Pular para o conteúdo principal
Close
Security

ANPD Becomes an Agency: Claro Sanction, 21 Silent Companies, and the End of the Advisory Model

Gabriel Ferraresi· CEO | Tech86July 8, 20264 min
securitylgpdanpdclaroserasaprivacyenforcementzero-trust

For six years, the ANPD existed as a body within the Presidency, without its own career, without an independent budget. In that period, it applied only R$14,400 in fines, against Telekall Infoservice, a microenterprise telemarketing company. The remaining cases were against public bodies, which by law do not receive monetary fines, only warnings and corrective measures. An advisory agency, without teeth. We followed this transition closely and the signal is clear: the advisory model is over.

The institutional shift: Law 15.352/2026 and police power

This changed in February 2026. Law 15.352/2026, enacted on February 25, transformed the ANPD into an autarchy linked to the Ministry of Justice. It gained financial autonomy, its own career (200 positions, public exam on June 24, 2026), and police power: interdiction and seizure of assets. The transition from an advisory model to a sanctioning model is institutional, not rhetorical.

It is no longer an agency that advises. It is an agency that interdicts and seizes. The difference between warning and interdicting is the difference between a memo and a stop order. For those who treat LGPD as a compliance checklist, this changes the risk calculus. For those who treat it as architecture, it changes the priority calculus.

The first case: Claro, Serasa, and the three violations

The first sanction case against a large private company came on June 8, 2026. The ANPD opened an administrative sanctioning process against Claro and a new inspection process against Serasa Experian. Claro shared more than 100 different data points per client with Serasa. Three violations: excessive sharing (Art. 6º, III), lack of transparency with data subjects (Art. 6º, VI and Art. 9º), and ineffective DPO channel (Art. 41).

The contract ended in 2023, but inspection continued. Potential fine: up to 2% of revenue in Brazil, capped at R$50 million per violation. Claro also received a warning regarding contracts. Important: this is an administrative sanctioning process, not a conviction. But the signal to the market is unambiguous — the ANPD now processes large private companies, not just microenterprise telemarketing firms or public bodies.

56 agents, 27 complied, 8 with pending issues, 21 silent

On June 25, the ANPD concluded compliance monitoring of DPO and communication channels. It monitored 56 agents. The 27 that fully complied were archived: inspection works as correction, not punishment. The 8 with pending issues, including Google and iFood, have 10 business days to regularize. Even big techs have gaps.

The 21 that did not respond were forwarded for sanction. Not responding to the ANPD now is obstruction, not silence. The logic has changed: in the advisory model, not responding was tolerable omission. In the sanctioning model, not responding is evidence of non-compliance. The inspection that comes does not warn — and those who do not respond when warned lose the chance to correct.

What changes in practice: DPO, necessity, incidents, and AI

What this changes for those who operate infrastructure and data: the DPO is not a ceremonial position, it is an effective communication channel with data subjects. Data sharing needs documented necessity assessment. Incidents must be notified to the ANPD within 3 business days. The Priority Map 2026-2027 prioritizes 75 actions across four axes over any inspection. The ANPD is also preparing to regulate AI (PL 2338).

The architecture that survives is Zero Trust from design, with least privilege and security for AI. This is what we implement at Tech86. It is not about reacting to inspection — it is about designing so that inspection does not find what it is looking for. Least privilege reduces the scope of any incident. Micro-segmentation contains lateral movement. MFA on all admin access eliminates the vector that has compromised the most infrastructure in the last 12 months.

The Priority Map 2026-2027: 75 actions across four axes

The ANPD's Priority Map 2026-2027 prioritizes 75 actions across four axes over any one-off inspection. This means inspection is not reactive — it is planned and systematic. The four axes cover everything from data governance to information security, from data subject rights to data internationalization. Those who operate infrastructure need to understand that the ANPD is not looking for a single case — it is building a continuous inspection program.

The difference between the previous model and the current one is structural. Previously, the ANPD responded to complaints and incidents. Now, it defines annual priorities, allocates the 200 career positions, and executes. The public exam on June 24, 2026 is not symbolic — it is the operational base for 75 inspection actions. Those who wait for inspection to knock on the door to prepare are already at a disadvantage. Preparation must come before the Map, not after the sanction.

Conclusion: the cost of not being ready is no longer theoretical

We repeat: the inspection that comes does not warn, and the cost of not being ready is no longer theoretical. The ANPD went from R$14,400 in six years to a potential fine of R$50 million per violation. The advisory model is over. The sanctioning model has arrived with the power of interdiction and seizure. The 21 companies that did not respond discovered this too late.

At Tech86, we help companies design architecture that survives inspection — Zero Trust from design, least privilege, effective DPO, incident workflow within 3 business days, and preparation for AI regulation. Before the sanction, not after.

blog.cta_consulting_title

blog.cta_consulting_subtitle

LGPD and Privacy Consulting

Frequently Asked Questions

Law 15.352/2026, enacted on February 25, 2026, transformed the ANPD into an autarchy linked to the Ministry of Justice. The agency gained financial autonomy, its own career (200 positions, public exam on June 24, 2026), and police power: interdiction and seizure of assets. The transition from an advisory model to a sanctioning model is institutional, not rhetorical.

The ANPD opened an administrative sanctioning process against Claro on June 8, 2026. The three violations: excessive sharing (Art. 6º, III) — more than 100 different data points per client passed to Serasa; lack of transparency with data subjects (Art. 6º, VI and Art. 9º); and ineffective DPO channel (Art. 41). The contract ended in 2023, but inspection continued. This is an administrative process, not a conviction.

On June 25, 2026, the ANPD concluded compliance monitoring of DPO and communication channels. It monitored 56 agents. The 27 that fully complied were archived. The 8 with pending issues, including Google and iFood, have 10 business days to regularize. The 21 that did not respond were forwarded for sanction. Not responding to the ANPD now is obstruction, not silence.

The potential fine is up to 2% of revenue in Brazil, capped at R$50 million per violation. In the previous six years as an advisory body, the ANPD applied only R$14,400 in fines, against Telekall Infoservice. The remaining cases were against public bodies, which by law do not receive monetary fines. The model has changed — the inspection that comes does not warn.

The ANPD is preparing to regulate AI (PL 2338). The Priority Map 2026-2027 prioritizes 75 actions across four axes over any inspection. Companies should map AI workloads, document training and inference data, implement guardrails and bias testing, and adopt Zero Trust from design with least privilege. The architecture that survives is the one that assumes inspection comes without warning.

Blog — Get in Touch

Have a question about our articles or services? Our team is ready to help.

Schedule a Meeting

Book a time slot.

Schedule Now

Email

Send us a message.

[email protected]

WhatsApp

Quick conversation.

Address

Avenida Paulista, 1636 - São Paulo - SP - 01310-200

Tech86 Specialist

Online now

Hello! How can we help scale your business today?

Tech86 Engineering

We Value Your Privacy

We use cookies and similar technologies to optimize your experience, analyze site traffic, and personalize content. By clicking "Accept All", you agree to the use of all cookies. Read our Privacy Policy.