LGPD Fines ANPD 2026: Top 10 in Brazil

Brazil’s National Data Protection Authority (ANPD) left the guidance phase behind in 2023 and entered a cycle of active enforcement. Fines, warnings and ancillary sanctions are now public reality. This article lists the most relevant LGPD cases from 2024-2026, what triggered each decision, and how your company can avoid the same fate.

TL;DR — LGPD fines in 60 seconds

  • Legal cap: R$50 million per infraction OR 2% of the company’s Brazilian revenue (Art. 52, II LGPD), whichever is lower.
  • Enforcement start: ANPD’s first public fine was issued in July 2023; the inspection ramp-up came in 2024-2025.
  • Top reasons: breach without notification (Art. 48), processing without a legal basis (Art. 7), missing Data Officer / DPO (Art. 41).
  • Small companies are NOT exempt: ANPD reaffirmed this in 2024.
  • Most-inspected sectors: telecom, financial institutions, healthcare, e-commerce and marketplaces.

Who is ANPD and how does it impose fines?

The National Data Protection Authority was created by Law 13.853/2019, complementing the LGPD (Law 13.709/2018, Art. 55-A). It is a federal special-nature authority linked to the Ministry of Finance, with technical and decision-making autonomy.

ANPD’s administrative sanctioning process follows Resolution 1/2021 and runs in five stages:

  1. Preliminary investigation (complaint, monitoring or information request);
  2. Process initiation with notification to the processing agent;
  3. Prior defense with a 10-business-day window (extendable);
  4. First-instance decision with technical reasoning;
  5. Administrative appeal to ANPD’s Board of Directors.

Article 52 sanctions include warning (with correction deadline), simple fine (up to R$50M or 2% of revenue), daily fine capped at the same ceiling, public disclosure of the infraction, data blocking, data deletion and, in extreme cases, partial or total suspension of processing.

Top 10 LGPD ANPD cases 2024-2026

The table below combines public ANPD fines and range estimates for cases where only the administrative outcome was disclosed. Whenever the range is estimated, we mark it “(range)”.

| # | Sector / Company | Year | Amount | Main reason | Law / Article |
|---|---|---|---|---|---|
| 1 | Telekall (telemarketing) | 2023 | R$14,400 | Failure to cooperate in investigation | Art. 5, X + Art. 52 |
| 2 | Fortbrasil (financial retail) | 2023 | Warning + obligations | No DPO appointed | Art. 41 |
| 3 | Telecom operator (case 1) | 2024 | R$100K-500K (range) | Sharing without legal basis | Art. 7 + Art. 11 |
| 4 | National marketplace | 2024 | R$200K-1M (range) | Cookies and tracking without consent | Art. 7, I + Art. 8 |
| 5 | Fintech (breach) | 2024 | R$300K-2M (range) | Late incident notification | Art. 48 |
| 6 | B2C SaaS platform | 2025 | R$50K-300K (range) | Data subject rights ignored | Art. 18-19 |
| 7 | Health insurance operator | 2025 | R$500K-3M (range) | Sensitive data breach | Art. 11 + Art. 48 |
| 8 | Generative AI platform | 2025 | Investigation ongoing | Training without clear legal basis | Art. 7 + Art. 20 |
| 9 | Credit bureau | 2024-2025 | R$200K-1.5M (range) | Sharing without transparency | Art. 6, VI + Art. 9 |
| 10 | Mid-size e-commerce | 2025 | R$30K-150K (range) | Incomplete privacy policy | Art. 9 + Art. 18 |

Important: ANPD does not yet publish all decisions in a consolidated format. Cases 3-10 rely on official communications, partially disclosed administrative proceedings and market analysis. Ranges reflect typical observed dosimetry (company size, severity, recidivism, cooperation). The R$50M absolute cap has not yet been applied at full scale in Brazil; enforcement is still maturing compared to France’s CNIL or Germany’s BfDI.

Most frequent reasons for LGPD fines 2024-2026

Six categories dominate ANPD inspections:

  1. Breach without proper notification (Art. 48) — delay, omission or incomplete notification to ANPD and affected data subjects. Consolidated interpretation requires communication within 72 hours of learning of the incident.
  2. Processing without a valid legal basis (Art. 7) — the LGPD lists 10 hypotheses (consent, contract, legal obligation, etc.). Processing data outside these bases, or with poorly documented bases, is the most common infraction in audits.
  3. Improper sharing with third parties (Art. 7 + Art. 11) — selling databases, transferring to partners without clear notice, or international transfer without adequate safeguards (Art. 33).
  4. Missing DPO when required (Art. 41) — even after the small-scale flexibility, missing DPO is still an aggravating factor in incident cases.
  5. Cookies and trackers without consent (Art. 7, I + Marco Civil) — invalid “continue browsing = accept” banners or analytics cookies fired before opt-in. See 37 trackers your cookie banner must block.
  6. Data subject rights ignored (Art. 18) — 15-day deadline to respond to access, rectification, deletion or portability requests. For qualified small companies, the deadline is doubled to 30 days.

How much can an LGPD fine cost your company?

Despite the theoretical R$50M cap, the practical dosimetry observed at ANPD in 2024-2026 suggests three risk tiers:

Tier 1 — formal or low-impact failures (R$5K - R$50K):

  • Missing or outdated privacy policy
  • DPO not appointed in microenterprise
  • One-off delay in responding to a data subject (Art. 18)
  • First-time analytics cookies without consent

Tier 2 — moderate breach or multiple failures (R$50K - R$500K):

  • Breach affecting hundreds to thousands of data subjects
  • Late notification (after 72h) to ANPD
  • Sharing without documented legal basis
  • Recidivism in Tier 1 cases

Tier 3 — serious breach, sensitive data or systemic recidivism (R$500K - R$50M):

  • Sensitive data (health, biometrics, children)
  • Hundreds of thousands of data subjects affected
  • Willful conduct or gross negligence
  • Total absence of a compliance program

Legal maximum: R$50 million OR 2% of the company’s Brazilian revenue in the last fiscal year, per Art. 52, II. Application of the cap is exceptional and has not yet been observed at full scale by ANPD as of May 2026.

5 lessons for Brazilian companies in 2026

  1. Implement a 72h notification process — decide today who calls the shots, who notifies ANPD, who informs data subjects and who documents. In a real incident, you have no time to improvise.
  2. Appoint a DPO (Encarregado) — even if you are a small company exempt from the formal obligation under ANPD Resolution 2/2022, appoint someone. The cost is low; the risk of not having one is high.
  3. Document Art. 7 legal basis for each purpose — build a Brazilian RoPA. For each data category: which purpose, which legal basis, retention period, who has access.
  4. Cookie policy + granular consent — per-category banner (necessary, analytics, marketing), real opt-in before firing, easy revocation. See LGPD privacy policy template and requirements.
  5. Honor data subject rights within 15 days — create a single point of contact (privacy@yourcompany), respond even if just to say “we are reviewing”, keep records. Failure to respond is itself an infraction.

How to avoid LGPD fines with WebLegal

WebLegal generates a complete LGPD privacy policy, tailored to your company, in minutes. The document includes Art. 7 legal basis, Art. 18 data subject rights, Art. 48 incident notification, DPO contact and a compliant cookie policy — all in clear legal language. If your company also operates in Europe, WebLegal delivers consistent GDPR and LGPD versions.

Start by trying our free compliance scanner to see what your e-commerce already does well — and where the risks are.
