Digital Statute for Children and Adolescents: law on the protection of minors in digital environments is sanctioned
The sanctioned text enters into force in March 2026
On September 17, the Presidency of the Republic sanctioned Law No. 15,211/2025, which creates rules for the protection of children and adolescents regarding the use of applications, electronic games, social networks, and computer programs. The text establishes obligations for suppliers of technology products and services, including internet applications, computer programs, operating systems, app stores, electronic games, and similar products and services.
General obligations
In accordance with the Law, suppliers of technology products and services must:
- Adopt appropriate technical measures to prevent inappropriate access and use by children and adolescents;
- Ensure, from the design of their products and services and by default, the most protective configuration available for privacy and the protection of personal data;
- Not process the personal data of children and adolescents in a way that causes, facilitates, or contributes to the violation of their privacy or any other rights;
- Assess content available to children and adolescents by age group, ensuring compatibility with the respective content rating;
- Offer systems and processes designed to prevent children and adolescents from accessing, through the product or service, illegal or pornographic content, as well as other content manifestly inappropriate for their age group; and
- Design from conception and adopt by default configurations that avoid the compulsive use of products or services by children and adolescents.
Content removal
Suppliers of technology products or services available in Brazil must remove content that appears to involve exploitation, sexual abuse, kidnapping, or enticement (grooming) detected in their products or services and report it, directly or indirectly, to the competent national and international authorities.
Age verification and parental supervision
The Law provides that suppliers of technology products or services directed at or likely to be accessed by children and adolescents must adopt mechanisms to verify the age or age group of users. Adolescents will only be permitted to download apps with the consent of a parent or legal guardian. In addition, information about risks and adopted security measures, including privacy and data protection, must be made available to parents, legal guardians, children, and adolescents.
Suppliers must also:
- Provide accessible and easy-to-use settings and tools that support parental supervision, considering the available technology and the nature and purpose of the product or service;
- Provide, in an easily accessible place, information to parents or legal guardians regarding the existing tools for the exercise of parental supervision;
- Display a clear and visible notice when parental supervision tools are in place, indicating which settings or controls have been applied; and
- Offer features that allow limiting and monitoring the time of use of the product or service.
Advertising and monetization
In addition to the other provisions in the Law, the use of profiling techniques to target commercial advertising to children and adolescents is prohibited, as is the use of emotional analysis, augmented reality, extended reality, and virtual reality for this purpose. Internet application providers are also prohibited from monetizing and boosting content that portrays children and adolescents in an eroticized or sexually suggestive way or in a context specific to the adult sexual universe.
Social media
Providers of products and services that are directed at or likely to be accessed by children and adolescents must ensure that users or accounts of children and adolescents up to 16 years of age are linked to the user or account of one of their legal guardians.
Loot boxes
The Law fully prohibits the use of loot boxes in electronic games aimed at children and adolescents, as well as any offer or inclusion of these boxes in electronic games aimed at this audience or likely to be accessed by them.
Reporting and representation in Brazil
The Law requires providers of internet applications directed at or likely to be accessed by children and adolescents that have more than 1,000,000 registered users in this age group, with internet connections in Brazil, to prepare semiannual reports, in Portuguese, to be published on the provider’s website.
The reports must contain:
- The channels available for receiving complaints and the systems and processes for investigation;
- The number of complaints received;
- The number of content or account moderation actions, by type;
- The measures adopted to identify children’s accounts on social networks;
- Technical improvements for the protection of personal data and privacy of children and adolescents;
- Technical improvements to validate parental consent; and
- Details of the methods used and the results of impact assessments, and the identification and management of risks to the safety and health of children and adolescents.
Suppliers must maintain a legal representative in Brazil authorized to receive, among others, service of process, subpoenas, or notifications in any lawsuits and administrative proceedings, as well as to respond to bodies and authorities of the Executive Branch, the Judiciary, and the Public Prosecutor’s Office, and to assume, on behalf of the foreign company, their responsibilities before public administration bodies and entities.
National authority
The Law creates an autonomous administrative authority for the protection of the rights of children and adolescents in the digital environment, which will be responsible for monitoring compliance throughout Brazil and may issue supplementary rules to regulate its provisions.
By Decree No. 12,622/2025, this function was assigned to the National Data Protection Authority (ANPD). In addition, Provisional Measure No. 1,317/2025 converts the ANPD into the National Data Protection Agency, expressly including it in the list of regulatory agencies provided for in Law No. 13,848/2019.
Time to adapt to the new rules
According to Provisional Measure No. 1,319/2025, suppliers will have a period of six (6) months to comply with the operational obligations and procedures established by the new Law, with this period expected to end in March 2026. It is important to note that the Provisional Measure still depends on approval by the National Congress.
For more information on this topic, please contact Mattos Filho’s Technology, Data Protection and Cybersecurity practice.