Lições do Brasil sobre proteção de crianças online

by Jhonathan Campos, Founder

Brazil's starting point is not platform regulation. It is child protection law. The constitutional baseline is the duty of absolute priority for children and adolescents. The family, society and the state must ensure their rights and protect them from negligence, discrimination, exploitation, violence, cruelty and oppression. This is the legal and political foundation behind the Brazilian approach to child protection, including in digital environments.

Lei nº 15.211/2025, often described as the Estatuto Digital da Criança e do Adolescente or ECA Digital, follows this same logic. It does not treat children merely as users, consumers or data subjects. It treats them as developing persons whose rights must be protected by design. The law translates ideas already central to the Estatuto da Criança e do Adolescente, especially best interests, integral protection and developmental vulnerability, into duties for digital products, online services and platform architecture.

This is why the Brazilian model is different from a narrow content moderation law. It is not only concerned with removing illegal content after harm occurs. It requires suppliers to think about children's exposure to risk from the design stage and throughout the operation of the product or service.

The timing matters for compliance. Lei nº 15.211/2025 entered into force in March 2026. Decreto nº 12.880/2026 regulates Lei nº 15.211/2025, institutes the National Policy for the Promotion and Protection of Children's and Adolescents' Rights in the Digital Environment, and authorizes the creation of the National Triage Centre for notifications. The decree also assigns ANPD regulation and supervision of the statute, without excluding the competences of other public bodies in the child rights protection system.

ECA logic, and why Brazil opted for a digital statute model

Article 1 of Lei nº 15.211/2025 applies to every information technology product or service directed to children and adolescents in Brazil or likely to be accessed by them, regardless of its location, development, manufacture, offer, commercialization or operation. This creates a broad territorial and functional scope, but enforcement still depends on procedural mechanisms, including legal representation in Brazil and action by competent authorities.

The expression "acesso provável" is central. It should not be treated as a casual phrase. It is a legal scope trigger. Article 1 defines likely access through three situations: sufficient probability of use and attractiveness to children and adolescents, considerable ease of access and use by them, and significant risk to privacy, safety or biopsychosocial development, especially for products or services designed for large scale social interaction and information sharing. A company therefore cannot rely only on its declared target audience if the service is realistically accessible and attractive to minors and creates relevant risks.

Article 2 defines an information technology product or service broadly. It includes internet applications, computer programs, software, terminal operating systems, application stores, electronic games and similar connected services. Article 2 also defines social networks as internet applications whose main purpose is the sharing and dissemination of opinions and information through text, image, audio or audiovisual files, through connected or articulately accessible accounts.

The law also draws limits. Essential technical infrastructure, such as open technical protocols and standards that enable network interconnection, is not treated in the same way as consumer facing applications or services.

A key compliance point is proportionality. Article 39 provides that several obligations must be applied according to the characteristics and functionalities of the product or service, the supplier's degree of interference over content, the number of users and the supplier's size. This matters because the statute is not designed as a flat obligation for every actor. It imposes duties according to risk, role and operational capacity.

Article 39 also creates a conditional pathway for some providers with editorial control or pre licensed copyrighted content, where they comply with age rating norms, transparency requirements, parental mediation tools and complaint channels. This should not be described as a general exemption. It is conditional and tied to specific requirements.

Article 40 requires foreign suppliers to maintain a legal representative in Brazil with powers to receive service of process, respond before administrative authorities, courts and prosecutors, and assume responsibilities in Brazil. This is one of the mechanisms that makes the statute's broad scope operational.

The statute's core innovations as concrete obligations, and what the decree adds

The statute is built around a simple premise: if children and adolescents are within the product's realistic reach, child protection must be embedded into the service, not left only to terms of use, disclaimers or reactive moderation.

Article 3 establishes the baseline duty. In scope products and services must prioritize the protection of children and adolescents, use their best interests as a parameter, and adopt adequate and proportionate measures to ensure a high level of privacy, personal data protection and security. This connects the statute directly to the ECA and LGPD frameworks.

Article 3 also frames parental involvement as part of the child's protection environment. The law recognizes the role of parents and legal guardians and refers to active and continuous care, including the use of parental supervision tools appropriate to age and development stage.

Article 4 clarifies the protected values behind the statute. It treats children and adolescents as developing persons and emphasizes safety against intimidation and violence, respect for progressive autonomy, protection against commercial exploitation, transparency and responsibility in the processing of their personal data.

Article 5 links the statute to prevention, protection, information and security duties. It requires suppliers to adopt adequate technical measures, including widely recognized security mechanisms, so families and legal guardians can prevent inappropriate access and use. Article 5 also defines best interests in the digital environment as including privacy, security, mental and physical health, access to information, freedom of participation, meaningful access to digital technologies and wellbeing.

Article 6 is one of the most important provisions. It moves the debate away from vague references to online harm and creates an enumerated risk catalogue. Suppliers must take reasonable measures from design and throughout operation to prevent and mitigate risks of access, exposure, recommendation or facilitation of contact with harmful situations. The listed categories include sexual exploitation and abuse, physical violence, cyberbullying, harassment, content that induces or assists conduct causing harm to physical or mental health, gambling, fixed quota betting, lotteries, tobacco, alcohol, narcotics or other products prohibited for children and adolescents, predatory, unfair or deceptive advertising practices, other practices known to cause financial harm to minors, and pornographic content. The catalogue should be presented as the law's listed categories, not as a loose policy example.

Article 7 turns the protective logic into a default configuration duty. Services must, from conception, guarantee by default the most protective available configuration for privacy and personal data protection, considering progressive autonomy and best interests. Where less protective settings are possible, the supplier must provide clear, accessible and adequate information so children, adolescents and their responsible adults can make informed choices. Article 7 also requires suppliers to abstain from processing minors' personal data where such processing causes, facilitates or contributes to violations of privacy or other legally protected rights.

Article 8 is the engineering and product governance provision. It requires suppliers to manage risks arising from features, functionalities and systems and their impacts on children's safety and health. It also requires evaluation of content according to age and age rating, systems and processes designed to prevent children and adolescents from encountering illegal, pornographic or manifestly age inappropriate content, design and default settings that avoid compulsive use, and extensive information to users about the indicated age group at the moment of access.

The decree operationalizes several of these duties. It defines incentives to excessive, problematic or compulsive use, including practices such as hiding natural stopping points, automatically loading new content without user request, rewarding time spent, and sending excessive notifications. It also tasks ANPD with setting minimum default security requirements and acting against manipulative, deceptive or coercive practices. These are described as choice architectures that interfere with autonomy or exploit cognitive and age vulnerabilities, including obstruction or concealment of privacy controls, parental supervision tools, consent mechanisms or permission revocation.

One of the decree's most important additions is its express treatment of natural language interactive systems, including language models, conversational agents and similar interfaces, when directed to children and adolescents or likely accessed by them. These suppliers must be transparent about synthetic and automated interaction, prevent behavioural manipulation, assess algorithmic risk to safety and health, and implement safeguards to protect physical, mental and psychosocial development. The decree assigns ANPD regulation and supervision of this provision.

Age assurance as infrastructure

Brazil chose a much more infrastructure based model than many other jurisdictions. Article 9 prohibits access by children and adolescents to content, products or services whose offer or access is improper, inadequate or prohibited for persons under 18. Suppliers must adopt effective measures to prevent that access within their products and services.

The age assurance section must be read carefully. The statute creates the legal obligation, while the decree adds implementation details. Article 9 requires reliable age verification mechanisms at each access to the content, product or service covered by Article 9, and prohibits self declaration for that purpose. This should not be generalized into a universal age check for every access to every digital service. The trigger is access to content, products or services that are improper, inadequate or legally prohibited for minors. For pornographic content, the law also requires providers of internet applications to prevent account or profile creation by children and adolescents.

Articles 10 and 11 support an age appropriate experience model and allow public authorities to regulate, certify or promote age verification solutions while respecting legality, privacy and fundamental rights. Regulation in this area must also respect social participation and transparency.

Article 12 is one of the most innovative parts of the statute. It places specific duties on app stores and operating systems. These actors must implement proportional, auditable and technically secure age estimation, enable voluntary parental supervision configuration, and provide an age signal through a secure privacy by default API for compliance purposes only. The statute also bans continuous, automated and unrestricted sharing of minors' personal data, requires parental consent for downloads by minors without presumed authorization by silence, and anticipates further regulation on transparency, security and interoperability.

The decree clarifies what age signals may and may not contain. Age signals must be limited to what is strictly necessary to confirm a minimum age. They may not include exact date of birth, civil identity or profiling data. App stores and operating systems must collect age or age band declarations at account creation and then verify age using a reliable method, preferably using verifiable credentials. The decree also requires contestation and correction mechanisms, with reasoning in a reasonable time, and measures to prevent multiple account workarounds.

The decree also introduces a privacy protective conflict rule. If a supplier's age check result diverges from the app store or operating system signal, the supplier must adopt the more protective option for the child or adolescent.

Privacy safeguards appear repeatedly. Article 13 restricts age verification data to that purpose. The decree also limits document capture processing to age or age band and prohibits storage or retention of document images or copies, requiring immediate irreversible deletion after capture.

The decree opens two policy pathways. First, the Ministry responsible for public management may provide free public age verification solutions to citizens. Second, ANPD is tasked with defining phased implementation steps to foster an interoperable ecosystem of public and private age assurance solutions that preserve user choice, issue practice recommendations and prioritize monitoring according to risk to children and adolescents.

Advertising, monetisation and games

On advertising, Brazil takes a direct statutory approach. Article 22 prohibits profiling techniques for targeting commercial advertising to children and adolescents. It also prohibits emotional analysis, augmented reality, extended reality and virtual reality for that purpose. Article 26 complements this by prohibiting the creation of behavioural profiles of children and adolescents from personal data, including data obtained through age verification, for commercial advertising targeting.

The decree reinforces these rules by requiring suppliers that offer advertising or its distribution to children and adolescents to prevent the use of profiling tools and the same immersive or emotional techniques, expressly connecting the implementation rule to Articles 22 and 26.

Article 23 addresses monetisation and boosting. It prohibits monetisation and boosting of content that portrays children and adolescents in eroticized or sexually suggestive ways or in an adult sexual context. The decree expands the operational understanding by referring to content that exposes children and adolescents to violating, vexatious or degrading situations, tying the duty back to the statute's risk catalogue.

The decree also adds a significant rule for influencer style content. When content is monetized or boosted and habitually exploits a child's or adolescent's image or routine, suppliers must require judicial authorization issued under the ECA. If that authorization is missing, the provider must remove the content. This obligation applies to monetisation or boosting that begins after the decree's transition period. The decree also anticipates institutional coordination with the Conselho Nacional de Justiça and the Conselho Nacional do Ministério Público.

Gaming receives a specific hard rule. Article 20 prohibits loot boxes in electronic games directed to children and adolescents or likely accessed by them under the applicable age rating system. This is a substantive business model restriction, not only a transparency duty.

Platform reporting, takedown duties and structured escalation

Brazil's statute mixes three enforcement styles: direct supplier duties, child protection system triggers and criminal investigation escalation.

Article 27 applies to serious violations. It requires suppliers to remove and communicate detected content indicating apparent exploitation, sexual abuse, kidnapping and grooming, to competent national and international authorities. This should not be described as a universal reporting duty for all problematic content. It is tied to specific serious categories.

Article 27 also requires retention of content and user associated data connected to reports for the period connected to the Marco Civil da Internet's application access log retention rule, with the possibility of longer retention through the applicable legal mechanism.

The decree centralizes part of this reporting pipeline. It states that the Polícia Federal is the competent authority to receive, process, triage and manage these reports, and authorizes the creation of a National Triage Centre within the Federal Police. The Triage Centre is tasked with receiving reports, validating and storing them, triaging information to identify suspects, making reports available to investigative police and producing periodic transparency statistics by supplier.

The decree also contains a cross border efficiency rule. Suppliers are exempted from duplicate reporting when they already provide identical reports to foreign triage hotlines that are available to Brazilian authorities. Once foreign triage reports are processed, validated and made available to the Federal Police, they are treated as equivalent for legal and evidentiary purposes to reports submitted directly to the national centre.

Article 28 deals with violations of children's and adolescents' rights beyond the most serious criminal categories. It requires suppliers to provide user facing notification mechanisms for violations of rights, and, where appropriate, to inform competent authorities so that investigation can be triggered under regulation.

Article 29 creates a strong notice based takedown duty in the name of integral protection. Suppliers must remove rights violating content once informed of its offensive character by the victim, representatives, the Public Prosecutor or representative entities defending children's rights, without needing a court order. This should not be described as an unlimited takedown power. It operates within a defined notification framework and subject to safeguards.

Article 29 includes safeguards against abuse. Notices must include technical identifiers for the specific content and identify the notifier. Anonymous denunciation is prohibited. Providers must make the notice mechanism publicly available and easy to access. Journalistic and editorially controlled content is excluded from this takedown procedure.

Article 30 introduces due process around takedowns. It requires notice to the poster, reasons and justification, indication of whether the decision was based on human or automated analysis, access to appeal, and deadlines for appeal and response.

The decree creates a mechanism that is functionally similar, but legally distinct from the DSA trusted flagger model. ANPD may accredit representative entities that can notify under Article 29. These entities must show experience, independence from suppliers, internal procedures ensuring quality and impartiality, and non profit status. ANPD may also disable entities for mission drift or abusive notification practices.

The statute anticipates misuse of reporting tools. Article 32 requires providers to adopt effective mechanisms to identify abusive use of reporting tools to prevent censorship, persecution or other illegal practices. Article 33 requires clear user information on misuse scenarios and sanctions, including temporary account suspension, account cancellation for repeated or severe abuse, and reporting to authorities where there is evidence of criminal conduct or rights violations.

Enforcement, penalties and the guardrail against surveillance overreach

The statute refers to an autonomous administrative authority for protection of children's digital rights. The decree assigns the role of regulation and supervision of Lei nº 15.211/2025 to ANPD, without prejudice to the competences of other public bodies in the child rights protection system.

The decree assigns concrete regulatory and supervisory tasks to ANPD. These include default security requirements, action against manipulative design, age assurance certification and anti circumvention measures, oversight of accredited notification entities and supervision of impact assessments.

The decree also creates a political and administrative coordination layer by instituting an intersectoral committee to coordinate, implement, monitor, evaluate and revise the National Policy for the Promotion and Protection of Children's and Adolescents' Rights in the Digital Environment. The committee includes representation from ANPD, the Conselho Nacional dos Direitos da Criança e do Adolescente and several ministries. This shows that Brazil is treating child online protection as a cross sector public policy, not merely a communications or platform issue.

Article 35 establishes the sanctions framework. Sanctions include warning with up to 30 days for corrective measures, simple fine, temporary suspension of activities and prohibition from operating. The fine may reach up to ten percent of the economic group's revenue in Brazil in the previous fiscal year. Where revenue is absent, the law allows a fine from R$10 to R$1,000 per registered user of the sanctioned provider, limited in total to R$50 million per infraction.

The enforcement competence must be described precisely. Warning and fine are applied by the autonomous administrative authority through an administrative process with due process, full defense and adversarial procedure. Suspension and prohibition from operating are more severe measures and must be treated with the statutory and procedural safeguards that apply to that level of intervention. This distinction matters because it prevents the article from overstating the direct sanctioning power of the administrative authority.

The statute sets criteria for sanction grading, including proportionality and reasonableness, the gravity of the violation, the reasons for the violation, the extent of individual and collective harm, recurrence, economic capacity, the supplier's social purpose and the impact on the flow of information in Brazil. For foreign companies, local entities such as branches may be jointly liable for payment of fines.

The enforcement process is linked to the ECA model for administrative infractions and penalties rather than creating a completely separate procedural code. The statute also contemplates technical enforcement of suspension and prohibition orders. If the infractor does not comply, enforcement can occur through orders directed to telecom connectivity providers, internet exchange point entities, DNS resolution providers and other agents enabling connection.

Fine revenues are channelled to the National Fund for Children and Adolescents for five years, earmarked for child protection policies and projects. This is politically important because it connects enforcement revenue to the child protection system rather than to general state revenue.

The statute also contains an important guardrail. Article 37 provides that regulation cannot impose, authorize or result in mass, generic or indiscriminate surveillance. It also forbids practices that compromise freedom of expression, privacy, integral protection and differentiated treatment of minors' personal data. This matters because the age verification model is ambitious and could otherwise create surveillance risk. Brazil's framework repeatedly insists on data minimization, purpose limitation and restrictions on age signal content.

Regulated harms and protected interests

The statute does not create a simple list of damages in the civil liability sense. It identifies protected interests and regulated harms. That distinction matters.

The protected interests include privacy, security, mental and physical health, wellbeing, access to information, participation and meaningful access to digital technologies. The regulated harms include sexual exploitation and abuse, violence, cyberbullying, self harm enabling content, gambling and age prohibited products, financial harm practices, pornographic content, compulsive use design and manipulative choice architecture.

The decree requires impact assessments for children's safety and health. These assessments must identify risks, evaluate probability and severity, define mitigation and treatment measures, and monitor the effectiveness of implementation. A summary must be published in clear and accessible language.

This is one of the strongest compliance implications of the Brazilian model. Companies cannot treat child safety as a public relations statement. They need documented risk identification, mitigation, monitoring and evidence.

Brazil versus Europe, and why the comparison matters

Europe's child online protection framework is distributed across several instruments. The Digital Services Act creates horizontal platform duties and systemic risk governance. The GDPR creates child specific data protection principles and rules on consent for information society services. The Audiovisual Media Services Directive requires measures to protect minors from harmful audiovisual and user generated video content. Consumer protection enforcement also affects gaming and virtual currency practices.

DSA Article 28 is the closest comparison point, but it is not identical to the Brazilian model. Article 28(1) requires providers of online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors. Article 28(2) prohibits presenting advertising based on profiling using minors' personal data where the provider is aware with reasonable certainty that the recipient is a minor. Article 28(3) adds an important privacy guardrail: compliance with Article 28 must not require platforms to process additional personal data to assess whether the recipient is a minor. The Commission's 2025 guidelines on Article 28 confirm that the DSA minors duty is framed around appropriate and proportionate measures for privacy, safety and security, while preserving that no additional age data processing is required by Article 28 itself.

Brazil's law is more prescriptive in several concrete areas: age assurance, protective defaults, app store and operating system duties, loot boxes, monetisation and boosting of certain content involving minors, and reporting pipelines for serious violations. The DSA is more developed as a horizontal platform governance system, especially around notice and action, statements of reasons, complaint handling, trusted flaggers, advertising transparency and systemic risk governance.

The Brazilian advertising regime also goes further in some respects. The DSA prohibits profiling based advertising to minors where the platform has reasonable certainty that the user is a minor. Brazil prohibits profiling techniques for commercial advertising targeting children and adolescents and prohibits behavioural profiling for that purpose, including where data comes from age verification.

On interface manipulation, DSA Article 25 prohibits online interfaces designed, organized or operated in ways that deceive, manipulate or materially impair users' free and informed decision making. Brazil's decree is more child specific. It refers to practices that exploit cognitive and age vulnerabilities or obstruct access to privacy controls, parental supervision, consent or permission revocation. The two frameworks are aligned in concern, but they operate through different legal structures.

On notice, takedown and due process, the DSA is more procedurally developed. It sets notice and action mechanisms, statement of reasons, internal complaint handling and rules on misuse of reporting tools. Brazil's statute creates a child rights specific takedown duty without court order in defined cases, while also requiring notifier identification, technical identifiers, user notice and appeal rights. The Brazilian model is more directly tied to child rights protection, while the DSA model is a horizontal platform governance system.

On trusted actors, the DSA has trusted flaggers. Brazil's decree creates an ANPD accreditation mechanism for representative entities defending children's rights. These models are functionally similar, but legally distinct. The DSA model is general to platform regulation. The Brazilian mechanism is anchored in children's rights and Article 29 of the ECA Digital statute.

On legal representation, both systems require foreign providers to have a local representative. The DSA requires non EU providers offering services in the EU to designate a legal representative in the EU. Brazil's Article 40 requires foreign suppliers to maintain a legal representative in Brazil with powers to receive process and respond before courts, prosecutors and administrative authorities.

On penalties, the DSA sets maximum fines of up to six percent of annual worldwide turnover. Brazil sets fines of up to ten percent of the economic group's revenue in Brazil, subject to the statutory cap, and also provides for suspension and prohibition from operating.

The AVMS Directive is also relevant. It requires Member States to ensure video sharing platforms take appropriate measures to protect minors from programmes and user generated videos that may impair physical, mental or moral development. These measures may include reporting and flagging systems, age verification and parental control systems. The AVMS Directive also prohibits processing minors' personal data collected or otherwise generated through age verification or parental control systems for commercial purposes, including direct marketing, profiling and behavioural advertising.

In gaming, the EU has moved mainly through consumer protection enforcement, policy pressure and soft law guidance. The European Commission and the CPC network have addressed in game virtual currencies and consumer vulnerability, especially children. The European Parliament has also called for stronger action on loot boxes and randomised mechanisms that may provoke gambling like behaviour in children. But this is not the same as Brazil's statutory prohibition of loot boxes in games directed to or likely accessed by children and adolescents.

Brazil's lesson is direct. When a specific product feature is considered predictably harmful to children and adolescents, the law can prohibit it rather than only demand transparency. The tradeoff is that hard rules require careful implementation, classification and enforcement. Brazil tries to manage this through the age rating system and decree level implementation details.

Why recent US litigation matters

The global politics of children's online protection is shifting because courts are beginning to treat addictive design and safety omissions as product harm issues, not only content moderation issues.

In March 2026, a Los Angeles jury found Meta and Google negligent in a social media addiction bellwether trial involving alleged harms connected to Instagram and YouTube use by a plaintiff who was a minor during the relevant period. Reuters reported a total award of $6 million, with $4.2 million attributed to Meta and $1.8 million to Google. That verdict should be described with procedural caution because the companies indicated plans to appeal and post trial motions may affect the result.

Reuters also reported that the case is a bellwether for thousands of similar lawsuits consolidated in California state courts. A separate March 2026 jury verdict in New Mexico found Meta liable under state consumer protection law in relation to children's safety, with the New Mexico Department of Justice announcing $375 million in civil penalties. That result also should be treated as part of a developing litigation landscape rather than a final universal legal standard.

The US verdicts do not define Brazilian law. They matter because they show the same policy movement: design choices are increasingly treated as potential sources of child harm. This matters for Brazil because the ECA Digital statute already shifts the compliance question from what content was hosted to what design choices created or failed to mitigate predictable risks to children and adolescents. Brazil encodes that shift through Article 8 risk management, duties to avoid compulsive use, restrictions on profiling and monetisation, and decree provisions on manipulative choice architecture.

For compliance, the practical message is clear. Children's online safety is moving toward a combined model of product safety style governance, data protection and child rights regulation. A defensible programme should include documented risk identification, age assurance, protective defaults, parental supervision where applicable, strict limits on profiling and monetisation, clear reporting pipelines, takedown due process and evidence of continuous monitoring.

Compliance considerations for 2026

For companies operating in Brazil or making digital services realistically accessible to children and adolescents in Brazil, the first question is not whether the service was designed for children. The first question is whether children and adolescents are likely to access it and whether the service creates relevant risks to privacy, safety or biopsychosocial development.

The second question is whether the company can show evidence. The statute and decree require more than policy language. They require systems, settings, controls, risk assessments, reporting mechanisms and supervision structures.

A serious compliance programme should include a scope assessment under the directed to and likely accessed tests; a child safety and health impact assessment; age assurance design with minimization of age data; protective defaults for privacy and security; parental supervision tools where applicable; review of advertising, profiling and monetisation models; review of game mechanics, especially loot boxes; reporting and escalation procedures for Article 27 serious violations; notice, takedown and appeal procedures for Article 29 and Article 30; controls against abusive reporting; legal representative arrangements in Brazil for foreign suppliers; and evidence files showing decisions, risk assessments, settings, notices, appeals and mitigation.

The strongest feature of Brazil's model is that it does not leave child protection only to after the fact moderation. It treats design, defaults, monetisation and age assurance as part of the legal duty. That is also its biggest implementation challenge. If poorly enforced, it could become formalistic. If seriously enforced, it could become one of the most operationally demanding child online safety regimes in the world.

Appendix: Sources and bibliography

Constituição da República Federativa do Brasil, Article 227.

Lei nº 8.069/1990, Estatuto da Criança e do Adolescente.

Lei nº 15.211/2025, Estatuto Digital da Criança e do Adolescente, especially Articles 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 20, 22, 23, 26, 27, 28, 29, 30, 32, 33, 35, 37, 39 and 40.

Decreto nº 12.880/2026, especially Article 1 on regulation, national policy, the National Triage Centre and ANPD competence, and Article 11 on natural language interactive systems.

Lei nº 12.965/2014, Marco Civil da Internet.

Lei nº 13.709/2018, Lei Geral de Proteção de Dados Pessoais, especially Article 14 on children's data.

Regulation (EU) 2022/2065, Digital Services Act, especially Articles 13, 16, 17, 20, 23, 25, 26, 28 and 52.

European Commission, Guidelines on the protection of minors under Article 28 of the Digital Services Act, published 14 July 2025.

Regulation (EU) 2016/679, General Data Protection Regulation, especially Recital 38 and Article 8.

Directive 2010/13/EU, Audiovisual Media Services Directive, especially Article 28b.

European Commission and CPC Network materials on in game virtual currencies and protection of vulnerable consumers, including children.

European Parliament materials concerning online gaming, loot boxes and gambling like mechanics.

Reuters reporting on the March 2026 Los Angeles jury verdict involving Meta Platforms and Google in social media addiction litigation.

Reuters reporting on consolidated social media addiction litigation in California.

New Mexico Department of Justice materials concerning the March 2026 verdict involving Meta and children's safety.

AP, The Guardian, Courthouse News and other press reporting used only as secondary support for the litigation context, not as primary legal authority.

More articles

Before the AI Model, Anonymisation as an AI Governance Control

A practical analysis of EDPB Guidelines 02/2026 on anonymisation, and why the assessment belongs before data enters the AI training pipeline.

Read more

A governança de IA entrou na cadeia de dependências

Uma análise prática sobre por que a governança de IA agora alcança resiliência cibernética, fornecedores, infraestrutura, caminhos de recuperação e evidências operacionais.

Read more

Conte-nos sobre o seu projeto

Nosso escritório

  • Berlin
    Schöneberg, 10829