Brazil's National Data Protection Authority (ANPD) published on December 24, 2025 the Priority Topics Map for enforcement in the 2026-2027 biennium and the updated Regulatory Agenda 2025-2026. The documents establish enforcement and regulatory actions for obligations under the General Personal Data Protection Law (LGPD, Brazil's data protection law) and the Children and Adolescents' Digital Statute (ECA Digital), pursuing a coordinated approach that promotes greater transparency and legal certainty.
The Priority Topics Map establishes four focus areas for ANPD enforcement: data subject rights, protection of children and adolescents in the digital environment, personal data processing by the public sector, and artificial intelligence and emerging technologies in the context of personal data processing. The topics were defined based on information gathered from requests, incident reports, enforcement actions, and other inputs collected by the General Enforcement Coordination Office over the past two years, consolidated in the 2023-2025 Monitoring Cycle Report and Technical Note No. 54/2025/FIS/CGF/ANPD.
Planned enforcement activities include monitoring the secondary use of personal data for targeted commercial advertising delivery, verifying the adoption of a more protective model by design and by default regarding privacy and personal data protection, and implementing measures aimed at preventing children and adolescents from accessing improper, inappropriate, or legally prohibited content. Activities will involve monitoring, guidance, and preventive action, with a timeline that may be adjusted to ensure compatibility with the regulation required for new obligations created by Law No. 15,211 of September 17, 2025. The ANPD established that more complex topics, such as user age verification, will initially be addressed through regulatory and guidance actions, and at a later stage will be subject to enforcement and potential administrative sanctions.
The Regulatory Agenda 2025-2026 now includes three new topics related to the implementation of the Children's Digital Statute: age verification mechanisms, suppliers of information technology products or services with general scope and obligations under the Digital Statute, and enforcement and sanctioning under the Digital Statute with revision of Resolutions No. 1/2021 and No. 4/2023. The agenda also encompasses broader improvements to the agency's rules for enforcement, sanctioning, and rulemaking, including clarifications on the participation of amicus curiae and interested third parties, procedural stages and deadlines, as well as an item related to the Rulemaking Process within the ANPD to adjust regulatory practices to the Agencies Act (Law No. 13,848/2019). The remaining previously planned topics were maintained, with adjustments to the start dates of some rulemaking actions, including initiatives related to data subject rights, data protection impact reports, data sharing by the public sector, and biometric data, among others.
This post was summarized from its original version using AI, with human review.
With information from ANPD