The publication of Law No. 15,211/2025, known as the Digital System for Children and Adolescents (ECA Digital), represents a new specific standard aimed at protecting children and adolescents in the digital environment, in addition to the General Regulation on the Protection of Personal Data (LGPD – Law No. 13,709/2018). The standard is scheduled to enter into force in March 2026, and appoints the National Data Protection Agency (ANPD) as the supervisory body, increasing the role of those responsible for processing personal data: date Protection officer (DPO) as a key player in helping to comply with obligations related to these standards.
According to Capital From Article 1, ECA Digital applies to IT products and services that are aimed at or potentially accessible to children and adolescents, including Internet applications, computer programs and software, terminal operating systems, application stores and networked electronic games. Mandatory measures include reliable age verification – without the possibility of self-declaration – linking user accounts up to 16 years of age to legal guardians, blocking “reward boxes” in children’s games and immediate removal of content that includes sexual exploitation or violence.
ECA Digital contains several obligations that converge with the definitions set out in the LGPD text, such as default protection settings and prevention and security principles, in line with the concept of Privacy by design and shortening; Preparing a Data Protection Impact Report (RIPD) for treatments involving minors; Risk mapping and obtaining parental consent; Compliance with the principles of minimization and necessity. The standard also prohibits profiling for the purposes of commercial advertising targeting children and adolescents, strengthening protections against discrimination.
The interaction between ECA Digital and LGPD creates complementary layers of protection for the processing of personal data of children and adolescents.
At the intersection of laws, the Data Protection Office gains a starring role by helping to prepare RIPDs; In defining procedures for administering parental consent; In preparing semi-annual reports; Mediating with the authorities in inspections, audits and responding to notifications; And conduct internal training. Therefore, companies that have a DPO on their staff, or even with the support of a DPO as a consulting service, can achieve compliance with the law more quickly.
With the entry of ECA Digital, foreign companies operating in Brazil must appoint local representatives. The executive authority will regulate the technical aspects until March 2026.
The convergence between ECA Digital and LGPD not only protects vulnerable groups, but also positions Brazil as a global reference in digital rights.
According to Renata Barizuto, digital law specialist and partner at DPO Expert, “processing agents should immediately begin adaptation processes to the provisions of the ECA Digital, as the person responsible for processing personal data (DPO) plays a central role in coordinating and implementing compliance measures.”