
The Brazilian regulatory landscape for the digital environment underwent a structural transformation with the entry into force, on March 17, of the Digital Statute of the Child and Adolescent (ECA Digital), established by Law No. 15,221/2025 and also known as the “Felca Law”. Thirty-five years after the enactment of the original ECA, Brazil updates its legislation to address a reality shaped by algorithms, artificial intelligence, data monetization, and platforms designed for continuous engagement.
The new legal framework promotes a profound shift in regulatory logic: the State ceases to delegate the primary regulation of internet use by minors to families and begins to require preventive and structured action from platforms. Child protection moves out of the voluntary realm of good practices or ESG (Environmental, Social, and Governance) agendas and is definitively incorporated into mandatory corporate compliance.
To Whom Does ECA Digital Apply?
ECA Digital is not restricted to big tech companies. The rule applies to any company offering information technology products or services with probable access by children or adolescents in Brazil, such as social networks, electronic games, and advertising targeted at youth, even when provided by companies headquartered abroad.
The concept of “probable access” is central to the application of the law and is based on three fundamental criteria:
- Service attractiveness: Language, design, and functionalities that draw the attention of the youth audience;
- Ease of use and access: Low or non-existent barriers to entering the platform; and
- Risk potential: Especially in environments that allow social interaction, large-scale information sharing, and prolonged use.
Once access is foreseeable, the company is expected to have designed the product with that possibility already in mind.
Safety by Design and Privacy by Default
ECA Digital shifts the regulatory emphasis to product architecture. In practice, this means it is not enough to react after the damage is done; the product must be structured from the start under the principles of security from conception (safety by design) and by default (privacy by default).
The logic of safety by design requires platforms to structure their digital environments to ensure the protection of minors, including parental supervision tools, content filters, and restrictions on open interactions. Accessible tools must be provided to allow parents and guardians to monitor and control the use by children and adolescents, with minimum functionalities such as screen time limitation, control over recommendation systems, restrictions on sensitive features (such as geolocation), and blocking of unknown contacts. The logic of the best interest of the child now guides not only data collection but the entire product architecture, including monetization strategies based on prolonged engagement and algorithmic recommendation.
One of the most sensitive points of the new legislation is that it moves beyond age self-declaration. The simple question “Are you over 18?” is no longer a sufficient control mechanism. Platforms now have the duty to adopt reliable age verification mechanisms at every access, especially for inappropriate content or content prohibited for minors. If it was predictable that the child would be there, the claim that they “lied about their age” does not exempt the company from liability. Although there is no technical “silver bullet” for age verification, the market is discussing alternatives such as official documents, digital identities, biometrics, algorithmic estimates, and transactional data, with each service required to adopt solutions proportional to its risk.
Other changes introduced by ECA Digital include:
- Account linking: User profiles under 16 years of age must be associated with a legal guardian, enabling greater monitoring of activities.
- Prevention and combat of exploitation: Content related to abuse, exploitation, or grooming must be removed immediately, with mandatory reporting to competent authorities.
- Mitigation of excessive use: Implementation of mechanisms that discourage prolonged use, such as screen time warnings and adjustments to platform design.
- Advertising and data protection: Stricter rules for targeted advertising and reinforcement in the protection of personal data of children and adolescents.
- Age rating classification: Providers must ensure the compatibility of the product or service with the age rating classification, which must be prominently displayed at the time of access. The interface, recommendation algorithms, type of content displayed, and available functionalities must also vary according to the user’s age group.
The Central Role of the ANPD and the Sanctioning Regime
Failure to comply with the obligations set forth in ECA Digital may be penalized with warnings, fines of up to BRL 50 million, temporary suspension, and prohibition of the exercise of activities. The regulation, inspection, and application of sanctions related to ECA Digital fall under the jurisdiction of the National Data Protection Authority (ANPD), elevated to the status of a regulatory agency by Decree No. 12,622/2025.
Although the ANPD indicates that it does not expect immediate full compliance, it will require a demonstration of diligence and a structured compliance process. The sanctions provided for non-compliance are severe:
| Sanction | Details | Limit |
| --- | --- | --- |
| Warning | Corrective period to adjust irregular practices. | Up to 30 days |
| Fine | Based on the economic group’s revenue in Brazil. | Up to 10% of revenue (Limited to BRL 50 million per infraction) |
| Fine per User | Applicable in the absence of revenue information. | Between BRL 10.00 and BRL 1,000.00 (Limited to BRL 50 million per infraction) |
| Suspension/Prohibition | Temporary or definitive restriction on the exercise of activities. | Applicable according to severity |
Foreign companies are jointly and severally liable for the payment of the fine through their branches, subsidiaries, or establishments in Brazil in the event of recurrence of infractions provided for in the new law.
Hypervulnerability and Specific Prohibitions: Loot Boxes and Profiling
From a consumer protection perspective, ECA Digital consolidates the recognition of the child as hypervulnerable in the digital environment. This directly impacts the business model of many platforms, imposing strict prohibitions. The following stand out:
- Prohibition of Profiling: ECA Digital prohibits the use of profiling (analysis of behavioral data, automated or not) for targeting advertising to children and adolescents, as well as the use of invasive technologies such as emotional analysis, augmented reality, and virtual reality for advertising purposes directed at this audience.
- Prohibition of “Loot Boxes”: The law bans reward boxes in electronic games targeted at or likely to be accessed by the youth audience, purchased with real or virtual money, which release random rewards (skins, weapons, characters).
Where Should Companies Start?
Compliance does not begin with simply altering terms of use or privacy policies. The first step is a real diagnosis of the product or service offered, to assess whether it meets the criterion of “probable access” by children and adolescents. If the answer is positive, compliance with ECA Digital may involve several fronts, including:
- Risk Diagnosis: Identify blind spots in the product or service, in communication, and in the use of AI, evaluating risks related to content, conduct, contract, commerce, and contact.
- Architecture Review: Adapt functionalities, onboarding flows, design, and default settings to the most protective level (safety by design and privacy by default).
- Implementation of Age Verification: Develop proportional and reliable technical mechanisms, eliminating self-declaration.
- Development of parental supervision tools;
- Review of advertising and monetization policies;
- Implementation of content moderation and removal systems;
- Preparation of transparency reports;
- Monitoring of additional ANPD regulations;
- Team training; and
- Internal compliance audit.
ECA Digital does not create an isolated legal system; it is a cross-cutting normative layer that interacts with the Consumer Defense Code, the Civil Rights Framework for the Internet (Marco Civil da Internet), and the General Data Protection Law (LGPD). In 2026, the central question that will define the reputation and sustainability of companies’ business models will be: “Was this product designed considering that children could be there?”. Under ECA Digital, ignoring the risk ceases to be an omission and becomes an infraction.
For specific guidance on the impacts of ECA Digital on your company, please contact LBM Advogados.
