How to Comply with Brazil’s Age Verification Law – Lei 15.211

Brazil passed its age verification law (Lei 15.211) on September 17 2025. Exactly after six months, on March 18, 2026, the Autoridade Nacional de Proteção de Dados (ANPD) was fully authorized to enforce it through Decree No. 12,880. After the publication of the decree, the law became enforceable without any grace period or phased implementation for different sectors.

Those platforms that fail to replace self-declaration checkboxes with auditable age verification software risk facing fines that reach BRL 50 million per violation, or up to 10% of their Brazilian annual revenue. Compliance officers and product leads at different sectors like gaming companies, adult content services, social media platforms, and fintech companies that operate in Brazil need to understand exactly what the law requires, what it means in practice, and what a defensible online age verification implementation looks like.

Quick Takeaways

• Lei 15.211 (Digital ECA Brazil) is enforceable as of March 18, 2026, after publication of Decree No. 12,880.
• Under Article 9 of the law, self-declaration (“I am over 18”) is banned.
• Fines reach BRL 50 million per violation. For repeat offenses, the ANPD can order service suspension, and courts can impose platform bans under Article 18 of Lei 15.211/2025.
• Accepted online age verification methods include document verification, biometric age estimation, and CPF-based database checks for Brazilian nationals.
• Platforms with over one million minor users in Brazil must publish semi-annual transparency reports in Portuguese.
• The law applies regardless of where the platform is headquartered, provided Brazilian users can access the service.
• Foreign providers must maintain a legal representative in Brazil empowered to act before Brazilian authorities.

What Is the Digital ECA Brazil (Lei 15.211)?

The Digital Statute for Children and Adolescents, known as the Digital ECA or Lei 15.211/2025, is Brazil’s online safety law for minors. It was enacted in September 2025 and is enforceable from March 17, 2026. It updates Brazil’s foundational child protection statute from 1990, the original Estatuto da Criança e do Adolescente (ECA), so that it addresses challenges of digital environments. Brazil is the first Latin American country with a dedicated digital child safety law of this scope.

The law was passed rapidly following national outrage after an influencer exposed that YouTube channels were profiting from sexualized content that involved children. SaferNet Brasil documented 76,997 online human rights violations between January and July 2025, with 64% involving child sexual abuse material. The legislation cleared Brazil’s lower house, the Senate, and reached the president’s desk in under a month.

That origin matters for compliance teams. The Digital ECA does not treat digital platforms as neutral infrastructure. It imposes affirmative obligations on platforms toward the children who use them, requiring prevention of access rather than removal of content after it appears.

Who Needs to Comply With Brazil’s Age Verification Law?

The scope is deliberately wide. The Digital ECA applies to any information technology product or service targeted at or likely to be accessed by children (under 12) or adolescents (12 to 18), as defined in Article 2 of Lei 15.211/2025. This covers operating systems, app stores, gaming platforms, video games, and social networks, as well as platforms hosting adult content, behavioral advertising, and services with chat or content feed features.

“Likely to be accessed” is what makes the scope unusually broad. If a child could reasonably land on a platform, the law applies to the platform operator, regardless of whether the product was designed for adults.

The consequences arrived immediately after enforcement began. Rockstar Games suspended direct sales through its own launcher in Brazil, redirecting customers to PlayStation Store, Xbox, Steam, and Epic. The ANPD published a monitoring list that includes Linux distributors alongside Epic Games and Valve. Canonical reviewed its legal obligations for Ubuntu under the same framework.

Foreign companies are not exempt. Providers must maintain a legal representative in Brazil empowered to act on behalf of the company before Brazilian authorities. Companies with more than one million minor users must publish semi-annual transparency reports in Portuguese, a requirement that forces platforms to quantify their minor user base and creates a documented record that regulators can use in enforcement.

Why Self-Declaration Fails Under Brazil’s Age Verification Law?

Every platform that has shown an “I confirm I am 18 or over” checkbox has been relying on self-declaration. Article 9 of Lei 15.211 explicitly bans it.

Self-declaration offered low cost and minimal data handling. Because it provided no objective means of verification, it could be bypassed by anyone who could click a button. France’s CNIL and the UK’s Ofcom classify self-declaration as appropriate only for low-risk online services, not for age-restricted content. Brazil takes an even more strict approach under the Digital ECA; self-declaration is prohibited in all service categories covered by the law, not just high-risk ones.

The ANPD’s published requirements for platforms are three: use a highly effective and auditable age verification system rather than self-declaration, keep minors out of restricted services, and apply age assurance calibrated to age thresholds needed in specific situations and each platform’s service model.

What is Age Assurance vs Age Verification under ANPD Guidance?

Age assurance is the term the ANPD uses in its Technology Radar series to describe any mechanism that provides confidence about a user’s age group without necessarily confirming an exact date of birth. Age verification is a subcategory of that wider age assurance process, and it confirms age against a reference document or database record.

Any ambiguity in these two terms will have a direct impact on the operations of a business. A gaming platform that provides restricted access to an unmonitored chat may satisfy the law with age assurance, specifically, facial age estimation confirming the user is likely over 16. An adult content provider preventing account creation by minors needs age verification, meaning document or biometric confirmation tied to a legal identity. The ANPD’s proportionality principle, set out in Decree No. 12,880/26, governs which approach fits which risk level.

The ANPD’s Technology Radar outlines three approaches for age assurance

1. age estimation that determines probable age from biometric or behavioral signals
2. age verification that confirms age against a reference source
3. and age inference that uses activity and behavioral data to estimate age range.

The distinction among these methods basically depends on the level of accuracy and the type of information they rely on.

Accepted Online Age Verification Methods in Brazil

The Digital ECA requires “reliable and auditable” age verification methods. Based on the ANPD’s published guidance and Decree No. 12,880/26, the accepted approaches fall into three categories.

CPF-based verification uses Brazil’s individual taxpayer identification number (Cadastro de Pessoas Físicas). A single API call with the CPF number returns the holder’s date of birth from official Federal Revenue records, with response times under 500 milliseconds. For foreign nationals accessing Brazilian platforms, equivalent document verification using a passport or national identity card is accepted.

Document verification with liveness checks a government-issued identity document against issuer templates, with a biometric liveness check confirming the submitting person matches the document. This approach covers Brazilian and non-Brazilian users, produces a strong audit record, and closes the gap that CPF-only checks leave open. A minor using a parent’s CPF number passes a CPF-only check with no friction. Pairing CPF with a biometric age verification liveness check closes that gap and produces a stronger audit trail for ANPD review.

Biometric age estimation uses facial analysis to estimate probable age from physiological characteristics, without requiring identity document submission. This is the approach Discord deployed in Brazil on March 9, 2026. It is recognized in the ANPD’s Technology Radar, aligned with ISO 27566-1, and is appropriate for lower-friction, lower-risk gating.

App stores and operating systems must provide age signals to platforms via API, free of charge, without disclosing exact dates of birth. Platforms remain responsible for implementing their own verification processes regardless of what signals the operating system supplies.

What Is Risk-Based Age Verification in Brazil?

ANPD does not ask for the same level of intensity for every feature a platform user can use. Decree No. 12,880/26 explicitly sets criteria for age-assessment mechanisms, which include multiple considerations like it should be proportional to risk, use only that amount of data that’s really needed, it should be non-discriminatory and transparent, and must not use personal data for purposes other than age verification.

Verification at signup suits platforms where users can encounter adult material throughout the product experience, or where gambling mechanics are accessible in most of the products. Therefore, every user completes age assurance before accessing anything.

Verification at feature access fits platforms with mixed content. Users register normally but must complete age verification before unlocking restricted features such as live chat, age-gated content, or in-app purchasing with gambling mechanics. This model protects conversion rates while satisfying the law’s requirements.

The ANPD also requires that platforms document which path was chosen and why. A risk assessment explaining the verification method selected for each feature or content type is not optional. Choosing a proportionate approach without documenting the logic does not satisfy the auditability requirement.

Sector-Specific Age Verification Requirements

Platforms that provide adult content are required to implement technical measures that can effectively stop anyone under 18 from accessing their services. Simple disclaimers or self-certification are expressly prohibited. Providers who fail to prevent minor access not only face administrative fines, but they can also be held criminally liable under amendments to Brazil’s criminal code.

Social media platforms are obliged to maintain that accounts of children below 16 are linked with a parent or guardian’s account. Businesses covered in Digital ECA are required to have reporting systems and user-friendly parental controls available in Portuguese.

Gaming platforms must adopt measures to prevent minor access to gambling, betting, lottery equivalents, and loot boxes in electronic games. Pay-to-win mechanics that provide unfair gameplay advantages through purchases are banned in any product accessible to users under 18.

Fintech platforms accessible to minors are covered under the same framework. Age-gated financial features, including credit products and gambling-adjacent mechanics, require the same online age verification standard as other restricted content.

As per the Decree No. 12,880/26, platforms that use AI to generate content or interact with users based on natural-language prompts are required to be transparent about how their synthetic and automated content is when interacting with minor users. Decree No. 12,880/26 also requires these platforms to have in place measures to protect physical, mental, and psychosocial development.

Advertising across all platforms: Decree No. 12,880/26 deems abusive any advertising that exploits a child’s lack of judgment, and providers must prevent profiling and the use of emotional analysis, as well as augmented reality techniques to target minors.

Enforcement is led by the ANPD alongside a National Notification Screening Center operated by the Federal Police, which centralizes receipt and forwarding of reports about criminal content on digital platforms. Platforms should remove prohibited content immediately upon identifying it and notify the Screening Center without a prior court order, at the same time preserving what’s necessary for investigative purposes.

Brazil has demonstrated it will use platform bans. When X failed to comply with court orders in 2024, Brazilian authorities suspended its operations for over a month. The Digital ECA gives regulators the same authority in a child protection context.

What are the ANPD Expectations about Biometric Age Verification?

The ANPD’s Technology Radar details how biometric age verification should meet ISO 27566-1, taking inspiration from approaches used internationally, like Australia’s Age Assurance Technology Trial and the UK’s Age Appropriate Design Code. These standards specifically address four dimensions:

First is accuracy, which requires the system to demonstrate low false acceptance rates (for example, letting minors pass through) and acceptable false rejection rates (blocking legitimate adults).

Second is anti-spoofing, which means age estimation systems can be deceived by photographs, video replays, or deepfake media. Shufti’s liveness detection covers 56+ types of spoofing attacks, which include AI-generated deepfakes, 3D masks, and injection attacks, with iBeta Level 1 and Level 2 certification.

Third is privacy, about which the ANPD’s guidance specifies that systems should follow ISO 27566-1’s security-by-design and privacy-by-design principles, as well as only use data that is necessary for legitimate business purposes. In other words, only collects what is necessary for age assurance purposes and automatically deletes it after use.

The last and fourth one is auditability. The ANPD’s guidance specifies that audit trails should record when the user proved their age, which method was used, and if circumvention risks were calculated. It is important because if a child accesses prohibited content, a platform can demonstrate that it took sufficient preventive measures to avoid it.

Building an ANPD-Compliant Online Age Verification System

The compliant age verification system will need four things to work simultaneously: a choice of the correct method of verification as per risk, records that can be audited, compliance with LGPD (Lei Geral de Proteção de Dados) data handling requirements, and a documented reason or rationale that backs every compliance decision.

1. The first step is mapping risk exposure. Identify every feature or content category that triggers an age gate under Lei 15.211. Document which thresholds apply (under 12, under 16, under 18) and whether verification at signup or at feature access is the appropriate model for each.
2. The second step is choosing a verification method that matches the risk category. For lower-risk features where a registered Brazilian user base is expected, CPF verification against Federal Revenue records may satisfy proportionality requirements. For high-risk access, including adult content, unmoderated chat, or financial products with gambling-adjacent mechanics, pair CPF and document verification with a biometric liveness check.
3. The third step is building audit trails into the system architecture. Every age check must be logged with the method used, the outcome, and a timestamp. If the ANPD requests proof that a specific user was prevented from accessing restricted content, then the system should be able to produce that record on demand.
4. The fourth step is documenting the logic that was applied to determine proportionality. That is the reasoning behind each verification method for each risk tier, which must be written down and defensible. If a platform uses facial age estimation for general signup and document verification only for adult content access, that decision must be captured. The ANPD looks for this documentation during enforcement inquiries.
5. The fifth step is applying data minimization. Systems should provide only the final age assurance result, such as “over 18,” to the relying party without disclosing underlying sensitive information like date of birth, and automatically delete data after use. Storing raw identity documents longer than necessary creates LGPD liability and breach risk in equal measure.
6. The sixth step is appointing a Brazilian legal representative. Foreign platforms must have a named representative in Brazil with authority to respond to ANPD requests. This requirement has no exemption.

How Shufti Helps Platforms Build Auditable Brazil Age Verification Before the ANPD Investigates?

The gap most platforms underestimate is not the verification check itself. It is the documentation layer behind it. Passing a user through an age gate is the technical minimum. Producing a timestamped audit trail, a documented risk-tier rationale, and a proportionality assessment that holds up under ANPD review is what differentiates defensibility from liability.

Shufti’s age verification software combines CPF and document verification, along with certified biometric liveness detection and structured audit logs built to the ANPD’s auditability specifications. Integration runs via a single REST API with SDKs for iOS, Android, and Web, with quick deployments. The documentation layer, covering risk tier mapping, proportionality rationale, and LGPD data minimization compliance, is where the implementation work actually lives.

Talk to a compliance specialist to explore a custom-built age verification system that meets the risk exposure of your business and is compliant with Brazilian regulations.