Brazil’s National Data Protection Authority (ANPD) has published draft guidance on age assurance strategies under the country’s new Digital Statute for Children and Adolescents (Digital ECA), marking another significant step in the global evolution of online age assurance regulation.
The consultation provides one of the clearest indications yet of how Brazil intends to approach age assurance implementation across digital platforms and age-restricted services, while also reinforcing a number of broader international regulatory trends around privacy, proportionality and child safety online.
The guidance follows the introduction of Brazil’s Digital ECA framework, which came into force earlier this year and introduced new obligations for digital services likely to be accessed by children and adolescents.
A layered approach to age assurance
One of the most notable aspects of the ANPD’s proposed framework is its layered approach to age assurance responsibilities.
Under the draft guidance, app stores and operating systems would be expected to verify the age of account holders using reliable mechanisms and pass age-related signals downstream to apps and digital services. The ANPD highlights approaches such as verifiable credentials and privacy-preserving architectures as preferred models within this ecosystem.
However, the guidance also makes clear that certain higher-risk services cannot rely solely on upstream signals. Platforms hosting or facilitating access to prohibited content for minors would still be expected to implement their own independent age verification measures.
This reflects a growing international regulatory position that age assurance should be proportionate to risk, with stricter obligations applied to services that present elevated risks to children.
High-reliability age verification for higher-risk services
The ANPD identifies a number of service categories that would require mandatory high-reliability age verification mechanisms, including:
- Pornographic content
- Gambling and betting services
- Escort and sexual encounter platforms
- Loot box gaming environments
- E-commerce involving age-restricted products such as alcohol
- Social networks facilitating access to prohibited content
Importantly, the draft guidance explicitly rejects self-declaration as a sufficiently reliable approach for higher-risk services.
The ANPD also notes that simply requesting a CPF number (Cadastro de Pessoas Físicas – Brazil’s national taxpayer registry identification) would not, on its own, constitute a reliable age verification mechanism.
This aligns with a wider global shift away from self-attestation models and toward stronger, more robust forms of age assurance.
Strong focus on privacy and data minimisation
As with other emerging age assurance frameworks globally, the Brazilian guidance places significant emphasis on privacy-by-design principles.
The ANPD repeatedly references data minimisation, proportionality and purpose limitation throughout the consultation. Biometric data used during age verification processes should be deleted immediately after the verification process is completed, while personal data collected for age assurance purposes should not be repurposed for advertising, profiling or unrelated commercial activities.
The guidance also highlights privacy-preserving technologies such as zero-knowledge proofs and verifiable credentials as examples of architectures capable of supporting effective age assurance while minimising unnecessary data exposure.
This reflects the increasingly common regulatory position that effective age assurance and strong privacy protections are not mutually exclusive, but should instead operate together as part of a proportionate safeguarding framework.
AI services remain under regulatory scrutiny
The draft guidance also addresses artificial intelligence systems and generative AI services.
General-purpose AI services, including chatbots, are currently categorised as moderate-risk services under the framework, meaning they would not automatically trigger mandatory age verification requirements.
However, the ANPD makes clear that services capable of generating prohibited or harmful content could face additional obligations and potentially be reclassified as higher-risk environments.
The regulator also retains broad powers to require age verification measures where a service presents risks to the health, safety or wellbeing of children and adolescents.
Facial age estimation, liveness and anti-circumvention requirements
The consultation also provides further clarity around technical expectations for age assurance systems.
The ANPD notes that facial age estimation systems should incorporate liveness detection mechanisms, while document verification systems should assess authenticity and validity rather than simply capturing identity information.
The guidance additionally stresses that age assurance systems should be designed to resist circumvention attempts by children themselves – another increasingly common expectation across emerging global regulatory frameworks and a core factor built into all of Verifymy’s age assurance methods.
Brazil joins growing global momentum around age assurance
Brazil’s Digital ECA framework is widely viewed as one of the most significant online child protection developments in Latin America to date and continues a broader global trend toward stronger age assurance requirements.
The ANPD’s consultation follows similar regulatory developments across jurisdictions, including the UK, the European Union and Australia, where regulators are increasingly emphasising robust, privacy-preserving and proportionate approaches to age assurance.
While the guidance remains under consultation, it already provides a strong indication of the direction of travel for digital platforms operating in Brazil.
For organisations operating globally, the message continues to become clearer: regulators increasingly expect age assurance measures that are technically reliable, privacy-preserving and capable of standing up to real-world circumvention risks.
As age assurance regulation matures internationally, frameworks such as Brazil’s Digital ECA further reinforce the growing expectation that child safety, user privacy and proportionate implementation must all form part of the same conversation.
