If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Brazil’s Digital ECA (Estatuto da Criança e do Adolescente Digital) took effect today, March 17, requiring nearly every tech product accessible to children to clear a long list of compliance obligations. Apps, operating systems, app stores, video games, social networks: all potentially covered, all facing fines of up to 50 million Brazilian reais (roughly US$9.44 million) or 10% of their Brazilian revenue for non-compliance. As always, the framing is child protection. The infrastructure being built is a national age verification system woven into the fabric of internet access. “Brazil has stepped forward as the first country in Latin America to pass a dedicated law to protect children’s online privacy and safety,” goes the official line. Every major technology platform operating in Brazil must now determine how old its users are and restrict what they can see accordingly. The checkbox that said “I am over 18” is explicitly banned. What replaces it costs significantly more in data. The Contradiction Written Into the Law Article 37’s sole paragraph states that regulations “may not, under any circumstances, impose, authorize, or result in the implementation of mechanisms of massive, generic, or indiscriminate surveillance.” Then Article 9 bans self-reported age. Article 12 demands “auditable” verification. The law prohibits the only mechanism that would make the law work. Auditable, non-self-declaration age verification requires collecting something real about you. The law permits a range of methods: government ID, biometric face scanning, behavioral pattern analysis that watches how you type and what you click, age inference from activity data, and educational history. Every single one of these collects sensitive personal information and creates a record. There is no method on the approved list that doesn’t involve building exactly the kind of identity infrastructure Article 37 claims to forbid. The legislators either didn’t notice the contradiction or they noticed and didn’t care. The obligation falls on platforms, not directly on every individual user. But the effect is the same. Platforms that want to comply need to verify who you are and how old you are before showing you restricted content. If you want to see it, you provide the data. If you don’t provide the data, you don’t get access. What the Law Actually Requires The Digital ECA applies to any information technology product or service intended for or likely to be accessed by minors, regardless of where it was developed, sold, or operated. The scope is deliberately broad. On January 7, Brazil’s National Data Protection Authority (ANPD) extended a deadline for 37 technology companies to submit information on their implementation progress. The names you’d expect are there: Amazon, Apple, Discord, Google, Meta, TikTok, Valve. So is Canonical, the company that makes Ubuntu Linux. Ubuntu is not a social media platform. It does not target children. Its appearance on that list tells you everything about how Brazil intends to apply this law. Any technology product with a digital presence in Brazil that could conceivably be used by a minor is now subject to regulatory oversight. That’s a definition broad enough to capture an open-source operating system used primarily by developers and IT professionals. For platforms clearly in scope, the compliance requirements stack up fast. Self-declaration is explicitly banned as an age verification method. App stores and operating systems must implement age verification systems, parental supervision tools, and share age signal data through a secure API. Social networks face no explicit age verification mandate but must suspend underage users and restrict child accounts, which they can’t achieve without some form of age determination. Users aged 16 and under must have their accounts linked to a parent or legal guardian’s account. Video game platforms must prohibit loot boxes for minors and require parental consent for any user interaction features, including chat. Providers with over one million minor users in Brazil must publish semiannual transparency reports in Portuguese. Foreign companies must maintain a legal representative in Brazil with authority to receive court orders and notifications. This isn’t a compliance checkbox. It’s a permanent legal foothold for the Brazilian state inside every major tech platform’s operations. The Law’s First Day The most concrete illustration of the law’s reach arrived before it even took effect. Rockstar Games, maker of Grand Theft Auto and Red Dead Redemption, announced that as of March 16, digital titles are “no longer purchasable from the Rockstar Games Store or Rockstar Games Launcher by our Brazilian players.” The company didn’t attempt compliance on its own storefront. It simply withdrew from it, redirecting Brazilian customers to PlayStation Store, Xbox, Steam, and Epic Games Store, platforms large enough to absorb the compliance burden themselves. Games you already own still work. New purchases through Rockstar’s own channels don’t. The company has not said whether it intends to return. Discord took a different path, and it reveals exactly what compliance costs. Starting March 9, Discord began rolling out age assurance in Brazil using a third-party vendor called k-ID. The system uses facial age estimation or identity document submission to gate access to age-restricted content and certain default settings. Discord says identity documents are “never seen by Discord.” That’s what Discord users thought would happen before October 2025, when a breach of a third-party support provider exposed approximately 70,000 government ID photos that was collected for age-related appeals. Discord didn’t hold the data directly in that case either; a vendor did. The vendor got breached and the IDs leaked. Now, Discord is building a much larger pipeline of the same category of data through a different third-party, under a law that requires the process to scale to an entire country’s user base. The promise that k-ID, the company Discord is using, won’t share the data with Discord is only as strong as k-ID’s own security practices, which Brazilian Discord users have no direct way to audit and no meaningful recourse if that promise breaks. Encryption in also in the Crosshairs The law’s content removal obligations create a separate and serious problem for encrypted messaging. Providers must put in place systems for reporting and removing content that involves exploitation, sexual abuse, kidnapping, or grooming. Article 27 establishes an affirmative duty to report such content without specifying whether that obligation is limited to material the service becomes aware of through user reports, or whether it extends to proactive scanning of messages. If Article 27 requires proactive scanning, it requires breaking end-to-end encryption. The only way to scan message content for prohibited material before it reaches a recipient is to access it before encryption activates. WhatsApp’s fundamental privacy promise, that only the sender and recipient can read a conversation, becomes legally untenable if Brazilian regulators read Article 27 that way. The law provides no exemption for encrypted services and no guidance on how they’re supposed to comply. European regulators have tried the same move. The EU’s proposed “Chat Control” law would require client-side scanning, accessing your messages on your device before encryption kicks in. Brazil’s law doesn’t go that far explicitly. It simply leaves the question open, which may amount to the same thing in enforcement. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Brazil Launches Mandatory Age Verification Law for Online Platforms appeared first on Reclaim The Net.