Solving Youth Compliance: Brazil

Prepare for Brazil's New Digital Child Protection Law (Bill 2628/2022) with k-ID

On September 17, 2025, Brazil’s president signed into law Bill 2628/2022, known as the “Digital ECA”, establishing comprehensive new rules for the protection of children and adolescents in digital environments. The bill will take effect March 18, 2026 (sooner than some anticipated), and will be enforced by the ANPD, Brazil’s Data Protection Authority.

This landmark legislation will significantly impact how digital products and services operate in Brazil, particularly regarding parental supervision, age verification, and loot box monetisation. In this article, discover how k-ID’s compliance infrastructure is designed to help you navigate and comply with these new requirements at scale, while delivering exceptional user-first experiences.

Who Must Comply?

The Digital ECA broadly applies to any provider of products or services that are “aimed at” or “likely to be accessed” by children and adolescents in Brazil, regardless of the company’s location. This means global companies with users in Brazil are included.

For clarity, “likely to be accessed” considers:

  • the product’s attractiveness and probability of use by children and adolescents,

  • ease of access and use by children and adolescents, and

  • degree of risk to the privacy, safety or well-being/development of children and adolescents, especially if social interaction elements are involved.

For the purposes of this article, we will assume you are an in-scope provider looking to comply with the upcoming new law.

Age Verification

The Digital ECA mandates that you adopt mechanisms to provide “age-appropriate experiences”. While the law contemplates the provision of age signals by app stores and operating systems, it also makes clear that regardless of the measures adopted by the app stores and operating systems, you must implement your own mechanisms to prevent children and adolescents from unduly accessing content that is inappropriate for their age group.

Key obligations include:

  • Providers of adult content: If your product or service offers access to content that is inappropriate or unsuitable for children (such as pornographic content), you must adopt “effective” and “reliable” measures to prevent access by those under 18. Self-declaration alone is expressly prohibited.

  • Social media platforms: Accounts for users under 16 must be linked to a parent or legal guardian’s account.

  • Profiling, targeted advertising & loot boxes: Profiling, targeted advertising and paid loot boxes are banned for those under 18.

👉 Explore our AgeKit Plus - Verification Stack in the interactive demo below, to see how k-ID’s customisable age verification solutions can help you comply.

Parental Supervision Tools

The law mandates accessible, easy-to-use parental supervision tools configured to “the highest level of protection available.” Providers must offer functionalities such as:

  • time usage limits and monitoring,

  • restrictions on communication with unauthorised users,

  • control over resources (e.g., rewards for time of use, notifications) that may result in excessive use,

  • monitoring of appropriate and healthy use of the product or service,

  • control over personalised recommendation systems, including the option to deactivate them,

  • restrictions and transparent notices about geolocation sharing,

  • promotion of digital media education on the safe use of information technology, products or services.

Additionally, parents and legal guardians should be able to:

  • visualise, configure and manage their child or adolescent’s account and privacy options,

  • restrict purchases and financial transactions,

  • identify the profiles of adults with whom the child or adolescent is communicating,

  • access consolidated metrics of the total time spent using the product or service,

  • activate or deactivate safeguards through accessible and appropriate controls, and

  • access all information and control in Portuguese.

👉 Experience the k-ID verifiable parental consent (VPC) flow below to see how it empowers parents to manage all of these important settings and protections.

Loot Boxes, Profiling & Targeted Advertising

The Digital ECA expressly prohibits paid loot boxes in electronic games accessible to children. The law defines a “loot box” as:

“functionality available in certain electronic games that allows the player to acquire, upon payment, consumable virtual items or random advantages, redeemable by the player or user, without prior knowledge of their content or guarantee of their effective usefulness” (Art. 2, Section IV of the Digital ECA — Unofficial Translation)

When configuring your product in Compliance Studio, one of the first steps is to accurately map permissions to your game features.

Under the Digital ECA, all paid loot boxes are prohibited. In other countries, whether loot boxes are permitted might depend on whether they are paid or given for free; whether they simulate the experience of gambling (such as chips, dice, or slot machines); whether items inside the loot boxes are primarily cosmetic (such as outfits or skins) or impact gameplay (such as better equipment or abilities); or whether the items from the loot box can be cashed out for real money. Regardless, our goal is to help you stay fully compliant with all legal requirements globally while preserving monetisation opportunities for loot boxes that fall outside the scope of restrictions.

Additionally, the Digital ECA expressly prohibits the use of profiling to target commercial advertising at children and adolescents (those under 18). The use of “emotional analysis, augmented reality, extended reality and virtual reality” for advertising is also prohibited.

👉 Learn how to configure these settings in Compliance Studio through the interactive demo below.

k-ID is continuously monitoring regulatory updates to ensure your compliance remains ahead.

Conclusion

Brazil’s Digital ECA represents a major shift in protecting children and adolescents in digital spaces, with stringent new requirements around age verification, parental supervision, and monetisation practices like loot boxes and targeted advertising. Navigating these complex rules demands scalable, reliable solutions designed with compliance and user experience in mind.

With k-ID’s robust compliance infrastructure and tailored age assurance and parental consent tools, your product can meet Brazil’s new standards confidently and efficiently, while maintaining trust and growth. Start preparing today to stay ahead of the Digital ECA and ensure seamless compliance when the law takes effect.

👉 Ready to comply with Brazil’s Digital ECA? Contact us or explore our Developer Docs to get started.