Article 5, XIV), transparency must be accessible to the data subject (Article 9), and the ANPD's cookie guidance reinforces that transparency materials should be "clear, adequate, and provided in Portuguese" when directed at the Brazilian public.
An English-only cookie banner shown to a visitor geolocated to Brazil undermines the "informed" component of consent. The ANPD hasn't issued a standalone fine purely for language, but it has cited inadequate transparency where Portuguese was absent — and the dosimetria regulation treats vulnerability of the affected population as a penalty factor.
The practical implication: your consent management platform needs to detect Brazilian visitors and serve Portuguese-language text. Not Spanish. Not an English banner with a Google Translate link. Portuguese.
How LGPD Differs from GDPR Where It Matters for Enforcement
If your consent setup was built for the GDPR, you're partially covered — but the gaps are exactly where the ANPD's enforcement actions land. For a full comparison, see our LGPD Compliance Guide. Here are the three differences that matter most in an enforcement context.
Legitimate interest is narrower
Article 10 limits legitimate interest to processing for "legitimate purposes, based on specific situations," with a balancing test weighted toward the data subject's reasonable expectations. The ANPD has narrowed this further: legitimate interest is much harder to use for analytics or marketing tracking under the LGPD than under GDPR case law. If you're relying on it for non-essential cookies, you almost certainly need to switch to consent.
DPO requirements are broader
The LGPD required an encarregado for all controllers, though the ANPD later introduced proportionality exceptions for small processing agents. For most companies with meaningful Brazilian traffic, an encarregado is required — and the ANPD has started asking for DPO contact details during audits.
Penalty structure favours cumulative enforcement
The headline fine is 2% of Brazilian revenue, capped at R$50 million (approximately US$10 million) per infraction. Lower than the GDPR's ceiling in absolute terms, but the per-infraction structure means repeated violations compound. The dosimetria regulation weights aggravating factors: repeat offences, failure to cooperate, and vulnerability of affected data subjects all increase the multiplier.
LGPD vs GDPR: Where Enforcement Diverges
| Enforcement Aspect | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Legitimate interest for cookies | Narrowly interpreted; ANPD guidance pushes analytics/marketing to consent basis | More flexible; some DPAs accept legitimate interest for basic analytics |
| DPO requirement | Broadly required for all controllers; limited proportionality exceptions | Required only for specific processing types or scales |
| Consent language | Portuguese mandatory for Brazilian audiences under transparency obligations | Must be in a language the data subject understands; no single language mandated |
| Fine structure | 2% of Brazilian revenue, capped R$50M per infraction; dosimetria regulation details calculation | 4% of global turnover or €20M; per-authority enforcement across 27+ DPAs |
| Cookie-specific regulation | No dedicated cookie law; general consent rules plus ANPD guidance documents | ePrivacy Directive provides explicit cookie-consent rules alongside GDPR |
| Enforcement maturity | Active since 2023; dosimetria in force; targeted audits escalating in 2025-2026 | Mature since 2018; established case law and cross-border enforcement mechanisms |
Beyond Fines: The ANPD's Full Enforcement Toolkit
The dosimetria regulation (Resolution CD/ANPD No. 4) classifies infractions as light, medium, or severe, and adjusts penalties based on severity, cooperation, economic advantage obtained, and whether the controller has documented compliance mechanisms in place. Controllers with a functioning CMP, documented privacy programme, and internal policies face lower multipliers — which makes having proper consent infrastructure a direct financial defence.
But fines aren't the ANPD's only lever. It can also order the publicisation of the infraction — naming your company in a published enforcement decision — plus blocking of the data until the irregularity is corrected, and deletion of the personal data involved. The publicisation power is underrated: a listing on the ANPD's website is a lasting reputational cost that no fine amount captures.
The ANPD's initial sanctions targeted smaller companies, a pattern typical of young regulators building case law. By 2025-2026, the scope has expanded to sector-specific audits of e-commerce, ad-tech, and data brokers, with cooperation agreements signed with European DPAs.
Technical Requirements for LGPD-Compliant Banners
Surviving an ANPD audit isn't about having the right legal text on your website. It's about the technical implementation behind the consent layer. Here's what your banner setup needs:
1. Opt-in by default
All non-essential cookies and tracking technologies must be blocked until the visitor affirmatively consents. This means your tag management — whether client-side GTM, server-side GTM, or direct script injection — must integrate with the consent signal. Tags fire only after consent is recorded, not before.
2. Purpose-specific consent controls
The banner must present separate toggles or options for each processing purpose: analytics, marketing, personalisation, and any other non-essential category you use. Each purpose maps to a set of scripts and cookies that are independently gated. Accepting analytics doesn't mean accepting advertising.
3. Symmetric accept/reject
A "Reject all" option must be as prominent and accessible as "Accept all." The ANPD follows the same logic as the CNIL on this point: making acceptance one click and rejection three clicks is a dark pattern that undermines the freedom of consent.
4. Portuguese-language interface
The banner text, purpose descriptions, button labels, and privacy notice links must be in Portuguese for visitors detected as being in Brazil. This isn't optional localisation — it's a compliance requirement.
5. Persistent withdrawal mechanism
A visible, always-available link or icon (cookie settings, privacy preferences, or equivalent) must let visitors reopen the consent interface and change their choices at any time. The mechanism should be as easy to use as the original consent interaction.
6. Consent logging
Every consent event — acceptance, rejection, partial selection, and withdrawal — must be logged with a timestamp, an anonymous visitor identifier, and the specific purposes consented to. This log is your evidence if the ANPD audits you. Without it, you can't demonstrate that consent was obtained.
7. Google Consent Mode integration
If you run Google Ads or GA4 for Brazilian traffic, your consent signal must feed into Consent Mode v2 so Google's tags respect the visitor's LGPD choices.
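A sketch of how requirements 1, 2, 6 and 7 fit together in one gate, as an added example that is not CookieBeam's code or any CMP's actual API. The names `createConsentGate`, `register` and `record`, the purpose keys and the event labels are hypothetical; the `gtag('consent', ...)` calls and parameter names are those of Google Consent Mode v2.

```javascript
// Added example: purpose-level consent gate. All names are hypothetical.
const PURPOSES = ['analytics', 'marketing', 'personalisation'];

function createConsentGate({ gtag = () => {}, now = () => new Date().toISOString() } = {}) {
  // Opt-in by default: every non-essential purpose starts denied.
  const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  const pending = Object.fromEntries(PURPOSES.map((p) => [p, []]));
  const log = [];

  // Map purposes to the Consent Mode v2 parameters Google tags read.
  const signal = () => {
    const g = (on) => (on ? 'granted' : 'denied');
    return {
      analytics_storage: g(state.analytics),
      ad_storage: g(state.marketing),
      ad_user_data: g(state.marketing),
      ad_personalization: g(state.marketing),
      personalization_storage: g(state.personalisation),
    };
  };
  gtag('consent', 'default', signal());

  return {
    // Queue a script loader; it runs only once its purpose is granted.
    register(purpose, loader) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (state[purpose]) loader(); else pending[purpose].push(loader);
    },
    // Record a choice. Only an explicit `true` grants; anything else denies.
    record(visitorId, choices = {}) {
      const had = PURPOSES.some((p) => state[p]);
      for (const p of PURPOSES) state[p] = choices[p] === true;
      const n = PURPOSES.filter((p) => state[p]).length;
      const event = n === PURPOSES.length ? 'accept_all'
        : n > 0 ? 'partial' : had ? 'withdrawal' : 'reject_all';
      log.push({ ts: now(), visitorId, event, purposes: { ...state } });
      gtag('consent', 'update', signal());
      // Release queued loaders for granted purposes only. A loaded script
      // cannot be unloaded, so withdrawal takes full effect on the next page.
      for (const p of PURPOSES) if (state[p]) pending[p].splice(0).forEach((fn) => fn());
      return event;
    },
    state: () => ({ ...state }),
    log: () => log.map((e) => ({ ...e, purposes: { ...e.purposes } })),
  };
}
```

In a page, each `loader` would inject the corresponding script tag, and the log entries would be sent to durable server-side storage rather than held in memory.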
2026 LGPD Enforcement Readiness Checklist
- All non-essential tags blocked until affirmative opt-in. Load the page, open the network tab, verify no analytics or marketing requests fire before consent.
- Purpose-specific toggles for each cookie category. Analytics, marketing, and personalisation each have independent controls — no all-or-nothing.
- Reject All button with equal prominence to Accept All. Same layer, same size, same number of clicks. Asymmetry is the most-cited violation.
- Banner text and controls fully in Portuguese for Brazilian visitors. Geolocation-triggered, not a language toggle buried in settings.
- Persistent consent withdrawal mechanism visible on every page. Cookie settings icon, footer link, or floating button — always reachable.
- Consent log recording purpose-level choices with timestamps. Your proof of compliance. Without it, the banner is decoration.
- Encarregado (DPO) contact published and accessible. The ANPD asks for this during audits. Name and email or contact form.
- LGPD legal-basis mapping documented separately from GDPR register. Ten bases, not six. The mapping shouldn't be a copy-paste.
- Consent Mode v2 configured for Google tags. Ensures GA4 and Google Ads respect LGPD consent signals.
How CookieBeam Handles LGPD Compliance
CookieBeam's regional consent system maps directly to the requirements above.
Automatic regional detection. CDN-edge geolocation identifies Brazilian visitors and applies the LGPD framework preset — opt-in mode with all non-essential categories defaulting to off. No reliance on the visitor self-selecting their jurisdiction.
Portuguese translations. CookieBeam ships with Portuguese translations for all banner elements. When the regional system detects a Brazilian visitor, Portuguese text is applied automatically. You can override any string through the translation override system if your legal team prefers specific phrasing.
Purpose-level script blocking. Each cookie category maps to a set of scripts gated independently. Consenting to analytics doesn't unlock marketing. This is the ANPD's purpose-specific consent requirement implemented as a technical gate, not just a UI toggle.
Consent logging with purpose detail. Every consent event is logged with purpose-level choices and timestamps — the audit trail the ANPD expects as proof that consent was specific, informed, and recorded.
What to Do Right Now
If you've been treating LGPD as a lower-priority GDPR, 2026 is the year that changes. The ANPD has the regulatory infrastructure and is using it.
- Audit your current banner for Brazilian visitors. Use a VPN or geolocation override. Is it in Portuguese? Are toggles off by default? Is there a reject button?
- Verify scripts are actually blocked. Open dev tools, clear cookies, load as a Brazilian visitor, check the network tab before interacting with the banner. If analytics or advertising requests fire before consent, your banner is decorative.
- Check your consent log. Can you produce a record showing which purposes a visitor consented to and when? If the ANPD asks for proof, can you deliver?
- Appoint and publish your encarregado. Name and contact details on your privacy page. The ANPD checks this during audits.
- Map your legal bases under the LGPD specifically. Ten bases, narrower legitimate interest, broader DPO threshold. It can't be a GDPR copy-paste.
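The network-tab check in the second step can be made repeatable by exporting the session as a HAR file from dev tools and scanning it, shown here as an added example that is not part of the original guide. The function names, the sample capture and the `TRACKER_HOSTS` list are assumptions; replace the list with the hosts your own tags call.

```javascript
// Added example: HAR check for tracker requests sent before consent.
// TRACKER_HOSTS is an illustrative assumption; use your own tag inventory.
const TRACKER_HOSTS = ['google-analytics.com', 'doubleclick.net'];

function matchesHost(host, list) {
  // Exact or subdomain match, so "notdoubleclick.net" is not flagged.
  return list.some((h) => host === h || host.endsWith('.' + h));
}

// consentAt: ISO timestamp of the banner click, or null if the visitor never
// interacted (then every tracker request counts as pre-consent).
function preConsentRequests(har, consentAt, trackers = TRACKER_HOSTS) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  if (Number.isNaN(cutoff)) throw new Error('invalid consent timestamp');
  const hits = [];
  for (const entry of har?.log?.entries ?? []) {
    let host;
    try { host = new URL(entry.request.url).hostname.toLowerCase(); }
    catch { continue; } // skip entries without a parseable URL
    const started = Date.parse(entry.startedDateTime);
    if (Number.isNaN(started)) continue;
    if (started < cutoff && matchesHost(host, trackers)) {
      hits.push({ host, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return hits;
}

// Constructed sample capture (not real traffic): banner clicked at 12:00:05.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-01-10T12:00:00.100Z', request: { url: 'https://example.com/' } },
  { startedDateTime: '2026-01-10T12:00:00.900Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2026-01-10T12:00:01.200Z', request: { url: 'https://notdoubleclick.net/x.js' } },
  { startedDateTime: '2026-01-10T12:00:06.000Z', request: { url: 'https://stats.g.doubleclick.net/j/collect' } },
] } };

const SAMPLE_HITS = preConsentRequests(SAMPLE_HAR, '2026-01-10T12:00:05.000Z');
```

Any entry in the result means a listed host was contacted before the recorded click, which is the condition the guide describes as a decorative banner.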
The fines are real, the audits are targeted, and the technical bar is specific enough that non-compliance is verifiable. Building the right consent setup now costs a fraction of fixing it after a sanction.
Further Reading
For the broader LGPD framework, start with our LGPD Compliance Guide for Websites. For the technical implementation behind consent enforcement, see How to Block Scripts Until Cookie Consent and How Cookie Scanners Work. To understand how Consent Mode ties into Brazilian traffic, read Google Consent Mode v2.
For primary sources, see the ANPD's official site, the full text of the LGPD (Lei 13.709/2018), and the dosimetria regulation (Resolution CD/ANPD No. 4).