Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Law No. 8,069/199o (ECA) as amended, stipulates 18 years old as the legal age of adulthood. Children are considered those under 12 years-old; and teenagers are those between 12 and under 18 years-old, according to Article 2 of the ECA.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
Brazil ratified the UNCRC on September 24, 1990, under the Decree No. 99,710/1990.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Guardianship Council is an autonomous and permanent body established by Law No. 8,069/199o, under Article 131, to protect the rights of children and adolescents. The public administration of each Brazilian Municipality and Administrative Region of the Federal District must have at least one (1) Guardianship Council.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The Law No. 8,069/199o (ECA) sets forth general preventive measures and administrative infractions to any threats or violations to child and adolescents’ rights, which may materialize in any digital means. Penalties for crimes against children’s and adolescents’ sexual dignity through the Internet or applications are also set out in the ECA.
Each Guardianship Council may initiate procedures to impose administrative penalties, forward to Public Prosecutor’s Office or other judicial authorities penal or administrative cases under their competence, amongst others things under the ECA.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
Legal guardian or parent consent is no longer a mandatory requirement for processing children’s personal data (i.e., those under the age of 12).
In the CD/ANPD Statement 01/2023, the Brazilian DPA legitimized the processing of minors’ personal data under other legal bases of Law No. 13,709/2018 (LGPD), provided that minors’ best interests are accounted for, as defined in Article 227 of the Brazilian Federal Constitution.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
As a general rule, an individual can legally consent to the processing of their data personal with the age of 18 years old, when the majority is reached under the Brazilian Civil Code, Article 5º and ECA, Article 2º.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are specific requirements on the collection and/or verification of parental consent or permission. The National Council for the Rights of Children and Adolescents (CONANDA) issued Resolution No. 245/2024 to address the rights of children and adolescents in the digital environment. Although in line with the provisions of Law No. 13,709/2018 (LGPD), on the matter, the CONANDA Resolution No. 245/2024 sets forth additional requirements concerning parental consent.
Children’s and adolescents’ parents’ or legal guardians’ consent must be obtained freely, specifically and prior to the processing, for specific purposes, . Whenever possible, and considering the level of maturity and understanding, the child or adolescent should also actively provide their consent. The consent provided by the child or adolescent may be withdrawn at any time, and the decision must be respected by parents, caregivers, and other responsible parties (CONANDA Resolution No. 245/2024, Article 14).
Regarding regulations or guidelines by the Brazilian DPA, rules on the matter are soon expected as follows. The Brazilian DPA previously launched a public consultation on the processing of children’s personal data. The public consultation did not comprise techniques for gauging consent or verifying the users of internet applications age. However, other parental permission or consent-control collection and requirements were properly addressed. The public consultation final deadline was on August 18, 2024. The latest Brazilian DPA regulatory agenda has indicated that guidelines or a regulation on the processing of minors’ data and other specific parental control requirements is scheduled to be issued within the next year.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
Suppliers of products or services are prohibited from taking any advantage of consumers’ weakness or ignorance, considering their age, health, knowledge, or social condition, to impose their products or services. Such practices fall under the abusive practices which the Brazilian Consumer Code (CDC) establishes in its Article 39.
Transparency requirements concerning minors aim at avoiding the abusive practices under the CDC, amongst others. Controllers must publicise which personal data of minors they collect, inform how it is processed, and the procedures in place for data subjects to exercise their rights, as set forth in Article 14 of the Law No. 13,709/2018 (LGPD).
Furthermore, children’s information must be provided in a simple, clear and accessible manner, considering the physical-motor, perceptive, sensorial, intellectual and mental characteristics of the user. When appropriate, controllers must adopt audiovisual resources to ensure transparency to parents or legal guardians, and in a way that is comprehensive to minors (LGPD, Article 14, §6º).
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
Children are not able to directly exercise their rights as data subjects (Law No. 13,709/2018 (LGPD), Article 18). Minors under the age of 16 are incapable of personally exercising acts of civil life, under the Brazilian Civil Code, Article 2º. Individuals over 16 years old and under 18 are relatively incapable of certain acts (Brazilian Civil Code, Article 4º).
Adolescents could, in theory, exercise their rights as data subjects without the presence of a legal guardian or parent. In relation to the rights which data subjects can exercise against controllers, adolescents are not bound by any obstacles hindering them from acting directly (LGPD, Article 18). However, to act diligently and comply with applicable regulations, controllers should implement procedures to confirm not only users’ identity, but also age (see more information here). In the case of minors, the involvement of parents or legal guardians should be mandatory.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
No.
While data subjects have the right to petition against the controller of their personal data before the Brazilian DPA (Law No. 13,709/2018 (LGPD), Article 18, §1º), children are deemed incapable under Brazilian legislation. This means that complaints on their own behalf would have no legal grounds.
This is because the Brazilian Civil Code considers minors under the age of 16 as incapable of personally exercising acts of civil life (Article 2º). Relative incapacity applies to those over 16 years old and under 18 (Brazilian Civil Code, Article 4º).
Nonetheless, the Brazilian DPA’s procedures to initiate a complaint do not have any age-verification mechanisms. As the Brazilian DPA accepts anonymous complaints, in theory, children and adolescents could directly initiate complaints before the Brazilian DPA; however, these would be unlikely to have any legal standing. Note that the Brazilian DPA has not issued any guidelines concerning complaints from adolescents.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Note that the principles set out in Law No. 13,709/2018 (LGPD), which are quite similar to those of the GDPR, must be respected. In line the with the LGPD, the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024 provides that only the minimum amount of personal data necessary for the digital service use must be collected, and its storage should last until the purpose of the processing is accomplished. Children’s and adolescents’ privacy must be also respected and protected by default in all digital environments and services (CONANDA Resolution No. 245/2024, Article 12).
Against this backdrop:
a. processing specific types of children’s personal data;
Controllers are advised to follow certain specific requirements. When processing personal data of minors based on legitimate interest, controllers should carry out a legitimate interest balancing test. A record endorsing the reasoning of the data processing activity shall also be kept, according to the Brazilian DPA Legitimate Interest Guide. Separately, when consent legitimizes the processing activity, the provision of personal data beyond what is strictly necessary for the activity must not condition children’s participation in games, internet applications, or other activities (LGPD, Article 14, § 4º).
The Brazilian legal framework sets forth some prohibitions on the processing of specific data from minors. Disclosing, in whole or in part, without due authorisation, by any means of communication, the name, act, or document of the police, administrative, or judicial proceedings related to a child or adolescent to whom an infraction is attributed is a crime under Law No. 8,069/199o (ECA), Article 245.
The same applies to the display or transmission of images, videos, or video streams of a child or adolescent involved in an infraction or other illicit act, in a way that allows their identification (ECA, Article 245).
b. carrying out specific processing activities involving children’s personal data; and/ or
N/ A (see the response to (c) below)
c. using children’s personal data for specific purposes
Using minors’ personal data for commercial purposes is prohibited by the CONANDA Resolution No. 245/2024. This concept of commercial purposes encompasses creating and defining behaviour profiles, consumption and marketing segmentation, directing advertising or expanding its reach (CONANDA Resolution No. 245/2024, Article 15).
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Although there are relevant cases involving enforcement actions by the Brazilian DPA, no sanctions have been imposed yet. The processing of minors’ personal data has been addressed in three (3) cases involving technology companies:
- Social Media Company: the Brazilian DPA assessed the platform registration procedure used to collect children’s and adolescents’ personal data. The age verification mechanism was considered ineffective (self-declaration of the complete date of birth). The Brazilian DPA ordered the registration practices be reviewed and the implementation of a more robust method. The Social Media Company was also required to redraft its Privacy Policy to disclose the differences between processing activities involving minors’ and adults’ personal data. In a subsequent analysis, the Brazilian DPA asserted that the Social Media Company failed to demonstrate the effectiveness of the technical measures adopted to prevent unauthorized access of children and adolescents to its platform (ineffective age verification mechanism). Among other issues raised, the Brazilian DPA decided that the "feed without registration" feature allowed the massive processing of children’s and adolescents’ personal data without taking their best interests into account as the LGPD determines (Article 14). The Brazilian DPA also alleged that the processing was not grounded on an adequate legal basis and made without a legitimate, explicit, and informed purpose. The suspension of the "feed without registration" feature was then ordered, along with the development of a compliance plan. The Brazilian DPA concluded the monitoring procedure and initiated an enforcement proceeding against the Social Media Company. The enforcement proceeding is currently ongoing.
2. Technology Platform Company: the processing of personal data of users for AI training was the subject of this enforcement action. The Privacy Policy did not provide for the processing of minors’ personal data for AI training. The Brazilian DPA alleged that minors’ personal data could still be collected through images posted on the platform. The Technology Platform Company relied on its legitimate interests as the legal basis for processing. The Brazilian DPA held that, based upon its assessment of the legitimate interests’ legal pre-requisites, the necessary safeguards for the processing of minors’ data had not been properly adopted. A preventive measure to suspend the processing of personal data for the purposes of AI training was issued against the Technology Platform Company. In August 2024, the Technology Platform Company concluded the implementation of the compliance plan-approved measures. Upon the conclusion, the Technology Platform Company was able to resume the activities concerning the processing of personal data for AI training, provided that the Brazilian DPA-imposed restrictions are strictly followed.
3. Communication Platform Company: sharing users’ personal data with other companies of the same economic group was among the Privacy Policy provisions, which had last been updated in 2021. After an extensive investigation, the Brazilian DPA, among other measures, ordered the Communication Platform Company to carry out a data protection impact assessment (DPIA), to include an analysis of the processing activities involving minors’ personal data and the technical mechanisms in place or that would be implemented.. The mechanisms adopted should be able to prevent users qualified as children and adolescents to improperly use the application, as well as the illegal processing of their personal data. The Brazilian DPA also proposed some specific measures to ensure the Communication Platform Company’s conformity with the Law No. 13,709/2018 (LGPD). The proposed measures were implemented and the Brazilian DPA concluded the Privacy Policy evaluation-phase.
4. Soccer Clubs : The Brazilian DPA initiated a monitoring procedure to oversee 23 Soccer Clubs (“Soccer Clubs”) due to alleged irregularities in the collection of biometric identification (facial recognition) in stadiums. In the Technical Note nº 5/2025/CGF (please refer to pages 52 and 53), the Brazilian DPA held, among other things, that the Soccer Clubs were collecting biometric data from children and adolescents under 16 years old without an adequate legal basis, and that the biometric registration of this vulnerable group of data subjects could result in risks so high that they would not justify the adoption of the measure.
5. On the issue of legal basis, Technical Note No. 50/2025/CGF indicates that adopting the contract performance legal basis may be inadequate when the data subjects implicated are children or adolescents. In this specific case, the monitored company argued that its Terms of Service constitute a valid contract with its users, but the Brazilian DPA disagreed. The adhesion contract disclosed was intended for adults, and failed to meet the LGPD and ECA requirements, impairing the understanding of the adolescents who use the platform. Accordingly, the Brazilian DPA held that, since the data subjects involved were under 18 years-old and, therefore, incapable of validly entering into a contract under the Brazilian legislation, the performance of a contract was not the adequate legal basis to legitimize the processing activity (please refer to page 6).
Are there specific rules concerning electronic direct marketing to children?
Yes.
The Brazilian DPA has not issued any guidelines concerning electronic direct marketing to children yet. Still, persuasive direct advertising and marketing communications to children and adolescents fall under the abusive practices under the CONANDA Resolution No. 163/2014.
The National Council for Advertising Self-Regulation (CONAR) Code, also condemns, in its Article 37, any merchandising or indirect advertising that uses children, elements of the children's universe and other mechanisms implied with the purpose of capturing the attention of child audiences.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
There is no specific regulation concerning the use of adtech tracking technologies, profiling or online targeted advertising to children. Any type of surveillance of children and adolescents or digital monitoring mechanisms used in relation to them, associated with automation tools and personal data processing, must respect privacy and not be used indiscriminately and in unjustifiable manners.
The least invasive security mechanisms measures must be prioritised, and the child or adolescent must be made aware of their functioning and given the right to object, considering their level of maturity and understanding (the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024, Article 16).
The Brazilian Consumer Code (CDC) prohibits any abusive practices towards consumers, including imposing products or services in detriment of consumers’ age or knowledge (Article 39). The CONANDA Resolution No. 163/2014 considers persuasive direct advertising and marketing communications to children an abusive practice. The CONANDA Resolution No. 163/2014, together with the CDC provisions may therefore have the effect of classifying certain uses of adtech tracking technologies, profiling or online targeted advertising aimed at children as abusive practices.
Are there specific rules concerning online contextual advertising to children?
Yes.
Directing advertising to children and adolescents to persuade them to consume any product or service is considered an abusive practice and is, therefore, prohibited.
The use of characters or children's programme presenters; childish language, special effects and excessive colours; distribution of prizes or collectible gifts are among the persuasive practices deemed as abusive (the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 163/2014, Article 2º).
The National Council for Advertising Self-Regulation (CONAR) Code, also condemns, in its Article 37, any merchandising or indirect advertising that uses children, elements of the children's universe and other mechanisms implied with the purpose of capturing the attention of child audiences.
Furthermore, magazines aimed at children and adolescents may not contain advertisements for alcoholic drinks, tobacco, weapons, or ammunition (Article 79 of the Law No. 8,069/199o (ECA)). The ECA provides for a general prohibition comprising these types of advertisements to children and adolescents regardless of the context.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes (judicial)
While there has been no regulatory enforcement actions concerning advertising to children, nevertheless, over the years there have been many judicial enforcement actions by Brazilian competent authorities based on the Brazilian Civil Code (CDC) and the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 163/2014.
By way of example, the State of São Paulo Court of Justice (TJSP) ruled in proceeding No. 1006476-43.2021.8.26.0053 that a specific commercial with children as target audience was abusive.
The TJSP upheld held that an advertisement aimed at children, broadcasted on TV and social networks, which was about fast food and plush toys as gifts, would fall within the abusive practices the CDC prohibits. The TJSP alleged that the CDC forbids any advertising campaigns that use or manipulate children. The CONANDA Resolution No. 163/2014 classification of direct advertising and marketing communication to persuade children and adolescents as an abusive practice was also brought into light by the TJSP as argument to the case.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Users acquire contractual capacity to enter into agreements at the age of 18. Individuals under the age of 18 do not have legal capacity to enter into agreements by themselves (Brazilian Civil Code, Article 4º).
Those under 16 years old must be represented by their parents or legal guardians, and aged 16 and 17 years- must be assisted by their parents or legal guardians, according to the Brazilian Civil Code, Article 1.690.
See also point (4) here.
Do consumer protection rules apply to children?
Yes.
A consumer is any natural or legal person who acquires or uses a product or service as the final recipient, under Article 2º of the Brazilian Civil Code (CDC). Minors are consumers when acting as the final recipient of a product or service. Under such circumstances, children and adolescents fall within the remit of CDC rules.
Are there any consumer protection rules which are specific to children only?
Yes.
Rules specific to children relate primarily to the consumption of internet video and movie content. The promotion of audiovisual works in movies, soap operas, games and other formats of exhibition is based on consumers age-rating. Parents are presented with minimum information to decide in advance which content their children can access and consume.
In Brazil, content is classified as free; not recommended for under 10 years-old; and successively divided by age groups (e.g., not recommended for 11, 12, 13 years old and so on), up to not recommended for individuals under 18 years-old. The content restriction for each age group varies according to exposure to violence (with firearms or sexual violence), sexual content, consumption of alcohol and illicit drugs, amongst others.
The Law No. 14,852/2024 (Electronic Games Legal Framework) provides that in-game purchase mechanisms must restrict, by default, purchases and other commercial transactions by children. Gaming platforms must deploy appropriate tools to ensure that those with appropriate authority have properly authorised a child’s purchase or transaction (Article 17).
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Over the years there have been many regulatory and judicial enforcement actions concerning consumer protection requirements and children’s use of digital services.
São Paulo State Court in proceeding No. 1003224-26.2021.8.26.0152, for example, placed upon electronic games companies the responsibility to develop and implement mechanisms to deter unauthorised user purchases. The São Paulo State Court alleged that the target audience for electronic games are mainly children and adolescents, most of whom do not yet have sufficient discernment and are easily induced to consume products and services.
Due to gaming consumers being mostly children and adolescents, the São Paulo State Court held that online purchase platforms should display default designs that create obstacles to unauthorised purchases. This decision came after the plaintiff requested cancellation and reimbursement of purchases made by her underage son. The minor made several unauthorised purchases of electronic products using a credit card registered in the electronic games company's system.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
Certain advertising and content placement rules consider the age of the consumer group. Children and adolescents must not be the target audience of campaigns advertising alcoholic beverages and cigarettes, for example.
Alcoholic beverage brands’ websites must display default access mechanisms preventing minors from browsing them (National Council for Advertising Self-Regulation (CONAR) Advertising Self-Regulation Code, Annex A-2).
Furthermore, a Ministry of Justice and Public Security Guide with indicative classification for the consumption of certain products and content, such as films or electronic games was published in 2021. The age rating varies from 10 to 18 years-old, depending on the exposure to violence, sexual content, and illicit drug use.
The Brazilian DPA considers that age restriction to digital products and services must be bound by the best interests of the child principle. However, the appropriate age for registration and use of digital platforms is not addressed in the Brazilian DPA’s Technical Note nº 6/2023/CGF
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There are several requirements in the Brazilian regulatory framework regarding online/ digital safety for children. Amongst other things, companies must make widely available and publicise easily accessible channels in simple and plain understandable language to enable dialogue with children and reporting of harmful or illegal content. The right for decisions to be reviewed, as well as access to information on content moderation procedures are further guaranteed (Article 21 of the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024; Article 15 of the Law No. 14,852/2024 (Electronic Games Legal Framework).
Moreover, digital service providers are responsible for guaranteeing the rights of children and adolescents who use their services and so must identify, measure, evaluate, and diligently mitigate real or foreseeable risks. Algorithmic discrimination, excessive exposure of children and adolescents’ images, hate speech, dissemination of inappropriate content, and sexually exploitative content-related risks are among those which must be accounted for and mitigated against.
Companies must also adopt mechanisms to promote the safe use of digital environments through the participation of parents or legal guardians (Articles 20 and 22, CONANDA Resolution No. 245/2024; Article 16, Electronic Games Legal Framework, Article 16).
Regarding the provision of illegal content, companies must prohibit in their terms of use the posting of illegal or improper content involving minors and set out the respective sanctions applicable to offenders. Mechanisms for content moderation and electronic notification of inappropriate content involving or directed at children and adolescents must also be put in place. If content is found to be illegal, companies are required to make it unavailable (Article 24 of the CONANDA Resolution No. 245/2024; Article 16 of the Electronic Games Legal Framework).
As regards transparency measures, digital service providers must regularly disclose the number of reports received and categories of offences and violations. Moreover, the moderation and governance methods applied, assessment reports and the eventual application of sanctions must also be made publicly available (Article 21, CONANDA Resolution No. 245/2024; Article 16, Electronic Games Legal Framework). Furthermore, digital service providers must publish transparency reports on their operational services encompassing (i) governance measures adopted in the design, development, and use of their systems; (ii) details of the methods used to prevent and mitigate risks; (iii) details of the sanctions applicable to offenders; and (iv) efforts made to educate and promote the rights related to and adequate use of digital environments and services (Article 28, CONANDA Resolution No. 245/2024; Article 16, Electronic Games Legal Framework).
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Effective age verification mechanisms in digital services and environments accessible to children and adolescents must be made available to prevent access to platforms, products, services and content that are illegal or incompatible with the ages of children and adolescents (Article 19, the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024).
The Brazilian DPA has not issued any guidelines or regulations on age assurance requirements, or on the appropriate age verification-mechanisms.
Nonetheless, the Brazilian DPA Technical Note No. 6/2023/CGF refers to both the French CNIL, and the UK ICO guidelines to illustrate examples of what might be considered to be adequate methods to confirm identity and age. Controllers should engage reliable third parties with the capacity to (i) validate payment cards; (ii) confirm the legitimacy of credentials previously authenticated by other third parties; (iii) corroborate information through submitted IDs or facial recognition; (iv) use age inference mechanisms or others provided by public authorities. Please see further information here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
Companies providing digital environments and services must make parental mediation mechanisms available and actively recommend the participation of legal guardians, as a way of promoting the safe and healthy use of their services in the digital environment (Article 20 of the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024).
Parental mediation mechanisms to protect and promote safety in the digital environment must be continuously improved based on evidence. The families and school community of children and adolescents, public authorities, and other responsible parties shall also be provided with widely accessible and free parental-control mechanisms (CONANDA Resolution No. 245/2024, Article 21).
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
There have been many enforcement actions by the competent regulatory authorities over the years. Please see more information here.
Are there any existing requirements relating to children and AI in your jurisdiction?
No
Although not exclusively related to AI, the National Council for the Rights of Children and Adolescents (CONANDA) Resolution No. 245/2024 applies to the rights of children and adolescents in the digital environment. The concept of digital environment encompasses certain “information and communication technologies”, including artificial intelligence (Article 1, sole paragraph). Thus, all the provisions of the CONANDA Resolution No. 245/2024 apply to AI technologies aimed at children and adolescents and/or which process children's and adolescents' personal data.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes
Bill No. 2338/2023, approved by the Federal Senate on December 10, 2024, establishes general standards for responsible governance of AI systems in Brazil. The responsible development of AI systems protecting children and adolescents is at the core of Bill No. 2338/2023 (Article 3, XVII). Similar to the EU Artificial Intelligence Act, in Bill No. 2338/2023 AI systems that enable the production or dissemination, or facilitate the creation of sexual abuse or exploitation materials involving children and adolescents, are classified as excessive-risk systems and are, therefore, prohibited (Article 13, I, d). Bill No. 2238/2023 has been sent to the House of Representatives for deliberation.
Bill No. 3821/2024, approved by the House of Representatives on February 19, 2025, criminalizes AI-manipulated sexual content. Individuals who manage, produce, or disseminate false content of nudity or sexual acts generated by AI technology or other technological means may face a prison sentence of two to six years. If the victim is a child or adolescent, the sentence increases by one-third to half. Bill No. 2807/2024, currently under deliberation by the House of Representatives, pertains to the protection of children's images. It prohibits the use of photos of children to feed artificial intelligence tools without the express consent of their parents or legal guardians. According to Bill No. 2807/2024, any company or natural person that uses photos of children to feed artificial intelligence tools, must prove that they have obtained the consent from the parents or legal guardians. Failure to do so will result in civil and criminal liability. The Brazilian DPA is expected to issue rules on children and AI soon. On November 06, 2024, the Brazilian DPA launched a public consultation on artificial intelligence and automated decision-making. One of the issues addressed was the processing of children’s and adolescents’ personal data by AI systems. The public consultation raised the question of whether there should be any specific safeguards and restrictions on the processing of children’s and adolescents’ personal data by AI systems. The final deadline for contributions was January 24, 2025.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
Article 9° of the National Council for the Rights of Children and Adolescents (CONANDA) Resolution 245/2024, establishes the development of a national policy for the protection of the rights of children and adolescents in the digital environment. The national policy has not been published yet; however, once published we expect that it might provide for upcoming requirements that would be deemed relevant to children’s use of digital services.
Bill 2628/2022, which was approved by the Federal Senate n November 2024 provides for the protection of children and adolescents in digital environments. While under the original Bill it was proposed to prohibit children (users under 12 years-old, as per Law No. 8,069/199o) from opening personal accounts, the final version allows children (under 12 years old) to open social network accounts, as long as those accounts are linked to accounts or profiles of one of their legal guardians or parents. Bill No. 2628/2022 also prohibits the use of profiling techniques to target advertising at children and adolescents.
Contributors
Felipe Palhare
BMA Avogados
Fernanda Villela Viana
BMA Avogados
Fernanda Golgato Polloto
BMA Avogados
