De’Onna Nixson, Associate Member, Immigration and Human Rights Law Review
I. Introduction
“Brazil has stepped forward as the first country in Latin America to pass a dedicated law to protect children’s online privacy and safety.”[1] As technology evolves faster than regulations, children have been left vulnerable in online spaces.[2] The COVID-19 pandemic brought this issue to light.[3] As classrooms moved online, many parents did not realize that the price of their children’s education was often their privacy, as educational technology platforms quietly collected students’ data, often without parental consent.[4] Additionally, some artificial intelligence (AI) training companies have repurposed seemingly harmless photos of Brazilian children—without their consent—to train AI tools.[5] Children’s privacy is routinely compromised when legal frameworks are weak or outdated.
In response, Brazil’s Senate passed the ECA Digital law in August 2025, and President Luiz Inácio Lula da Silva quickly signed it into law the following month.[6] The statute targets technology companies with services likely to be used by children and aims to curb harmful practices such as invasive tracking and exploitative data use.[7] This blog highlights two key provisions: (1) prohibiting the misuse of children’s personal data in ways that violate their rights, and (2) banning behavioral advertising based on children’s online activity.[8]
The Convention on the Rights of the Child (CRC) is an international treaty that recognizes children’s rights to privacy, dignity, and protection of their best interests.[9] Accordingly, safeguards are meant to ensure not only that a child’s personal information is shielded from arbitrary or unlawful interference, but also that the child’s development and well-being remain at the center of all decisions that affect them.[10] Brazil’s new ECA Digital law represents a significant step in protecting children’s rights in the digital space. It advances long-overdue safeguards against harmful practices such as online profiling and AI data exploitation, while signaling a broader commitment to children’s well-being in digital spaces.[11]
II. Background
While the ECA Digital signals a turning point, Brazil’s commitment to children’s rights predates 2025.[12] For decades, Brazil has adhered to international and domestic legal frameworks that recognize the need to protect children’s privacy and well-being.[13] For example, Brazil ratified the CRC in 1990, creating an international obligation to safeguard children’s privacy rights.[14]
More specifically, Article 16 of the CRC protects children from arbitrary or unlawful interference with their privacy, family, home, or correspondence.[15] Under this provision, the CRC Committee has recommended that states take steps to safeguard children’s personal data.[16] Governments must also establish measures to prevent parties who are not authorized by law from accessing or misusing children’s information and guarantee that both children and parents have the right to access, correct, or delete data that is inaccurate or obtained without consent.[17] In addition, Article 3 requires that the best interests of the child be a primary consideration in all actions that affect them, placing a duty on entities like businesses that provide services to or are used by children to ensure their practices respect and protect children’s privacy and well-being.[18] These human rights are undermined when children are subjected to invasive data collection, intrusive online surveillance, and other harmful digital practices that disregard their privacy and best interests.
Domestically, Brazil has developed measures to help ensure these international commitments. In 1990, Brazil enacted the Statute of the Child and Adolescent (ECA), which guarantees children special care and protection, including rights to education, health, dignity, and safety.[19] The National Council for the Rights of Children and Adolescents (CONANDA), created under the ECA, is a federal body responsible for overseeing the implementation of these special protections.[20]
In April 2024, CONANDA adopted Resolution No. 245 to address challenges children face in digital spaces.[21] Resolution No. 245 upholds children’s rights, including their right to privacy, freedom of expression, and access to information, while also recognizing that their best interests must always come first.[22] To ensure these rights are protected, the resolution requires technology companies to implement safeguards, such as age verification systems and content controls.[23]
Despite these domestic measures, protections proved insufficient in protecting children’s privacy rights online.[24] In June 2025, the U.N. Committee on the Rights of the Child criticized Brazil for inadequate protections for children on digital platforms.[25] The Committee urged Brazil to strengthen safeguards for children’s personal data, ensure effective implementation of Resolution No. 245, prohibit the use of children’s data in training AI systems, and swiftly pass proposed legislation targeting AI-generated pornographic content.[26]
III. Discussion
The ECA Digital addresses the shortcomings of its prior digital safeguards and strengthens its commitment to children’s privacy online.[27] The rapid expansion of AI and the integration of education into digital platforms exposed significant gaps in Brazil’s previous efforts to safeguard children’s privacy.[28] Weak oversight and enforcement, like behavioral tracking and unauthorized use of images in AI training, have allowed both public and private entities to collect and misuse children’s personal data.[29] While the ECA Digital addresses Brazil’s previous shortcomings regarding children’s privacy online, there are still concerns about its enforcement and overlap with other children’s rights.[30]
A. Profiling Children Online
During the COVID-19 pandemic, many children worldwide had no choice but to continue their education online.[31] What seemed like a neutral or even helpful adaptation to remote learning came at an unexpected cost: children’s privacy.[32] School tracking a student’s location or activity during school hours might not appear too concerning. However, in Brazil, some educational websites monitored a child’s virtual movements across various apps and devices throughout the day, transmitting this data to third parties.[33] These trackers did not stop at students’ browsing behavior.[34] In some cases, the trackers reached further into devices, extracting contact lists and collecting data about family members and friends to map social connections and how children are influenced.[35]
Education secretariats in Minas Gerais and São Paulo owned and operated educational websites that engaged in this type of data sharing.[36] According to Human Rights Watch, these state-run educational sites “sent children’s data to third-party companies, using tracking technologies designed for advertising.”[37] Children using the states’ official online education portals risked having their personal information collected and used for commercial purposes, despite the states endorsing these platforms for educational purposes.[38]
A particularly concerning example was Escola Mais, an educational website endorsed by São Paulo for elementary and high school students.[39] Escola Mais permitted third-party companies to monitor and record user behavior on their site, but the surveillance extended beyond basic metrics.[40] These third-party companies collected data by surveilling children’s personalities and preferences to create profiles and build behavioral predictions.[41] During the investigation, Human Rights Watch learned that the platform utilized keylogging software: technology that captures everything a user types, including names and passwords.[42] Companies have used keylogging to deanonymize children, linking them to real names and postal addresses before they had an opportunity to consent.[43]
For children, whose digital literacy is still developing, this surveillance represents a serious violation of both privacy and trust in online education platforms. While the use of surveillance in educational websites revealed how children’s day-to-day activities could be harvested and profiled, the risks extended even further.
B. Misuse of Children’s Personal Data
Another alarming consequence of weak digital protections is the use of children’s photos to train AI tools.[44] Human Rights Watch reported that LAION-5B, a massive open-source dataset developed to train AI models, included images of Brazilian children without their knowledge or consent.[45] Once included in this dataset, a child’s photo is no longer just an isolated image; it becomes part of a larger dataset.[46] These pictures could often be linked back to identifying details such as the child’s name, the time the photo was taken, and even the location where it was captured.[47]
Moreover, the documented history of AI models leaking identical images and private information from their training data raises additional concerns.[48] Malicious actors are already exploiting these capabilities to generate nonconsensual explicit material, misappropriate likeness, and create harmful deepfakes.[49] Children’s likenesses are treated as free, unregulated training material for technologies that extend far beyond the context in which the photo was shared initially.[50] Children’s right to privacy is supposed to receive special protection, but the nonconsensual inclusion of their images in AI datasets represents a significant failure to safeguard their dignity and safety.
The scale of this problem highlights the limits of current protections. Human Rights Watch found 170 identifiable photos of children from at least ten Brazilian states on LAION-5B.[51] Yet these photos represent only a fraction of the dataset.[52] Out of 5.85 billion images included in LAION-5B, just 0.0001 percent were reviewed.[53] Consequently, an overwhelming majority of the data remains unchecked. Recognizing the risks posed by uncontrolled data practices, Brazil has turned to legislative reform in 2025 to enhance the protection of children’s privacy.[54]
C. 2025 Bill: Closing the Gaps
The examples above highlight how previous protections have failed to prevent serious intrusions into children’s privacy. The ECA Digital addresses these failures by banning the profiling of children for behavioral advertising and prohibiting online services from using children’s personal data in ways that violate their rights.[55] Its ban on profiling children for behavioral advertising prevents websites from continuing to use invasive behavioral advertising techniques that target children.[56] Moreover, the law also creates a duty for companies to remove content that violates children’s rights when the victims or officials notify them.[57] The new law establishes clearer guidelines for how technology companies can handle children’s data privacy and prioritize the child’s best interests at the center of digital governance.[58]
By restricting invasive data collection, prohibiting behavioral profiling, and requiring companies to safeguard children’s personal information, the law reinforces the protection against unlawful interference with a child’s privacy under Article 16 of the CRC.[59] At the same time, its focus on placing the child’s well-being at the center of the digital governance aligns with Article 3’s requirement that the best interest of the child be a primary consideration in all actions that affect them.[60]
However, questions remain about the effectiveness of the ECA Digital.[61] While the new law advances privacy protections, its effectiveness will depend on how well Brazil enforces compliance and oversight management.[62] Moreover, implementation challenges may arise in balancing privacy with other rights of the CRC.[63] For example, if companies fail to meet the law’s standards, they could face restrictions that unintentionally limit children’s access to educational or social platforms, potentially conflicting with Article 17 of the CRC, which recognizes a child’s right to have access to information.[64]
Similarly, the ECA Digital will require companies to review their policies regarding age verification and end-to-end encryption to comply with the law.[65] End-to-end encryption, which ensures that only the sender and recipient can access the content of private messages, could be undermined if entities are obligated to monitor or scan communications for potential violations.[66] Additionally, stricter age-verification measures may lead to excessive data collection, opening children up to new risks of privacy breaches and misuse.[67] Ultimately, the ECA Digital is an excellent step in the right direction, but there are still concerns regarding enforcement and finding the balance between protecting children’s privacy and technological realities.
IV. Conclusion
Brazil’s past legal frameworks offered safeguards for children in the digital space but failed to prevent serious intrusions into children’s privacy, from classroom surveillance to AI data misuse.[68] The ECA Digital closes these gaps by banning behavioral advertising targeting children and restricting the misuse of children’s personal data.[69] To comply with the ECA Digital, companies must review their policies to meet regulatory requirements, including updates to age-verification systems, privacy policies, and parental control or reporting mechanisms.[70]
The law is a significant step toward protecting children’s digital rights, but its success depends on enforcement against powerful technology companies. Brazil now has the opportunity to lead by example in the global effort to safeguard children’s privacy.
[1] Brazil Passes Landmark Law to Protect Children Online, Hum. Rts. Watch (Sept. 17, 2025 5:30PM EDT), https://www.hrw.org/news/2025/09/17/brazil-passes-landmark-law-to-protect-children-online [https://perma.cc/HGE5-K54R] [hereinafter Landmark Law].
[2] Hye Jung Han, Brazil One Step Away from Protecting Children Online, Hum. Rts. Watch (Aug. 27, 2025 5:50PM EDT), https://www.hrw.org/news/2025/08/27/brazil-one-step-away-from-protecting-children-online [https://perma.cc/JL2A-LWUS]; Fernando Bousso & Matheus Botsman, Inside Brazil’s child online safety bill, IAPP (Sept. 3, 2025), https://iapp.org/news/a/inside-brazil-s-child-online-safety-bill [https://perma.cc/L95W-YS8A].
[3] Brazil: Online Learning Tools Harvest Children’s Data, Hum. Rts. Watch (Apr. 4, 2023), https://www.hrw.org/news/2023/04/03/brazil-online-learning-tools-harvest-childrens-data [https://perma.cc/L5D6-PX3S] [hereinafter Online Learning Tools].
[4] Id.
[5] Brazil: Children’s Personal Photos Misused to Power AI Tools, Hum. Rts. Watch (June 10, 2024), https://www.hrw.org/news/2024/06/10/brazil-childrens-personal-photos-misused-power-ai-tools [https://perma.cc/B87B-H9TG] [hereinafter Photos Misused to Power AI Tools].
[6] Han, supra note 2; Landmark Law, supra note 1.
[7] Landmark Law, supra note 1.
[8] Id.
[9] G.A. Res. 44/25, Convention on the Rights of the Child (Nov. 20, 1989) [hereinafter CRC].
[10]General comment No. 25 on children’s rights in relation to the digital environment, at ¶ 13, U.N. Doc. CRC/C/GC/25 (Mar. 2, 2021).
[11] Landmark Law, supra note 1.
[12] Ellen Nemitz, The 30 Years of Childhood Protection In Brazil, Fair Planet (July, 14, 2020), https://www.fairplanet.org/editors-pick/the-30-years-of-childhood-protection-in-brazil/ [https://perma.cc/C9JM-3M6W].
[13] Id.
[14] CRC, supra note 9.
[15] CRC, supra note 9, at art. 16.
[16] John Tobin & Sarah M Field, Article 16. The right to Protection of Privacy, Family, Home, Correspondence, Honour, and Reputation, 2019 Oxford Comment. Int’l L. 555, 571.
[17] Id.
[18] CRC, supra note 9, at art. 3.
[19] Statute of the Child and Adolescent (ECA), Law No. 8,069, of July 13, 1990, Official Gazette of the Union [D.O.U.], July 13, 1990 (Braz.).
[20] Thamy Pogrebinschi, National Council for the Rights of Children and Adolescents, LATINNO (2017) https://www.latinno.net/en/case/3101/ [https://perma.cc/55LY-A4W2].
[21] Resolution No. 245 of Apr. 5, 2024, National Council for the Rights of Children and Adolescents (Brazil), Official Gazette of the Union [D.O.U.], Apr. 5, 2024.
[22] Id.
[23] Id.
[24] Han, supra note 2.
[25] U.N. Comm. on the Rights of the Child Press Release CRC/25/2025, Committee Publishes Findings on Brazil, Indonesia, Iraq, Norway, Qatar and Romania (June 5, 2025).
[26] Id.
[27] Han, supra note 2; Landmark Law, supra note 1.
[28] Landmark Law, supra note 1; Online Learning Tools, supra note 3.
[29] Id.
[30] Mariana Olaizola Rosenblat, How Brazil’s ECA Digital Can Protect Kids Without Compromising Encryption, (Sept. 24, 2025), https://bhr.stern.nyu.edu/quick-take/how-brazils-eca-digital-can-protect-kids-without-compromising-encryption/ [https://perma.cc/6BK2-Y9XZ]; CRC, supra note 9, at art. 17.
[31] Online Learning Tools, supra note 3.
[32] Id.
[33] Id.
[34] Id.
[35] Id.
[36] Id.
[37] Id.
[38] Id.
[39] Id.
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Photos Misused to Power AI Tools, supra note 5.
[45] Id.
[46] Id.
[47] Id.
[48] Id.
[49] Id.
[50] Id.
[51] Id.
[52] Id.
[53] Id.
[54] Han, supra note 2.
[55] Landmark Law, supra note 1.
[56] Id.
[57] Brazil enacts new law to protect children and adolescents in digital environments, Vella Pugliese Buosi Guidoni (Sept. 19, 2025), https://www.vpbg.com.br/en/insights/articles/2025/september/19/brazil-enacts-new-law-to-protect-children-and-adolescents-in-digital-environments [https://perma.cc/NSW9-U4SH] [hereinafter Law to Protect].
[58] Id.
[59] Tobin, supra note 16.
[60] United Nations Child. Fund [UNICEF], The children’s rights-by-design standard for data use by tech companies, Issue 1, Nov. 2020, at 5, https://www.unicef.org/innocenti/media/1096/file/%20UNICEF-Global-Insight-DataGov-data-use-brief-2020.pdf [https://perma.cc/7EA6-CHHG].
[61] Rosenblat, supra note 30.
[62] Brazil: Digital ECA (Brazil’s Child and Adolescent Statute) – A new framework for online protection of children and adolescents, (Sept. 22, 2025) https://insightplus.bakermckenzie.com/bm/data-technology/brazil-digital-eca-brazils-child-and-adolescent-statute-a-new-framework-for-online-protection-of-children-and-adolescents_2 [https://perma.cc/MP44-RYLJ].
[63] CRC, supra note 9, at art. 17.
[64] Id.
[65] Rosenblat, supra note 30.
[66] Id.
[67] Alana Murray, Huma Chhipa & Johnathan Yerby, Cyber risk, privacy, and the legal complexities of age verification for adult content platforms, 26 Int’l Assoc. for Comput. Info. Sys., 332. (2025).
[68] Landmark Law, supra note 1.
[69] Han, supra note 1.
[70] Law to Protect, supra note 53.
