When Child Protection Meets Anti-Circumvention
When Brazil's Digital ECA (Law No. 15,211/2025) took effect on March 17, 2026, the policy logic seemed straightforward: require platforms to verify users' ages before allowing access to social media, adult content, and online games. Children would be protected; adults would submit identity documents or biometric scans to prove they were not minors.
What happened next revealed why age verification mandates are never just about age verification. Within 24 hours, Proton VPN reported a 250% surge in Brazilian sign-ups. Most of these users weren't trying to hide criminal activity — they were trying to avoid mandatory biometric scans, preserve their anonymity, and bypass a law many perceived as invasive. The spike was, as Proton VPN's own General Manager David Peterson acknowledged, a signal that "adult users are turning to VPNs due to growing concerns about their privacy and online security."
Brazil's National Data Protection Authority (ANPD) read that spike differently. On June 1, 2026, the agency opened a public consultation on updated age verification guidance that explicitly requires platforms to implement "anti-bypass and resilience measures" — language that signals regulators intend to close the VPN workaround, not simply build better age gates.
The Regulatory Architecture Taking Shape
The Digital ECA mandated age verification but deliberately left technical specifics to the ANPD. Decree 12.880/2026, signed on March 18, 2026, created a framework in which app stores and operating systems serve as structural gatekeepers — required to supply age signals downstream to individual platform operators.
The ANPD's preliminary guidance established six minimum requirements for age verification mechanisms: proportionality to risk, accuracy and reliability, data minimization, non-discrimination, transparency and auditability, and interoperability. The June 2026 draft guidance — open for public comment until July 9, 2026 — adds a seventh and most consequential element: systems must demonstrate the capacity to resist circumvention, with documented testing before and during implementation.
The anti-bypass requirement sits within what the ANPD calls a "digital chain of responsibility." App stores (Apple's App Store, Google Play) and operating systems must provide age signals to platform operators, who must then implement verification mechanisms that remain effective even when users attempt to route around them. According to a Data Privacy Brasil analysis of the draft, technical specifications include liveness detection and "protection against spoofing and data injection."
Non-compliance is not a small risk. The Digital ECA authorises fines of up to R$50 million (approximately US$10 million) per violation, or 10% of a company's Brazilian revenue — whichever is higher.
The Case for the Mandate
Regulators are not wrong that circumvention is a real problem. If age gates can be trivially bypassed with a free VPN download, they provide only the appearance of protection. A minor determined to reach harmful content faces at most a two-minute setup process — making the regulatory burden fall entirely on compliant adult users while protecting no one.
The Brazilian framework also attempts, to its credit, to build in privacy-preserving alternatives. The ANPD's guidance draws on the Australian Age Assurance Technology Trial and ISO/IEC 27566, explicitly preferring device-level age signals over per-session biometric collection. Rather than requiring every platform to run its own identity checks, the chain-of-responsibility model means a user's age is verified once at the device level and communicated downstream without repeated disclosure of raw identity data.
The Problem With Anti-Circumvention Infrastructure
The concern is not the goal — child protection is legitimate. The concern is the infrastructure required to enforce it.
An anti-bypass mandate logically requires platforms to identify and block circumvention traffic, or at minimum to detect when users appear to be routing around geographic or identity constraints. Neither capability can be narrowly scoped to age verification. Once a platform builds the means to detect VPN usage at scale, that infrastructure exists for other purposes: enforcing geo-restrictions on journalism, monitoring political dissent, or complying with future government demands to block specific content by origin.
Brazil is not a surveillance state, but it is a country with a recent record of platform coercion: X/Twitter was suspended by court order in August 2024 after a months-long standoff with a federal judge over content compliance. The appetite for regulatory intervention in platform behaviour has only grown since. Requiring platforms to build anti-bypass capabilities as a condition of child safety compliance creates technical infrastructure that will outlast the current regulatory moment and, crucially, the current government.
The EFF has argued in the context of US state-level social media bans that mandatory identity verification regimes "destroy our right to online anonymity — a cornerstone of our right to free expression." The EFF's framing addresses US law, but the logic travels: if adults must identify themselves to access routine internet services, and platforms must neutralise tools that allow anonymous access, anonymity becomes legally contingent on never triggering an age gate.
A Better Path Exists
The ANPD's own guidance hints at an alternative. Cryptographic age credentials — verified once, stored in a device wallet, shared without disclosing underlying identity — can provide strong age assurance without requiring per-session biometric collection or anti-VPN infrastructure. Brazil's gov.br digital identity ecosystem is, in principle, capable of issuing such credentials, giving ANPD a route to robust age assurance through privacy-preserving means.
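To make "shared without disclosing underlying identity" concrete, the following added example (not taken from the ANPD guidance or from gov.br) uses the salted-hash selective disclosure idea behind SD-JWT: the issuer signs only digests of the claims, and the wallet reveals a single claim. The function names, the `issuer.example` issuer, the claim names and the sample person are all assumptions constructed for illustration.

```javascript
// Added example: SD-JWT-style selective disclosure with Node's built-in crypto.
// Function names, claim names and issuer.example are hypothetical.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('base64url');

// Issuer: salt and hash every claim, then sign only the list of digests.
function issueCredential(claims, issuerPrivateKey) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString('base64url');
    disclosures[name] = JSON.stringify([salt, name, value]);
    digests.push(sha256(disclosures[name]));
  }
  // Sorted so digest order does not reveal which claim is which.
  const payload = JSON.stringify({ iss: 'issuer.example', sd: digests.sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature, disclosures }; // stored in the device wallet
}

// Holder: reveal only the named claims; the rest stay as opaque digests.
function present({ payload, signature, disclosures }, reveal) {
  return { payload, signature, disclosed: reveal.map((n) => disclosures[n]) };
}

// Verifier: check the issuer signature, then that each revealed disclosure
// hashes to one of the signed digests.
function verifyPresentation(presentation, issuerPublicKey) {
  const { payload, signature, disclosed } = presentation;
  if (!crypto.verify(null, Buffer.from(payload), issuerPublicKey, signature)) {
    throw new Error('bad issuer signature');
  }
  const signed = new Set(JSON.parse(payload).sd);
  const claims = {};
  for (const d of disclosed) {
    if (!signed.has(sha256(d))) throw new Error('disclosure not signed by issuer');
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data; no real person or identifier.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const wallet = issueCredential(
  { name: 'Ana Exemplo', birth_date: '1990-01-01', age_over_18: true }, issuerKeys.privateKey);
const shown = present(wallet, ['age_over_18']);
console.log(verifyPresentation(shown, issuerKeys.publicKey));
```

The platform receives a signed "over 18" assertion and never sees the name or birth date. Because the same signed payload is reused on every presentation, this minimal form is linkable across platforms and has no holder binding; deployed schemes add both.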
The ANPD consultation closes July 9, 2026 — a narrow window for civil society to push for this framing before the August 2026 definitive guidelines crystallize. Full enforcement does not begin until January 2027, which means the technical specification still to be written will determine what "anti-bypass resilience" actually requires in practice.
If those guidelines are drafted narrowly — requiring platforms to ensure their own systems resist document fraud and deepfake spoofing — that is defensible and proportionate. If they are written broadly enough to require platforms to monitor and block network circumvention tools, Brazil will have traded a children's safety law for a surveillance mandate, with age verification as the entry point.
The 250% VPN surge was users voting with their downloads. Regulators owe those users a clear answer about what anti-bypass means — before the infrastructure to enforce it becomes irreversible.