This law is effective today — March 17, 2026. Brazil’s Digital ECA (Estatuto Digital da Criança e do Adolescente), officially Law No. 15,211/2025, is now enforceable. Every operating system, app store, gaming platform, and digital service accessible to minors in Brazil must implement age verification — or face fines of up to R$50 million ($9.5 million USD) per violation. Self-declaration checkboxes no longer count.

This isn’t hypothetical. Rockstar Games has already suspended direct sales through its own launcher in Brazil. Canonical is reviewing its legal obligations for Ubuntu. IBM’s Red Hat and Fedora teams are exploring compliance paths. And Brazil’s National Data Protection Authority (ANPD) has published a monitoring list that includes Linux distributors alongside Epic Games and Valve.

No sovereign nation has ever required age verification at the operating system level with this scope and these penalties. Today, that changes.


What the Digital ECA Actually Requires

The Digital ECA was signed into law by President Lula on September 17, 2025, following a remarkable legislative sprint triggered by viral exposés of child exploitation on social media platforms. SaferNet Brasil had documented 76,997 cases of online human rights violations between January and July 2025, with 64% involving child sexual abuse material. The legislation passed the lower house, cleared the Senate, and reached the president’s desk in under a month.

The law’s scope is unprecedented. It applies to any “information technology product or service” that is “targeted at” or “likely to be accessed” by children (under 12) or adolescents (12–18). That language is deliberately expansive. It encompasses:

  • Operating systems — Windows, macOS, iOS, Android, Linux distributions, ChromeOS, SteamOS
  • App stores — Google Play, Apple App Store, Microsoft Store, Steam, Epic Games Store
  • Social media platforms — Facebook, Instagram, TikTok, X, YouTube, Discord
  • Gaming platforms — Steam, PlayStation Network, Xbox Live, Roblox
  • Streaming services — Netflix, Spotify, YouTube
  • Any digital service that could host content inappropriate for minors

The phrase “likely to be accessed” is the critical legal mechanism. A service doesn’t have to target children to fall under this law — it merely has to be accessible to them. That means virtually every digital product with users in Brazil is in scope.

The Self-Declaration Ban

The Digital ECA explicitly prohibits self-declaration as an age verification method for content inappropriate or prohibited for individuals under 18. Clicking “I am 18 or older” is no longer legally sufficient. The law mandates “effective and reliable” age verification at each access attempt for restricted content.

What qualifies as “reliable” will be defined by forthcoming ANPD regulations, but the law points toward:

  • Government-issued ID verification
  • Biometric age estimation (facial analysis)
  • Credit card or financial instrument verification
  • Third-party age verification services
  • Age signals transmitted from operating systems or app stores

For minors aged 12–18, the law requires parental or guardian consent for app downloads. Social media accounts for users under 16 must be linked to a parent or guardian’s account. Operating systems and app stores must build the technical infrastructure to facilitate this consent workflow — a requirement that fundamentally changes how OS account setup works.

The Loot Box Ban

In a provision that directly targets the gaming industry, the Digital ECA bans paid loot boxes — randomized in-game purchases that function like gambling — in any product accessible to minors. This affects virtually every free-to-play game operating in Brazil.


The Companies Under the Microscope

Brazil’s ANPD has established a monitoring list of companies whose compliance efforts are under active scrutiny. The list includes names that underscore just how broadly this law reaches:

Canonical (Ubuntu Linux)

Canonical, the UK-based company behind Ubuntu — the world’s most popular Linux distribution — is on the ANPD’s monitoring list. Ubuntu powers millions of desktops, servers, and IoT devices in Brazil. The company has confirmed its legal team is reviewing compliance options.

Aaron Rainbolt, a Canonical developer, has been transparent about the challenge: “We’re currently looking into how to implement an API that will comply with the laws while also not being a privacy disaster.” The current proposal involves an optional D-Bus interface (org.freedesktop.AgeVerification1) that would handle age brackets locally without transmitting data externally.

But the fundamental question remains: how do you implement age verification on an operating system that anyone can download, install, and modify freely?

IBM (Red Hat and Fedora)

IBM’s open-source division faces the same paradox through Red Hat Enterprise Linux and the Fedora community distribution. Fedora developers are exploring “non-intrusive options like local APIs or configuration files populated during setup, avoiding online verification or data sharing.” Former Fedora leader Jef Spaleta characterized this as a “minimal adjustment to meet legal requirements” — not a surveillance mechanism.

Red Hat Enterprise Linux presents a different challenge. RHEL is widely deployed in Brazilian enterprises, government agencies, and data centers. While server deployments may not fall under “likely to be accessed by minors,” any desktop or workstation installation could.

Epic Games

Epic Games operates both the Epic Games Store and Fortnite — one of the most popular games among minors globally. Brazil represents a significant market for Epic, and the company faces obligations under the Digital ECA’s gaming-specific provisions including the loot box ban and mandatory age verification for age-restricted content.

Valve (Steam)

Steam is the world’s dominant PC gaming platform, with a massive Brazilian user base. Valve must implement age verification that goes beyond its current birthday-entry screen, comply with the loot box ban for games it distributes, and ensure parental controls meet the Digital ECA’s “maximum protection by default” standard.

Steam’s existing age gate — a dropdown menu asking users to enter a birth date — is precisely the kind of self-declaration mechanism the Digital ECA prohibits. Valve’s compliance path will require fundamental changes to how the platform onboards users in Brazil.

Rockstar Games: The First Casualty

Rockstar Games didn’t wait for enforcement. On March 16, 2026 — one day before the law took effect — the company suspended direct sales through the Rockstar Games Launcher and its official store for Brazilian users. The company’s titles remain available through third-party stores like Steam, PlayStation Store, and Xbox, effectively transferring the age verification compliance burden to those platforms.

This is likely a preview of how smaller publishers will respond: exit direct distribution and let the platform holders absorb the compliance costs.


The Open-Source Paradox

The Digital ECA’s application to operating systems creates an unprecedented challenge for the free and open-source software (FOSS) ecosystem. The paradox is fundamental: how do you enforce age verification on software that users can freely download, modify, and redistribute?

The Technical Reality

A Linux distribution is not an iPhone. Users can:

  • Reinstall the operating system and bypass any age verification added during setup
  • Install a virtual machine with a fresh OS instance and declare any age
  • Use a VPN to mask their location
  • Compile the operating system from source with age verification components removed
  • Run a live USB session that never touches the installed OS

System76 CEO Carl Richell, whose company makes Pop!_OS and is headquartered in Colorado (which is advancing its own OS-level age verification bill), was blunt: “The child can install a virtual machine, create an account on the virtual machine and set the age to 18 or over.” He characterized the real challenge as educational rather than technical.

Diverging Distribution Responses

The FOSS community’s response has split into three camps:

Compliance-oriented distributions — Ubuntu, Fedora, Elementary OS, and Pop!_OS are exploring minimal technical implementations. The leading approach is a local D-Bus API that stores an age bracket on the device, queryable by applications, without transmitting personal data externally. This satisfies the letter of the law while preserving user privacy.

Resistant distributions — Omarchy Linux and Adenix GNU/Linux have declared they will not implement age verification at all. MidnightBSD updated its license to exclude residents of jurisdictions requiring age verification from desktop use — a symbolic protest that highlights the absurdity of applying consumer product regulations to freely distributed software.

Silent distributions — Linux Mint, Arch Linux, openSUSE, and NixOS have not issued official statements, likely waiting for upstream decisions from Canonical and Red Hat that will propagate through the ecosystem.

The Enforcement Question

The ANPD’s enforcement capacity is a critical unknown. The agency only recently achieved full regulatory body status and is still onboarding approximately 200 temporary staff. Director Iagê Miola acknowledged the constraint: “We certainly cannot monitor everything at once.” The agency has no intermediate enforcement deadlines and must independently determine priorities.

For Linux distributions with minimal commercial presence in Brazil, the practical enforcement risk may be low. But for Canonical and IBM — companies with Brazilian operations, contracts, and legal entities — noncompliance could mean fines, activity suspensions, or prohibition from operating in the country.


The $9.5 Million Question: Enforcement and Penalties

The Digital ECA’s penalty structure is designed to be punitive enough to compel compliance from even the largest technology companies:

  • Fines up to R$50 million (~$9.5M USD) per violation or up to 10% of Brazilian revenue
  • Temporary suspension of activities in Brazil
  • Temporary prohibition from operating in Brazil
  • Mandatory appointment of a Brazilian legal representative for foreign entities
  • Penalties scaled based on severity, recurrence, economic capacity, and social purpose

For context, Meta’s Brazilian revenue was approximately $3.8 billion in 2025. A 10% revenue penalty would dwarf the R$50 million cap. For smaller companies, even a single R$50 million fine could be existential.

The law also requires companies with more than 1 million minor users in Brazil to publish semiannual transparency reports in Portuguese — a requirement that forces companies to quantify their minor user base, creating a documented record that regulators can use in enforcement actions.

Criminal Provisions

Beyond administrative fines, the Digital ECA amends Brazil’s criminal code. Providers of pornographic content who fail to prevent minor access face criminal liability. The mandatory reporting requirements for child sexual abuse material carry their own penalties for noncompliance.


The American Mirror: California, Colorado, and New York

Brazil is not operating in isolation. Three U.S. states have enacted or advanced legislation requiring age verification at the operating system level, creating a converging global regulatory framework.

California — AB 1043 (Digital Age Assurance Act)

Signed by Governor Newsom in October 2025 and effective January 1, 2027, California’s law requires every operating system provider to:

  • Collect age information from users during account setup
  • Transmit age data to app stores and developers via a real-time API
  • Allow declared age to curate app store availability

The law explicitly covers all operating systems — including Linux and SteamOS. California’s market power means this effectively becomes a national standard for the United States.

Colorado — SB 26-051 (Age Attestation on Computing Devices)

Colorado’s bill, which advanced through committee in February 2026, requires operating systems to:

  • Collect user birthdate or age range during device setup
  • Convert data into age brackets (under 13, 13–17, 18+)
  • Expose age data to applications via API

Penalties: $2,500 per minor for negligent violations, $7,500 per minor for intentional ones, enforced by the state attorney general. The bill targets an effective date of January 1, 2028.

New York — S8102A

New York’s legislation extends requirements to all “internet-enabled devices,” requiring manufacturers to conduct “age assurance” and provide a real-time API signal to any website, service, or application on the device.

The Critical Difference

There’s a key distinction between these U.S. state laws and Brazil’s Digital ECA: the American bills generally rely on self-reported age data entered during device setup. Colorado’s SB 26-051 does not require birthdate verification against government ID. A 13-year-old who enters a false date faces no technical barrier.

Brazil’s law explicitly bans self-declaration for age-restricted content. This means Brazil’s compliance burden is substantially higher — platforms must implement “reliable” verification that goes beyond what users type into a form.

Jurisdiction | Scope | Verification Standard | Penalties | Effective Date
Brazil (Digital ECA) | All digital services accessible to minors | Reliable verification; self-declaration banned | R$50M (~$9.5M) or 10% revenue | March 17, 2026
California (AB 1043) | All operating systems | Self-reported age at setup | TBD by AG regulations | January 1, 2027
Colorado (SB 26-051) | Computing devices | Self-reported age brackets | $2,500–$7,500 per minor | January 1, 2028
New York (S8102A) | Internet-enabled devices | Age assurance (method TBD) | TBD | Pending

What Compliance Teams Must Do Today

The Digital ECA is enforceable as of today. There is no grace period. Organizations with users in Brazil should treat this as an active compliance obligation.

1. Determine If You’re In Scope

Any digital product or service “likely to be accessed” by minors in Brazil falls under this law. If your product is available in Brazil and isn’t exclusively used by verified adults in a professional context, assume you’re in scope.

2. Audit Your Current Age Verification

If your age verification consists of a checkbox, a dropdown birthday selector, or any form of self-declaration — it is noncompliant. Document the gap and begin remediation planning immediately.

3. Implement Reliable Age Verification

Engage with third-party age verification providers who operate in Brazil. Options include document-based verification (government ID scanning), biometric age estimation, and financial instrument verification. Ensure whatever method you choose complies with Brazil’s LGPD (General Data Protection Law) — age verification data cannot be repurposed.

4. Build Parental Consent Workflows

If minors can access your product, you need a parental consent workflow. For users under 16 on social platforms, this means account linking. For app stores and operating systems, this means download authorization workflows.

5. Review Gaming-Specific Obligations

If you publish or distribute games in Brazil, audit for loot box mechanics in any title accessible to minors. The Digital ECA’s blanket ban on paid randomized purchases applies regardless of whether the game is rated for adults — if a minor can access it, the prohibition applies.

6. Appoint a Brazilian Legal Representative

Foreign entities must maintain a legal representative in Brazil empowered to act before Brazilian authorities. If you don’t have one, engage Brazilian legal counsel immediately.

7. Prepare Transparency Reports

If you have more than 1 million minor users in Brazil, you’ll need semiannual transparency reports in Portuguese. Start building the data infrastructure to quantify your minor user base now.

8. Monitor ANPD Regulatory Guidance

The ANPD will issue additional technical requirements defining what constitutes “reliable” age verification. These regulations will materially affect compliance strategies. Subscribe to ANPD publications and engage through public comment periods.


The Bigger Picture: Digital Sovereignty and the End of Anonymous Computing

Brazil’s Digital ECA, combined with California’s AB 1043, Colorado’s SB 26-051, and New York’s S8102A, represents a coordinated global shift toward tying digital identity to device access. The implications extend far beyond child protection.

For Open Source

The FOSS movement was built on the principle that anyone can freely use, study, modify, and distribute software. Age verification requirements at the OS level challenge this foundation. When an operating system must verify who is using it before granting full access, the software is no longer truly free in the philosophical sense — it’s conditionally accessible based on identity attributes.

The practical impact may be minimal for now — a D-Bus API storing a self-attested age bracket is hardly an identity checkpoint. But the infrastructure is being built. And as System76’s Richell warned, once that infrastructure exists, “it doesn’t stay limited to restricting minors.”

For Gaming

The gaming industry faces the most immediate operational impact. The loot box ban alone requires redesigning monetization systems for one of the world’s largest gaming markets. Combined with age verification requirements that prohibit birthday dropdowns, gaming platforms must invest in verification infrastructure that didn’t exist six months ago.

Rockstar’s decision to pull its direct store from Brazil is likely the first of many such exits. Smaller publishers without the resources to build compliance systems will route everything through major platforms — further consolidating Steam, Epic, PlayStation, and Xbox as gatekeepers.

For Privacy

Every age verification system is a data collection system. Every data collection system is a future breach target. The Discord age verification breach that exposed 70,000 government IDs in 2025 demonstrated the risk. Brazil’s Digital ECA attempts to mitigate this by prohibiting repurposing of verification data, but the data must still be collected, processed, and — however briefly — stored.

The tension between child protection and privacy is real and unresolved. Brazil has chosen to prioritize the former. The long-term consequences of that choice will depend entirely on how the ANPD regulates implementation.

For Global Compliance Strategy

Companies operating internationally now face age verification requirements in Brazil, Australia, the UK, the EU (via the Digital Services Act), and a growing number of U.S. states — each with different scopes, standards, and penalties. There is no unified global standard. The compliance cost of maintaining jurisdiction-specific systems is becoming a meaningful barrier to entry for smaller companies.

The consolidation effect is already visible: Bluesky blocked all Mississippi IP addresses rather than comply with that state’s social media age verification law. MidnightBSD banned California residents from its OS. These aren’t compliance strategies — they’re capitulations by organizations that can’t afford the alternative.


What Happens Next

The Digital ECA is law. Today is day one of enforcement. But several critical developments will shape how this plays out:

ANPD Technical Standards — The agency must define what “reliable” age verification means in practice. This guidance will determine whether compliance is achievable or impossible for different classes of providers.

First Enforcement Actions — The ANPD’s initial targets will signal priorities. Will they pursue major platforms first? Operating system providers? Gaming companies? The monitoring list suggests all of the above.

Constitutional Challenges — Privacy advocates in Brazil may challenge the law’s verification requirements as disproportionate under Brazil’s constitution and the LGPD. Legal challenges could narrow or delay enforcement.

Industry Standardization — The age verification industry will develop Brazil-specific solutions. Expect rapid product launches from companies like Veriff, Yoti, and local providers.

Cascade Effects — Other Latin American countries are watching Brazil’s implementation closely. Success could trigger similar legislation across the region. Failure could provide ammunition against age verification mandates globally.


The Bottom Line

Brazil has done something no nation has done before: mandated age verification across the entire digital stack — from operating systems to app stores to individual applications — with penalties severe enough to compel compliance from the world’s largest technology companies.

The law takes effect today. The ANPD is monitoring. Rockstar has already blinked. Linux distributions are scrambling. And the age verification industry is about to experience the largest demand surge in its history.

For compliance teams, this is not a future problem. It’s a today problem. The Digital ECA’s prohibition on self-declaration, its operating system requirements, and its $9.5 million per-violation fines represent a new regulatory paradigm — one that California, Colorado, and New York are already replicating.

The era of anonymous, unverified digital access is ending. Brazil just fired the starting gun.


This article is for informational purposes only and does not constitute legal advice. Organizations subject to Brazil’s Digital ECA should consult with qualified Brazilian legal counsel regarding their specific compliance obligations.