Digital ECA: The New Regulation on Child Protection

Following the entry into force of the Digital ECA, the President sanctioned three important Decrees on Wednesday (18th) regarding the regulation of this new legislation.

Additionally, the National Data Protection Agency (ANPD), established in its new regulatory role for the protection of children and adolescents, presented its preliminary guidelines on age verification mechanisms.

The Decrees 12.880, 12.881, and 12.882/2026:

• Regulate mandatory measures for the protection of children and adolescents in digital environments;

• Create the National Policy for the Promotion and Protection of Children’s and Adolescents’ Rights in the Digital Environment; and

• Authorize the creation of the National Notification Triage Center, responsible for handling reports and illegal content, under the responsibility of the Federal Police.

The new regulation also introduced important definitions for content categories:

• Inappropriate or unsuitable content: poses risks to privacy, safety, health, or psychosocial development.

• Prohibited content: access by minors is prohibited by law.

• Pornographic content: predominantly sexual in nature.

The text consolidates the fundamental principles of comprehensive protection for children and adolescents in the virtual environment, such as guaranteeing access to age-appropriate content/services, protection and safety, shared responsibility between the Public Authority and the family in protecting minors, privacy, and reducing structural inequalities in digital environments.

Providers of information technology products or services targeted at children and adolescents or likely to be accessed by this audience must make available to users accessible and free notification mechanisms regarding violations of children’s and adolescents’ rights.

Furthermore, Decree 12.880 reinforces concerns about protecting minors in electronic games and digital applications, emphasizing the distinction between the informational nature of age ratings and the restrictive nature of age verification mechanisms.

Transparency and accessible communication about the content of these applications are actions already provided for in Article 14, §6º of the LGPD regarding the processing of personal data of children and adolescents, but also highlighted in this Decree.

The Decree states that providers offering or intermediating the purchase and sale of products and services prohibited for children and adolescents must implement effective age verification mechanisms, as established by the ANPD, either at registration or at the time of product or service acquisition.

Regarding age verification mechanisms, the ANPD’s preliminary guidelines outline the duty to evaluate the compatibility of the chosen tool based on risk, particularly with respect to the following requirements:

• Proportionality: between the chosen solution and the level of risk associated with the service.

• Accuracy, robustness, and reliability: accuracy as to the degree of precision in determining age, robustness as to resistance to bypass or fraud attempts, and reliability in consistently producing correct and appropriate results in a verifiable manner.

• Privacy and Personal Data Protection: assessment of LGPD requirements, such as data minimization, security, and safeguards of the adopted tool, transparency, etc.

• Inclusivity and non-discrimination: tools must not create excessive barriers that exclude or discriminate against children and adolescents, considering Brazil’s diverse socioeconomic contexts.

• Transparency and auditability: provision of clear, precise, and easily accessible information on the operation and purpose of the age verification tool, as well as the tool’s capacity to be examined, including independently, regarding its components, procedures, operations, and records throughout its lifecycle.

• Interoperability: although a specific point of ANPD regulation (Article 12, §3º of the Digital ECA), interoperability refers to the ability of technological systems to communicate with each other, enabling integration and reducing redundant procedures.

Decree 12.880/2026 also addresses that, until specific regulation by the ANPD, manufacturers and importers of personal electronic devices with internet access to content targeted at children and adolescents must, within 30 days from the date of publication of the Decree, include an informational disclaimer directed at legal guardians about the need to protect children and adolescents from access to websites with inappropriate or unsuitable content—except for devices manufactured and imported up to the date of the Decree’s publication.

Although the ANPD’s initial guidelines did not specify types of age verification tools, the manual provided by the ANPD offered, on a non-mandatory basis, a suggestion on solutions that allow a user to prove a specific attribute from a credential issued by a trusted source, without the service receiving or retaining additional information, resulting in minimal exposure of personal data—these are tools based on verifiable credentials and zero-knowledge proof cryptographic techniques (Zero-Knowledge Proofs – ZKP).

In this regulatory scenario, it is crucial for companies to review their internal processes and effectively implement Privacy by Design to put in place risk mitigation measures, ensuring the rights of children and adolescents.

For more information or to schedule a conversation with our specialists, contact us at contato@peckadv.com.br.

Prepared by: Dra. Graziella Rosa, Digital Advisory Manager, and Dr. Bruno de Oliveira, Digital Advisory Lawyer.

AUTHOR

• Bruno Oliveira
• Graziella Rosa