Where the bill stands (and why it moved fast)
Brazil’s Federal Senate approved PL 2628/2022, sending it to President Lula for sanction. The measure had cleared the Chamber a week earlier after high-profile debates about the “adultização” of minors on social networks. If enacted, it will take effect one year after publication, giving companies a tight runway to overhaul product designs, policies, and vendor stacks.
Who is in scope?
The Digital ECA covers any tech product or service that is directed to or likely to be accessed by minors (children under 12; adolescents 12–18). That’s broader than “kids’ apps.” It explicitly reaches social networks, app stores, operating systems, electronic games, and software—and applies regardless of where the provider is based, with a requirement to appoint a Brazilian legal representative.
What you’ll actually have to do
- Age assurance & access controls. Implement reliable age checks (self-declaration alone is not acceptable) and block minors from adult-only services (e.g., pornography, gambling, alcohol). Expect to receive and honor age signals from app stores via API.
- Parental supervision by default. Provide easy-to-use parental tools configured to the most protective settings out of the box—covering direct messages, time-on-app, auto-play/notifications, recommendations, geolocation sharing, in-app purchases, and financial transactions.
- No ad profiling to minors. Prohibit profiling-based targeting to children and adolescents; you also may not use emotional analysis or AR/VR/“XR” techniques to target ads to minors.
- Rapid removal & reporting. Remove content tied to child sexual abuse, grooming, kidnapping, or exploitation and immediately notify authorities. Provide appeal and notice mechanisms for takedowns, with safeguards against abusive reporting.
- Design & DPIAs. Bake privacy-by-design/default into minors’ experiences and complete a data protection impact assessment (DPIA) for processing children’s and adolescents’ data.
- Transparency & reporting. Platforms with >1M minor users must publish semiannual safety reports covering moderation, abuse reports, and risk management.
- Loot boxes. For minors, the Senate text restores a ban on loot boxes in games due to gambling-like mechanics.
Enforcement & penalties
The bill creates an independent administrative authority focused on children’s digital rights (to be designated by separate law), empowered to issue warnings and fines up to 10% of the economic group’s Brazilian revenue (capped at BRL 50 million per violation). Courts may suspend or prohibit operations in severe cases. Foreign parent companies can be held jointly liable for fines imposed on Brazilian subsidiaries. Penalty calculations may alternatively use a per-user range when revenue data is unavailable.
How it meshes with LGPD (Brazil’s privacy law)
The LGPD already sets a special regime for minors—most notably Article 14 and the best-interests standard. For children under 12, processing ordinarily requires specific and prominent parental consent; for adolescents (12–18), processing still must serve their best interests, and Brazil’s DPA (ANPD) has clarified that controllers may rely on any LGPD legal basis (including legitimate interest) if the best-interests test is genuinely met and documented. The Digital ECA adds sector-specific design and safety obligations on top of this privacy baseline—so you’ll need both valid legal bases and protective defaults.
Topic | Digital ECA (PL 2628/2022) | LGPD (Art. 14 & guidance) |
---|---|---|
Who’s covered | Products/services directed to or likely accessed by minors; extra duties for adult-only services | All controllers/processors handling minors’ personal data |
Core duty | Design for safety: age assurance, parental controls on by default, no profiling ads to minors | Process in the best interests of the child/adolescent; transparency; minimization |
Legal basis | Not a legal-basis statute; requires DPIAs and protective measures | Children (<12): parental consent; Adolescents: best interests, any lawful basis if justified |
Advertising | Ban on profiling/immersive targeting to minors; AR/VR/emotional analysis barred for ad targeting | LGPD principles (fairness, purpose limitation) + consumer/child-protection norms |
Removal & reporting | Immediate removal/notification for CSAM, grooming, kidnapping/exploitation; appeals; anti-abuse safeguards | Not prescriptive; general security and incident-response obligations apply |
Governance | New kids-digital-rights authority; semiannual platform reports (>1M minors) | ANPD oversight; guidance on minors’ data and legitimate interest |
Penalties | Warnings; fines up to 10% of Brazilian revenue (cap BRL 50M/violation); suspension/ban via courts | LGPD: fines up to 2% of Brazilian revenue (cap BRL 50M/violation), among other sanctions |
Age-verification trendline in Brazil
Beyond the Digital ECA, lawmakers introduced a companion bill (PL 3910/2025) to harden platform responsibilities for reliable age verification—especially for adult-content services. Drafts emphasize no self-declaration, contemplate biometric-assisted checks, and push for standardized signals between app stores and apps. Think of PL 3910 as the “how” beneath Digital ECA’s “must.”
Key risks and unintended consequences to plan for
- Over-collection. Age assurance can creep into identity collection fast. Favor attribute checks (18+/13+) and zero-knowledge tokens over raw ID uploads.
- Function creep. Parental-control telemetry can morph into profiling without strict purpose controls. Lock down retention and access.
- Adtech misfires. “Contextual” systems often leak personalization. Audit for shadow profiling and disable minor-targeting in all vendors.
- UX regressions. Heavy friction for all users can backfire. Gate only what’s necessary and cache successful age checks with privacy-preserving tokens.
- Gaming mechanics. Loot-box bans for minors demand changes to game economies, not just labels. Build alternate reward loops.
What to ship in the next 90 days (size-agnostic checklist)
- Classify your experiences. Map every surface directed to or likely accessed by minors. Flag adult-only edges and “grey zone” content.
- Stand up age assurance. Implement a method set (attribute tokens, device-level signals, store-provided “age signals”) without raw ID storage. Block self-declaration flows.
- Lock default protections. Turn on strict parental controls by default for minor accounts: DMs off to unknown adults, auto-play off, geolocation off, purchases restricted.
- Kill profiling. Disable behavioral ad targeting and recommendation vectors that infer sensitive traits for minors. Document enforcement in your DPIA.
- Wire removal & reporting. Build a rapid-takedown pipeline for CSAM/grooming content with authority notifications; publish an accessible appeals channel.
- Refresh notices & basis. Update Brazilian notices for minors’ data; for children under 12, collect specific and prominent parental consent. For adolescents, record a best-interests analysis for any non-consent basis.
- Vendor hardening. Amend contracts: no minor profiling, honor age signals, short retention, no secondary use; require attestations and audit rights.
- Publish & prove. Prepare your semiannual safety report template now; add automated tests that verify suppression of ads/IDs when a user is flagged as a minor.
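The checklist's attribute-token, protective-defaults and automated-test items can be exercised together; the following is an added example, not code from the bill or any vendor. It assumes a hypothetical age-assurance provider that signs only an age bracket, method and expiry with a shared HMAC key (a simple stand-in for the zero-knowledge tokens mentioned above); all names, method labels and settings keys are illustrative.

```python
import base64, hashlib, hmac, json, time

# Hypothetical key shared with the age-assurance provider (constructed for this example).
PROVIDER_KEY = b"constructed-demo-key-not-for-production"

# Most protective settings, applied whenever the user is not a verified adult.
PROTECTIVE = {"dm_from_unknown_adults": False, "autoplay": False,
              "geolocation_sharing": False, "purchases": "restricted",
              "ad_profiling": False, "adult_content": False}
ADULT = {"dm_from_unknown_adults": True, "autoplay": True,
         "geolocation_sharing": True, "purchases": "allowed",
         "ad_profiling": True, "adult_content": True}

def issue_token(bracket, method, ttl=3600, now=None):
    """Provider side: sign an age bracket, assurance method and expiry. No identity data."""
    claims = {"bracket": bracket, "method": method,
              "exp": int(now if now is not None else time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_token(token, now=None):
    """Return claims, or None if the token is missing, forged, expired or self-declared."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (AttributeError, TypeError, ValueError):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    if claims.get("method") == "self_declaration":  # self-declaration is not accepted
        return None
    if claims.get("bracket") not in ("child", "adolescent", "adult"):
        return None
    return claims

def settings_for(token, now=None):
    """Fail closed: anything other than a verified adult token gets protective defaults."""
    claims = verify_token(token, now)
    if claims and claims["bracket"] == "adult":
        return dict(ADULT)
    return dict(PROTECTIVE)
```

Because the token carries no identifier, caching it re-proves the age bracket without storing raw ID data; the fail-closed branch is what an automated suppression test should assert on.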
FAQ for counsel, policy, and product
Do we have to verify age for every user? No—but if your service is adult-only, or your features/content are inappropriate for minors, you must implement reliable verification. For mixed-audience spaces, pair risk-based assurance with protective defaults.
Is “parental consent” enough under LGPD? For children <12, parental consent is the default legal basis—but it must be specific and prominent. For adolescents, the ANPD says you may use other legal bases (e.g., legitimate interest) if you can show the best interests test is met. You still need to meet Digital ECA’s design/safety duties.
What’s the penalty exposure? Under the Digital ECA, up to 10% of Brazilian revenue (capped at BRL 50M/violation) and possible suspension/ban in extreme cases—in addition to LGPD penalties and consumer-protection actions.
Brazil Children Privacy Law Help
Brazil’s Digital ECA is the clearest signal yet that kids-first design and privacy-by-default are no longer nice-to-haves. It tightens ad, design, and safety rules while the LGPD continues to govern how you process minors’ data. Treat age assurance as a privacy feature, not a data-grab; wire parental controls to the safest defaults; ban profiling for minors; and prove your promises in code and logs. Companies that move now—before the one-year clock starts—will avoid panic retrofits and launch with trust intact.