Brazil's Agencia Nacional de Proteção de Dados (ANPD) yesterday released a preliminary version of its Guia Orientativo on age verification mechanisms (Mecanismos de Aferição de Idade), launching a public consultation process known as a Tomada de Subsidios. The document, dated May 2026 and carrying administrative reference SEI 00261.003182/2026-47, sets out detailed technical and legal requirements for technology product and service providers whose offerings are directed at children and adolescents, or are likely to be accessed by them.

The guide is a preliminary, non-binding version open for stakeholder input. Its release marks a significant step in implementing Lei nº 15.211/2025, the Estatuto Digital da Criança e do Adolescente - commonly called the ECA Digital - and Decreto nº 12.880 of 18 October 2026, the implementing regulation signed into law on 18 March 2026.

A framework built on six requirements

According to the ANPD, the guide consolidates and deepens the "Orientações Preliminares - Mecanismos Confiáveis de Aferição de Idade," a shorter preliminary document the agency published in March 2026. The new guide groups the eleven subsections of Article 24 of the Decreto into six general requirements: proportionality, accuracy and robustness and reliability, privacy and personal data protection, inclusion and non-discrimination, transparency and auditability, and interoperability.

Each of these requirements reflects a distinct legal obligation. The proportionality requirement, drawn from Article 24, I of the Decreto, obliges providers to balance the accuracy and robustness demanded in a given context against the risk that the verification mechanism itself may cause adverse effects on users - particularly on privacy and personal data. According to the ANPD, providers must assess risks on three levels: the risks associated with the product or service itself, the risks arising from the specific age verification mechanism chosen, and the risks created by the operating context and environment.

The accuracy, robustness, and reliability requirement addresses how well verification systems perform. According to the ANPD, accuracy refers to the degree of precision with which a method can determine a user's age under controlled conditions, measured using metrics such as True Positive Rate, False Positive Rate, and False Negative Rate for binary results, or Standard Deviation and Mean Absolute Percentage Error for age range outputs. Robustness is defined as the capacity of a system to resist circumvention attempts, taking into account the likely user population and the technical means available to them. Reliability means the ability of a mechanism to produce correct and consistent results across different usage contexts over time, not only in development testing.

Three species of age assurance

The guide distinguishes carefully between three technical species of age determination. Verification (verificação de idade) is a high-reliability procedure that confirms the accuracy of a declared age or age range using technical or documentary means. Estimation (estimativa de idade) uses biometric or behavioural characteristics to determine a probable age range without producing an exact result. Inference (inferência de idade) deduces age indirectly from contextual signals such as consumption data, educational history, or online preferences.

A fourth method - self-declaration (autodeclaração de idade) - is explicitly excluded from the category of reliable mechanisms. According to the ANPD, self-declaration consists of a user simply providing their age or date of birth without any additional confirmation. The guide states that even supplying a Cadastro de Pessoa Fisica (CPF) number - the Brazilian individual taxpayer registry number - is equivalent to self-declaration, because it is personal data provided by the user themselves without independent verification. Self-declaration is prohibited for services offering prohibited content, pornographic content, gambling and fixed-odds betting, social networks delivering prohibited products or services, and electronic games with loot boxes (caixas de recompensa).

The digital chain of responsibilities

A central structural concept in the guide is the cadeia digital de responsabilidades - the digital chain of responsibilities. According to the ANPD, the ECA Digital distributes age verification obligations between two groups of providers: app stores and operating systems on one side, and all other technology providers on the other.

App stores and operating systems must request a self-declaration when a user creates an account, then verify age using reliable methods with a preference for verifiable credentials. They must share the resulting age signal with downstream providers through a secure, privacy-by-default Application Programming Interface (API). Critically, the API may transmit only a binary confirmation - a yes/no answer as to whether the user is over 18 - without disclosing the underlying personal data such as a date of birth, identity document, or biometric data. The same API must allow users to contest and rectify their age classification.

Downstream providers receive this age signal and must configure their product or service accordingly. However, the guide is unambiguous that receiving an age signal does not transfer responsibility: according to the ANPD, providers remain liable for the effectiveness of age-appropriate measures regardless of signals received from app stores or operating systems. Providers of prohibited content must additionally implement their own independent age verification, and in cases of divergence between the signal and their own assessment, must apply whichever result is more protective of children and adolescents, as established by Article 25, paragraph 4 of the Decreto.

Risk matrix and layered verification

The guide introduces a three-level risk matrix - low, moderate, and high - and maps each level to appropriate verification approaches. Low-risk services, defined as digital services that do not offer content classified as inappropriate or prohibited but may still cause indirect adverse effects, include educational and cultural content platforms, general-purpose productivity applications, and general internet search and browsing services. For these, the ANPD recommends mechanisms with minimal impact on privacy, such as receiving the age signal from app stores or adopting verifiable credentials.

Moderate-risk services are those with adverse effects on children's privacy, security, or health; those allowing user interaction; those exposing users to inappropriate or inadequate content; or those processing sensitive personal data. The guide lists social networks, mixed-content video platforms, electronic games with user interaction or microtransactions, general-purpose messaging services, generative AI services of general use, digital health and mental wellbeing services, and general e-commerce platforms as examples. For moderate risk, the ANPD recommends a multi-layer model in which methods with lower data impact are applied first, supplemented by more robust mechanisms only when necessary.

High-risk services are those offering content, products, or services expressly prohibited for persons under 18 - including pornographic content, gambling, betting, lotteries, loot boxes, adult companion services, and social networks that make such content available. For these, verification with high robustness, accuracy, and reliability is mandatory, regardless of the age signal received from app stores. According to the ANPD, providers in this category must also prioritise solutions that combine high accuracy with advanced privacy protection mechanisms, such as cryptographic proof architectures that confirm age without disclosing additional personal data. They must avoid any mechanism that generates continuous user tracking or behavioural monitoring.

Facial estimation and its specific risks

Section IV of the guide addresses three specific technical methods: facial estimation, documentary verification, and verifiable credentials. The treatment of facial estimation (estimativa facial) is particularly detailed because the technology carries distinct risks, including susceptibility to deepfakes and synthetic images, algorithmic bias, and discriminatory impact on vulnerable groups.

The guide draws a technical distinction that has regulatory significance: systems of facial age estimation are different from biometric facial recognition. Estimation systems classify a face into an age range and produce only an age estimate. Recognition systems convert a face image into a template and compare it against a stored reference for identification or authentication purposes. Nevertheless, according to the ANPD, facial image processing may still constitute processing of biometric data - classified as sensitive personal data under Article 5, II of the LGPD - depending on the system architecture and processing purpose. Providers adopting facial estimation must demonstrate through technical documentation, including a Relatório de Impacto a Proteção de Dados Pessoais (RIPD), that their solution does not generate or use biometric identification templates.

The guide requires that facial estimation systems transmit to the digital service only the necessary age attribute - for example, a binary token indicating "over 16" or "over 18" - rather than the captured image or exact age. Liveness detection (prova de vivacidade) is recommended to guard against photograph, video, mask, or synthetic image attacks. Systems must block access after a defined number of failed attempts, and divergent results from successive submissions by the same user must trigger escalation to a more robust verification layer.

Documentary verification and verifiable credentials

Documentary verification is characterised in the guide as a deterministic method rather than a probabilistic one. The system checks the data contained in an identity document issued by a competent authority - identity card, driver's licence, passport, or equivalent digital document - and compares the age attribute with the service's requirements. According to the ANPD, this deterministic nature gives documentary verification generally higher robustness than estimation methods.

However, Article 24, paragraph 3 of the Decreto establishes strict data minimisation rules. Any data processed from collected documents must be limited to confirming the age or age range. The image, copy, or any information from the document must be eliminated immediately and irreversibly after the necessary information is captured. Storage or retention of document images is expressly prohibited.

Verifiable credentials (credenciais verificáveis) are presented in the guide as a technically preferred approach for reducing data exposure. According to the ANPD, these credentials operate as digitally signed declarations issued by a trusted entity - for example a government authority such as Gov.Br or a certifying body - and can be stored locally on the user's device. A relying party receives only the specific attribute needed, such as confirmation that the user is over 18, without accessing the underlying identity documents or biometric data. The guide references Zero-Knowledge Proof (ZKP) techniques as an example of privacy-preserving verification, noting that they allow a user to prove an attribute from a trusted credential without revealing the underlying personal data. The W3C Verifiable Credentials Data Model v2.0, accessed by the ANPD team in April 2026, is cited as a governance reference.

Privacy requirements and the prohibition on secondary use

The privacy section of the guide identifies six minimum guarantees to be observed in any age verification solution: data minimisation, privacy protection, data security, prohibition of secondary use, prohibition of traceability, and prohibition of continuous automated and unrestricted data sharing.

Of these, the prohibition on secondary use is particularly significant for the marketing and advertising industry. According to the ANPD, data collected for age verification purposes may be used exclusively for that purpose. The prohibition explicitly covers behavioural advertising, profiling, user classification, database enrichment, and inference about habits, preferences, and browsing patterns. This applies to both the raw data collected during verification and any derived data produced by the verification system, including age signals, age range classifications, and age tokens. The guide also requires providers to separate verification systems functionally from other platform infrastructure, particularly systems for targeted advertising, behavioural analysis, content personalisation, and AI model training.

The guide additionally recommends double-blind architecture in which the third-party verifier does not know which service provider requested the verification, and the service provider receives only the verification result without access to the identity data used to generate it.

International reaction and context for advertisers

The release drew immediate commentary from international experts. Tony Allen, Subject Matter Expert on Age Assurance and editor of ISO/IEC 27566, published a LinkedIn post noting that the ANPD had "clearly avoided simplistic 'upload your ID' thinking and instead adopted a risk-based, proportional and privacy-aware framework for age assurance." Allen highlighted the guide's recognition that age assurance is not the same as identity verification, its support for layered and progressive assurance models, and its explicit recognition of reusable age signals, tokens, and interoperable credentials.

ANPD Commissioner Lorena Giuberti Coutinho - one of the document's named contributors - replied to the post, confirming that the ANPD had hosted Allen for direct briefings as part of preparing the guidance, and stating that the agency looked "forward to continuing the dialogue as the age assurance landscape evolves."

For the marketing and digital advertising community, the guide has direct operational implications. The complete prohibition on using age verification data for advertising profiling or behavioural targeting closes a potential loophole that some had anticipated. The prohibition on continuous data sharing between verification systems and advertising infrastructure means that any age verification process must be architecturally isolated from the programmatic stack. The requirement that age verification results be represented as minimal binary tokens - rather than precise birth dates or full identity data - limits the data available to platforms for audience segmentation based on verified age.

Brazil's data watchdog added child protection as a priority enforcement theme in December 2025, establishing 30 inspection and enforcement actions focused on privacy-by-default configurations and age-verification mechanisms for the 2026-2027 period. The ANPD had also been elevated to regulatory agency status in September 2025, giving it greater institutional autonomy. Its legal action against Meta over AI chatbots targeting children in August 2025 signalled the agency's willingness to move beyond guidance into enforcement, particularly on child safety matters. Meanwhile, global regulators have been converging on similar frameworks: German data protection authorities have called for enhanced GDPR protections for children, and US COPPA amendments that took effect June 2025 overhauled how children's data may be used for advertising purposes.

According to Tony Allen, providers seeking to operate in Brazil should prepare for regulators to require independently assessed performance, transparent governance, privacy and data protection by design, interoperability capability, anti-bypass and resilience measures, and alignment with internationally recognised standards. Allen specifically referenced ISO/IEC 27566-1 certification as becoming central to market access and regulatory trust.

The document was prepared by a team of 14 ANPD staff members under Director-President Waldemar Gonçalves Ortunho Junior and Directors Miriam Wimmer, Iagê Zendron Miola, and Lorena Giuberti Coutinho. The consultation is open for public submissions.

Timeline

  • 13 July 1990: Brazil enacts Lei nº 8.069, the original Estatuto da Criança e do Adolescente (ECA).
  • 14 August 2018: Brazil enacts the Lei Geral de Proteção de Dados Pessoais (LGPD), establishing the general data protection framework.
  • 17 September 2025: President Luiz Inácio Lula da Silva signs Lei nº 15.211/2025, the Estatuto Digital da Criança e do Adolescente (ECA Digital), Brazil's first law specifically protecting children's rights in digital environments.
  • September 2025ANPD is formally recognised as a regulatory agency with greater institutional and budgetary autonomy.
  • August 2025ANPD takes legal action against Meta over AI chatbots targeting children, signalling active enforcement intent on child safety.
  • 22 December 2025ANPD approves its 2026-2027 enforcement priorities map, placing child protection in digital environments as a central theme with 30 planned inspection and enforcement actions.
  • 17 March 2026: ECA Digital takes effect.
  • 18 March 2026: Decreto nº 12.880 - the implementing regulation of the ECA Digital - is published, establishing detailed requirements including Article 24 on reliable age verification mechanisms.
  • March 2026: ANPD publishes "Orientações Preliminares - Mecanismos Confiáveis de Aferição de Idade," the precursor document to the current guide.
  • 22 May 2026: ANPD published the preliminary version of the Guia Orientativo on Age Verification Mechanisms (Mecanismos de Aferição de Idade), opening the Tomada de Subsidios public consultation.

Summary

Who: Brazil's Agencia Nacional de Proteção de Dados (ANPD), led by Director-President Waldemar Gonçalves Ortunho Junior and Commissioners Miriam Wimmer, Iagê Zendron Miola, and Lorena Giuberti Coutinho, prepared the document with a team of 14 staff.

What: A preliminary 49-page guidance document - the Guia Orientativo on Mecanismos de Aferição de Idade - setting out six general requirements and specific technical standards for reliable age verification in digital products and services, opened yesterday for public consultation (Tomada de Subsidios).

When: The document is dated May 2026. It consolidates and extends preliminary orientations published by the ANPD in March 2026 and implements requirements established by the ECA Digital (Lei nº 15.211/2025, signed September 2025) and its implementing Decreto nº 12.880, published 18 March 2026.

Where: Brazil, with national jurisdiction extending to all technology providers whose products or services are directed at or likely to be accessed by Brazilian children and adolescents, regardless of the provider's location.

Why: The ECA Digital requires technology providers to adopt reliable, effective age verification mechanisms as part of a broader obligation to protect children and adolescents in digital environments. The guide operationalises the eleven subsections of Article 24 of the Decreto into actionable requirements, aiming to give regulated parties the clarity needed to implement compliant systems. The prohibition on self-declaration as a reliable mechanism and the strict limits on secondary use of verification data reflect the law's objective of preventing both inadequate age gatekeeping and mass surveillance architectures.

Share this article
The link has been copied!