Brazil: National Data Protection Authority issued guidelines on reliable age measurement mechanisms

On 20 March 2026, the National Data Protection Authority (ANPD) published preliminary guidelines and a monitoring schedule on reliable age verification mechanisms under the Digital Statute of Children and Adolescents (Law No. 15.211/2025 / ECA Digital), which entered into force on 17 March 2026, and Decree No. 12.880 of 18 March 2026. The guidelines apply to providers of information technology products or services intended for children and adolescents, or likely to be accessed by that audience. The guidelines establish a risk-based framework that groups the minimum requirements for age verification mechanisms into categories, based on proportionality, accuracy, robustness, reliability, privacy and personal data protection, inclusion and non-discrimination, transparency and auditability, and interoperability. The guidelines provide recommendations on conducting risk and data protection impact assessments, implementing data minimisation measures and avoiding the secondary use of age verification data and continuous automated data sharing. They also recommend delivering age signalling through secure application programming interface (API)-based solutions with privacy-by-default safeguards, in line with the General Personal Data Protection Law (Law No. 13.709/2018/LGPD), as well as adopting technical and organisational safeguards to prevent discriminatory bias and mass surveillance risks. The accompanying monitoring schedule comprises two phases. The first phase begins immediately and focuses on app stores and proprietary operating systems. The second phase will begin in August 2026, following publication of definitive guidelines, and will extend monitoring to other sectors determined by risk level under the ECA Digital. The ANPD will also update its enforcement regulations and administrative sanctions framework as part of the schedule.