The Brazilian Data Protection Authority (ANPD) has become an autonomous regulatory agency with expanded powers under Provisional Measure No. 1.317/2025 and Decree No. 12.622/2025. It now oversees digital protections for children and adolescents, including enforcing court orders, setting security standards, and coordinating with other agencies. The ANPD can issue regulations, supervise entities, and ensure proportional obligations for tech providers, prioritizing children’s rights and data protection in digital environments.

On 5 September 2025, the European Commission published the Draft Adequacy Decision recognizing Brazil as a country that ensures an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (GDPR). This proposal marks the beginning of the formal procedure to authorize the transfer of personal data from the European Union to Brazil without the need for additional safeguards, effectively treating such transfers as equivalent to those occurring within the EU.

On 30 July 2024, the National Consumer Secretariat published Technical Note No. 2/2024/Gab-DPDC/DPDC/SENACON/MJ, providing for the Ads Quality Criteria and Data Quality Criteria, as transparency parameters to be adopted and complied with by digital platforms in Brazil. The recent Technical Note established transparency criteria applicable to platforms, mentioning the need to comply with dignity, health, safety, protection and harmony within consumer relations.

The Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19, which creates the procedures and rules for recognizing the suitability of other countries or international bodies to carry out international personal data transfer operations, as well as approving the standard contractual clauses that may be used by processing agents to legitimize the international transfer of personal data.

The Brazilian Data Protection Authority (ANPD) has published Resolution CD/ANPD No. 18, which creates additional rules for the appointment of the Person in Charge (similar, although not equivalent, to the Data Protection Officer under the GDPR).
As background, according to Law No. 13.709/18 (Brazilian Data Protection Law (LGPD)), data controllers must appoint a Person in Charge. The “Person in Charge” has the primary role of serving as a communication liaison between the data controller, data subjects and ANPD, as well as providing training and guidance to the controller’s employees, and complying with any other instructions that controller may give.

On 6 May 2024, the Federal Government published Federal Law No. 14.852/2024, which established the Legal Framework for the Electronic Games Industry in Brazil. The new law sets out the basic principles and rules for the development and sale of electronic games in Brazil. It establishes guidelines on the manufacture, import, marketing, development and commercial use of electronic games, in addition to providing that the State must establish the indicative age classification. Therefore, it provides a specific framework for this sector in Brazil and ensures the protection of its consumers and users.

On 26 April 2024, the Brazilian Data Protection Authority (ANPD) published the Resolution CD/ANPD no. 15 which approved the Regulation on Notification of Security Incident (“Regulation”). Such Regulation sets forth the mandatory procedures that data controllers must follow when notifying security incidents to ANPD and personal data subjects.
According to Law No. 13,709/18 (Brazilian General Data Protection Law, or LGPD), the controller must notify the occurrence of a security incident that may give rise to relevant risk or damage to data subjects not only to ANPD, but also to the data subjects.

The proposed law which regulates the use of Artificial Intelligence in Brazil considers a risk-based approach inspired by the EU AI Act and looks at high, medium and low risk obligations and liabilities.

The Brazilian Data Protection Authority opened on 16 August 2023, a public consultation regarding the Preliminary Study on the personal data processing legal basis of legitimate interest. The consultation will be open for 30 days (until 15 September) on the Participa Mais Brasil platform.

On 15 August 2023, the Brazilian Data Protection Authority launched a public consultation on the regulation of international transfer of personal data, which will be available for 30 days (until 14 September 2023) on the Participa Mais Brasil platfom. The draft under public consultation sets forth the Resolution of the Regulation of International Transfers of Personal Data and the Standard Contractual Clauses template, establishing provisions for the international transfer of personal data according to the Brazilian General Data Protection Law.