Eight months after President Luiz Inácio Lula da Silva signed Law 15.211/2025 — popularly dubbed the ECA Digital, an online extension of Brazil's storied Child and Adolescent Statute — the statute is moving from political symbol to operational reality. The trigger was unambiguous: in August 2025, influencer Felca's investigative video Adultização, exposing the sexualisation of minors on mainstream platforms, racked up tens of millions of views in days and forced Congress to fast-track a bill that had been drifting since 2022. By September, Lula had signed it into law. In 2026, the harder work begins.
The Autoridade Nacional de Proteção de Dados (ANPD) and the Ministry of Justice are now drafting the implementation regulations that will determine whether ECA Digital becomes a global benchmark for proportionate child-safety regulation — or another cautionary tale of well-meaning law colliding with engineering reality.
What ECA Digital Actually Requires
The law layers new duties onto digital service providers that are likely to be accessed by minors. The core obligations include:
- Age assurance: platforms must deploy mechanisms to identify whether a user is a minor, with heightened protections for under-13s.
- Parental controls: services must offer accessible tools for guardians to manage minors' accounts, screen time, and exposure to certain features.
- Design duties: dark patterns, addictive engagement loops, and targeted advertising aimed at minors are restricted.
- Content moderation: platforms face stricter takedown timelines for material involving sexualisation, grooming, or self-harm content targeted at children.
- Reporting and transparency: regular reports on enforcement actions affecting minors must be filed with regulators.
The statute draws explicit lineage from the UK's Age-Appropriate Design Code, the EU's Digital Services Act provisions on minors, and Australia's now-watershed under-16 social media ban. It is, in other words, part of a global wave — and like that wave, it carries familiar risks alongside its undeniable goods.
The Proportionality Question
Brazil's existing legal architecture already gives it considerable tools. The Marco Civil da Internet (Law 12.965/2014) governs intermediary liability; the LGPD (Law 13.709/2018) regulates personal data, including a specific consent regime for minors; and Article 227 of the Federal Constitution enshrines an absolute priority for children's rights. Layered onto this base, ECA Digital is less a revolution than a sectoral specification.
That makes the regulatory question one of execution, not principle. Three drafting choices will determine whether the law protects children or simply burdens the open internet:
1. Age assurance, not age verification
The text wisely speaks of "mechanisms" to determine age rather than mandating government-ID checks. The ANPD should hold that line. Document-based verification at the platform level would force every Brazilian — adult and minor alike — to hand identity documents to private companies, expanding the attack surface in a country still recovering from the C&M cyber heist and a string of credential-stuffing incidents. Probabilistic age estimation, parental attestation flows, and device-level signals (as proposed in Apple's and Google's recent age-assurance APIs) are less intrusive and, by recent academic estimates, sufficient for the vast majority of cases.
2. Scope-by-risk, not scope-by-size
The duties should track actual risk to minors — a video platform serving algorithmic recommendations to teens is not the same as a B2B SaaS tool. Applying uniform duties to every "likely accessed" service will crush smaller Brazilian startups while large incumbents absorb compliance costs. A tiered framework, similar to the DSA's distinction between intermediary services and Very Large Online Platforms, would be more honest about where harms cluster.
3. Due process for takedowns
Marco Civil's Article 19 — Brazil's constitutional anchor for free expression online, currently under reinterpretation by the Supreme Federal Tribunal — requires judicial orders for most content removal. ECA Digital's faster takedown obligations must not become a backdoor around that principle for content unrelated to child sexual abuse material, where notice-and-takedown is already settled global practice.
What Could Go Wrong
The cautionary tales are not hypothetical. The UK's Online Safety Act has produced what Ofcom itself acknowledges is a chilling effect on small forums. France's age-verification regime has been challenged in court for forcing porn-site users through identity checks that leak metadata to third parties. Utah and several US states have seen their child-safety laws enjoined on First Amendment grounds.
Brazil should learn from these stumbles. ECA Digital's success criteria should be measurable reductions in documented harms — grooming, CSAM, exposure to self-harm content — not aggregate compliance theatre.
The best child-safety regime is one that targets specific, evidenced harms with the least intrusive means available — not one that turns every Brazilian into a verified subject of the platforms they use.
The Window for Good Rules
The ANPD's draft regulations are expected through 2026, with public consultations to follow. Civil society groups including IRIS, Coding Rights, and InternetLab have already signalled engagement. Industry — both global platforms and Brazil's growing local ecosystem of social and creator-economy apps — has a narrow window to push for technically grounded, risk-proportionate rules.
Brazil has a real chance to write the Global South's first credible child-safety code. Whether it seizes that chance depends less on the statute Lula signed in September than on the regulatory craft of the next twelve months.