Regulatory Compliance: The new reality of the Digital ECA

On March 17, Law No. 15,211/2025—also known as the Digital ECA—comes into force. This regulatory milestone focuses on the full protection and best interests of children and adolescents in the digital environment.

The law establishes guidelines and imposes strict duties on companies operating digital products and services targeted at children and adolescents, or those likely to be accessed by them, with the aim of ensuring the safety and privacy of minors.

“Likely access” is characterized by the probability of use, ease of access, and the degree of risk to the privacy and psychosocial development of minors. Therefore, it applies not only to general-use social networks but also to app stores and operating systems.

The integration of parental supervision is one of the most innovative aspects of the law, requiring platforms to develop transparent interfaces that allow parents to effectively monitor their minor children’s digital experience without compromising usability.

Key points required for compliance:

• Mandatory age verification and ban on self-declaration: Platforms, app stores, and operating systems must implement age-verification controls.

• Enhanced parental supervision: Implementation of parental supervision tools enabled by default.

• Prohibition of abusive advertising and commercial exploitation limits: Ban on exploitative practices, targeted advertising based on minors’ data, and algorithmic manipulation techniques, such as compulsive stimuli (e.g., autoplay, excessive gamification).

• Safety and Privacy by Design: Products and services must be designed from inception to reduce foreseeable risks, preventing exposure to violence, exploitation, sexualization, behavioral risks, and abusive data collection.

• Active removal of harmful content: Responsibility to identify and remove dangerous content regardless of a court order.

• Sector-specific rules (Games, Social Media): Ban on loot boxes, chat restrictions, functionality controls, and mandatory age ratings adjusted to risks.

Recommendations for institutional adequacy:

• Data policy review and LGPD compliance: Under the Digital ECA, minors’ data must be treated with maximum priority, requiring a re-evaluation of legal bases, privacy notices, parental consent, and Data Protection Impact Assessments (DPIAs/RIPDs).

• Technical restructuring: Age-signal APIs, security measures, and technical governance flows aligned with ANPD (National Data Protection Authority) guidelines.

• Age verification technical architecture: Joint legal and IT advisory to define solutions proportional to risk (AI, biometrics, API, document verification) while minimizing data collection.

• Reporting channels and rapid response: Implementation of active moderation mechanisms, notification flows, and content removal protocols.

• Evidence for inspections: Maintenance of auditable records, decision trails, and compliance reports to satisfy the ANPD and other authorities.

Penalties for non-compliance: The ANPD may apply sanctions depending on the infringement, ranging from warnings (with a 30-day correction period) to fines of up to 10% of the economic group’s turnover in Brazil (capped at R$ 50 million per infringement), temporary suspension, or prohibition of activities.

It is essential for companies to review their internal processes to align with these new legislative guidelines. Peck Advogados has a team of experts ready to support institutions in the regulatory transition required by this new scenario.

For more information or to schedule a meeting with our specialists, please contact us at contato@peckadv.com.br.

AUTHOR

• Bruno Oliveira
• Graziella Rosa