Brazil LGPD + ANPD AI Guidance in 2026 — Voice Agents, Generative AI, and PL 2338
ANPD's 2024 Generative AI study and 2026 sandbox guidance turn LGPD principles into concrete voice and chat compliance steps. PL 2338 is moving through Congress. Penalties reach R$50M per infraction.
Brazil's LGPD has been in force since 2020 and ANPD has matured into a peer of CNIL and ICO. The 2024 Generative AI study, the AI sandbox in 2026, and the pending PL 2338 give voice and chat a clear playbook.
What the law says
Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018) governs personal-data processing in Brazil. Ten lawful bases echo the GDPR plus a "legitimate interests" basis with required balancing. Sensitive personal data — racial origin, religion, political opinion, union membership, health, sex life, genetic, biometric — needs specific consent or a narrow exception. ANPD's enforcement powers include warnings, daily fines, suspension, and fines up to 2% of group turnover in Brazil capped at R$50M per infraction. Article 20 grants a right to review of decisions made solely on automated processing that affects interests, including profiling — analogous to GDPR Article 22 but explicitly retained even after the Constitutional Court limited the original full-explainability text.
ANPD's November 2024 study Inteligência Artificial Generativa (Technological Radar) sets expectations: legal basis must be documented per processing operation; legitimate interests requires a three-step test; data subject rights apply to outputs; cross-border transfers need a basis under Articles 33–36. Brazil's Plano Brasileiro de Inteligência Artificial 2024–2028 funds Portuguese-language foundation models and a regulatory sandbox. PL 2338/2023, the AI Bill, is moving through the Senate and would establish a risk-based AI regime.
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
What AI voice/chat must do
Voice agents serving Brazilian residents need a documented LGPD lawful basis per processing operation, a privacy notice in Portuguese with the controller's identity and DPO contact, and an Article 20 review pathway for any solely automated decision that affects the data subject. Sensitive-data processing — biometric voiceprints, health intent — needs specific consent. Cross-border transfers go via Standard Contractual Clauses (Brazilian model adopted in 2023), specific consent, or adequate jurisdiction. ANPD-reportable breaches must move quickly. Generative-AI deployments document training-data provenance per the 2024 ANPD study.
CallSphere posture
CallSphere — 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses, 4.8/5, HIPAA and SOC 2 aligned — ships Portuguese-language voice notices, an LGPD lawful-basis matrix per workflow, an Article 20 review trigger that hands solely-automated decisions to a human, and ANPD-aligned breach-response runbooks. SCC-equivalent transfer documents are generated automatically. The 2024 ANPD GenAI checklist is built into the model-onboarding flow. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate; see /pricing and /contact.
flowchart LR
A[BR Caller] --> B[Voice Agent\nPT-BR]
B --> C[LGPD Basis Map]
B --> D[Art 20 Review]
D --> E[Human Reviewer]
B --> F[ANPD Breach\nRunbook]
F --> G[Cross-Border\nSCC]
Compliance checklist
- Map every processing operation to one of the ten LGPD lawful bases with written justification.
- Publish a Portuguese privacy notice naming the controller, DPO (encarregado), and rights.
- Build an Article 20 review pathway for solely-automated decisions that affect the data subject.
- Capture specific consent for sensitive data, including biometric voiceprints.
- Apply ANPD's GenAI study checklist before launching any LLM-backed feature.
- Document cross-border transfers with the relevant Article 33 basis.
- Stand up an ANPD breach-response runbook and reasonable timing.
- Conduct a Relatório de Impacto à Proteção de Dados (RIPD/DPIA) for high-risk processing.
- Localise data subject request workflows in Portuguese.
- Track PL 2338 progress; align voluntarily with high-risk obligations.
FAQ
Is consent the default basis? No — LGPD has ten bases. Consent is one. Contractual necessity, legitimate interests, and legal obligation are common alternatives.
Are voice biometrics sensitive? Yes — biometric data for unique identification is sensitive and requires specific consent or another Article 11 exception.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
Does ANPD recognise GDPR DPIAs? A GDPR DPIA is a strong starting point but should be re-papered as an LGPD RIPD.
Can we skip Portuguese in B2B? The notice should be in the language the data subject understands; Portuguese is the safe default.
Is there a cure period? ANPD often issues warnings before fines but is not obligated to. Treat warnings as fast-onset.
Sources
- ANPD — Autoridade Nacional de Proteção de Dados: https://www.gov.br/anpd/pt-br
- LGPD — Lei 13.709/2018 (Planalto): https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- ANPD GenAI Study Nov 2024 (FPF coverage): https://fpf.org/blog/brazils-anpd-preliminary-study-on-generative-ai-highlights-the-dual-nature-of-data-protection-law-balancing-rights-with-technological-innovation/
- IAPP ANPD GenAI Expectations: https://iapp.org/news/a/what-brazil-s-anpd-expects-from-companies-using-generative-ai
- ANPD AI Sandbox — US Trade.gov: https://www.trade.gov/market-intelligence/brazil-it-anpd-ai-sandbox-participation
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.