Brazil Just Turned Its Child Protection Statute Into a Privacy by Default Rulebook for the Whole Internet—And Parental Consent Is No Longer Enough

What Brazil Just Did

On May 15, 2026, the International Association of Privacy Professionals published its analysis of the operational framework that Brazil's data protection authority, the ANPD, finalized for Law 15.211/2025—better known as the Digital ECA, short for Digital Child and Adolescent Statute. The underlying law had passed in September 2025. Decree 12.881/2026, which became effective April 8, supplies the part the law could not: a working compliance framework that defines what platforms have to actually do.

The structural move at the center of the framework is the one regulators in the EU and the US have spent years trying to articulate: parental consent is no longer the compliance anchor. A platform cannot rely on a checkbox saying "I am the parent and I agree" to justify processing a minor's data. The legal basis is necessary but not sufficient. The platform must also demonstrate that the activity aligns with "the best interests of the child," and the ANPD gets to decide what that means.

What the Framework Bans

The Digital ECA's operational rules name specific behaviors that platforms can no longer deploy when their services are aimed at minors or are reasonably likely to be accessed by them. The big four:

• Targeted advertising using profiling, emotional analysis, or immersive technology. The ad targeting that powers every social media platform's revenue model is illegal when it touches a minor.
• Advertising that exploits children's underdeveloped judgment. The classic "buy this with mom's credit card" creative is now a compliance violation, not a marketing tactic.
• Manipulative, deceptive, or coercive design patterns. Mechanisms that hide stopping points, trigger unsolicited content, or push for engagement past natural session boundaries are banned. Autoplay queues that never end, dark patterns in opt out flows, and infinite scroll on accounts identified as minor accounts all fall into the category.
• Criminal content. Providers must remove identified criminal content immediately and notify Brazil's Screening Center. The reporting obligation makes platforms liable not just for what stays up but for whether the takedown happened fast enough.

The framework also requires "privacy and security by default" for any service used by minors. The default settings on a new minor account must be the most protective configuration the platform offers. The user can turn protections off, but the platform cannot ship with them off and require them to opt in.

The Age Verification Question

Every children's privacy framework eventually runs into the same problem: how does a platform know who is a minor? The Digital ECA does not punt on this the way COPPA did. The decree requires age assessment and age verification mechanisms with specific criteria—proportionality to risk, data minimization, security, non discrimination, and transparency—but it leaves the precise technical specification to the ANPD's forthcoming regulations.

App stores get a specific role. Google Play, the iOS App Store, and any other distribution layer must provide "limited age signals" to service providers without disclosing exact birthdates. This is the part of the framework that mirrors what the EU is asking Meta to do under the DSA—deploy age assurance at the platform layer rather than at the individual service layer.

Services with editorial control over content and bundled parental supervision—the kid focused YouTube Kids type apps—can get a partial exemption from age verification. The reasoning is that they are designed for children by construction, so the question of whether a particular user is a child is moot. The exemption only applies if the parental supervision tooling is real and the content is genuinely age appropriate.

The 50 Million Real Penalty

Penalties under the Digital ECA escalate in tiers. The ANPD can issue a warning. It can fine a violator up to 50 million reais per violation (about 9 million dollars at current exchange rates). It can order a temporary suspension of the service. It can prohibit the company from operating in Brazil entirely. The 50 million per violation cap is per individual violation, which means a sufficiently large incident can stack penalties.

For comparison, the EU's GDPR caps fines at 4 percent of global revenue, which for a Meta sized company is in the billions of euros. The Brazilian cap is lower in absolute terms, but the suspension and prohibition powers are the more interesting lever. The threat of being barred from operating in Brazil—a market of 215 million people—is enough to focus the attention of any global platform.

The penalties also stack with the existing LGPD, Brazil's general data protection law. A platform that profiles minors for targeted advertising can be fined under the Digital ECA for the children's law violation and under the LGPD for the underlying privacy violation. The ANPD has been explicit that it will run parallel enforcement.

Who Has to Comply

The scope is broader than COPPA's "directed to children" test and broader than GDPR's "information society services offered directly to a child" trigger. The Digital ECA applies to any organization that processes the data of children or adolescents in digital environments. Two flavors of platform are in scope:

• Services explicitly aimed at children or adolescents.
• Services likely to be accessed by them.

The "likely to be accessed" criterion is the same expansive language the UK's Age Appropriate Design Code uses, and it has the same consequence: every major social platform, every messaging app, every gaming platform, every video sharing service, and every general consumer product that minors might plausibly use falls under the rules. The platform's claim that "we are not targeting kids" does not get them out. If kids are reasonably likely to be on the platform, the rules apply.

For US headquartered platforms, this is the second consecutive year where the rest of the world's children's privacy frameworks are tightening while the US debate remains stuck on whether COPPA needs to be amended. The FTC's COPPA update that took effect April 22 made modest changes. The Brazilian framework is operating in a different category.

The Anti Consent Argument

The most consequential part of the Digital ECA is the conceptual one. The framework explicitly de centers consent as the compliance device for children's data. The phrase the ANPD has used is that "having parental consent is not sufficient to justify data processing involving minors." A platform that obtains valid parental consent can still violate the law if the underlying processing is not in the best interests of the child.

This is a meaningful departure from the global pattern. COPPA in the US is a consent regime: get verifiable parental consent, and most processing is allowed. GDPR-K in Europe is a consent regime with a higher bar. The Digital ECA replaces the consent regime with a best interests regime. The platform has to make a substantive judgment about whether the activity benefits the child, document the analysis, and stand behind it. The ANPD reviews the analysis.

For platforms that have built their compliance posture around "we got a consent form, we are fine," the shift is structural. Their lawyers can no longer point to a click through agreement and call the matter closed. They have to actually think about whether the processing is in the child's interest. And the platforms that have made the same calculation in other jurisdictions know what the honest answer often is.

What This Means for the Global Pattern

Brazil is the largest single market to fully operationalize a "best interests of the child" framework in digital services. The country has 50 million people under 18, all of whom use the same platforms American and European children use. The Digital ECA forces those platforms to choose between three options: build a Brazil specific compliance posture, build a global compliance posture that satisfies Brazil, or exit the Brazilian market.

The third option is not viable for any major platform. The first option is operationally expensive. The second option is what most companies will eventually pick, which means the Digital ECA's substantive standards will quietly become the global baseline for how big platforms handle minors. The same dynamic played out with GDPR after 2018 and will play out with the Digital ECA between 2026 and 2028.

For the regulators in the US who have been arguing for a similar framework, Brazil's enforcement record will be the proof of concept. If the ANPD pushes a 50 million real fine through and gets it past appeal, the playbook becomes exportable. If the ANPD blinks, the framework becomes a paper tiger. The next eighteen months are going to be defining for the global posture on children's online privacy.