The Structure of the LGPD in 2026

The LGPD is the primary data protection statute in Brazil, and its core text has been remarkably stable since enactment. What has changed is the regulatory infrastructure around it.

The ANPD as a Mature Regulator

The ANPD became fully operational in 2021 and spent its first three years building procedural capacity, issuing guidance, and running consultations. By 2024 it had moved into active enforcement, and by 2025 it had issued some of its first significant administrative fines, including against foreign platforms. The agency's posture in 2026 is closer to its European counterparts than to its earlier soft-touch period.

The 2026 Cross-Border Transfer Regulation

The most important regulatory development for foreign publishers was the ANPD's international transfer regulation, which was finalized in late 2025 and took effect in 2026. The regulation introduces an adequacy framework, model contractual clauses approved by the ANPD, binding corporate rules, and certifications, all functioning analogously to the GDPR's Chapter V mechanisms. Before this regulation, cross-border transfers operated under a much vaguer set of rules that publishers and ad-tech vendors typically navigated through bilateral commercial arrangements. The 2026 regime is substantially more workable but substantially more demanding on documentation.

Who Is Regulated

The LGPD applies extraterritorially. Any controller processing personal data of individuals located in Brazil at the time of collection, or processing data collected from Brazil regardless of where processing occurs, is in scope. Foreign publishers serving Brazilian users through localized sites or programmatic inventory bought against Brazilian IPs are clearly within reach, and the ANPD has invoked the extraterritorial provision in several 2025 cases.

What Counts as Personal Data Under LGPD

The LGPD's personal data definition is broad and closely tracks the GDPR. Personal data is information related to an identified or identifiable natural person, and the ANPD has consistently treated cookies, advertising identifiers, IP addresses, device fingerprints, and behavioral profiles as personal data when they can be tied to an individual directly or by reasonable means.

Sensitive Personal Data

The LGPD designates a broad list of sensitive categories: racial or ethnic origin, religious belief, political opinion, trade union or political organization membership, philosophical or religious convictions, health, sexual life, genetic data, and biometric data when used for unique identification. Processing sensitive personal data triggers stricter consent requirements and additional controller obligations.

Why This Matters for Cookies

A cookie that stores a routine session identifier is ordinary personal data. A cookie that feeds an audience segment touching the LGPD sensitive list — health interests, religious affiliations, political leanings — is processing of sensitive personal data and requires the heightened consent flow, not the general advertising consent. Publishers running audience segments that overlap the sensitive list should be auditing their consent flows specifically against this boundary.

Cookie Consent Under the LGPD in 2026

The LGPD permits multiple lawful bases for processing, but for cookies and similar technologies that are not strictly necessary for service delivery, the ANPD's guidance and enforcement have converged on consent as the practical baseline.

The Five Elements of Valid Consent

Consent under the LGPD must be:

• Free — given without coercion and not bundled with provision of a service the user is otherwise entitled to
• Informed — the data subject understands what data is processed, by whom, for what purpose, and with what consequences
• Unambiguous — expressed through a clear affirmative act, not inferred from silence, pre-ticked boxes, or scroll-as-consent
• Specific — tied to clearly identified purposes rather than blanket umbrella consent
• Highlighted in cases involving sensitive data, with explicit and separate consent for the specific sensitive processing

What a Compliant CMP Looks Like

A CMP configured for Brazilian traffic in 2026 should present:

• A visible banner before any non-essential cookie or tracker fires, in Portuguese (Português) by default for Brazilian users
• Equal visual prominence for Aceitar (Accept), Recusar (Reject), and Personalizar (Customize) — the ANPD has specifically called out banner designs where the Recusar action is less visible
• Granular toggles per purpose: analytics, advertising, personalization, cross-border transfer, and any sensitive-category processing
• A separate, clearly-labelled flow for sensitive personal data processing, gated behind its own action
• A persistent, easily-found mechanism to withdraw consent after the initial choice
• A Portuguese-language Aviso de Privacidade with full disclosures of controller, processors, purposes, recipients, retention, and rights

Consent Records

Controllers must maintain evidence of consent — who consented, when, to what purpose, and through which interface. The ANPD has cited inadequate consent records in several enforcement actions, and exportable timestamped logs are the baseline expectation.

The 2026 Cross-Border Transfer Regime

This is the area where 2026 looks meaningfully different from 2024. The ANPD's international transfer regulation took effect at the start of the year, and the practical implications are still being absorbed by foreign publishers.

The New Transfer Mechanisms

The regulation provides four primary pathways for legitimate cross-border transfer:

• Adequacy decisions issued by the ANPD recognizing destination jurisdictions or sectors as providing adequate protection
• Standard contractual clauses approved by the ANPD, which function analogously to the GDPR SCCs
• Binding corporate rules for intra-group transfers within multinational organizations
• Specific authorization for transfers that do not fit the standard pathways, on a case-by-case basis

The Practical 2026 Approach

For most foreign publishers, the working approach in 2026 is to execute ANPD-approved standard contractual clauses with international processors, document the transfer mechanism in the privacy notice, and supplement with consent-based authorization only where the standard mechanism does not fit. This is meaningfully simpler than the pre-2026 regime, which often relied on consent-per-transfer logic that produced unwieldy CMPs.

Adequacy Decisions to Date

The ANPD has issued adequacy decisions for a handful of jurisdictions through early 2026, and is expected to expand the list incrementally. The United States is not on the adequacy list as of early 2026, which means transfers to US-based ad-tech and analytics vendors require contractual clauses or another valid mechanism.

Data Subject Rights

The LGPD grants a robust set of rights, applied through the Brazilian framework:

• Right to confirmation of processing
• Right of access to processed data
• Right to correction of incomplete, inaccurate, or out-of-date data
• Right to anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data
• Right to portability of data to another service provider
• Right to deletion of data processed on the basis of consent
• Right to information about public and private entities with which the data has been shared
• Right to information about the possibility of denying consent and the consequences of denial
• Right to revoke consent
• Right to oppose processing carried out on the basis of one of the legitimate interests bases when there is non-compliance
• Right to review of decisions made solely based on automated processing

Response Timelines

Controllers must respond to data subject requests within 15 days under the regulation, with the ability to extend in justified cases. This is tighter than the GDPR's 30-day window and has been a recurring operational gap for foreign publishers tuned to the European cadence.

Penalties and Enforcement Posture in 2026

The ANPD's enforcement activity has escalated meaningfully through 2024 and 2025, and 2026 is on a similar trajectory.

Administrative Fines

The LGPD permits administrative fines of up to 2 percent of the controller's revenue from its activity in Brazil in the prior fiscal year, capped at BRL 50 million per infraction. The ANPD has used the middle of the range in several 2025 cases, including against foreign platforms, and the agency's penalty methodology was published in 2024 and is now applied consistently.

Other Sanctions

Beyond fines, the ANPD can issue warnings, require corrective measures, partially or fully suspend processing activities, and prohibit specific processing operations. Publication of the violation is a routine accompanying sanction and carries reputational weight in the Brazilian market.

Enforcement Themes

The ANPD's 2025 and early-2026 actions cluster around recurring issues: ambiguous or absent consent banners, lack of a Portuguese-language privacy notice, cross-border transfers without a valid mechanism under the new regulation, and failure to respond to data subject requests within the 15-day window. Foreign publishers have been cited in all four categories.

The DPO Requirement

The LGPD requires controllers to appoint a Data Protection Officer (Encarregado de Tratamento de Dados Pessoais) and to publish the DPO's contact information. Foreign controllers processing Brazilian data at scale need a designated DPO, and the contact information must be readily accessible in the privacy notice. The ANPD has cited missing or inaccessible DPO contact information in several enforcement letters.

Audit Checklist for Brazilian Traffic in 2026

• CMP banner is served in Portuguese with Aceitar, Recusar, and Personalizar at equal visual prominence
• Consent purposes are granular and separate any sensitive-category processing behind its own consent flow
• Privacy notice (Aviso de Privacidade) is available in Portuguese with full disclosures of controller, processors, purposes, retention, rights, and DPO contact
• Cross-border transfers rely on ANPD-approved standard contractual clauses, an adequacy decision, BCRs, or specific authorization — not on legacy consent-per-transfer logic
• Consent logs are timestamped, exportable, and retained for the processing duration plus an auditable margin
• Data subject request workflow can respond within 15 days end-to-end, in Portuguese
• DPO is designated and contact information is published in the privacy notice
• Vendor list has been reviewed for necessity, with unused or redundant vendors removed to reduce the cross-border transfer surface
• Sensitive-category audience segments are gated behind explicit, separately-captured consent

The 2026 Outlook

Brazil's privacy regime has matured from a well-drafted statute with limited enforcement into one of the more demanding regimes in the Americas. The 2026 cross-border transfer regulation closed the most consequential structural gap, and the ANPD's enforcement posture has caught up with the law's ambitions. For publishers already running a GDPR-grade consent stack, the gap to LGPD compliance is operational rather than architectural: Portuguese-language CMP and notice, ANPD-approved transfer mechanisms, the 15-day response cadence, DPO designation, and care with the broader sensitive-data list. The gap can be closed in weeks if it is prioritized — and Brazil is the largest single market in Latin America, so the prioritization typically pays back quickly. The publishers who treated Brazil as a lighter-touch market through 2024 are finding 2026 meaningfully more expensive, and the ones who delay further will find 2027 worse still.