Published June 16, 2026
Last updated June 16, 2026

ANPD’s age assurance mechanisms guidance: What Brazil's new risk framework means for compliance

New draft guidance from Brazil’s privacy regulator provides a roadmap for implementing age assurance systems ahead of full enforcement in 2027.
Sophie Zhu
Key takeaways

  • The ANPD’s new draft guidance gives companies a more concrete picture of the age assurance mechanisms they can use to comply with Brazil’s Digital ECA.

  • Brazil treats age assurance as part of a broader “digital chain of responsibility” shared across app stores, operating systems, and platforms.

  • Specific compliance requirements depend on the risk tier of the organization, but self-attestation is no longer sufficient for any of them.

On May 22, Brazil’s National Data Protection Agency (ANPD or Agência Nacional de Proteção de Dados) published new draft guidance on age assurance (aferição de idade) mechanisms. The guidance provides companies with their clearest picture yet of how to comply under the Digital ECA.

Part of a broader rollout of Brazil’s Digital ECA framework, the guide emphasizes risk-based proportionality and privacy by design (privacidade desde a concepção). In the past, many online platforms, websites, and services relied on simple self-attestation checkboxes (e.g., “I am over 18”). Brazil’s Digital ECA signifies a departure from that philosophy by requiring stronger age assurance methods.

With the Digital ECA now enforceable, preliminary guidance and consultations are underway, with full enforcement activity expected to begin in 2027. In this article, we’ll discuss who the ANPD’s guidance on age assurance methods applies to and what it means.

Key facts about the ANPD guide on age assurance methods

  • Official title: Guia Orientativo: Mecanismos de Aferição de Idade (“Guidance Guide: Age Verification Mechanisms”).

  • Issuing authority: Brazil’s National Data Protection Authority (Autoridade Nacional de Proteção de Dados).

  • Release date: May 2026 (preliminary/public consultation version). The ANPD is in the process of soliciting feedback until July 9; a final version is expected to follow in August.

  • Timeline for four stages of Digital ECA rollout:

    • Stage 1 (March 2026): Preliminary guidelines issued and monitoring begins for app stores, operating systems, and digital services and platforms.

    • Stage 2 (August 2026): Final guidelines published; adaptation period begins.

    • Stage 3 (November 2026): Administrative sanctions are scheduled to begin. Monitoring will expand to other sectors based on product and service risk levels.

    • Stage 4 (January 2027): Full enforcement action will begin.

  • Primary objective: Establish operational guidance for “reliable” age assurance systems for services directed at, or likely to be accessed by, minors.

  • Regulatory approach: Risk-based and privacy-preserving age assurance methods.

Who does the ANPD’s age assurance guidance apply to and what is the digital chain of responsibility? 

The ANPD’s age assurance guidance applies to you if your content is likely to be accessed by users under certain age gates under Brazil’s Digital ECA. In other words, if you offer a digital product that a minor could reasonably access, the ANPD’s recommendations apply. 

Central to the updated guide is the concept of a digital chain of responsibility (cadeia digital de responsabilidades). Rather than placing the entire burden for age assurance on individual apps or websites, the ANPD guide distributes responsibility across two entities: 

  • App stores and operating systems: These platforms must perform initial age assurance at the source and send a secure signal downstream without transmitting personal identifying information (PII). 

  • Digital services and platforms: Receiving platforms must be able to process the signals from app stores and operating systems. However, for platforms that are considered higher-risk (more detail on what that means below), that check alone is insufficient. Instead, they must implement their own validation mechanisms.

What is the ANPD's risk matrix for the Digital ECA? 

The ANPD guide provides a risk matrix that classifies products and services as low, moderate, or high risk. The guide emphasizes a risk-based model: higher-risk services require stronger assurance, while lower-risk systems should use methods with less friction. 

In the ANPD guide’s risk matrix, each risk tier comes with specific assurance requirements and suggested mechanisms:

  • High-risk services

    • Definition: These services may expose minors to legally prohibited content such as pornography, betting, or games with active loot boxes.

    • Example mechanisms: Age signals from app stores, verifiable credentials, document verification, liveness checks, and “age estimation mechanisms, including biometric analysis.” The ANPD also recommends a multi-layered model, along with preparing a Data Protection Impact Assessment (DPIA).

  • Moderate-risk services

    • Definition: These services enable user interactions, algorithmic content sharing, or hosting of potentially inappropriate content. Examples include social media networks and chat apps.

    • Example mechanisms: Age signals from app stores, verifiable credentials, and “age estimation mechanisms, including biometric analysis.” The ANPD also recommends a multi-layered model that starts with lower-impact methods and escalates to more robust verification when needed, along with preparing a Data Protection Impact Assessment (DPIA).

  • Low-risk services

    • Definition: These services do not present inappropriate or prohibited content. Examples include education platforms or general utility apps.

    • Example mechanisms: Age signals from app stores and verifiable credentials.

The guide also specifies where age assurance should occur in the user journey. As examples:

  • Electronic games with loot boxes must implement effective verification independent of app store signals before users can access box functionality.

  • Gambling and betting platforms must also implement their own verification methods independent of app store signals.

  • E-commerce and marketplace platforms selling restricted goods may need to verify age during registration or at the point of purchase.

  • Adult content services must block previews, captions, and content access until users complete verification.

Taken together, these guidelines help companies determine not only whether Brazil's Digital ECA applies to them, but also how to scope age assurance so that it minimizes user friction.

What are the ANPD’s six principles for age assurance systems?

The ANPD's guidance outlines six key principles that companies should follow when implementing age assurance systems: 

1. Proportionality

The ANPD recommends taking a risk-based approach to compliance. To decide which verification mechanisms are appropriate, organizations should conduct a contextual risk assessment of both their service and the age-assurance technology, prioritize less invasive methods where risks are lower, and escalate to more robust methods only when necessary.

2. Accuracy

Age assurance solutions must demonstrate technical precision, resilience against multiple types of fraud (such as synthetic deepfakes), and reliability across different environments. To demonstrate these characteristics, use metrics such as true positive, false positive, and false negative rates, as well as mean absolute error (MAE).

3. Privacy and personal data protection

The ANPD guide treats privacy as a structural requirement. All age assurance systems must comply with Brazil’s General Data Protection Law (LGPD or Lei Geral de Proteção de Dados) while following the Digital ECA. This means:

  • Data minimization (minimização de dados): The age assurance system must only handle the age attribute required, with no extraneous or secondary data enrichment.

  • No secondary use: Collected data cannot be used for any other purpose, including for behavioral targeting for ads or to infer preferences or habits for behavioral profiles.

  • No traceability or mass surveillance: The adopted system may not conduct continuous monitoring of user activity, link user activity across websites, or engage in any surveillance.

  • Functional separation: Age assurance systems must operate separately from the platform’s other data processing systems, especially those dedicated to advertising, behavioral analytics, and AI model training.

  • Immediate and irreversible redaction: Any raw identity information must be deleted immediately after verification is complete.

  • Additional recommendation: The ANPD recommends conducting a Data Protection Impact Assessment (DPIA) for moderate- and high-risk platforms.

4. Inclusion and non-discrimination

Age assurance systems must be accessible and fair. For example, since not everyone has a government ID, relying on it as the sole verification method excludes a meaningful share of users. Companies must offer alternatives and choose methods that minimize bias across racial, ethnic, and gender groups.

5. Transparency and auditability

Companies must provide clear, non-technical explanations of their age assurance solution. They must also maintain secure logs to allow for independent review, such as metadata on outcomes, time stamps, and methods. 

6. Interoperability

Interoperability refers to how different systems or platforms work together and recognize each other’s outputs. ANPD recommends adopting double-blind architectures where:

  • The age validator confirms the age attribute without knowing what platform or content the user is accessing.

  • The receiving platform only receives a binary yes/no on the age claim (e.g., user is over 18 or user is not over 18) and no other information.

ANPD guidance on specific age assurance methods

The ANPD’s guidance provides detailed recommendations for three types of age assurance methods. In fact, Brazil is among the first to issue in-depth regulatory guidance related to technical specifications for age assurance. 

Selfie age estimation (estimativa de idade por análise facial)

Selfie age estimation (SAE) uses algorithmic models to infer an individual’s age from a selfie with no identity documents required. 

SAE is not facial recognition. Rather, SAE only classifies the face into an age range and cannot link it to an identity. (Note that companies must ensure their solution does not involve facial recognition/identification.)

For SAE, the ANPD emphasizes:

  • Data privacy and minimization: Although SAE is not facial recognition, it may still be considered sensitive data processing. As such, SAE must return only the age attribute necessary to make a decision, via an age signal or cryptographic token. Any linking of results to the user’s account on the platform must be done securely to prevent unauthorized third-party access. Collected data must be redacted immediately and irreversibly.

  • Robustness: SAE solutions must be difficult to bypass or circumvent. The ANPD recommends configurations like blocking users after a certain number of unsuccessful attempts or directing them to a more robust step-up verification if a series of attempts yields inconsistent results. For technical security, the ANPD recommends liveness detection and protection against spoofing and data injection.

  • Accuracy: Depending on the risk of the service or platform, SAE should be layered into a multi-step verification process. Companies should not accept borderline or inconclusive results. Instead, the ANPD recommends establishing a buffer zone and routing low-confidence results to the next verification level (e.g., a user who appears to be 17 on an 18+ age gate could be routed to an additional check).

  • Fairness: Age estimation must be a prerequisite for access and applied uniformly across all users, without unfair differentiation.

  • Other recommendations: The guide encourages alignment with international age assurance standards, including ISO/IEC 27566-1 (identity proofing), NIST SP 800-63 (digital identity), and the W3C Verifiable Credentials Data Model.
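
The routing that the Robustness and Accuracy points describe can be expressed as a small decision function. This is an added example, not code from the ANPD guide or from Persona; the gate, buffer width, attempt limit, spread threshold, and all function and outcome names are assumptions.

```python
from dataclasses import dataclass, field

AGE_GATE = 18        # assumed gate for the service
BUFFER_YEARS = 3.0   # assumed buffer; size it from the model's measured error
MAX_FAILED = 3       # assumed limit on unsuccessful attempts
MAX_SPREAD = 4.0     # assumed: estimates further apart than this are inconsistent

ALLOW, DENY, STEP_UP, RETRY, BLOCK = "allow", "deny", "step_up", "retry", "block"

@dataclass
class Session:
    """Transient state for one check: numbers only, no image is retained."""
    failed: int = 0
    estimates: list = field(default_factory=list)
    settled: str = ""

def _fail(session, outcome):
    # Count an unsuccessful attempt and block once the limit is reached.
    session.failed += 1
    return BLOCK if session.failed >= MAX_FAILED else outcome

def _route(session, estimated_age, liveness_ok):
    if not liveness_ok or estimated_age is None:
        return _fail(session, RETRY)       # failed liveness or unusable capture
    session.estimates.append(estimated_age)
    if max(session.estimates) - min(session.estimates) > MAX_SPREAD:
        return STEP_UP                     # inconsistent series of results
    if estimated_age >= AGE_GATE + BUFFER_YEARS:
        return ALLOW                       # clearly above the gate
    if estimated_age >= AGE_GATE - BUFFER_YEARS:
        return STEP_UP                     # buffer zone: borderline result
    return _fail(session, DENY)            # clearly below the gate

def decide(session, estimated_age, liveness_ok):
    """Route one SAE attempt; estimated_age is None when no estimate exists."""
    if session.settled:
        return session.settled             # retrying cannot change a settled route
    outcome = _route(session, estimated_age, liveness_ok)
    if outcome in (ALLOW, STEP_UP, BLOCK):
        session.settled = outcome
    return outcome

def replay(attempts):
    """Feed a list of (estimated_age, liveness_ok) attempts through one session."""
    session = Session()
    return [decide(session, age, live) for age, live in attempts]

# Constructed sample sessions (not real data).
BORDERLINE = replay([(17.2, True), (30.0, True)])
INCONSISTENT = replay([(13.0, True), (24.0, True)])
NO_LIVENESS = replay([(None, False)] * 3 + [(30.0, True)])
```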

Document verification (verificação documental)

Document verification confirms the user meets a given age requirement by reviewing an identity document issued by an authoritative source (e.g., identity card, driver’s license, passport). 

Unlike selfie age estimation, document verification produces a definitive result, which makes it better suited for high-risk services. For document verification, the ANPD recommends:

  • Data privacy and minimization: Data collection must be limited to age-relevant information. Storing the document image, a copy, or preserving the data in any way is unauthorized. Delete the data immediately after verification.

  • Robustness: Verification should include authenticity checks (e.g., the document has not been tampered with). Moreover, it must be resilient against foreseeable attempts to circumvent it (e.g., a minor using their parent’s ID). Regulators and standards bodies, including ISO/IEC 27566-1, Ofcom, and Australia's eSafety Commissioner, recognize document verification combined with a selfie check as a valid method for confirming that a user is both real and the document holder. 

Verifiable credentials (credenciais verificáveis)

With verifiable credentials, users present digital proof, like a derived age claim stating “I am over 18” to the receiving platform. The receiving platform can trust that claim because it was cryptographically issued by a trusted organization. 

Verifiable credentials are decentralized and privacy-preserving by design. Users control what they share, allowing them to verify their age without revealing it. To implement verifiable credentials, the ANPD recommends:

  • Data privacy and minimization: Verifiable credentials may only contain age attributes. They may not reveal any other personal information such as date of birth. The ANPD recommends prioritizing zero-knowledge proof (ZKP) or equivalent mechanisms that allow age verification without revealing related personal data.

  • Accuracy: A credential’s validity should be checked every time it’s presented; it should not be trusted indefinitely. The issuing authority is responsible for confirming credential status regularly and revoking credentials that become invalid or inaccurate.
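
The per-presentation checks implied by these two points (integrity, age attribute only, expiry, revocation status) are sketched below as an added example, not code from the ANPD guide or any credential library. An HMAC stands in for the issuer's signature, which in a real credential is an asymmetric proof checked with the issuer's public key; the field names, key, and revocation set are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Stand-in for the issuer's signing key (assumed; a real verifier would hold
# only the issuer's public key and never be able to mint credentials).
ISSUER_KEY = b"constructed-demo-key"
# Hypothetical field names: the age claim plus the metadata needed to check it.
ALLOWED_FIELDS = {"over_18", "exp", "status_index"}

def issue(claims):
    """Constructed issuer side, present only to produce sample input."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def check_presentation(token, now, revoked):
    """Run on every presentation. Returns (accepted, reason_for_audit_log)."""
    body, sep, tag = token.partition(b".")
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return False, "bad_proof"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if set(claims) - ALLOWED_FIELDS:
        return False, "extra_attributes"   # e.g. a date of birth was disclosed
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("status_index") in revoked:
        return False, "revoked"            # status as currently published by the issuer
    if claims.get("over_18") is not True:
        return False, "claim_not_met"
    return True, "ok"

# Constructed sample values (not real credentials).
NOW = 1_800_000_000
GOOD = issue({"over_18": True, "exp": NOW + 3600, "status_index": 42})
OVERSHARED = issue({"over_18": True, "exp": NOW + 3600, "status_index": 7,
                    "birth_date": "2000-01-01"})
```

The platform acts only on the boolean; the reason string is the kind of outcome metadata an audit log can keep without storing personal data.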

How to implement age assurance with Persona

Persona is a leading identity verification provider that helps online platforms navigate complex age assurance regulations worldwide, like Brazil’s Digital ECA, Australia's Social Media Minimum Age requirements, and the UK’s Online Safety Act.

Our age assurance platform provides configurable and flexible building blocks for creating compliant, user-friendly verification flows that align with the ANPD’s guidance and ISO 27566-1’s guidelines. Persona offers:

  • Automated privacy controls. With Persona, you can limit data collection, automatically redact or delete sensitive information, and maintain rigorous audit trails. Persona never stores PII from underage users or uses customer data to train models. 

  • Double-blind architecture via Persona Relay. Through Relay, your platform never sees your user’s date of birth, name, document, or other raw age signals collected for verification purposes. In addition, Persona never sees which platform or content your user is trying to access. 

  • A comprehensive suite of age assurance methods. For Brazil, we currently provide:

    • Government ID verification with selfie comparison and/or authoritative Brazil database validation

    • Digital identity verification

    • Selfie age estimation

    • Email-based age inference

  • Balance compliance with user experience. Persona’s Dynamic Flow product lets you build and launch custom age assurance flows for any jurisdiction using customizable, no-code configurations. Decide which age assurance methods to use based on user signals and risk. 

Companies that must comply with the Digital ECA often face similar age assurance requirements globally. Book a consultation to learn how to design and implement an age assurance strategy that’s ready for any jurisdiction. You can also explore our age assurance solutions to see how they work.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.

FAQs

What is the ANPD's age assurance guidance?

The ANPD's age assurance guidance is a risk-based framework that helps organizations choose reliable methods for determining a user's age. The guidance emphasizes that age assurance measures should be proportionate to the risks presented to minors, while also being accurate, privacy-preserving, transparent, inclusive, and compliant with Brazil's data protection laws.

What are the three risk tiers under Brazil's Digital ECA?

Brazil’s Digital ECA uses a three-tier risk model consisting of low-, medium-, and high-risk services. The level of age assurance required increases with the level of risk that a service may pose to minors.

What is selfie age estimation under the ANPD guidance?

Selfie age estimation uses facial analysis technology to estimate a user's age or age range from a selfie. It’s considered a form of age estimation, rather than verification, because it provides a probabilistic assessment rather than a definitive result. If you plan to use selfie age estimation, the ANPD recommends defining buffer zones and escalating uncertain results to more robust verification methods.

What is the digital chain of responsibility under Brazil's Digital ECA?

The digital chain of responsibility distributes age assurance obligations across multiple layers of the digital ecosystem. Under the ANPD’s guidance, app stores and operating systems must perform initial age assurance and transmit a secure signal downstream. Digital services and platforms must be able to receive and process these signals. However, higher-risk platforms cannot rely solely on upstream signals and should implement additional age assurance mechanisms of their own.

Do foreign platforms need to follow the ANPD's age assurance guidance?

Yes. Foreign platforms that offer services to users in Brazil, or whose services could reasonably be accessed by minors in Brazil, are expected to comply with the Digital ECA and follow the ANPD's guidance.

Sophie Zhu
Sophie Zhu is an associate product marketing manager, focused on age assurance, fraud, and identity. Outside of work, you'll find her at the movie theater or exploring San Francisco.