The wave of online safety regulation is continuing to surge, with Brazil’s recent enactment of Law No. 15,211/2025—the Digital Statute for Children and Adolescents (Digital ECA)—as the latest addition.
Effective on March 17, 2026, the law introduces a comprehensive and robust framework for the protection of minors online. It is part of a broader global movement, joining laws such as the EU’s Digital Services Act and the UK and Australia’s respective Online Safety Acts, all of which have already set new standards for online providers. As companies continue to adapt to these evolving requirements, the Digital ECA adds a new layer of complexity, particularly for providers operating across multiple jurisdictions.
To Whom Does It Apply?
The Digital ECA applies broadly to any online product or service that is either directed at minors or “likely to be accessed” by them, regardless of where the provider is located. There are specific obligations that apply to online social networks and electronic games as well. “Likely to be accessed” is determined under the law by the sufficient probability of use and attractiveness to minors, considerable ease of access and use for minors, and whether a significant degree of risk to privacy, safety, or biopsychosocial development exists.
What Are the Core Principles?
- The Digital ECA is anchored in the principle of prioritizing the best interests of the child. Providers are required to guarantee the priority protection of minors and implement adequate and proportionate measures to ensure a high level of privacy, data protection, and security for minors.
What Are Key Compliance Obligations?
The Digital ECA sets out a series of detailed obligations for online providers in addition to risk mitigation, including:
- Risk mitigation. Providers must implement robust strategies to prevent and mitigate risk of access, exposure, recommendation, or facilitation of contact with categories that include sexual exploitation and abuse, violence and harassment, self-harm, age-inappropriate products, unfair advertising practices, and pornographic content.
- Age verification. Providers must adopt reliable age verification mechanisms, and the law expressly prohibits self-declaration as a method.
- Parental controls. Providers must offer user-friendly parental control tools in Portuguese and ensure that the highest protection settings are enabled by default (subject to certain minimum requirements). Parents must be allowed to, among other things, restrict purchases and financial transactions, limit/monitor usage time, and identify adult profiles communicating with the minor. Providers must display a clear and visible notice when parental supervision tools are active and indicate which settings or controls have been applied.
- Reporting, removal, appeals, and preservation. Providers must offer user reporting for specific content categories; promptly report detected sexual exploitation, abuse, or grooming to the appropriate national and international authorities; and preserve associated content and user data for at least six months. For certain content takedowns, users whose content is removed must be notified and given the right to appeal.
- Transparency. Providers with more than one million minor users in Brazil must publish semi-annual transparency reports in Portuguese that, for example, must detail the channels for receiving complaints and how complaints are investigated, the number and types of moderation actions taken, and the measures adopted to identify and address risks to minors.
The law also requires providers to develop and adopt standard configurations to prevent the compulsive use of products/services by minors, and providers are prohibited from using profiling, emotional analysis, and augmented or virtual reality to target minors with commercial advertising. Social media services must inform users when services are inappropriate for minors, and electronic games are prohibited from offering loot boxes.
How Will the Law Be Enforced and What Are the Penalties for Noncompliance?
The Brazilian National Data Protection Authority will enforce compliance and is empowered to issue binding regulations under the law. The penalties for violations are significant, including fines of up to 10% of a company’s Brazilian revenue or BRL 50 million per violation (approximately $9.4 million) as well as the possibility of service suspension and permanent bans in cases of repeated noncompliance.
What Should Services Do Now to Prepare?
Given the breadth and depth of the Digital ECA’s requirements, online services should act now to assess whether they fall under the scope of the law and, if so, take steps to assess their readiness and identify any gaps in their current policies, technical controls, and procedures.
Services that operate globally should consider mapping cross-jurisdictional obligations in order to efficiently leverage resources for compliance across Brazil, the EU, the UK, Australia, and other key markets.
