South America
This content is for informational and educational purposes only and does not constitute legal advice.
On 17 March 2026, the Bill on protection of children and adolescents in digital environments, including design requirements (Law No. 15,211) enters into force. The Law requires providers of digital products and services directed at or accessible to children to incorporate safety and well-being considerations into their design. They must conduct risk management, ensure age-appropriate content, prevent access to illegal or manifestly inappropriate material, avoid compulsive use through default settings, and clearly display the recommended age group for each service. The Act also establishes parental supervision rights. Providers must give parents, guardians and children accessible information about risks, security and privacy measures. They are required to offer easy-to-use parental supervision tools that allow account and privacy management, restriction of purchases, monitoring of contacts and usage time, and activation or deactivation of safeguards, with all options available in Portuguese. Finally, products and services used for child monitoring must include secure mechanisms to ensure the integrity and protection of images, sounds and other information collected and transmitted to parents or guardians.
On 24 February 2026, the Bill establishing minimum protection duties for children and adolescents on digital platforms (Bill No. 730/2026) was introduced to the Chamber of Deputies. The Bill would require digital platforms to implement technical mechanisms to identify indications of remunerated activity and potential economic exploitation involving children and adolescents. Such mechanisms may include algorithmic detection models, monitoring systems, defined escalation flows and risk indicators, and must provide guarantees of human review and bias control. The Bill would require publication of annual transparency reports containing, at a minimum, the number of accounts signalled as maintained by minors, the number of confirmed identifications, the methodologies used for detection, the number of notifications and requests received from protection bodies, average response times, compliance metrics, and a description of human review procedures and independent audit practices. Furthermore, the Bill provides for administrative and objective civil liability for failure to adopt the required measures. It establishes sanctions including warnings, administrative fines calculated in relation to gross revenue in Brazil in the previous financial year, corrective measures, temporary blocking of monetisation functionalities and temporary suspension of services. Revenue from fines would be allocated to the Childhood and Adolescence Fund.
On 24 February 2026, the Bill establishing algorithmic integrity mechanisms, limits to persuasive design, and a parental alert system in messaging environments (PL 687/2026) was introduced to the Chamber of Deputies. The Bill would amend Law No. 15.211 of 2025 (Digital Child and Adolescent Statute) and would require digital platforms to observe the principle of safety by design by adopting technical and organisational measures to prevent structural risks to the physical health, mental health, and psychosocial development of children and adolescents. The Bill would prohibit targeted engagement design techniques for minors under 18, specifically infinite scroll without a navigation interruption mark every 15 minutes, media autoplay without deliberate user action, and variable reward mechanisms such as intermittent notifications. The Bill would further mandate that end-to-end encrypted messaging applications provide Local Integrity Technical Mechanisms to process device metadata and behaviour patterns. These mechanisms would issue Technical Risk Alerts to legal guardians regarding nudity, extreme violence, grooming, or adult-majority groups without breaking communication secrecy.
On 24 February 2026, the Bill establishing algorithmic integrity mechanisms, limits to persuasive design, and a parental alert system in messaging environments (PL 687/2026) was introduced to the Chamber of Deputies. The Bill would amend Law No. 15.211 of 2025 (Digital Child and Adolescent Statute) to require recommendation systems used by digital platforms to undergo periodic risk assessments through independent technical audits. The Bill would mandate these audits focus on preventing damage to the mental health and development of children and adolescents, specifically regarding risks such as eating disorders, self-harm, body dysmorphia, and radicalisation. It would allow these audits to be conducted by accredited independent entities with multisectoral participation. The Bill would require the final reports to be public regarding general conclusions while preserving industrial secrets and source code.
On 23 February 2026, Brazil and the Republic of Korea signed an Arrangement on Trade and Productive Integration to promote trade and economic integration. The Arrangement includes measures regarding cooperation on digital trade, digital infrastructure, and emerging technologies, including artificial intelligence and related hardware. It also refers to collaboration in advanced manufacturing and digital industries, and to exchanges of practices relevant to the digital economy. The parties indicated that they will facilitate trade and investment by improving transparency and efficiency in regulatory frameworks, cooperating on standards, sharing information on trade and investment data, and addressing technical barriers to trade. The Arrangement also provides for cooperation in multilateral trade fora. Implementation will be overseen by a bilateral Commission on Economic and Trade Relations, which may establish working groups and expert meetings.
On 10 February 2026, the Bill amending the Civil Rights Framework for the Internet with rules on labelling political content and algorithmic amplification, including government access to data, was introduced to the Chamber of Deputies. The Bill applies to digital platforms, including social networks, search engines, messaging services, and marketplaces that distribute or boost third-party content. The Bill governs access to platform records on political content during elections by authorities. The provision applies to digital platforms subject to the transparency and record-retention rules. The Bill imposes record-retention duties for algorithmically distributed political content during elections. It requires platforms to retain records for at least two years after the end of the electoral period. Retained data must include audit logs and metadata on political content and promotion, including content origin, account and agent identifiers, algorithmic parameters and model versions, advertising campaign details, and moderation or removal actions. Platforms must also keep technical logs sufficient to reconstruct content distribution and amplification in an interoperable, machine-readable format. The Bill also requires records to preserve integrity and enable independent technical auditing, including logs of Artificial Intelligence (AI) model changes where models were decisive. The Bill limits access to records and metadata to reasoned and specific requests from the Superior Electoral Court, the Federal Public Prosecutor’s Office, or the Federal Police. Requests must specify the investigation scope, legal basis, data sought, time period, and necessity and proportionality. The Bill also provides that platforms must provide essential data within 48 hours and full records within seven business days, subject to justified extensions or court orders. Access may be subject to investigative secrecy, and receiving authorities must apply minimisation, confidentiality, and protective safeguards, including controls on onward sharing.
On 6 February 2026, the Bill (PL 385/2026) amending the Consumer Defence Code (Law No. 8.078) to prohibit discriminatory personalised pricing and establish transparency obligations for automated price formation was introduced to the Chamber of Deputies. The Bill would apply to suppliers entering into digital or electronic consumer contracts. It would amend Article 39 to prohibit the use of personal data, inferred data, browsing history, location, device characteristics or other digital surveillance elements to set different prices or commercial conditions for consumers in equivalent situations. It would also prohibit using automated systems or artificial intelligence tools to determine the maximum price a consumer would be willing to pay based on economic, behavioural or psychological profiling. Furthermore, it would prohibit raising prices where digital means detect momentary vulnerabilities, such as urgency or essential need. The Bill would also prohibit the concealment of dynamic or automated pricing mechanisms or their general criteria. Additionally, the new Article 54-H would oblige suppliers to provide transparent and accessible information on dynamic or automated pricing, the general and objective criteria for price variation and whether automated processing of personal data determines the offered value. The Bill would prohibit the use of concealed or non-verifiable personalised criteria, and would grant consumers the right to request a human review of automated pricing decisions. Dynamic pricing based exclusively on collective market factors, including supply, demand, seasonality, logistics, time or availability, would not constitute an abusive practice if applied objectively and equally. Non-compliance would trigger sanctions under Article 56 of the Consumer Defence Code, without prejudice to Law No. 13.709. If adopted, the Law would come into force 180 days after its official publication.
On 3 February 2026, the Bill amending Law No. 15.211 to combat child sexual exploitation (PL 224/2026) was submitted to the Chamber of Deputies. The Bill would apply to suppliers of information technology products or services directed at, or likely to be accessed by, children and adolescents. Under proposed Article 28-B, such suppliers would be required to integrate a native silent alert functionality into their systems or applications to enable the automated detection of grooming patterns in digital environments. Where a risk situation is identified, the supplier would be required to notify the legal guardian and preserve a minimum technical record for evidentiary purposes. Deletion of that record by the potential aggressor would be prohibited, in accordance with applicable legislation and personal data protection safeguards.
On 2 February 2026, the Bill (PL 98/2026) amending Law No. 15,211 concerning Electronic Games was introduced in the Chamber of Deputies. The Bill requires digital platforms to prepare and maintain a Child and Adolescent Rights Impact Assessment in the Digital Environment (RIDCA) as a governance and risk mitigation instrument. According to Article 21-C, this assessment must be completed before a platform is made available or before any relevant changes are implemented in its functionalities. The RIDCA must contain a comprehensive description of algorithmic recommendation, personalisation, monetisation, and moderation systems, alongside an analysis of risks to the privacy, mental health, and bio-psychosocial development of minors. Platforms are specifically required to evaluate potential impacts on behaviour, advertising exposure, and the risks of algorithmic discrimination or profiling. Furthermore, the assessment must demonstrate compliance with the General Data Protection Law (LGPD) and describe the measures adopted to eliminate identified risks. Non-compliance with these testing requirements, including the failure to provide accurate reports of RIDCA testing to the government and public, is classified as a very serious infraction. Sanctions may include fines at the maximum level, immediate suspension of interaction functionalities, temporary blocking of children and adolescents' access to the platform, and specific regulatory intervention for compulsory adjustment. The liability of the platform will be aggravated when the omission results in repeated exposure to adult content, situations of grooming, harassment or exploitation, or collective or diffuse damage to childhood and adolescence. The Bill enters into force on the date of its publication.
On 2 February 2026, Bill PL 61/2026 was introduced in the Chamber of Deputies. The Bill amends Law No. 9.472 of 16 July 1997 to introduce design requirements for cancellation mechanisms. The Bill would require providers of telecommunications services of collective interest that offer internet applications for account management to maintain a functional mechanism enabling users to cancel contracted plans. This mechanism must be easily accessible and placed within the main menu or the account management section of the application. To ensure a streamlined interface, the confirmation process for a cancellation request must not exceed three screens or clicks. This design requirement aims to prevent complex navigation paths that could discourage or delay subscribers from terminating their service agreements. The Bill would enter into force 90 days after its publication.
On 2 February 2026, the Bill on the use and restrictions of artificial intelligence (AI) glasses, including data protection regulation, was introduced to the Chamber of Deputies. The Bill regulates the conditions, duties, and restrictions on AI glasses with audio-visual capture and data processing capabilities. The Bill applies to manufacturers, developers and suppliers placing such devices on the Brazilian market. It requires a valid legal basis under the General Personal Data Protection Law for third-party data capture, clear notice to affected individuals, and appropriate safeguards. The Bill also requires suppliers to implement privacy by design, ensure visible or audible recording signals, disable facial recognition and sensitive inference functions by default, publish technical documentation, and conduct a data protection impact assessment before commercialisation. It also provides that commercialisation is subject to a declaration of conformity and oversight by the National Data Protection Authority (ANPD). Breaches may trigger civil, administrative and criminal liability, including sanctions under the General Personal Data Protection Law.
On 8 December 2025, the Law establishing the National System for the Development, Regulation, and Governance of Artificial Intelligence (PL 6237/2025) was introduced to the Chamber of Deputies. The Law would establish a regulatory framework for artificial intelligence (AI) called the National System for the Development, Regulation, and Governance of Artificial Intelligence (SIA), composed of a newly established Brazilian Council for Artificial Intelligence (CBIA), the Brazilian Data Protection Authority (ANPD), two newly established committees composed of experts and civil society representatives, and other related public bodies. The CBIA would be responsible for establishing guidelines and principles for AI in relation to economic development, digital sovereignty, and social inclusion, advising the President of the Republic on AI policy development, and coordinating with other authorities on sectoral issues. The ANPD would become the residual regulator and supervising authority for AI, with the power to issue binding rules, including regarding incident reporting and algorithmic impact assessments, request clarification on data used to train high-risk AI in the public sector, and publish a list of high-risk AI use cases. Further, the Law would require the ANPD and sectoral agencies to define new categories for high-risk AI, based on criteria such as impact on fundamental rights, vulnerable groups, risk of systemic cybersecurity harm, and impact on the development of children and adolescents. The statement of reasons notes that Congress is already examining Bill 2338/2023, and the Executive must be prepared to implement whichever regulatory model is adopted. The Law therefore organises Brazil’s AI governance by assigning responsibilities to the CBIA, ANPD, expert and civil-society committees, and sectoral regulators to support coordinated oversight.
On 26 October 2025, the Ministry of Development, Industry, Commerce, and Services (MDIC) closes the consultation on criteria to define the list of data centre equipment eligible for the Special Taxation Regime for Data Centre Services (Redata), established by Provisional Measure No. 1,318 of 17 September 2025. The consultation invites contributions on technical specifications of hardware, software, and infrastructure equipment to be included in the exemption list, as well as on environmental sustainability criteria such as energy and water efficiency, renewable or clean energy usage, and other environmental practices required for eligibility. Redata forms part of the National Data Centre Policy (PNDC) under the New Industry Brazil (NIB), Mission 4 (Digital Transformation), linking tax incentives to research and development commitments, domestic market allocation requirements, and regional decentralisation measures that reduce counterparts for investments in the North, Northeast, and Central-West regions.
On 16 October 2025, the Bill on Influencer Activity, Advertising and Image Use (Bill No. 5234/2025) was introduced in the Chamber of Deputies. The Bill establishes that providers, defined as internet applications of social networks, search tools, or instant messaging, shall implement mechanisms of notification of illicit content and make available public reports on their moderation activities. Article 8 determines that these obligations apply to all providers operating under the scope of the law. The Bill also provides that the Executive Power shall regulate its execution and that the law shall enter into force on the date of its publication.
On 16 October 2025, the Bill defining influencer activity in electronic media and establishing rules on advertising and image use (Bill No. 5234/2025) was introduced in the Chamber of Deputies. The Bill provides that individuals or legal entities who commercially promote products, services, or causes online must identify sponsored content with clear markings such as “advertising” or “sponsored content”, in accordance with Law No. 4.680/1965, Law No. 8.079/1990, and Law No. 9.294/1996. It requires edited or artificial intelligence-generated images to include visible labels indicating “edited image” or “virtual image” and establishes penalties for non-compliance. Influencer agents must ensure contractual transparency and shared liability, while digital platforms, including social networks and search or messaging services, are required to maintain reporting mechanisms for illegal content and moderation transparency. The Executive Branch is responsible for further regulation and enforcement of the Bill’s provisions.
On 15 October 2025, the Chamber of Deputies introduced Bill No. 5226/2025, amending the General Data Protection Law to prohibit the commercialisation and improper sharing of sensitive data. The Bill forbids the disclosure, sharing, transfer, or sale of sensitive personal data except where expressly permitted by law. It regulates the processing of biometric data for access control in private areas, allowing it only when there is a specific legal basis, a legitimate security purpose, and a Data Protection Impact Assessment (RIPD). Access to judicial records containing sensitive data is limited to formal and justified requests, judicial warrants, or cases involving research, journalism, or overriding public interest, provided that anonymisation and confidentiality are maintained. The Bill also assigns the National Data Protection Authority (ANPD) the responsibility to coordinate preventive and enforcement actions with the Public Prosecutor’s Office, the Federal Police, and consumer protection authorities to combat the illicit trade in personal data. It will enter into force on the date of its publication.
On 15 October 2025, the Bill on the regulation of digital influencer activities and participation of children in audio-visual productions was passed by the Chamber of Deputies. The Bill establishes rules to ensure transparency and truthfulness in influencer marketing. It requires that sponsored content must be clearly labelled as “advertising” or “sponsored content,” and edited or Artificial Intelligence-generated images must carry visible labels including “edited image” or “virtual image.” Influencers are responsible for the accuracy of their content and must follow existing consumer protection and advertising laws. It provides that failure to comply with these standards is treated as misleading or abusive advertising and can incur criminal penalties.
On 15 October 2025, the Bill on the regulation of digital influencer activities and participation of children in audio-visual productions was passed by the Chamber of Deputies. The Bill provides that influencers, their agents, and digital platforms are required to implement clear organisational processes to comply with the law. Agents must adopt measures to ensure legal compliance, formalise contracts detailing identity, remuneration, intellectual property rights, and share liability for damages. Platforms must maintain reporting mechanisms for illegal content and publish public transparency reports.
On 15 October 2025, the Chamber of Deputies passed the Bill on the regulation of digital influencer activities and the participation of children in audio-visual productions. The Bill amends Law No. 8,069 of 13 July 1990 on the Statute of the Child and Adolescent. The Bill provides that any child involved in paid audio-visual recordings must obtain judicial authorisation, which considers psychological risks, compatibility with regular schooling, and proper management of income. The measures aim to prevent exploitation, safeguard development, and ensure that participation in online promotion does not compromise well-being or education.
On 15 October 2025, the Ministry of Justice and Public Security (MJSP) opened a consultation, running until 14 November 2025, on a proposal for a methodology and minimum requirements for age verification in digital services that can be accessed by children and adolescents. The consultation aims to collect contributions from companies, experts, civil society, and public agencies to define technical and legal parameters for implementing age verification mechanisms in Brazil under the Law for the protection of children and adolescents in digital environments (ECA Digital). The consultation, prepared in cooperation with the National Data Protection Authority (ANPD), sets out proportional application criteria and proposes privacy-preserving technologies such as digital credentials, age tokens, and Zero Knowledge Proofs (ZKPs). The consultation process foresees consolidation of results between 15 November and 15 December 2025 and the drafting of a regulatory decree by the end of 2025 to ensure compliance with the Federal Constitution’s Article 227 and the General Law on the Protection of Personal Data (LGPD).
On 15 October 2025, the Bill on cargo weight limitation for internet delivery applications (Bill No. 5197/2025) was introduced in the Chamber of Deputies. The Bill amends Law No. 12,009 of 29 July 2009 to require companies operating internet applications dedicated to the delivery of goods to restrict the weight of loads to be transported. The Bill inserts Article 6-A into Law No. 12,009/2009, obliging internet application operators providing delivery services by motorcycle to refuse transport requests for items that exceed the weight and dimension limits set by the National Traffic Council for the relevant vehicle and transport equipment. The measure seeks to ensure compliance with the National Traffic Council Resolution No. 943/2022 on the safe carriage of goods by motorcycle and to prevent unsafe operations that surpass the technical capacity of the vehicle. The Bill provides that it shall enter into force on the date of its publication.
On 15 October 2025, the Bill prohibiting use of religious image and faith for financial gain (Bill No. 5212/2025) was introduced in the Chamber of Deputies. The Bill amends Law No. 12,865 of 9 October 2013 and Law No. 7,492 of 16 June 1986, to prohibit the participation or linking of the image of spiritual or religious entities and leaders, as well as the use of faith, creed or religion, with the objective of obtaining financial or material advantage through financial institutions, payment scheme providers and payment institutions, including fintechs. The Bill inserts Section 6(6) into Law No. 12,865/2013 to forbid the use of religious representation for financial purposes, except for tithes and donations made by believers, and adds Article 24-A and Section 25(2-A) to Law No. 7,492/1986 to criminalise such practices, establishing penalties of imprisonment from one to five years and fines, and extending criminal liability to administrators, directors and managers of religious entities and financial institutions.
On 15 October 2025, Brazil's Ministry of Justice adopted an ordinance regulating the national indicative content classification system, applicable across television, films, streaming, video games, applications, and public shows. The classification system aims to protect children and adolescents by providing guidance to parents and guardians, with content rated according to thematic axes including violence, sex/nudity, drugs, and interactivity. The ordinance establishes age ratings: L, 6, 10, 12, 14, 16, and 18. It outlines two classification processes: official classification by the Ministry of Justice for works like theatrical films and physical video games, and self-classification by providers for open television, pay-television, and streaming services, which is subject to governmental monitoring. Self-classified works initially use provisional symbols until validated or changed by the Ministry, after which definitive symbols and content descriptors must be displayed. Providers of streaming and pay-television services must implement parental control blocking systems to restrict access to certain content. The ordinance requires the mandatory display of age rating symbols before and during most programmes and a verbal announcement for radio programmes. The National Secretariat for Digital Rights is responsible for the analysis, monitoring, and enforcement of the ordinance, including the power to reclassify works if self-classification is deemed incorrect. The rules also prohibit using classification to discriminate on grounds of politics, religion, or sexual orientation. Most provisions of the ordinance will take effect in November 2025, with specific rules for internet applications entering into force in March 2026.
On 15 October 2025, the Ministry of Justice and Public Security of Brazil adopted Ordinance No. 1,048 of 2025. The ordinance establishes a unified framework for the indicative age classification of audiovisual works, electronic games, public shows, and digital applications, implementing Law No. 15,211 of 2025 on the protection of children and adolescents in digital environments. It consolidates and replaces earlier MJSP ordinances on content classification. It defines six age categories: open (all ages), 10, 12, 14, 16, and 18 years, and prescribes content descriptors for violence, sex, drugs, and discriminatory language. Broadcasters, streaming services, and online platforms must display these classifications clearly and apply technical or parental controls to limit access by minors. The ordinance also extends these duties to internet services, user-generated content platforms, and AI-based applications that recommend, personalise, or interact with users. It enters into force on 17 November 2025, while provisions on digital and AI-related applications (Articles 48 to 57) apply from 17 March 2026.
On 14 October 2025, the National Data Protection Authority (ANPD) outlined regulatory and supervisory measures for implementing Law No. 15.211/2025, the Digital Child and Adolescent Statute (Digital ECA). The ANPD detailed that the Digital ECA complements the General Data Protection Law (LGPD) by introducing obligations for digital service providers, including age verification mechanisms, parental supervision tools, content blocking measures, prohibitions on abusive targeted advertising, and the requirement to design digital products and services with age-appropriate security and privacy standards. Pursuant to Decree No. 12.622/2025, the ANPD was formally assigned as the competent authority for supervising and regulating the Digital ECA. It announced a Priority Action Plan consisting of 25 initiatives, such as revising the regulatory agenda, updating inspection and dosimetry regulations, and preparing a public explanatory guide. The ANPD confirmed that active monitoring of large digital platforms will commence before the law’s entry into force in March 2026.
On 14 October 2025, Brazil’s National Data Protection Authority (ANPD) published the final results of Notice No. 2/2025, selecting Metatext Inteligência Artificial Ltda., Synapse Artificial Intelligence Ltda., and IA Greenworld Ltda. to participate in the Regulatory Sandbox on Artificial Intelligence (AI) and Data Protection. The sandbox applies to public and private entities developing AI systems that process personal data and provides a supervised experimental environment until December 2026. It aims to promote algorithmic transparency, privacy-by-design, and responsible innovation, with the next stage involving training participants in AI, regulation, and the sandbox methodology.
On 13 October 2025, the Vice-President of Brazil, acting as President, issued Decree No. 12,666 to enact the Investment Cooperation and Facilitation Agreement with India, signed in January 2020. The Agreement applies to investors and enterprises from both countries operating in each other’s territory, excluding portfolio investments and pre-investment expenses. It sets rules on fair treatment, protection against expropriation, and free transfer of funds. Investors must follow host country laws and promote responsible business practices. A Joint Committee and consultation process will help prevent disputes.
On 7 October 2025, the bill creating Brazil’s Significant Connectivity Statute and the National Plan for Significant Connectivity to promote digital inclusion was introduced to the Chamber of Deputies. The bill focuses on guaranteeing universal internet access, affordable devices, and the protection of personal data and privacy in technology use. It requires telecommunication providers to offer affordable, high-quality connectivity and mandates state oversight on data protection and secure digital services. It also focuses on training in digital and Artificial Intelligence (AI) literacy. The bill also seeks to fund AI and digital skills programmes for vulnerable groups.
On 7 October 2025, the Bill on the prevention and combat of human trafficking through digital means was introduced to the Chamber of Deputies. The Bill applies to digital platforms, internet application providers, influencers, and individuals involved in online recruitment or job placement. Platforms are required to detect and report content linked to human trafficking. The Bill also provides that non-compliance leads to fines ranging from BRL 10,000 to BRL 1,000,000. Individuals responsible for such content must publish awareness and prevention information.
On 7 October 2025, the Bill regulating water consumption by data centres to preserve water sovereignty and protect natural resources was introduced to the Chamber of Deputies. The Bill applies to data centres, including cloud computing, storage, and information technology (IT) infrastructure providers, especially those consuming large volumes of water. It requires prior environmental licensing with water use plans, impact assessments, and mitigation measures. Data centres must prioritise reused or alternative non-potable water for cooling. Installations are restricted in water-scarce areas, conservation buffers, Indigenous lands, and near traditional communities. Data centres must measure and annually disclose water consumption and efficiency. Violations incur administrative, civil, and criminal penalties.
On 7 October 2025, the Bill amending the Copyright Law to prohibit unauthorised use of realistic digital imitations generated by Artificial Intelligence (AI) was introduced to the Chamber of Deputies. The Bill applies to digital content creation, social media platforms, streaming services, AI-generated media, and other online platforms that host or distribute audio-visual or performative content. It prohibits public dissemination of realistic digital imitations without express consent. It defines realistic digital imitation as audio-visual, sound, or hybrid content capable of misleading the public. Exceptions are provided for caricature, parody, satire, criticism, journalism, scientific research, artistic uses, and public interest. Violations trigger civil, administrative, and criminal sanctions, including content removal, compensation for material and moral damages, and fines up to BRL 50,000 per content item.
On 4 October 2025, the Central Bank of Brazil (BCB) implemented a security measure for blocking Pix keys flagged by participating institutions as being used for scams and fraud. Pix is an instant payment system created by Brazil's Central Bank, allowing users to make bank transfers between accounts using QR codes or Pix keys.
On 3 October 2025, Complementary Bill No. 213/2025 was introduced in the Chamber of Deputies to amend Complementary Law No. 214 of 16 January 2025 to regulate operations and service provisions relating to information security and cybersecurity. The Bill amends Article 142, II of the law to cover operations and services in these sectors when carried out by companies established in Brazil that have a legal representative in the country, as listed in Annex XI and identified according to the Nomenclature of Brazilian Services (NBS) and the Mercosur Common Nomenclature/Harmonised System (NCM/HS) classifications. The Bill removes the requirement that companies must have a minimum of 20 percent national capital participation to access fiscal benefits, replacing this with the criterion of legal establishment in Brazil, thereby ensuring full jurisdictional oversight by national authorities. The Bill clarifies that the amendment is a corrective adjustment to align with the principles of neutrality, equality, and free competition established under Constitutional Amendment No. 132/2023, which introduced the dual Value Added Tax system (IBS and CBS), and to strengthen the regulatory framework governing cybersecurity services in the Brazilian legal order.
On 2 October 2025, the Central Bank of Brazil (BCB) announced that Pix Installment Regulations will be published in the last week of October 2025. The rules will apply to financial and payment institutions offering Pix-based credit or payment deferral solutions. They will introduce a standardised definition of Pix Installments. Pix is an instant payment system created by Brazil's Central Bank, allowing users to make bank transfers between accounts using QR codes or Pix keys.
On 2 October 2025, the Bill amending Law 12965/2014 and Decree-Law 2848/1940 to prohibit early eroticisation of children and adolescents (PL 4934/2025) was introduced to the National Congress. The Bill prohibits the early eroticisation of children and adolescents by internet application providers. The Bill introduces Article 21-A to the Brazilian Civil Rights Framework for the Internet (12965/2014), which forbids internet application providers from monetising, boosting, or recommending content depicting minors in an eroticised, sexually suggestive manner, or in adult sexual contexts. Eroticisation is defined as publishing visual representations implying sexuality, erotic connotation, sensualisation, or objectification of minors, even if presented as spontaneous or humorous. Non-compliance would result in sanctions under Article 12 of the existing law and other liabilities. Furthermore, Article 21-B obligates suppliers of information technology products and services, particularly those for children and adolescents, to adopt reasonable measures from their applications' conception and throughout operation to prevent the spread of such content. The Bill also amends the Penal Code (2848/1940) by introducing Article 218-D, criminalising the promotion or facilitation of a child or adolescent's early eroticisation through erotic or sexual images, videos, audio, or texts disseminated online.
On 1 October 2025, Bill No. 4880/2025 was introduced in the Chamber of Deputies to amend Law No. 15.211 of 17 September 2025, known as the Digital Statute of the Child and Adolescent, to establish specific technical standards for the detection of child sexual abuse material and to enhance transparency mechanisms. The Bill requires providers of information technology products and services with upload, sharing or audiovisual transmission functionalities to implement automated detection systems, including cryptographic hash comparison with recognised databases, nudity detection algorithms with age estimation based on anthropometric criteria, contextual automated analysis to identify sexual exploitation situations, and machine learning systems for emerging patterns of child sexual abuse material. These systems must be auditable by accredited third parties, with implementation deadlines of 90 days for providers with more than 10 million users, 180 days for those with more than 1 million users, and 360 days for all other providers. In addition, the Bill mandates detailed transparency reports covering detection results, average removal times, reports to authorities, algorithm precision rates, and investments in protective technologies, to be consolidated and published in an online panel managed by the autonomous administrative authority for the protection of children’s rights in the digital environment.
On 1 October 2025, the Central Bank of Brazil (BCB) implemented the Pix “dispute button”. The feature applies to all Pix users and allows digital contestation of transactions in cases of fraud, scams, or coercion. Pix is an instant payment system created by the Bank, allowing users to make bank transfers between accounts using QR codes or Pix keys. When a dispute is filed, the scammer’s bank must block funds immediately, and both banks have up to seven days to review the case, with refunds issued within eleven days if fraud is confirmed. The feature does not cover commercial disagreements, mistaken payments, or disputes involving bona fide third parties.
On 1 October 2025, the Bill to restrict the registration on online betting platforms was introduced to the Chamber of Deputies. The Bill also restricts the use of Natural Persons Register (CPF) numbers on online betting platforms by people in social vulnerability, income transfer beneficiaries, and individuals with gambling-related disorders. CPF is a unique taxpayer identification number issued by the Brazilian Federal Revenue Service to individuals. The Bill applies to online betting platforms operating in Brazil. It requires them to verify users’ CPFs in real time through a national system managed by the Ministry of Finance and integrated with the CadÚnico database. Platforms must automatically block restricted users, cancel accounts, and submit quarterly reports to the Secretariat for Prizes and Betting. The Bill also establishes a national self-exclusion list allowing individuals to voluntarily block their access to betting for at least two years. Non-compliance may result in fines of up to 10% of gross revenue, temporary suspension, or licence revocation.
On 30 September 2025, Central Bank of Brazil (BCB) Resolution No. 506 entered into force following its publication in the Official Gazette of the Union, introducing cybersecurity provisions in the Pix payment scheme. The resolution provides that Pix participants may only set transaction limits based on criteria for mitigating risks of fraud and breaches of anti-money laundering and counter-terrorism financing regulations, and requires participants to adopt minimum criteria defined by the BCB for assessing suspected fraud in Pix transactions. It also obliges participants to reject requests for Pix key registrations, portability, or possession claims when users are associated with transactional fraud notifications, and to block all transactions involving such users or accounts except for refunds. Furthermore, Pix participants are required to create and accept fraud notifications, allowing the marking of individual or corporate taxpayer numbers (CPF or CNPJ) linked to specific fraudulent Pix transactions, and the resolution provides that notifications of non-compliance, corrective action plans, and penalties, including suspension and exclusion from Pix, may be applied in cases of failure to comply with these obligations.
On 30 September 2025, the Central Bank of Brazil (BCB) Resolution No. 506, adopted by the BCB on 26 September 2025, was published in the Official Gazette of the Union and entered into force with grace periods for compliance following its publication. The resolution amends BCB Resolution No. 1 of 12 August 2020, which establishes the Pix payment scheme and its regulations, to revise authorisation criteria for payment institutions that are not authorised to operate by the BCB and that are Pix participants, to strengthen the scheme’s security mechanisms, and to adjust provisions on penalties applicable to Pix participants. It sets transitional deadlines requiring institutions that joined Pix up to 31 December 2022 to request authorisation to operate by 31 March 2025, those that joined between 1 January 2023 and 30 June 2024 to comply between 1 April and 31 December 2025, and the remainder between 1 January and 1 May 2026. The Resolution also establishes grounds for loss of Pix participant status, including liquidation or bankruptcy, non-compliance with minimum capital and net worth requirements, failure to request authorisation within deadlines, or definitive exclusion penalties, and introduces fraud-prevention measures requiring rejection of Pix key registrations, portability requests and transactions linked to users flagged for transactional fraud, with participants obliged to follow minimum fraud-suspicion criteria defined by the BCB.
On 30 September 2025, Bill No. 4827/2025 was introduced in the Chamber of Deputies. The Bill prohibits providers of sound and image broadcasting services and their ancillary services from making consumer access to transmitted content conditional on the creation of personal accounts, user profiles, or the provision of personal data.
On 30 September 2025, Bill No. 4827/2025 was introduced in the Chamber of Deputies. The Bill provides that television receivers placed on the market must enable direct and complete access to broadcasting and retransmission services without requiring any external device not supplied with the product. During a ten-year technological transition period defined by the Bill, receivers must also support both existing and new broadcasting standards simultaneously, in line with the regulatory schedule set by the federal government.
On 30 September 2025, the Central Bank of Brazil (BCB) adopted the Pix “dispute button”. The feature applies to all Pix users and allows digital contestation of transactions in cases of fraud, scams, or coercion. Pix is an instant payment system created by the Bank, allowing users to make bank transfers between accounts using QR codes or Pix keys. When a dispute is filed, the scammer’s bank must block funds immediately, and both banks have up to seven days to review the case, with refunds issued within eleven days if fraud is confirmed. The feature does not cover commercial disagreements, mistaken payments, or disputes involving bona fide third parties.
On 30 September 2025, Bill No. 4827/2025 was introduced in the Chamber of Deputies. The Bill requires that the advertising and packaging of electronic devices primarily intended for audiovisual consumption or internet application access clearly and legibly indicate their compatibility with sound and image broadcasting services and related ancillary services.
On 30 September 2025, Bill No. 4827/2025 was introduced in the Chamber of Deputies. The Bill requires prior authorisation from the competent authority for the operation of shared broadcasting channels and assigns the federal government responsibility for organising frequency allocation and establishing rules for transitional use.
On 30 September 2025, Bill No. 4827/2025 was introduced in the Chamber of Deputies. The Bill prohibits manufacturers of television receivers from favouring their own or third-party audiovisual products and services over broadcasting services and the unified communication and public services platform.
On 29 September 2025, Bill No. 4811/2025 was introduced in the Chamber of Deputies. The Bill amends Article 628-A of the Consolidation of Labour Laws (CLT), approved by Decree-Law No. 5,452 of 1 May 1943, to add a new paragraph exempting legal entities without employees or other labour or social security obligations from mandatory registration in the Electronic Labour Domicile (DET). The exemption applies to legal entities such as micro-entrepreneurs and companies without workers, which, under the current regulation (Decree No. 11,904/2024), are obliged to register in the DET despite not maintaining employment relations. The proposed amendment establishes that such entities will only be required to register within 30 days of the first event generating labour or social security obligations, as defined in the regulation. The justification notes that the DET was created under Law No. 14,621/2021 to streamline communication between labour inspectors and employers, but its application to entities without employees creates unnecessary bureaucratic burdens. The measure aligns the DET with practices under systems such as eSocial, which already exempts micro-entrepreneurs without employees from equivalent registration requirements.
On 29 September 2025, the Administrative Council for Economic Defence (CADE) closed the consultation on its investigation into Google for alleged abuse of dominance in the advertising sector. Originally, Google was alleged to have abused its dominant position in the advertising sector by including restrictive clauses in its contracts with advertisers, thereby restricting advertisers from using other search platforms, in order to self-preference its Google AdWords service. In 2019, CADE found no anti-competitive effects and no such restrictions. The inquiry invites civil society, including associations, class entities, third sector organisations, academics, and other interested parties, to submit technical and factual contributions that could assist the analysis of the case. The points address the effects of changes in algorithms and artificial intelligence tools on news traffic, the remuneration of journalistic content, and the impact of the integration between search and digital advertising.
On 26 September 2025, the Ministry of Development, Industry, Commerce, and Services (MDIC) opened a public consultation, until 26 October 2025, to define the list of data centre equipment eligible for the Special Taxation Regime for Data Centre Services (Redata), established by Provisional Measure No. 1,318 of 17 September 2025. The consultation invites contributions on technical specifications of hardware, software, and infrastructure equipment to be included in the exemption list, as well as on environmental sustainability criteria such as energy and water efficiency, renewable or clean energy usage, and other environmental practices required for eligibility. Redata forms part of the National Data Centre Policy (PNDC) under the New Industry Brazil (NIB), Mission 4 (Digital Transformation), linking tax incentives to research and development commitments, domestic market allocation requirements, and regional decentralisation measures that reduce counterparts for investments in the North, Northeast, and Central-West regions.
On 26 September 2025, the Central Bank of Brazil (BCB) adopted Resolution No. 506, amending Resolution No. 1 of 12 August 2020 to introduce cybersecurity provisions in the Pix payment scheme. The resolution establishes that Pix participants may only set transaction limits based on criteria for mitigating risks of fraud and breaches of anti-money laundering and counter-terrorism financing regulations, and requires participants to adopt minimum criteria defined by the BCB for assessing suspected fraud in Pix transactions. It further obliges participants to reject requests for Pix key registrations, portability, or possession claims when users are associated with transactional fraud notifications, and to block all transactions involving such users or accounts except for refunds. The resolution also requires Pix participants to create and accept fraud notifications, allowing the marking of individual or corporate taxpayer numbers (CPF or CNPJ) linked to specific fraudulent Pix transactions, and establishes that notifications of non-compliance, corrective action plans, and penalties, including suspension and exclusion from Pix, may be applied in cases of failure to comply with these obligations.
Last updated: 17/03/2026