Age Verification on Digital Platforms (Lei 15.211/2025) — An API Implementation Guide

The ECA Digital (Lei nº 15.211/2025 — Brazil's digital child protection law), also known as the "Lei Felca" — a reference to influencer Felipe Bressanin's exposé on how easily children could access sexual exploitation content on social media — came into force on March 17, 2026, and brought a structural change to Brazil's digital landscape: platforms offering content, products, or services unsuitable for minors under 18 are now required to implement reliable age verification mechanisms. Simple self-declaration — that "enter your date of birth" field — is no longer enough.

In this article, we explain what the law requires, which companies are affected, what penalties apply, and why age verification via CPF (Brazilian individual taxpayer ID) API is one of the most practical and affordable ways to comply.

What is the ECA Digital

The ECA Digital updates Brazil's Statute of the Child and Adolescent (Lei nº 8.069/1990) for the online world. Signed into law on September 18, 2025, it establishes a dedicated regulatory framework to protect children and teenagers on digital platforms — social networks, video games, marketplaces, betting apps, streaming services, and any technology product accessible to minors.

The law applies to any digital service accessible in Brazil, regardless of where the company is headquartered. Enforcement falls to the ANPD (Brazil's national data protection authority), which published preliminary guidance and the official implementation timeline on March 20, 2026. Decreto nº 12.880/2026, published on March 18, regulates the law and details additional obligations, such as a ban on manipulative design (infinite scrolling and video autoplay) for underage audiences.

ECA Digital timeline — from enactment to enforcement

Who needs to comply

The law's scope is broad. If your platform offers content, products, or services whose sale or access is inappropriate, unsuitable, or prohibited for minors under 18, the age verification obligation applies. In practice, that includes:

  • Social networks — accounts of users under 16 must be linked to legal guardians
  • Betting and iGaming platforms — a total ban for minors, with mandatory verification at signup
  • Adult content sites and apps — verification on every access
  • Video games — especially titles with purchase mechanics, loot boxes, or violent content
  • Marketplaces — for age-restricted products (alcohol, tobacco, weapons)
  • Video and audio streaming — for content rated as unsuitable
  • Delivery apps — for categories such as alcoholic beverages
  • EdTechs and fintechs — when they collect data from minors

A recent study by Brazil's Internet Steering Committee (CGI.br) and the Brazilian Network Information Center (NIC.br) analyzed 25 of the digital services most used by children in the country and found that 84% did not verify age at account creation before the law came into force. Most relied exclusively on self-declaration. A preliminary version of the study was presented at the ECA Digital Seminar in Brasília on March 18, 2026.

84% of platforms did not verify age before the ECA Digital

What the law prohibits and requires

Article 9 of Lei 15.211/2025 is blunt: providers must adopt "reliable age verification mechanisms" for restricted content, and self-declaration is expressly prohibited.

Beyond age verification, the ECA Digital establishes other significant obligations:

  • Parental supervision: control tools for parents and guardians must be available by default, not as an optional feature buried in advanced settings
  • Privacy by design: digital products aimed at children and teenagers must build in security and privacy from the ground up
  • Ban on behavioral profiling: creating behavioral profiles of minors for targeted advertising is prohibited
  • Ban on manipulative design: infinite scrolling, video autoplay, and other patterns that drive excessive use are prohibited for minors (Decreto 12.880/2026)
  • Removal and reporting: child sexual exploitation or abuse content must be removed immediately and reported to the authorities

Penalties

The sanctions are severe and follow an escalating scale:

  1. A warning with a 30-day deadline to comply
  2. A fine of up to 10% of gross annual revenue in Brazil
  3. An alternative fine of R$ 10 to R$ 1,000 per registered user (for companies with no declared revenue in Brazil)
  4. A cap of R$ 50 million per violation
  5. Temporary suspension of operations in Brazil (imposed by the courts)
  6. Permanent ban from operating in the country for repeat offenses (imposed by the courts)

Need to implement age verification on your platform? Meet our CPF-based verification API — free sandbox →


How age verification via CPF works

Among the accepted age verification mechanisms, CPF validation via API stands out as one of the most efficient approaches for the Brazilian market. The reason is simple: the CPF registry at the Receita Federal (Brazil's federal tax authority) contains the holder's date of birth. By querying a CPF through an API, you can confirm whether the user is an adult or a minor without requiring physical documents, selfies, or facial biometrics.

The typical flow looks like this:

  1. The user provides their CPF at signup or access
  2. The platform calls the CPF lookup API
  3. The API returns the holder's date of birth and computed age
  4. The platform checks whether idade >= 18 and grants or blocks access

This method has clear advantages over the alternatives:

Method Advantage Limitation
CPF via API Fast (<2s), frictionless, official Receita Federal data Only for CPF holders
Identity document Broad coverage Requires upload, OCR, and manual or AI validation
Facial biometrics No document required High cost, LGPD concerns (sensitive data), racial bias
Credit card Presumes adulthood Not an age verification mechanism
Self-declaration Frictionless Prohibited by the ECA Digital

For foreign users without a CPF, the platform must offer alternative methods (passport, home-country ID). But for the Brazilian audience — the vast majority of users on platforms operating in the country — the CPF is the natural path.

The ANPD's guidance

On March 20, 2026, the ANPD published a set of preliminary guidelines for implementing age verification mechanisms. Rather than mandating a single technical solution, the agency defined six minimum requirements that should guide the choice:

  1. Proportionality — the mechanism must fit the risk and context of the service
  2. Accuracy and reliability — it must effectively confirm the age bracket
  3. Privacy and data protection — data minimization, with no unnecessary retention
  4. Inclusion and non-discrimination — it cannot create disproportionate barriers for vulnerable groups
  5. Transparency and auditability — the process must be documented and traceable
  6. Interoperability — it must be compatible with app store age standards and signals

CPF verification via API meets all of these requirements: it is proportionate (it queries a piece of data the user already has), reliable (the official Receita Federal registry), data-minimizing (returns only what is needed), inclusive (the CPF is universal in Brazil), transparent, and easily auditable.

The guidelines also mention emerging technologies such as verifiable credentials and zero-knowledge proofs — approaches that confirm an age attribute without exposing additional data. While those solutions are still maturing, CPF lookup already operates on the same logic: it confirms the age bracket without requiring full documents to be shared.

The ANPD's published timeline has three phases: the current phase (guidance and monitoring of app stores and operating systems), a second phase starting in August 2026 (definitive technical guidance), and active enforcement starting in 2027. That means the time to comply is now — anyone waiting for enforcement to knock on the door will already be behind.

How to implement it with FonteData

FonteData integration — age verification via CPF

FonteData offers a CPF lookup API that returns the data you need for age verification. Integration takes minutes, with API Key authentication and JSON responses.

Sample request:

curl -H "X-API-Key: SUA_CHAVE" \
  "https://app.fontedata.com/api/v1/consulta/cadastro-pf-basica?cpf=00000000000"

Sample response (fields relevant to age verification):

{
  "cpf": "000.000.000-00",
  "nome": "MARIA APARECIDA SANTOS",
  "dataNascimento": "14/08/1995 00:00:00",
  "idade": 30
}

Note: The API returns a full set of registry data (addresses, phone numbers, emails, and more). For age verification, your application only needs to consume the idade (age) field — the rest can be discarded immediately, in line with the data minimization principle of the LGPD (Brazil's data protection law).

Data minimization — LGPD principle

The idade field comes pre-computed by the API — your application only needs to check whether idade >= 18 to grant or block access. No date parsing on your side.

There is no need to store the CPF beyond the moment of the lookup — just record the verification outcome (adult/minor) and an audit identifier for compliance purposes.

Why use FonteData for age verification:

  • 100+ data sources aggregated into a single REST API
  • Real-time responses — no queues or async processing
  • Prepaid model — no monthly fee, you pay only for what you use
  • Frictionless — the user provides only their CPF, no document uploads
  • LGPD compliant — operates under the legitimate interest legal basis (Art. 7, IX)
  • Complete documentation — integrate in minutes with examples in cURL, Python, Node.js, and more

Conclusion

The ECA Digital is not a future possibility — it is an obligation that has been in force since March 17, 2026. Platforms still relying on age self-declaration are out of compliance. The penalties are severe (up to R$ 50 million per violation or 10% of revenue), and the ANPD has already published preliminary guidance and started monitoring — active enforcement with sanctions is scheduled for 2027.

Age verification via CPF is the most practical, fastest, and most affordable solution for the Brazilian market. FonteData provides the infrastructure to implement this verification in minutes, without complexity and in full regulatory compliance.

Start now: try the age verification API for free → — R$ 50 in credits, no credit card, no commitment.

Try the FonteData API

Query Brazilian company and individual data via API — CNPJ, CPF, KYC, compliance and more. R$50 in free credits to test.

Create free account →
Share: LinkedIn Twitter / X
R$ 50 in free credits Create free account