On September 17, 2025, Law No. 15,211/2025 was enacted, originating from Bill No. 2,628/2022, thereby establishing the Digital Statute for Children and Adolescents (ECA Digital).
This new legislation introduces unprecedented parameters for the protection of children and adolescents in digital environments, with a focus on digital platforms, social networks, apps, and electronic games. The vacatio legis was set at six months, as provided by Provisional Measure No. 1,319/2025, meaning the law will come into full force in March 2026.
ECA Digital represents a significant normative update to the Statute of the Child and Adolescent (Law No. 8,069/1990), marking a historic regulatory milestone in safeguarding childhood and youth amid hyperconnectivity and contemporary technological challenges. It is further notable for being the first legislation in Latin America exclusively dedicated to safeguarding minors within the digital environment.
The law aims to mitigate digital risks such as emotional advertising, behavioral profiling, and exposure to inappropriate content. It reinforces the principle of comprehensive protection enshrined in Article 1 of the ECA and aligns with Article 227 of the Federal Constitution, which imposes on the family, society, and the State the duty to ensure, with absolute priority, the fundamental rights of children and adolescents. In the digital context, this duty translates into concrete obligations imposed upon technology platforms, which may incur liability for the undue exposure of minors.
Among the express prohibitions established by the statute are, inter alia:
- Targeted advertising based on emotional or behavioral profiling of minors;
- The use of loot boxes in electronic games aimed at children and adolescents;
- Monetization practices designed to encourage compulsive use;
- Exposure to illicit or manifestly inappropriate content, such as pornography, suicide promotion, bullying, and gambling;
- The collection of personal data without the explicit consent of legal guardians, including for age verification purposes.
Furthermore, platforms, apps, and operating systems are now legally required to implement default safeguards, such as restrictive privacy settings, age-based content classification (privacy by design), mandatory parental supervision tools, mechanisms to mitigate mental health risks, and accessible reporting and moderation channels. Parental control functionalities must be offered in an effective and user-friendly manner, allowing guardians to limit screen time, adjust recommendations, and disable sensitive features such as geolocation.
From a data protection standpoint, ECA Digital is closely aligned with the General Data Protection Law (Law No. 13,709/2018), particularly Article 14, which mandates that the processing of personal data of children and adolescents must prioritize the best interests of the data subject. The National Data Protection Authority (ANPD) has already issued interpretative statements and guidance documents reinforcing this principle, emphasizing that the best interests of the minor must prevail over any commercial purpose. Age verification, for instance, must be conducted using the minimum amount of personal data necessary, solely for verification purposes, and without reuse or sharing of the collected information.
The accountability of digital platforms is further strengthened by the provision of administrative sanctions, which may amount to BRL 50 million. The law establishes a graduated enforcement regime—from warnings to suspension of activities—and requires periodic risk and moderation reports. The regulator’s actions must preserve the balance between the protection of minors while safeguarding freedom of expression, explicitly prohibiting mass surveillance practices.
It is important to note that the General Data Protection Law (LGPD) already provided specific safeguards for the processing of minors’ data, particularly in Article 14. The ANPD’s Statement CD/ANPD No. 1/2023 further reinforces the interpretation that the best interests of the child or adolescent must prevail in any data processing operation. The ANPD’s Guide on Legal Bases for Data Processing (Feb/2024) establishes that legitimate interest may be used as a legal basis for processing minors’ data, provided that:
- A balancing test is conducted, evaluating:
- The necessity of the processing;
- The legitimate expectations of the data subject (or legal guardian);
- The fundamental rights and freedoms involved;
- The transparency and documentation of the processing activities.
- The best interests of the minor are observed, as required by Article 14 of the LGPD.
The aforementioned ANPD Guide also clarifies that legitimate interest may only be applied when there is a direct relationship between the data controller and the data subject, and provided that there are no disproportionate risks to the minor’s fundamental rights. The controller must document the analysis and, if necessary, prepare a Data Protection Impact Assessment (DPIA).
Regarding age verification, the following parameters must be observed:
- Minimal use of personal data;
- Exclusive purpose of age verification;
- Prohibition on the reuse or sharing of collected data;
- Transparency and accessible language for legal guardians.
In the event of a security incident involving the personal data of children and adolescents, the LGPD imposes strict obligations. The data controller must notify the ANPD and the data subjects (or their legal guardians) within three business days if there is a risk or significant harm. The notification must include, at a minimum, a description of the incident, the types of data affected, the number of data subjects involved, the security measures adopted, the mitigation plan, and the contact details of the controller and the designated data protection officer.
