The ANPD, an independent and specialized data protection authority, enforces LGPD in Brazil.
Depending on the violation, a simple fine of up to 2% of the revenues of a private legal person, group, or conglomerate in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued.
If the infraction continues, daily fines going up to BRL 50,000,000 per infraction may be issued, along with blockage of the personal data to which the infraction relates until it is brought within conformity of the law. The data can also be limited.
Partial suspension of the operation of the database and activity being exercised for a period of 6 months can also be enforced. The suspensions can be extended by a further 6 months.
Under LGPD, government agencies cannot be sanctioned with administrative fines.
The Attorney General Office which enforces CCPA can take civil action, which includes imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered to be intentional in nature then this can increase to $7,500 for each violation.
There is also a private legal action which consumers can take if their unredacted or unencrypted personal information is breached. Damages between $100-750 or actual harm incurred (whichever is greater) can be recovered.
CCPA has no upper cap on penalties, and amounts can accumulate to well over any fine paid under LGPD or GDPR.
The monetary penalties collected through civil actions under CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.