Brazil’s digital regulator invites comment on updates to age verification guidance

Brazil has opened a period of public consultation on its guidance document covering age verification mechanisms, including biometric methods. Per a release from the ANPD, Brazil’s digital regulatory authority, contributions can be submitted until July 9th, through the Brasil Participativo platform.

The consultation sees Brazil continuing to move fast on online safety regulations, by providing input for an update to the Preliminary Guidelines published in March 2026. These aim to provide “general instructions regarding the application of reliable age verification mechanisms by suppliers of information technology products or services directed at children and adolescents, or likely to be accessed by this public.”

The new guidance, informally the Age Verification Guide, introduces additional content addressing key concepts related to age assurance, and lays out the chain of responsibilities and specific requirements for the use of technical solutions such as biometric facial age estimation, document verification, facial matching and other methods.

Superintendent of Regulation at ANPD Lucas Borges de Carvalho calls the Guide “an important milestone for the implementation of the Digital ECA (Statute of Children and Adolescents),” which formalizes regulatory conditions for guaranteeing the rights of youth in the digital environment, and to “provide greater predictability and legal certainty in the implementation of the new rules.

Age assurance is an ecosystem

The document (accessed in machine translation) establishes several important considerations for online age assurance. It should not be treated as the only way to keep kids safe online, but “as a legal obligation that enables, integrates with and interacts with other measures.” This is in keeping with the idea, familiar to the age assurance community, that there is no silver bullet in child online safety: this is an ecosystem of interconnected efforts.

The Guide emphasizes that age assurance “should always be interpreted in light of its legal purpose” – which is to say, it must always prioritize the best interests of children.

It also explicitly states that “age verification should not be confused with identity verification,” since “the legal and operational purposes of the two practices differ.”

And it notes the relevance of data minimization principles, and how tools like Zero Knowledge Proofs (ZKP) and age tokenization can support privacy preserving age assurance.

Responsibilities span the digital supply chain

The “digital chain of responsibilities” established in the guide once again underlines the interconnectedness of the age assurance ecosystem, and the need for “coordinated action between various agents.” This includes app stores and operating systems, which have a mandatory duty to offer an established age signal to sites and platforms, delivered through APIs built according to the principles of privacy by design.

Platforms then have a duty to ensure the content they are offering is suitable for the declared age signal provided by the app store.

Those providing content that’s prohibited for children must adopt their own age verification measures. As such, sites hosting pornography (for example) cannot rely on an age signal provided by an app store or OS. There are specific obligations by sector, with higher-risk activities, like the sale of prohibited items, facing higher verification thresholds.

On the question of social media, the Guide says effective age verification must be offered “when necessary,” especially to make parental controls more effective, and accounts of users under 16 must be linked to an adult parent or guardian’s account.

Risk-based approach favors proven solutions

In general, the Guide aims to enshrine proportionality, a risk-based approach and multi-layered risk management as core principles. The most harmful sites and services should take the most care in gaining assurance that their users are old enough to enter.

Privacy must remain a paramount concern, and age assurance tools cannot themselves violate privacy laws. Verifiable credentials that preserve privacy and minimize data sharing are preferred. Sites must conduct thorough risk assessments and develop governance instruments to ensure compliance.

Solutions must cut the mustard on accuracy, and prove it with audits and testing results. The Guide does not say hard evaluative evidence is mandatory, but urges organizations to avoid providers that cannot produce trusted evaluations of its products. Generally, a provider should be able to show, through documentation, that their offering is trustworthy. Continuous testing and monitoring is recommended.

Brazil ‘substantially aligned with emerging international best practice’

Much of what’s to be found in the guide will be familiar from other landmark age assurance documents, such as the final report of Australia’s Age Assurance Technology Trial or the new ISO/IEC standard on age assurance.

But in orchestrating all of the concerns, considerations and elements, Brazil has produced what Tony Allen, chief executive of the Age Check Certification Scheme, calls “one of the more mature and balanced regulatory approaches we have seen emerge globally.”

“What is particularly encouraging is that the ANPD has clearly avoided simplistic ‘upload your ID’ thinking and instead adopted a risk-based, proportional and privacy-aware framework for age assurance,” Allen writes in a post on LinkedIn.

Among highlights, Allen lauds the Guide’s distinction between age assurance and identity verification; its explicit recognition of reusable age signals, tokens and interoperable credentials; and the broader “digital chain of responsibility” model involving app stores, operating systems and downstream services.

“The guidance also repeatedly references the need for robust and reliable mechanisms; internationally recognised technical standards; auditability; interoperability; demonstrable safeguards around privacy, bias, security and anti-circumvention measures.” That could be a recipe for the soup du jour at the age assurance cafe, which has been filled of late with calls for hard evidence.

“Providers will increasingly be expected to demonstrate independently assessed performance, transparent governance, privacy and data protection by design, interoperability capability, anti-bypass and resilience measures and alignment with internationally recognised standards frameworks,” Allen writes. “In practical terms, this means certification, conformity assessment and independently evidenced assurance are becoming central to market access and regulatory trust.”

Article Topics

Age Check Certification Scheme (ACCS)  |  age verification  |  ANPD  |  biometric age estimation  |  biometrics  |  Brazil  |  Digital ECA  |  facial age estimation (FAE)  |  regulation