Digital ECA: New Law for the Protection of Children and Adolescents in Digital Environments

On September 17, 2025, Law No. 15,211/2025 — the Digital Statute for Children and Adolescents (“Digital ECA”) — was enacted, establishing an unprecedented regulatory framework for the protection of minors in digital environments in Brazil.

Scope: The statute applies to any information technology product or service targeted at or likely to be accessed by children and adolescents, regardless of where it is developed, marketed, or operated.

Definitions: The law provides detailed definitions of key concepts such as social network, profiling, reward box, app store, operating system, parental supervision mechanism, monetization, and boosting.

Key Obligations for the Digital Sector

Protective Default Settings: Digital products and services must, by default, be configured with the highest level of protection available regarding the privacy and personal data of children and adolescents.

Age Verification: Reliable and auditable mechanisms must be implemented to prevent minors from accessing inappropriate content. Self-declaration is expressly prohibited.

Parental Supervision: Accessible and effective tools must be made available to enable parents and legal guardians to monitor, restrict, and manage the use of digital services. Providers of products or services targeted at or likely to be accessed by children and adolescents must ensure that user profiles or accounts of individuals up to 16 years of age are linked to the account or profile of a legal guardian.

Advertising and Monetization: Commercial advertising based on profiling is prohibited, as is the monetization or boosting of content that portrays children or adolescents in an eroticized or sexually suggestive manner.

Children’s Games and Loot Box Ban: The use of reward boxes (loot boxes) in electronic games aimed at children and adolescents is strictly prohibited. No form of offering or inclusion of such mechanisms is permitted in games intended for or likely to be accessed by minors.

Content Removal: Companies offering information technology products or services within Brazilian territory are required to remove and report to the competent domestic and international authorities any content that directly or indirectly indicates situations of exploitation, sexual abuse, kidnapping, or grooming identified on their platforms.

Transparency Reports
Providers with over one million underage users must publish biannual transparency reports detailing their reporting channels; the volume of content or account moderation, by type; complaints received; technical improvements implemented; and the outcomes of impact assessments, as well as the identification and management of risks to the safety and health of children and adolescents.

Legal Representation in Brazil
Foreign providers are required to maintain a legal representative in Brazil, with authority to receive service of process, subpoenas, and notifications in judicial and administrative proceedings. This representative will also be responsible for liaising with the Executive and Judiciary Branches, as well as with Public Prosecutor’s Office authorities, undertaking, on behalf of the company, all obligations before the Brazilian public administration.

Penalties and Competent Authority

Penalties: Sanctions include warnings; simple fines of up to 10% of the economic group’s gross revenue in Brazil in the previous fiscal year or, if revenue data is unavailable, fines ranging from BRL 10 to BRL 1 thousand per registered user of the sanctioned provider, capped at BRl 50 million per violation; and suspension or prohibition of activities.

Competent Authority: The Brazilian Data Protection Authority (“ANPD”) has been designated as the autonomous administrative authority responsible for safeguarding the rights of children and adolescents in digital environments.

Effective Date
The law will enter into force six months after its publication, that is, in March 2026, pursuant to Provisional Measure No. 1,319/2025.

Demarest’s Privacy, Technology & Cybersecurity and Dispute Resolution & Consumer teams remain available to provide any further clarification that may be required.