Brazil reshapes children's data protection under the 'Digital ECA' framework

Brazil is entering a new phase in the protection of children and adolescent data. Recent developments — especially Decree No. 12.881/2026 and Law No. 15.211/2025 — are not isolated changes. They reflect a broader regulatory shift that has been building over time.

Law No. 15.211/2025 — known as the Digital Child and Adolescent Statute — establishes a substantive framework for protecting children and adolescents in digital environments, while Decree No. 12.881/2026 operationalizes these principles with expectations for preventive measures, risk management and accountability when children's data is involved. 

The shift was already signaled by Brazil's data protection authority, the Agência Nacional de Proteção de Dados, in its Statement No. 1/2023, which clarified that the processing of children's data may rely on any legal basis under the General Data Protection Law, provided the best interests of the child prevail in the specific case.

In practical terms, this marked the beginning of a move away from consent as the primary compliance anchor in children's data protection.

For many organizations, compliance in this area has been built around one key idea: parental consent. That logic is now evolving.

The current model does not eliminate consent, but it clearly reduces its importance. In its place, it introduces a stronger and more demanding standard: the best interests of the child.

This is not a cosmetic adjustment. It represents a structural change in how compliance is assessed, shifting from formal validity to substantive accountability.

Consent is no longer enough

Under this approach, having parental consent is not sufficient to justify data processing involving minors. Organizations are expected to demonstrate that their activities align with the best interests of the child or adolescent, regardless of the legal basis used.