By Marcus Julius Zanon
Curitiba, 17/03/2026.
IP Lawyer • Compliance Officer
On 17 March 2026, Brazil’s Estatuto Digital da Criança e do Adolescente — widely referred to in public discussion as “Lei Felca” — entered into force. The statute was created by Law No. 15,211/2025, and its start date was fixed for 17 March 2026, with the federal government also highlighting the ANPD’s strengthened role in its regulation and enforcement environment.
This is not a general AI law. But for companies operating platforms, apps, marketplaces, adtech, healthtech, edtech, streaming, gaming, search, recommendation systems, or age-gated digital products, it may be just as important. The reason is simple: the new statute directly affects how digital services handle children’s and adolescents’ access, data, profiling, content exposure, and age-verification flows.
The entry into force of Lei Felca does not happen in isolation. In late 2025, the ANPD formally identified four priority enforcement themes for 2026–2027: data-subject rights, protection of children and adolescents in digital environments, personal-data processing by the public sector, and AI and emerging technologies in the context of personal-data processing.
That combination is highly significant. It means Brazilian regulators are no longer looking only at privacy in the abstract. They are now signaling a more integrated enforcement model focused on how digital products are actually designed, deployed, and monetized — especially where vulnerable users, algorithmic systems, or behavioral influence are involved. This is an inference from the ANPD’s published priorities and updated agenda, which expressly connect children’s digital protection, AI, age assurance, and broader regulatory modernization.
According to the federal government’s official summary, from today onward the new legal framework prohibits simple self-declaration of age for websites and digital products restricted to persons under 18 in the relevant situations covered by the law. It also requires age checks or blocking measures in contexts such as alcohol, cigarettes, erotic products, betting platforms, and other restricted environments.
Official summaries also indicate that the law reaches beyond traditional e-commerce. The public guidance mentions impacts on marketplaces, delivery apps, betting services, social networks, streaming platforms, search engines, and adult-content environments, all of which may need to revisit user onboarding, access controls, and exposure logic.
In practical terms, this means that many digital businesses can no longer treat children’s protection as a narrow “content moderation” issue. It is becoming a product governance issue — involving registration architecture, default settings, access restrictions, recommendation logic, advertising flows, and evidence of compliance by design. That conclusion follows from the statute’s implementation focus and the ANPD’s own regulatory priorities.
Some companies may assume that because Brazil still lacks a comprehensive horizontal AI statute in force, their AI-based systems remain outside a stricter compliance perimeter. That is a dangerous assumption. The ANPD has expressly prioritized “artificial intelligence and emerging technologies in the context of personal data processing” for its 2026–2027 oversight cycle.
For businesses serving or potentially reaching minors, this matters immediately. Recommendation systems, content ranking, automated moderation, targeted advertising, age-estimation tools, identity checks, and personalization engines may all trigger scrutiny if they influence the digital experience of children or adolescents, especially where personal data is involved. This is a legal-risk inference grounded in the ANPD’s stated priorities and the operational themes added to the regulatory agenda.
One of the clearest signals in the updated ANPD agenda is the inclusion of themes tied to the ECA Digital, including age-assurance mechanisms and general obligations for IT product and service providers. The agenda also points to future work on oversight and sanctions connected to the digital protection of children and adolescents.
That is why the real compliance question is no longer “Do we collect children’s data intentionally?” The better question is: Could our product realistically be accessed by minors, influence their behavior, expose them to restricted content, or use personal data in ways that regulators will view as unsafe, opaque, or disproportionate? The enforcement lens is moving toward foreseeable risk, not only declared business intent. This is an inference from the official priority map and agenda updates.
A sensible first step is to run a focused review in five areas.
1. Age assurance and access controls.
Check whether your product still relies on weak self-declaration where stronger controls may now be expected.
2. Product scope and child exposure.
Map whether minors can access, view, register for, or interact with your service even if they are not your intended audience. This follows from the broad implementation focus described in official summaries.
3. AI and recommendation logic.
Review recommendation, ranking, targeting, and automated decision-support features that shape content exposure or commercial pressure. The ANPD has already placed AI and children’s digital protection on its enforcement map.
4. Documentation and accountability.
Document legal basis, risk analysis, safeguards, default settings, and internal decision-making. While official summaries do not yet prescribe every operational detail, the regulatory direction clearly favors demonstrable governance, not informal assurances. This is an inference from the ANPD’s agenda and institutional role.
5. Cross-functional governance.
Legal, privacy, product, engineering, trust & safety, and marketing teams should not treat this as a siloed issue. Lei Felca will likely be enforced at the intersection of content, data, design, and commercial architecture. That is a strategic conclusion drawn from the scope of the official announcements.
Brazil has now moved into a new phase of digital regulation. With Lei Felca in force as of 17 March 2026, and with the ANPD publicly prioritizing both children’s protection in digital environments and AI in personal-data processing, companies should expect compliance expectations to become more concrete, more design-oriented, and more evidence-based.
For digital businesses, the message is clear: this is no longer only about privacy notices or terms of use. It is about whether your product architecture, age-gating, recommendation systems, ad logic, and governance model can withstand scrutiny in a regulatory environment that is rapidly becoming more specific and less tolerant of weak safeguards. That forward-looking assessment is an inference, but it is strongly supported by the direction of the official measures already published.
In short:
Lei Felca may not be Brazil’s general AI law — but for companies building digital products that touch minors, it is already a major AI-and-compliance event.