The Digital ECA: Important context for Brazil’s age assurance regulation

The Digital Statute for Children and Adolescents (Digital Estatuto da Criança e do Adolescente or Lei 15.211/2025) is a new law outlining age assurance (garantia de idade) requirements in Brazil. Also known as the Digital ECA, it was enacted in September 2025 and goes beyond self-attestation, applying to a wider range of online platforms that offer certain services. 

On March 17, 2026, the Digital ECA became enforceable. The consequences of noncompliance are steep, including service shutoff and fines of up to 50 million Brazilian reais ($9.44 million USD) or up to 10% of revenue earned in Brazil.

In the past, many companies relied on self-declaration (e.g., "I am over 18" checkboxes) to meet age-restricted content requirements. However, the Digital ECA’s guidelines are considerably stricter and require stronger safeguards. If your platform serves users in Brazil, you need to reevaluate how you verify user age to comply with the Digital ECA.

In this article, we’ll explore whether the regulation applies to you and what you need to prepare. Our findings are based on Brazil’s Technological Radar series, a collection of reports released by Brazil’s regulatory body, Agência Nacional de Proteção de Dados (ANPD). 

Editor’s note: Brazil’s Technological Radar series analyzes emerging technologies that impact data protection and regulations enforced by the ANPD, including the Digital ECA. Technology Radar vol. 5 specifically discusses a variety of age assurance methods. It references findings from the Australia Age Assurance Technology Trial, learnings from UK Ofcom’s highly effective methods, and ISO 27566, an international standard for building age assurance frameworks. 

What is Brazil’s Digital ECA?

The Digital ECA is a comprehensive regulatory framework that outlines new requirements for age assurance (garantia de idade). It’s designed to protect the privacy, safety, and digital rights of minors online. 

Brazil’s Digital ECA is the first law of its kind in Latin America and draws inspiration from milestone regulations like the UK’s Online Safety Act. Under the Digital ECA, organizations must implement age assurance and protections for children including:

• Strict safety-by-design principles, including mandatory age assurance for certain features

• Robust age assurance beyond self-attestation

• Default privacy settings

• Outright bans on targeted advertising (publicidade comportamental para menores)

• Parental or guardian approval when using certain features, such as social media

• Bans on certain exploitative features, such as loot boxes

The Digital ECA sets a global precedent for digital child safety by closing loopholes that previously gave platforms free reign over the use of children's data.

Key facts about Brazil’s Digital ECA age assurance law

• Official name: Lei no. 15.211/2025 “Estatuto Digital da Criança e do Adolescente” (Digital ECA)

• Sanctioned: September 17, 2025

• Effective date: March 17, 2026

• Primary regulator: ANPD (Autoridade Nacional de Proteção de Dados)

• Who it applies to: Companies that host adult content, advertise based on behavior, and offer gaming and/or social media features (e.g., content feed, chat functions)

• Core requirements: Enforce privacy-preserving age assurance if restricted content or features are shown (see above)

• Enforcement risk: Up to 50 million Brazilian reais or up to 10% of revenue earned in Brazil

Does the Digital ECA apply to me? 

The Digital ECA applies to you if your content is "provável de ser acessado," or likely to be accessed by users under certain age gates (e.g., 16 or 18). 

In other words, it applies to any digital product a child could reasonably access. Notably, Brazil’s Digital ECA expands the scope of other online safety guidelines, such as the UK’s Online Safety Act, which apply to services primarily targeting adults.

What counts as “likely to be accessed”? Use the questions below to determine whether the law applies to you. Answering yes to any of these means the Digital ECA applies to your organization:

• Do you offer free downloads?

• Is your service easily downloadable from standard app stores or accessible via a standard web browser?

• Do you offer social features? (e.g., chat, comments, streaming)

• Does your service use design elements that may appeal to adolescents?

• Can users sign up without a credit card?

For platforms that offer electronic games or social media, additional requirements apply: 

• Electronic games: Parents or legal guardians must consent to user interaction functionalities (e.g., chat). Loot boxes are strictly prohibited in games that primarily target minors or are likely to be accessible to them.

• Social media: If a user is 16 years-old or under, their account must be linked to a legal parent or guardian account.

Age verification (verificação etária) requirements under Brazil’s Digital ECA

The Digital ECA sets forward three major requirements for online platforms. They must:

1. Use highly effective and auditable age verification technologies rather than simple self-declaration methods.

2. Keep minors out of restricted services. While operating systems and app stores are required to have “age signals" (e.g. “user_over_18 = TRUE”) available via API, platforms themselves are the primary party responsible for preventing minors from accessing  restricted features. 

3. Apply age assurance based on certain age gates and their specific services.

To meet these requirements, here are the four technical pillars your team should keep in mind:

1. Reliable age assurance

The ANPD recommends using “reliable” methods for age assurance. These methods are commonly organized into age estimation, age verification, and age inference. Here’s what each method entails:

• Age estimation: Determines the probable age of a person based on behavioral characteristics, such as face, voice, or digital interaction patterns.

• Age verification: Confirms age using official documents or reliable services, such as government-issued ID, passport, or authentication with secure platforms (e.g., Gov.br).

• Age inference: Deduces age indirectly by analyzing context, consumption data, educational history, or online preferences. Organizations typically use this technique to complement other age assurance or verification methods.

2. Verifiable parental consent

Depending on the age of the users and the services you offer, you may need to verify consent from a parent or legal guardian. Typically, you’ll need to build a referenceable dataset of:

• Users under 16 or 18 with their approval status

• Parent or legal guardian with verification of their age and record of consent

• Relationship between minor to parent or guardian

3. Transparency report readiness

If your company serves more than one million children and adolescent users in Brazil, you may need to provide transparency reports as evidence of regulatory compliance. One way to show that evidence is in the form of audit trails.

Audit trails show how you verified specific users by recording when the user proved their age, the methods used, and any calculated circumvention risks. For example, if a child accesses prohibited content on your platform, can you prove your platform took sufficient measures to prevent access? Audit trails help document your age assurance process.

4. Data security and privacy

The ANPD enforces compliance for Brazil’s data protection law, the Brazilian General Data Protection Act or LGPD (Lei nº 13.709/2018). The LGPD imposes strict requirements for privacy, especially when processing minors’ data. 

Additionally, Brazil’s Technological Radar series reinforces that age assurance systems should follow security by design and privacy by design principles from ISO 27566-1. Important concepts from this include:

• Privacy: Treat privacy as a core component of the system’s design rather than an afterthought. Aim for the most privacy-protective settings as the default and secure data throughout the user life cycle. 

• Data minimization: Only collect the minimum data necessary for age assurance purposes. Protect data with access controls and automatically delete it after use. The system should provide the final age assurance result (e.g., "over 18") to the relying party without disclosing the underlying sensitive information, like date of birth.

• Security: Embed multi-layered information security into the age assurance system with continuous threat modeling. Use strong encryption for data at rest and in transit. To respond quickly and effectively to security breaches, the system should have traceable updates and a formal incident response plan.

Consider a risk-based approach to minimize user friction

So how do you effectively implement age assurance for the Digital ECA while balancing the user experience? After all, requiring every user to complete multiple age assurance checks will lower your conversion rate. 

Fortunately, the ANPD supports the concept of proportionality, or matching the level of age assurance to the level of risk. To illustrate, let’s say you oversee compliance for a gaming company. While you won’t need to verify age for every game in your portfolio, you will need assurance for games with unmoderated chat or other high-risk features.

In this scenario, you should consider two paths for implementing proportional age assurance:

1. Present age assurance during signup: Take this approach if your game has adult content and requires all users to be verified, or if you have loot box offers built into many areas of your game.

2. Only verify when users access certain features: To remove barriers at signup, verify to unlock certain features, such as chat. The user gets access to the feature if they successfully complete the age assurance flow.

The important thing is to decide when to check user age, based on your specific services and conversion goals.

How Persona can help you comply with the Digital ECA 

Persona helps online platforms around the world navigate complex age assurance regulations, including Australia's Social Media Minimum Age requirements and the UK’s Online Safety Act. 

Our age assurance platform provides the building blocks for creating compliant, user-friendly flows that align with ISO 27566-1 and its guidelines. We offer:

• Automated privacy controls. Our platform helps you limit data collection, redact or delete sensitive information, and maintain rigorous audit trails. We don’t ever store personal identifying information (PII) from underage users.

• A comprehensive suite of age assurance methods. For Brazil, we currently provide:

  • Government ID verification with selfie comparison or authoritative Brazil database validation

  • Mobile document verifications

  • Digital identity verifications

  • Email-based age estimation

  • Selfie age estimation

• No-code configuration for regulation-specific adjustments. Our Dynamic Flow product lets you configure age assurance methods for different jurisdictions. You can waterfall and layer methods based on user signals and risk, helping you balance compliance with user experience. 

We’re here to help you design and implement an age assurance strategy tailored to your platform's needs. Book a consultation with us to discuss your Digital ECA compliance strategy. You can also explore our age assurance solutions to see how we can help you meet the ANPD’s requirements.