As digital services continue to expand their reach, the protection of children’s personal data has become a central regulatory priority. In Brazil, this shift is reflected in the Digital Statute of the Child and Adolescent (Digital ECA), which enters into effect on March 17, 2026. The law introduces a new framework addressing how children’s and adolescents’ data is processed online.
Together with Brazil’s LGPD, or Lei Geral de Proteção de Dados, the Digital ECA sets a higher bar for organizations operating digital products and services that are accessed by minors.
Much like other recent privacy developments globally, Brazil’s approach signals a move toward stronger, more proactive protections, and a clearer expectation that organizations build compliance into how digital services are designed and operated.
Why regulators are prioritizing children’s data protection
Brazil already has a comprehensive data protection framework under the LGPD, enforced by the Brazilian data protection authority, the ANPD. The LGPD establishes principles, legal bases for processing, and individual rights across sectors. The Digital ECA reflects a growing regulatory view that children and adolescents require additional safeguards in online environments.
Similar approaches have emerged globally, including the UK Age Appropriate Design Code and state-level initiatives in California, Texas, Vermont, and South Carolina. The shift is clear: when minors engage with digital services, regulators expect stronger protections and clearer accountability.
Digital ECA: Strengthening Brazil’s privacy framework
The Digital ECA does not replace the LGPD. Instead, it builds on it by introducing targeted obligations for online processing involving minors.
This layered structure mirrors a broader pattern in privacy regulation. General laws establish baseline rules for all personal data, while additional frameworks address higher-risk contexts. In this case, the higher-risk context is children interacting with digital services.
How the Digital ECA interacts with the LGPD
The LGPD remains Brazil’s primary data protection law. It governs controllers and processors across industries and sets out principles, enforcement mechanisms, and rights.
The Digital ECA focuses specifically on online environments and digital services that involve minors. In practice, this means organizations must assess whether their digital platforms are likely to be accessed by children or adolescents and whether their data processing aligns with heightened safeguards.
For example, if an online platform is attractive to minors, easily accessible, and likely to be used by them, the organization cannot rely solely on standard consent flows designed for adults. The Digital ECA expects additional care in how data is processed, disclosed, and used.
Why the Digital ECA is relevant for marketers
The Digital ECA applies not only to services explicitly designed for children or adolescents. It also captures digital platforms where access by minors is likely based on criteria such as probability of use, attractiveness to children, ease of access, and associated risk.
As a result, organizations offering online platforms, applications, or digital services in Brazil should consider whether minors are part of their user base and how that affects their compliance posture at the design stage. A gaming platform, social feature, or mobile application that is appealing to adolescents may fall within its scope even if it was not originally positioned as a children’s service.
Compliance considerations begin at the design stage. Organizations should evaluate whether minors are part of their user base and whether advertising, profiling, and data collection practices align with the Digital ECA’s restrictions. OneTrust can help organizations adopt this proactive stance and build in the principles central to privacy by design.
Children's data: raising the compliance bar
While the LGPD already regulates consent as a legal basis for processing personal data, the Digital ECA goes further by emphasizing that children’s data requires additional care and scrutiny.
Rather than relying on general consent mechanisms alone, organizations are expected to align their practices with the Digital ECA’s protective objectives, ensuring that any processing of minors’ data reflects heightened safeguards and regulatory expectations.
Importantly, the Digital ECA fully prohibits the use of profiling techniques to target commercial advertising to children and adolescents. It also prohibits the use of emotional analysis, augmented reality, extended reality, and virtual reality for advertising purposes.
This means that practices such as building behavioral profiles to serve personalized ads to minors are not permitted. Even advanced immersive or emotion-driven advertising tools cannot be used for commercial targeting when minors are involved.
Organizations must also ensure that disclosures about how minors’ personal data is used are provided in a way that is understandable to them and presented before or at the time services are offered.
What organizations should focus on now
Organizations operating in Brazil should start by identifying whether their digital services process the personal data of children or adolescents. This assessment should not be limited to stated target audiences but should also consider actual usage patterns and product design.
Existing LGPD compliance programs should be reviewed to determine whether they sufficiently address minors’ data. Consent mechanisms designed for adults may not meet the Digital ECA’s expectations when minors are involved.
Key focus areas include:
- Understanding whether digital products or services process the personal data of children or adolescents
- Assessing how existing LGPD compliance programs address minors’ data
- Monitoring guidance and enforcement activity from the ANPD related to children’s data protection
- Ensuring disclosures about the use of minors' personal data are given in a way that is understandable by minors, before or at the time services are provided
- Preventing the processing of minors' personal data for targeted advertising, profiling, and other prohibited purposes
Supporting parental consent and identity verification
OneTrust helps organizations operationalize parent–child identity relationships within Collection Points. By configuring OneTrust Hosted Web Forms or API-based Collection Points to capture a parent identifier, organizations can link parent and child identities into a single data subject group and manage those relationships centrally. Consent is attributed accurately, and Double Opt-In and preference communications can be routed to the appropriate parent identifier, supporting consistent and auditable consent management.
Beyond consent collection, OneTrust supports identity verification through integrations with external identity providers using OpenID Connect (OIDC) and the OneTrust ID Verification API. These options allow organizations to verify identities using approaches such as score-based authentication, one-time passcodes, and knowledge-based authentication, while maintaining control over workflows and minimizing unnecessary data exposure.
Together, these capabilities help marketers and digital service providers collect children’s data responsibly, verify identities when needed, and manage parental consent in line with evolving regulatory expectations.
Preparing for stronger enforcement and global alignment
Brazil’s Digital ECA reflects a broader global trend toward stronger protections for children in digital environments. By reinforcing and expanding on the LGPD, the law makes clear that children’s data protection is a core compliance priority.
For organizations operating in Brazil, preparation requires structured assessment, updates to consent and advertising practices, and ongoing monitoring of regulatory developments. Expectations in this area are unlikely to remain static, and global alignment around children’s data protection continues to evolve.
Key questions about Brazil’s Digital ECA
What is Brazil’s Digital ECA and when does it take effect?
The Digital Statute of the Child and Adolescent introduces specific rules for the online processing of children’s and adolescents’ data in Brazil. It enters into effect on March 17, 2026, and complements the LGPD by adding heightened safeguards for minors in digital environments.
Does the Digital ECA apply only to services designed for children?
No. The law also applies to digital services where access by minors is likely, based on probability of use, attractiveness to children, ease of access, and associated risk. Organizations must evaluate actual user behavior and product design, not only intended audiences.
What advertising practices are prohibited under the Digital ECA?
The Digital ECA prohibits profiling techniques used to target commercial advertising to children and adolescents. It also prohibits the use of emotional analysis, augmented reality, extended reality, and virtual reality for advertising purposes involving minors.
How should organizations adjust consent and disclosure practices for minors?
Organizations should ensure disclosures about minors’ personal data use are understandable and provided before or at the time services are offered. Consent mechanisms should reflect heightened safeguards, and parental consent workflows and identity verification should be structured to support accurate and auditable records.