Public Consultation (Tomada de Subsídios) by ANPD regarding the Guidance on the Digital ECA
Guidance for Providers of Information Technology Products or Services
Submission window: April 30 to June 15, 2026, exclusively via the Brasil Participativo Platform, as per ANPD news release
In summary
On April 30, 2026, the Brazilian Data Protection Agency (ANPD) launched a public consultation to discuss the draft of the Guidance for Providers of Information Technology Products or Services, within the scope of Law No. 15,211/2025 (“Digital ECA”) and Decree No. 12,880/2026 (“Decree”).
The Guidance is advisory in nature and aims to establish an interpretive position on the key concepts of the Digital ECA and to provide predictability and legal certainty. It addresses two core questions: (i) who is covered by the Digital ECA; and (ii) the meaning and implications of the duties of prevention, protection, information, and security.
Scope of Application: who is covered?
The Guidance adopts a broad, functional, and technology-neutral approach. The Digital ECA applies to providers of information technology products or services that are:
- Directed to children and adolescents; or
- Likely to be accessed by children and adolescents, even if not formally intended for that audience.
The Guidance highlights, among other examples, social networks, internet app stores, operating systems, editorially curated services (as is typically seen in the case of streaming platforms) and providers of previously licensed copyrighted content, electronic games, e-commerce platforms that intermediate the purchase and sale of products and services prohibited for children and adolescents, and generative artificial intelligence systems, without prejudice to other digital services that, due to their specific operational characteristics, may pose significant risks to children and adolescents.
Foreign providers offering products in Brazil are also subject to the law, regardless of where they are headquartered.
Classification does not depend on the provider’s self-designation, business model, or location. The assessment focuses on how the service operates in practice, its effects, and its risks, and the ANPD may adopt a different interpretation from the provider’s.
The Guidance also clarifies that the provider’s own classification does not bind the ANPD.
Core Concept: “Likely to be accessed by children and adolescents”
The concept of “likely to be accessed by children and adolescents” expands the Digital ECA's reach to services that, although not directed to children and adolescents, may in practice be used by that audience.
According to the Guidance, a service is “likely to be accessed” only if the following criteria are cumulatively present:
- sufficient likelihood of use and attractiveness of the service to children and adolescents;
- considerable ease of access and use by that audience;
- a significant degree of risk to privacy, safety, or biopsychosocial development.
The Guidance details these criteria with explanations and evaluation factors (attractiveness, ease, and risk), emphasizing a contextual and cumulative assessment. In this assessment, the concrete conditions of use should be considered, including indicators such as child-appealing design, content of interest to minors, similarity to services already covered by the law, and evidence of actual use by children and adolescents.
The Guidance also recognizes a legal presumption of “likely to be accessed” for certain categories, which may be rebutted only exceptionally and with proper justification.
Finally, the Guidance sets forth that this assessment must be conducted in accordance with the principle of the best interests of the child and adolescent.
Provider obligations: the duty of prevention
The Guidance clarifies that the Digital ECA's regulatory model is risk-prevention oriented, structured around the duty of prevention as the central basis for interpreting legal obligations. This duty unfolds into four interconnected dimensions:
- Prevention (in the strict sense) – proactive measures throughout the product or service lifecycle;
- Protection – protective-by-default settings and age-appropriate mechanisms;
- Information – transparency and accessible language, aligned with the LGPD;
- Security – risk management and protection against misuse.
The Guidance emphasizes that implementation should consider proportionality, a risk-based approach, the provider’s size, and the provider’s degree of influence over content and users, as indicated in the Guidance.
Other points from the Guidance
For ECA Digital purposes, the Guidance states that an “information technology product or service” requires, cumulatively: remote provision, electronic means, and provision upon an individual request.
As a general rule, services provided with simultaneous physical presence between provider and recipient, broadcasting services (transmissions to an undetermined audience, without an individual request), and telemarketing services are excluded from the scope of the law. The absence of direct payment by the user does not, by itself, exclude a service from scope – services funded by advertising or other forms of indirect monetization of data may still be covered.
The Guidance clarifies that classification of app stores and social networks depends on the service's primary function and its operational characteristics, distinguishing these categories from ancillary features and private communication services/closed environments.
