Brazilian government issues decree to regulate online protections for minors

On March 18, 2026, Decree No. 12,880/2026 was published in Brazil to regulate the Digital Child and Adolescent Statute (ECA Digital – Law No. 15,211/2025).

The decree provides more concrete guidance on implementing the ECA Digital, establishing specific obligations for providers of certain information technology products or services based on their business models and the level of risk posed to minors. It also creates the National Policy for Protecting the Rights of Children and Adolescents in the Digital Environment, aimed at ensuring the coordinated development of policy and action on this issue within Brazil’s federal administration.

In parallel, on March 20, 2026, the Brazilian Data Protection Agency (ANPD) published a guide titled ‘Reliable Age Assurance Mechanisms’ (Mecanismos Confiáveis de Aferição de Idade), which provides preliminary guidance on the age assurance mechanisms established under the ECA Digital and the decree itself.

For more information on the main obligations established by the ECA Digital, please click here to view a one-pager previously published on Único.

Content categories

The decree provides that any content, products or services that pose risks to minors’ privacy,  security, psychosocial development, mental and physical health, or overall well‑being (as determined under the applicable content rating system, where relevant) are considered ‘inappropriate or unsuitable for minors’. It clarifies that prohibited content, products, or services are those that minors are expressly forbidden by law from accessing, purchasing or consuming – a list that includes weapons, alcoholic beverages, tobacco and non-tobacco smoking products, gambling and betting, pornographic content, and applications whose primary purpose is to facilitate romantic encounters or initiate sexual relationships.

The decree further clarifies obligations for each content category. Providers offering inappropriate or unsuitable content must comply with content rating requirements, adopt safety‑by‑default measures, and provide tools for parental supervision. Providers offering prohibited content, in turn, must implement effective age verification mechanisms and effectively prevent minors from accessing or consuming such content.

The definition of ‘pornographic content’, for example, considers the purpose, functionality, or business model of services involving sexually explicit images or videos, or nudity displayed with sexual connotation or intent. Providers of information technology products or services that allow users to view media containing pornographic content must, by default, conceal the content from users who are not logged in or who have not completed age verification.

Age assurance

Age assurance (aferição de idade) encompasses procedures designed to directly or indirectly verify, estimate, or infer a user’s age or age range, including through methods such as document analysis, biometric methods, usage pattern analysis, or other technically reliable means. Age verification (verificação de idade), in turn, is a more robust method for confirming the accuracy and veracity of the user’s stated age or age range through technical or documentary mechanisms.

Decree No. 12,880/2026 establishes that:

• Providers offering content, products, or services prohibited for minors, including those that sell or intermediate the purchase and sale of such products or services (e.g., alcoholic beverages), as well as social media networks or electronic games featuring loot boxes, must implement age verification mechanisms;
• Service providers with editorial control that offer pre-licensed copyrighted content from a rights holder other than the end user, as well as musical, literary, journalistic or sports content not subject to content rating requirements, are exempt from implementing age assurance mechanisms, provided they offer child‑specific accounts or profiles with age‑appropriate content and implement parental supervision tools, as applicable;
• App stores and operating systems must provide age signals to IT product and service providers free of charge. Transmitting exact dates of birth, civil identity data, or user profiling data is expressly prohibited;
• The decree provides that the ANPD will regulate minimum transparency, security, and interoperability requirements for age assessment and parental supervision mechanisms. To initiate this regulatory process, the agency has published the Reliable Age Assurance Mechanisms guide, along with a schedule for rolling out the age assurance solutions.

The guide organizes the general principles and requirements established in Decree No. 12,880/2026 (particularly in Article 24) into six categories:

• Proportionality;
• Accuracy, robustness, and reliability;
• Privacy and personal data protection;
• Inclusion and non-discrimination;
• Transparency and auditability; and
• Interoperability.

It then sets out recommendations and best practices for providers to support age assurance implementation, including:

• Proportionality: Identify and assess the risks inherent to using the product or service, and assess potential age assurance mechanisms in order to select ones whose adverse effects (e.g., excessive collection of data from children and adolescents) are proportionate to the risks;
• Accuracy, robustness, and reliability: Assess the accuracy (degree of precision) of the adopted age assurance mechanisms, with periodic testing to ensure they are robust (i.e., able to withstand circumvention or fraud), and verify the reliability of each mechanism by confirming that it performs consistently under real operating conditions;
• Privacy and personal data protection: Integrate the age assurance mechanisms with the obligations set out in the Brazilian Data Protection Law (LGPD) by default – only processing data or age attributes as strictly necessary – and implement measures to prevent improper personal data processing;
• Inclusion and non-discrimination: Assess in advance whether the chosen age assurance mechanisms may create barriers to access or produce discriminatory effects on particular groups (especially vulnerable populations) and implement alternatives where necessary;
• Transparency and auditability: Disclose the purpose for using the age assurance mechanisms, as well as the data processed and the parties involved. Provide channels and procedures for age correction, and ensure the integrity, traceability, and auditability of any operations associated with the mechanisms;
• Interoperability: Establish an interoperability framework that only permits age attributes to be shared when absolutely necessary, avoiding the exposure of personal data of minors used for age confirmation.

The implementation schedule is structured around three stages:

• Stage one: Beginning immediately, the ANPD will focus on monitoring and engaging in dialogue with app stores and proprietary operating systems to gather relevant information in support of its definitive guidance on certain topics. Starting in April 2026, the ANPD is expected to submit a guide for public consultation titled ‘IT Product and Service Providers: Scope and General Obligations under the ECA Digital’ (Fornecedores de produtos ou serviços de tecnologia da informação: escopo e obrigações gerais do ECA Digital);
• Stage two: Scheduled to begin in August 2026, the ANPD is expected to publish definitive guidelines and regulatory parameters on age assurance mechanisms. A period for adaptation running from August through November 2026 will be granted to age assurance solution providers in order to give regulated entities time to comply with the new rules;
• Stage three: Beginning in January 2027, the ANPD will commence a series of monitoring and oversight cycles, as set out in its Priority Topics Map.

Preventing excessive or problematic use

Under the decree, providers subject to the ECA Digital must implement mechanisms to prevent minors from excessive, problematic, or compulsive use of their products or services. Practices deemed to incentivize such use include concealing natural stopping points, auto-triggering new content without user action, rewards tied to time spent on the service, and excessive notifications.

The ANPD will regulate the minimum safety‑by‑default requirements and take action to curb manipulative, deceptive, or coercive practices.

Combating serious violations against minors in the digital environment

The decree designates the Brazilian Federal Police as the authority responsible for centrally receiving, processing, screening, and managing reports of content indicating potential crimes or juvenile offenses involving the apparent exploitation, sexual abuse, kidnapping, or grooming of minors.

Providers legally required to submit identical notifications to foreign reporting clearinghouses accessible to Brazilian authorities are exempt from filing duplicate notifications with Brazil’s National Notification Screening Center, in order to avoid redundant reporting.

Under Article 27 of the ECA Digital, a provider may be held liable for failing to comply with content removal and reporting obligations relating to apparent exploitation, sexual abuse, kidnapping, or grooming where recurrent failures in the provider’s content moderation mechanisms are identified. In determining whether such recurrent failure exists, negligence or inadequate response mechanisms to serious digital violations against minors will be taken into account.

These obligations will be further regulated by the Brazilian Ministry of Justice and Public Security.

Other provisions

• Content rating system: Although not the decree’s primary focus, it includes provisions related to Brazil’s Content Rating Policy, reinforcing the authority of the Ministry of Justice and Public Security. Electronic games and apps available in digital stores must display appropriate age ratings based on the presence of inappropriate, unsuitable, or prohibited content, as well as risks associated with interactive features, loot boxes, microtransactions, and impacts on security and health, among other features;
• Artificial intelligence: Providers of IT products or services likely to be accessed by minors and that are capable of generating content and interacting with users through natural language (e.g., chatbots) must be transparent about their synthetic and automated nature, prevent behavioral manipulation, assess algorithmic risks, and implement safeguards to protect the physical, mental, and psychosocial development of minors;
• Artistic activities involving minors: The decree requires providers of information technology products or services to demand proof of judicial authorization to monetize or promote content that habitually depicts the image or routine of a child or adolescent. This obligation applies only to content whose monetization or boosting begins after the ninety-day period following the publication of the decree;
• Personal electronic devices with internet access: Until further regulation by the ANPD, manufacturers and importers of such devices whose presentation, packaging, or marketing is exclusively targeted at minors must, within thirty days of the decree’s publication, include the following notice, in Portuguese, on the device’s packaging: “Este produto permite acesso à internet. Conteúdos da internet podem apresentar riscos a crianças e adolescentes. O uso do produto requer supervisão parental.”
  .
  (English translation: “This product provides access to the internet. Internet content may pose risks to children and adolescents. Use of this product requires parental supervision.”).

For further information on this subject, please contact Mattos Filho’s Technology practice area.