Insights

ANPD defines regulatory priorities for the upcoming biennia (2025/2026 and 2026/2027)

In the 2025/2026 biennium and the 2026/2027 biennium, it is possible to identify the objectives and regulatory priorities of the National Data Protection Authority (ANPD) for the coming years. In this context, it is observed that organizations should be guided by the priorities established by the ANPD for the 2025/2026 biennium, as set forth in Resolution No. 31, of December 22, 2025, as well as by the priorities defined for the 2026/2027 biennium, provided for in Resolution No. 30, published on the same date.

In view of this, it becomes essential for organizations to pay close attention to the topics listed as priorities by the ANPD, in order to ensure regulatory compliance and proper alignment with personal data protection guidelines.

Priority themes and main impacts – 2025/2026 and 2026/2027 Biennium

Protection of children and adolescents
Companies that process personal data of children and adolescents must be more transparent with regard to the processing of personal data, apply stricter criteria to the purpose of processing, and companies such as streaming platforms and games must implement age verification mechanisms, as well as mechanisms for collecting consent from the legal guardian when necessary, including mechanisms for authenticity and maintenance of consent.

On 10/14/25, Technological Radar 5 – Age Verification Mechanisms was published, which is correlated with the Digital ECA (see articles 9, 10 and following).

Monitoring activities regarding compliance with the legal requirements of Law No. 15,211, of September 17, 2025, are expected to be carried out in the first half of 2026, targeting suppliers of information technology products or services aimed at children and adolescents, or likely to be accessed by them.

Artificial Intelligence
Companies that use AI for decision-making must establish stricter parameters to ensure that the rights of data subjects are not violated, in compliance with the principles of the LGPD. Decisions made via AI must be reviewed on a regular basis to eliminate any unlawful discriminatory nature of such decisions.

In 2025, a Technical Note was prepared consolidating the contributions received in the Call for Contributions on Artificial Intelligence. The first draft of the regulation is in the final drafting phase before the Coordination of Regulation.

For 2027, the execution of (at least) 20 enforcement activities related to the processing of personal data is planned.

Sensitive personal data (biometric) – in environments related to the financial system, healthcare, and condominiums
Companies that use sensitive data, especially biometric data, must be clear and transparent regarding their processing in relation to the data subject, and the processing of data for obtaining economic advantages is prohibited; periodic management of consent collection is required.

The condominium sector should be considered a priority, given that the collection of biometric data by these controllers presents particular characteristics that require specific regulation. In addition, as these are environments of daily and mandatory use, in which data subjects (residents, visitors, and service providers) often do not have viable alternatives to providing their data.

This lack of choice reinforces the need to ensure that processing is carried out based on an appropriate legal basis, respecting the principles of purpose, necessity, and proportionality set forth in the LGPD.

Security measures and minimum technical standards
Companies that carry out data processing must, at a minimum, ensure security standards and technical standards regarding the processing of personal data in order to guarantee the security of personal data against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing.

Pursuant to Article 46 of the LGPD, processing agents must adopt technical and administrative security measures capable of protecting personal data against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing. Paragraph 1 of said article establishes that the ANPD may provide for minimum technical standards to make the provisions of the aforementioned article applicable, taking into account the nature of the information processed, the specific characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles set forth in the law.

With disclosure still expected in 2026, the definition of the minimum technical standards required is currently in the phase of drafting the Regulatory Impact Analysis (RIA) report.

Data Protection Impact Report (RIPD)
Companies that process personal data on a large scale and of high risk must prepare the impact report (RIPD) of the activities, as a way to measure the impact of data processing activities. The objective of the ANPD is to regulate the procedure for requesting and preparing the Personal Data Protection Impact Report, pursuant to Articles 10, paragraph 3, and 38.

According to the latest update released in September 2025, the regulation is in the final stage of drafting the Regulatory Impact Analysis (RIA) report.

Personal data aggregators and legal hypotheses
Companies that perform data scraping or in some way operate personal data aggregators must ensure that they collect only what is necessary, aiming at transparency regarding collection and limiting use.

The provision by the ANPD of clear guidance regarding the transparency measures to be adopted, the appropriate legal hypotheses for the processing of personal data carried out by aggregators, and the limits on the use of public data and data made manifestly public, among other aspects, is essential to better guide processing agents and prevent abuses.

The priorities established by the ANPD reinforce the consolidation of data protection as a strategic element of governance, requiring organizations to adopt a preventive, structured posture aligned with evolving regulatory guidelines.

Monitoring regulatory developments is essential for safe and sustainable decision-making.
We continue to share analyses, briefings, and technical content on data protection, technology, compliance, and governance.

Conteúdo relacionado

Brazil’s Data Protection Authority sets guidance on age assurance under digital child protection framework

Improper use of former employee image may lead to indemnification and highlights corporate governance risks

Brazil’s Data Protection Authority becomes a full regulatory agency with enforcement powers

MENU

Fale conosco
+55 (21) 99073 4906
contato@pdka.com.br