Brazil’s National Data Protection Authority opens public comment on definitions and obligations under the ECA Digital
Individuals and organizations who wish to contribute to the ANPD's draft guideline must submit their input through the Brasil Participativo platform by June 15
On April 30, 2026, Brazil’s National Data Protection Authority (ANPD) launched a public comment period for its draft guideline “Providers of Information Technology Products or Services: Scope and General Obligations Under the ECA Digital.” This effort is part of the ANPD’s 2025–2026 Regulatory Agenda and aims to gather stakeholder input to refine the document.
The ECA Digital (Law No. 15,211/2025) is a recently enacted law that sets rules to protect children and adolescents in digital environments. With the law now in effect, the ANPD is working to promote greater predictability and legal certainty for regulated parties and other stakeholders by setting out its interpretive positions and recommended best practices.
To that end, the guideline addresses two central questions: who is subject to the ECA Digital and what the duty of prevention entails for regulated parties. The key topics are highlighted below.
Scope of application: providers of information technology products or services
The guideline explains that the concept of an “information technology product or service” is defined by three elements, each of which must be evaluated in light of the specific characteristics of the offering and how it is actually used:
- Remote provision — the product or service is delivered at a distance, without requiring the parties to be physically present at the same time;
- Electronic means — the product or service relies on equipment and networks for data processing or transmission, particularly through internet-based applications; and
- Individual request — use of the product or service is initiated by an individual user’s own action or request.
Based on this definition, the guideline identifies several categories of providers:
- Social networks. These are platforms that facilitate user-generated sharing and dissemination of opinions and information, enabling structured connections and interactions among accounts. They are oriented toward open social interaction, with public contact among users and broad content circulation, without significant restrictions on who can view or receive the content. Private messaging or communication services, closed meeting platforms, and corporate or institutional applications—where open interaction among unrelated users is not a defining feature—fall outside this definition.
- App stores. These are platforms that distribute applications and facilitate end-user access, acting as intermediaries between users and developers or providers. App stores should not be confused with the individual applications they distribute, nor with in-app purchase features embedded within games or digital services (for example, games that allow users to buy extensions, cosmetic items, maps, or other add-ons).
- Operating systems. These are the software layer that connects a device’s hardware to the applications the user accesses, manages the device’s overall operation, and enables other applications to run in an integrated manner. The guideline notes that operating systems built on collaborative or free/open-source software models—typically used within technical communities and unlikely to be accessed by children and adolescents—are not subject to the same obligations as proprietary operating systems with broad consumer adoption, particularly among minors.
- Services with editorial control and copyrighted content. These services offer content that the provider has previously selected and organized through human curation, without relying on automated selection tools. This distinguishes them from platforms where content is published directly by end users. They typically offer licensed, copyrighted content, as is the case with streaming services.
Scope of application: likely access
The guideline clarifies that the concept of “likely access” extends the ECA Digital’s reach beyond services explicitly designed for or marketed to children and adolescents. A product or service is considered to involve “likely access” when all three requirements are met simultaneously:
- Probability of use and appeal to children and adolescents. This assesses whether the design, content, and presentation of a product or service make it attractive to minors—even if it is not formally targeted at them or is expressly restricted to adults. Relevant factors include language, visual aesthetics, themes, characters, reward systems, gamification, use of influencers, engagement dynamics, and other features that make the product or service emotionally compelling to younger users.
- Considerable ease of access and use for children and adolescents. This refers to the technical, operational, and contextual conditions—such as technological architecture, interface design, distribution mechanisms, and overall user experience—that lower barriers to entry and make it easy for minors to access and use the product or service.
- Significant risk to children’s and adolescents’ privacy, security, or biopsychosocial development. This assesses whether the product or service could cause meaningful negative effects, considering both the likelihood and the severity of potential harm. Under the ECA Digital, there is a legal presumption of significant risk when an application enables social interaction and large-scale information sharing. The word “significant” signals that routine risks inherent in everyday life or ordinary technology use are not sufficient to trigger the law.
The presence of only one or two of these criteria is not sufficient to bring a product or service within the scope of the ECA Digital. For example, a service that is both appealing and easily accessible to minors but does not pose significant risks to their privacy, security, or biopsychosocial development would not be covered. That said, the guideline emphasizes that—consistent with Brazil’s constitutional and statutory principle of the melhor interesse da criança e do adolescente (best interests of the child), a foundational concept in Brazilian child-protection law—this three-part test must not be used as a pretext to improperly narrow the law’s application, particularly where significant risks to minors have been identified.
In addition, certain categories of information technology products and services are legally presumed to be targeted at or likely to be accessed by children and adolescents and are therefore subject to specific obligations under the ECA Digital. These include social networks, app stores, operating systems, editorially curated content services, electronic games, adult content providers, generative AI systems, and e-commerce platforms that intermediate products or services prohibited for this audience.
Duty of prevention
The guideline identifies the duty of prevention as a cornerstone of the ECA Digital’s regulatory framework, aimed at preventing harm and ensuring the comprehensive, priority protection of children and adolescents in digital environments. This duty requires providers to act proactively and diligently, under a responsibility model that focuses on anticipating risks throughout the entire lifecycle of a product or service. Providers must adopt appropriate and proportionate measures to prevent or mitigate the risk of rights violations.
Deadline for submissions
Stakeholders interested in participating in this collaborative process may submit comments via the Brasil Participativo platform—a federal government digital platform for public participation—by June 15, 2026.
For more information on this topic, please contact Mattos Filho’s Technology practice.