Compliance Guide · Digital ECA · Step by Step · In effect March 17, 2026

Brazil Digital ECA Compliance Guide: How to Comply with the FELCA Law (2026)

Brazil's Digital ECA (FELCA Law, Law 15.211/2025) is now in force. This guide covers everything a developer or product team needs to implement compliant age verification — from choosing the right method for your platform type to integrating the API and logging for ANPD audits.

⚠️ Law in force — March 17, 2026

Platforms without compliant age verification are subject to fines of up to BRL 50 million or 10% of annual revenue in Brazil, service suspension, and permanent bans.


Quick Reference: What Verification Do You Need?

| Platform Type | CPF Age Check | Face Liveness | Risk Level |
|---|---|---|---|
| Social media / community apps | ✅ Required | ⚪ Optional | 🟡 Medium |
| Online games (16+/18+) | ✅ Required | ⚪ Optional | 🟡 Medium |
| Sports betting / gambling | ✅ Required | ✅ Recommended | 🔴 High |
| Streaming with adult content | ✅ Required | ✅ Recommended | 🔴 High |
| Adult content platforms | ✅ Required | ✅ Required | 🔴 Critical |
| E-commerce (alcohol/tobacco) | ✅ Required | ⚪ Optional | 🟡 Medium |
| Fintech / financial services | ✅ Required | ✅ Recommended | 🔴 High |

Step-by-Step Implementation

1. Add a CPF field to your registration form

Add a CPF input to your sign-up form. In Brazil, users are accustomed to providing their CPF — it is requested by banks, utilities, and most services. Display a brief explanation: "Required by Law 15.211/2025 for age verification."

UX best practices:

  • Auto-format CPF as the user types: 000.000.000-00
  • Validate the check digits client-side before sending to API
  • Show a small lock icon with "Secure — we don't store your CPF"
  • Explain why you are collecting it (legal requirement)
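
An added example (not part of the original guide and not FlagCheck's code) of the check-digit validation and 000.000.000-00 masking from the list above. The function names are illustrative; the same check can be repeated on the server, since a browser-side check can be skipped by the client.

```javascript
// Strip everything except digits: "123.456.789-09" -> "12345678909".
function normalizeCpf(input) {
  return String(input).replace(/\D/g, "");
}

// One check digit over the leading digits; weights count down to 2.
function checkDigit(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    sum += Number(digits[i]) * (digits.length + 1 - i);
  }
  const rest = (sum * 10) % 11;
  return rest === 10 ? 0 : rest;
}

// True when the value has 11 digits and both check digits match.
function isValidCpf(input) {
  const cpf = normalizeCpf(input);
  if (cpf.length !== 11) return false;
  // Repeated-digit strings (000..., 111...) satisfy the arithmetic
  // but are conventionally rejected as placeholder values.
  if (/^(\d)\1{10}$/.test(cpf)) return false;
  return (
    checkDigit(cpf.slice(0, 9)) === Number(cpf[9]) &&
    checkDigit(cpf.slice(0, 10)) === Number(cpf[10])
  );
}

// Progressive mask for an input field, applied on every keystroke.
function formatCpf(input) {
  return normalizeCpf(input)
    .slice(0, 11)
    .replace(/(\d{3})(\d)/, "$1.$2")
    .replace(/(\d{3})(\d)/, "$1.$2")
    .replace(/(\d{3})(\d{1,2})$/, "$1-$2");
}
```

A passing check only means the number is well formed; whether the CPF exists and belongs to an adult is still decided by the server-side API call in Step 2.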

2. Call the FlagCheck Age Check API

On form submission, call the FlagCheck API with the CPF before creating the user account. The API returns within 2 seconds — fast enough that users don't notice the extra step.

    // server-side (Node.js) — never call client-side
    const verify = await fetch(
      "https://api.flagcheck.com.br/api/felca/age-check",
      {
        method: "POST",
        headers: {
          "X-API-Key": process.env.FLAGCHECK_API_KEY,
          "Content-Type": "application/json"
        },
        body: JSON.stringify({ cpf: req.body.cpf })
      }
    )
    // Keep the full parsed body: Step 3 reads result.meta.timestamp
    const result = await verify.json()
    const { success, data } = result
    // Optional chaining: a response with missing fields is blocked, not a crash
    if (!success || !data?.is_adult || data?.document?.valid === false) {
      return res.status(403).json({
        error: "Age verification failed. Platform restricted to adults."
      })
    }

Security note: Always call the API server-side, never from the browser. Exposing your API key client-side allows bypassing the verification.

3. Log the result for ANPD compliance audits

Store the verification result in your database. Never store the raw CPF — store only a SHA-256 hash. This log is your proof of compliance if ANPD investigates.

    const crypto = require("crypto")
    // CPF as submitted in the registration form (Step 2)
    const cpf = req.body.cpf
    // Hash the CPF — never store raw
    const cpfHash = crypto
      .createHash("sha256")
      .update(cpf.replace(/[.-]/g, ""))
      .digest("hex")
    // Store compliance log
    // (result is the full parsed JSON body from Step 2: await verify.json())
    await db.query(`
      INSERT INTO age_verification_log
        (user_id, cpf_hash, result, method, verified_at)
      VALUES (?, ?, ?, ?, ?)
    `, [userId, cpfHash,
      data.is_adult ? "adult" : "minor",
      "cpf_check",
      result.meta.timestamp])

What to log per user:

  • cpf_hash — SHA-256 of the CPF (no raw CPF)
  • result — "adult" or "minor"
  • method — "cpf_check" or "cpf_liveness"
  • verified_at — ISO 8601 timestamp from API
  • cpf_status — "regular", "suspended", etc.
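
An added example (not FlagCheck's code) that builds the log row listed above. It swaps the plain SHA-256 for HMAC-SHA-256 with a server-held key, because a CPF has only nine free digits and an unkeyed hash of it can be matched by enumeration; `cpfDigest`, `buildAuditRow` and the key handling are assumptions.

```javascript
const { createHmac } = require("node:crypto");

// Keyed digest of the CPF. The last two CPF digits are derived from the
// first nine, so the input space is small; the HMAC key, kept outside the
// database, is what stops someone holding only the log from matching rows.
function cpfDigest(cpf, key) {
  const digits = String(cpf).replace(/\D/g, "");
  if (digits.length !== 11) throw new Error("CPF must have 11 digits");
  if (!key || key.length < 32) throw new Error("HMAC key must be >= 32 bytes");
  return createHmac("sha256", key).update(digits).digest("hex");
}

// Build the row described under "What to log per user".
// The raw CPF is used only to compute the digest and never enters the row.
function buildAuditRow(event, key) {
  const { userId, cpf, isAdult, method, verifiedAt, cpfStatus } = event;
  if (!["cpf_check", "cpf_liveness"].includes(method)) {
    throw new Error("unknown method: " + method);
  }
  if (Number.isNaN(Date.parse(verifiedAt))) {
    throw new Error("verified_at must be an ISO 8601 timestamp");
  }
  return {
    user_id: userId,
    cpf_hash: cpfDigest(cpf, key),
    // Strict comparison: anything other than boolean true is logged as minor.
    result: isAdult === true ? "adult" : "minor",
    method,
    verified_at: verifiedAt,
    cpf_status: cpfStatus,
  };
}
```

The key would come from a secret store rather than the database that holds the log, and the same key has to be kept for as long as rows need to be matched to a CPF again.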

4. Block or allow — and handle edge cases

Handle all result scenarios explicitly:

  • is_adult: true + status: regular → Allow registration
  • is_adult: false → Block. Show: "This platform is for adults only." Do not create account.
  • status: suspended or cancelled → Block. CPF is invalid. Ask user to contact support.
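
Added example, not FlagCheck's code: the scenarios above as one fail-closed decision function. The `success`, `data.is_adult` and `data.document.valid` fields come from Step 2; reading the CPF status from `data.document.status`, the reason codes and the retry message are assumptions.

```javascript
const BLOCK_MINOR = "This platform is for adults only.";
const BLOCK_INVALID = "We could not validate this CPF. Please contact support.";
const BLOCK_RETRY = "We could not verify your age. Please try again later.";

// Map the parsed age-check response to an explicit decision.
// Only a positive, well-formed verdict allows registration.
function decide(response) {
  const data = response && response.data;
  // Timeout, non-JSON body or success !== true: no verdict, so block.
  if (!data || response.success !== true) {
    return { allow: false, reason: "unverified", message: BLOCK_RETRY };
  }
  const doc = data.document || {};
  // Suspended, cancelled, missing or otherwise non-regular CPF.
  if (doc.valid === false || doc.status !== "regular") {
    return { allow: false, reason: "cpf_invalid", message: BLOCK_INVALID };
  }
  // Strict type check: "true", 1 or a missing field must not pass.
  if (typeof data.is_adult !== "boolean") {
    return { allow: false, reason: "unverified", message: BLOCK_RETRY };
  }
  if (data.is_adult === false) {
    return { allow: false, reason: "minor", message: BLOCK_MINOR };
  }
  return { allow: true, reason: "adult", message: null };
}
```

The account is created only when `allow` is true; the `reason` value is for the audit log and should not be more detailed in the user-facing message than the texts above.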

5. (High-risk platforms) Add face liveness verification

For sports betting, adult content, fintech, and other high-risk categories, add a face liveness step after the CPF check. This prevents minors from registering using a parent's or sibling's CPF.

Liveness flow:

  1. User passes CPF age check (Steps 2–4 above)
  2. Prompt user to take a live selfie via webcam/camera
  3. Send selfie + CPF to FlagCheck liveness endpoint
  4. API returns match score and liveness confirmation
  5. Allow registration only on successful match

Common Mistakes to Avoid

❌ Wrong: Relying on "I am 18+" checkbox or unvalidated date-of-birth
✅ Correct: Explicitly banned by the Digital ECA. Replace with CPF age check immediately.

❌ Wrong: Calling the verification API from the browser (client-side)
✅ Correct: Exposes your API key and allows bypass. Always call server-side.

❌ Wrong: Storing raw CPF numbers in your database
✅ Correct: Store SHA-256 hashes only. Raw CPFs are sensitive personal data under LGPD.

❌ Wrong: Assuming app store age signals are sufficient on their own
✅ Correct: The Digital ECA requires platform-level verification — app store signals are supplementary.

❌ Wrong: No audit log of verifications
✅ Correct: Without logs, you cannot prove compliance to ANPD. Log every verification event.


Ready to Implement? Start in Minutes.

Get your FlagCheck API key and follow this guide. FELCA Age Check (CPF → is_adult) and FELCA Selfie (face liveness) — both endpoints production-ready and LGPD-compliant.

  • FELCA Age Check: CPF → is_adult in < 2s
  • FELCA Selfie: Face liveness + biometrics
  • LGPD Compliant: No CPF stored · Audit logs

Frequently Asked Questions

Do I need to verify age at every login or just at sign-up?
For most platforms, a one-time verification at registration is sufficient — you record the verification result and do not repeat it on each login. For high-risk platforms such as adult content sites, re-verification may be advisable after extended periods of inactivity. Check with your legal team for your specific use case.

What about foreign users without a Brazilian CPF?
The Digital ECA applies to Brazilian users. For foreign users accessing your platform from Brazil, the law allows equivalent age verification methods — typically a passport or national ID from their country of origin. In practice, many platforms detect Brazilian IPs and trigger CPF verification for those users.

Can I rely on Apple or Google age signals to comply?
App store age signals (such as Apple's Declared Age Range API) are one layer of compliance. However, the Digital ECA places direct responsibility on the platform — app store signals supplement but do not replace your own verification obligation. You must implement platform-level verification regardless of what app stores provide.

What records do I need to keep for ANPD audits?
For each verified user, log: the verification timestamp, the method used (CPF check, liveness, etc.), the CPF hash (SHA-256 — never the raw CPF), and the result (adult/minor). Store this log for at least 5 years. This creates the paper trail needed to demonstrate compliance during an ANPD investigation.

What should I show users who fail age verification?
Display a clear message explaining that the platform is restricted to adults and that their age could not be confirmed. Do not create the account or grant access. You may suggest they contact support if they believe there is an error. Do not retain any personal data from the failed verification.

Is there a grace period for non-compliance?
No. The Digital ECA took effect on March 17, 2026, with no additional grace period. ANPD can open investigations against non-compliant platforms from that date. However, enforcement tends to prioritize the largest platforms first — smaller services have some practical buffer, but no legal protection.

How does LGPD interact with the Digital ECA?
Both laws apply simultaneously. The Digital ECA mandates age verification; LGPD governs how you collect, process, and store the data used for that verification. Key rules: collect minimum necessary data, do not store CPF numbers (store hashes only), obtain appropriate consent, and apply extra protections to any data related to minors.
