Brazil’s ECA Digital in practice: how the law affects different sectors

Decree No. 12,880/2026, which regulates Brazil’s Digital Child and Adolescent Statute (“ECA Digital” – Law No. 15,211/2025), lays out more concrete guidelines for the law’s implementation. It introduces specific obligations for providers of certain IT products or services based on their business models and the level of risk they pose to minors.

Electronic games and fixed-odds betting

The ECA Digital requires providers of IT products or services that offer content, products or services that are improper, unsuitable or prohibited for persons under 18 (i.e., minors) to adopt effective measures to prevent access by this demographic within their services and products. In this regard, the decree lists products and services off-limits to minors, including gambling, betting, lottery and equivalents, and loot boxes in electronic games.

As a rule, these suppliers must:

• Implement effective age-verification mechanisms, including highly reliable age assurance procedures that validate the user’s age attribute in order to confirm the accuracy of the declared age or age group.
• Effectively prevent minors’ access, use or consumption by blocking their ability to create accounts and profiles, while also identifying and removing accounts operated by them.

The decree permits electronic game publishers to offer versions of their games without loot boxes to this demographic or restrict access to these features by default. In such cases, age-verification requirements will be waived.

Electronic games must also comply with Brazil’s Gaming Industry Legal Framework (Law No. 14,852/2024). Electronic games aimed at minors (or likely to be accessed by them) that include user-to-user interaction through text, audio or video messages or content exchange must comply with specific obligations concerning content moderation, protection against harmful contacts, and parental controls over communication mechanisms established in the legal framework.

Offering fixed-odds betting and other games of chance to minors in Brazil had already been prohibited under Law No. 14,790/2023 and regulations issued by the Secretariat of Prizes and Betting (SPA). The ECA Digital goes further by requiring IT product or service providers to take reasonable measures to prevent and mitigate the risk of minors’ access to, exposure to, recommendation of, or facilitation of contact with this subject matter.

The decree also requires internet app stores and operating systems to block the availability of products or services that promote, offer or enable access to any type of lottery (including fixed-odds betting) that is not authorized by the competent bodies, as well as those that do not provide age-verification solutions.

Marketplaces, delivery apps, and other e-commerce platforms

Providers that offer or intermediate the purchase and sale of products and services prohibited for minors must implement effective age-verification mechanisms under terms to be established by the Brazilian Data Protection Agency (ANPD), as follows:

• At the time of user registration, block purchases by under-18s by default – lifting this block through self-declaration is prohibited; or
• At the time of purchase, implement measures to prevent under-18s from completing the transaction.

The decree’s list of prohibited products includes weapons, ammunition and explosives; alcoholic beverages; smoking products (whether derived from tobacco or otherwise); products that may lead to dependence; and fireworks, among others.

For users who are not registered or authenticated, a default block must also be applied to the purchase of products and services in order to prevent minors from completing the transaction.

Dating apps

Services or applications whose primary purpose is to facilitate encounters or initiate sexual relationships fall within the category of services prohibited for minors. Accordingly, these providers must:

• Implement effective age-verification mechanisms; and
• Effectively prevent access, use or consumption by minors by prohibiting the creation of new accounts and by identifying and removing any accounts that may be operated by minors.

Given that offering services of this nature to minors is prohibited, the industry’s core obligations mainly concern mechanisms that ensure minors cannot access the service and any content it makes available. Note that the ECA Digital expressly prohibits relying on a user’s simple self-declaration as an age-verification mechanism, requiring platforms to resort to use more reliable and diversified methods of confirmation.

Regardless of the nature of the service, the ECA Digital requires providers to remove and report content indicating apparent exploitation, sexual abuse, kidnapping or enticement involving minors – whether detected directly or indirectly in their products or services – to the competent Brazilian and international authorities.

In Brazil, the decree designates the Federal Police as the competent authority and formalizes the creation of a National Notification Screening Center, which is responsible for receiving such reports. Providers that, by law, already submit identical reports to complaint-screening centers in other countries are exempt from notifying Brazil’s National Complaint Screening Center, provided that these reports are also available to the Brazilian authorities.

Pornographic content

The definition of pornographic content, according to the text, is a content whose predominant purpose is to depict sexually explicit acts or display nudity with a sexual connotation or purpose. The classification of content as pornographic must consider the purpose, functionality, and business model involved in providing sexually explicit videos or images, or displays of nudity with a sexual connotation or purpose. Therefore, the analysis is not limited to isolated items but to the broader context in which the content is made available.

The decree also identifies situations in which content does not qualify as pornographic, in order to safeguard freedom of expression. Examples include material presented in educational, artistic, informative or journalistic contexts, as well as content aimed at health education or violence prevention, provided that the applicable obligations are observed (including age ratings and parental control mechanisms).

In addition, interactions with systems that enable dialogues, production or exchanges (whether artificially or in an automated manner) of sexually explicit videos and images, or displays of nudity with sexual connotation or purpose, or in an erotic context, are treated as equivalent to pornographic content. The ANPD may also reassess the classification of certain content, products and services based on their predominant nature or their practical effects.

From these classifications, the following obligations apply:

• Providers that offer pornographic content – whether produced themselves or by third parties – must implement proprietary age‑verification mechanisms that ensure minors do not have access, including to previews, thumbnails, images, titles, or captions;
• Where there is no registration, when the user’s age has not been verified or the account is operated by a minor, the provider must by default hide, blur or refrain from displaying pornographic content, or require age verification to unblock it. In any case, self-declaration is not a sufficient mechanism;
• With respect to the offer or intermediation of prohibited products and services, providers must adopt effective age‑verification mechanisms that operate either by default at registration – with automatic blocking for minors – or at the time of purchase to prevent completion of the transaction. For unregistered or unauthenticated users, the block must be applied by default;
• If prohibited content, products or services are made available on social network services, the provider must take one of two approaches: either offer a version of the service that is free of such content (in which case age verification is waived) or implement effective age verification mechanisms (with self-declaration prohibited). Such restrictions also apply to users who are not logged in.

Streaming

The ECA Digital establishes a set of obligations applicable to content, products and services classified as inappropriate for minors, as well as those that are outright prohibited for them.

Under the terms of the decree, content, products or services are deemed inappropriate when they may pose risks to minors’ privacy, safety, psychosocial development, mental or physical health, or well-being, taking into account Brazil’s age-rating categories where applicable. Examples include audiovisual works featuring sexual content or violence.

To offer such content, platforms must:

• Comply with the content age-rating policy, when applicable;
• Adopt technical and organizational safety measures by design and by default, proportionate to the risks identified for the relevant age group; and
• Provide effective parental supervision tools with blocking features configurable by legal guardians, as well as other methods aimed at safeguarding minors’ digital safety.

Specifically, the decree exempts service providers with editorial control, copyrighted content previously licensed from a responsible economic agent (distinct from an end user), and musical or literary content from implementing age assurance controls, provided that they:

• Offer child accounts or profiles with content appropriate for the user’s age group, in line with Brazil’s age-rating classification when applicable; and
• Implement parental-supervision tools and systems to block or restrict minors’ access to content, respecting progressive autonomy and age-rating classification when applicable.

A ‘service with editorial control’ is defined as an internet app whose main purpose is to make previously selected content available, without the use of automated selection tools by a responsible economic agent.

In turn, ‘prohibited content, products or services’ are those whose access, availability, purchase or consumption is expressly barred by law (for example, pornography).

Making such content available on streaming platforms is subject to the following conditions:

• Implementing effective age-verification mechanisms;
• Preventing access, use or consumption by minors by prohibiting the creation of accounts and profiles by this demographic, as well as identifying and removing accounts operated by them.

As previously noted, the concept of pornography does not encompass audiovisual works presented in educational, artistic, informative or journalistic contexts and that, where subject to age-rating classification, comply with all obligations applicable to the sector and provide age-group restrictions and parental supervision mechanisms; nor does it cover the reproduction of music or other audio content.

Social media

The ECA Digital defines ‘social networks’ as internet apps whose main purpose involves users sharing and disseminating opinions and information conveyed through text, image, audio or audiovisual files on a single platform via connected or otherwise linked accounts in a way that allows users to connect with one another.

These platforms must ensure that user profiles or accounts belonging to minors up to 16 years of age are linked to the account of one of their legal guardians. Moreover, if social networks make products, services or content available to minors, they must either:

• Create free versions of such content (or related advertising), in which case age-verification requirements are waived; or
• Implement effective age-verification mechanisms, with self-declaration expressly prohibited.

For users who are not registered or authenticated, providers must offer an experience that does not allow access to content prohibited to minors.

Social network providers must also be aware of their obligations to take down and report illegal content, especially content depicting apparent sexual exploitation, sexual abuse, kidnapping and grooming.

In addition, platforms have a duty to promptly take down content that violates other rights of minors under a special notice-and-takedown procedure. Under this procedure, platforms must remove the relevant material immediately after being notified by the victim, their legal representatives or the Public Prosecutor’s Office – even without a court order.

For these purposes, the types of content considered to violate the rights of minors (in line with the age-rating classification) are referred to in Article 6 of the ECA Digital. This includes, for example, content related to systematic virtual bullying and harassment, inducement to suicide, and promotion of substances that cause chemical or psychological dependence.

Artificial intelligence

Although the ECA Digital is not a general framework for regulating AI tools and systems, it does set rules for contexts involving minors, particularly in relation to language models, conversational agents, and recommendation algorithms.

For example, Decree No. 12,880/2026 establishes that providers of IT products or services aimed at (or likely to be accessed by) minors that generate content or interact with users based on natural-language prompts must:

• Be transparent about their synthetic and automated nature when interacting with minors;
• Prevent the behavioral manipulation of minors;
• Assess algorithmic risks to the safety and health of this demographic; and
• Implement safeguards to protect physical, mental and psychosocial development.

In addition, both the ECA Digital and the decree establish certain restrictions that may impact providers’ adoption of AI tools or systems on their platforms or in their internal processes, including:

• A prohibition on using profiling techniques to target commercial advertising at minors, as well as employing emotional analysis, augmented reality, extended reality and virtual reality for this purpose. In this context, profiling is defined as any form of data processing (automated or otherwise) used to evaluate aspects of an individual and classify them into behavioral, economic, health, or preference profiles;
• Restrictions on adopting mechanisms that encourage excessive, problematic or compulsive use, as well as on manipulative, deceptive, or coercive practices in technology products aimed at (or likely to be accessed by) minors, such as choice architectures or features that interfere with the user’s decision-making autonomy or exploit cognitive and age-related vulnerabilities, including emotional pressure, manufactured urgency, biased choices or age-inappropriate stimuli that induce decisions contrary to a minor’s best interests;
• The right for parents or legal guardians to exercise control over personalized recommendation systems, including opt-out mechanisms. Providers must also take reasonable measures – by design and throughout operation – in order to prevent and mitigate the risk of recommending certain types of content and products to minors. This includes violent content, the promotion of gambling, predatory advertising practices, pornographic content, and incitement to suicide, among others.

Finally, AI is likely to play a central role in age assurance processes – defined as general procedures for verifying, estimating, or inferring a user’s age group, including documentary, biometric, and usage-pattern analysis.

The privacy of minors’ personal data must be guaranteed a high level of privacy when processed for these purposes. The ECA Digital establishes that by default and by design, providers must configure their products and services to the most protective settings available for personal data privacy and protection, taking into account the user’s progressive autonomy and development and justifying the bests interests of the minors.

For more information about the ECA Digital, please contact Mattos Filho’s Technology practice area.