Joined 2 years ago
Cake day: May 11th, 2024

  • It’s government trying to control people all over again.

    … Are you going to argue the current state of affairs in Brazil where international multibillion-dollar companies directly earn money from child exploitation done in their “social networks” and don’t want to collaborate with Brazil’s judicial system most of the time, or argue they can’t do anything, or that they can’t be liable for the user-generated content… is all fine?

    This law mainly intends to create judicial means to make those companies that control big social networks that are widely used in Brazil more responsible towards previously existing laws, by making them liable to implement mitigatory measures to restrict access of children (or any person under 18) to content forbidden by Brazilian law (deemed as inappropriate for such ages).

    Also, I don’t know what the hell you think, but like, Brazil is not the USA where the federal government does not have info on all citizens.

    Here in Brazil virtually 100% of citizens already have official government IDs, where the person’s “biometry” is collected (fingerprints and user facial photo), which basically associates a person’s very sensitive info (full name, place and date of birth, affiliation, photo, fingerprints) with a government unique ID (CPF). Brazilians are basically obliged to get such ID at birth. There are laws (LGPD) that force the federal government to be very careful whilst storing and handling such data, and give citizens rights to sue anyone, private companies or the government itself, if their data is mishandled or collected and used for different means than what the person allowed for such data to be used. Also, there already exists the “gov.br” app, which stores citizens’ facial 3D info for more than like, half of the population.

    So, if anything, you are like, 30 years late into government “controlling” people in Brazil.

    Bolsonaro (Flávio) will probably make an argument saying that under him people will be free from control or something like that, but it’s just bullshit. What we would get under him is Brazilian ICE (Internal Customs Enforcement - isn’t that funny).

    If that’s your concern, be sure the government already possesses all this data, but, unlike the USA, there are government workers here at multiple levels that would be a big barrier for such misuse of the data like Elon Musk did with DOGE, collecting data of the US citizens for personal use in a few weeks. First, anyone to do that would have to get rid of “stability” of the public servants, so all public servants at such positions in Brazil could be replaced by people politically aligned to the government, and/or all public companies that handle sensitive data for the government, like DATASUS and SERPRO, would have to be privatized.


  • Speaking as a Brazilian resident, the law will not be enforced. No such laws are ever enforced here. Everybody openly pirates everything, people sell retro gaming systems preloaded with thousands of ROMs openly online and in physical shops, and the government doesn’t even have 1% of the surveillance infrastructure needed to make enforcement attractive. The law is just electoral posturing and lip service to please evangelical idiots… but I repeat myself.

    The law will most likely be enforced where it matters: smartphones from companies that “manufacture” them in Brazil (which is like 90% of market share of smartphones in Brazil).

    So both Android and iOS will most likely start requiring some official ID to be provided or facial recognition to set up the device and/or to access either Play Store or App Store, which yeah, seems a bit concerning.

    Also, if you read the law: https://www.planalto.gov.br/ccivil_03/_ato2023-2026/2025/lei/L15211.htm, or in this PDF in English: https://www.gov.br/mdh/pt-br/assuntos/noticias/2025/novembro/brasil-apresenta-avancos-em-seguranca-digital-da-infancia-e-lanca-eca-digital-em-ingles-durante-cupula-social-do-g20-na-africa-do-sul/eca-digital-ing-v2.pdf?ref=itsfoss.com, you can see the only thing an operating system (that does not come with under 18 age improper content, like pornographic content, in its installation media) really needs to implement is a self-declaration of being “age appropriate” to use the system, otherwise deny the installation of the OS.

    Art. 12. Providers of internet application stores and terminal operating systems shall:

    I – take proportional, auditable, and technically secure measures to ascertain the age or age range of users, subject to the principles provided for in Art. 6 of Law No. 13,709, of August 14, 2018 (Brazilian Data Protection Law);

    II – allow parents or legal guardians to configure voluntary parental supervision mechanisms and to actively supervise the access of children and adolescents to applications and content; and

    III – enable, by means of a secure Application Programming Interface (API) guided by privacy protection by default, the provision of an age signal to internet application providers, exclusively for the fulfillment of the purposes of this Law and with adequate technical safeguards.

    § 1. The provision of an age signal by means of APIs shall observe the principle of data minimization, with any continuous, automated, and unrestricted sharing of personal data of children and adolescents being prohibited.

    § 2. Authorization for the download of applications by children and adolescents shall depend on the free and informed consent of parents or legal guardians, given in accordance with current legislation, respecting progressive autonomy, with the presumption of authorization being prohibited in the absence of a statement from the parents or legal guardians.

    § 3. An act of the Executive Branch shall regulate the minimum requirements of transparency, security, and interoperability for the age verification and parental supervision mechanisms adopted by operating systems and application stores.

    The part where the operating system must implement age verification is here:

    Art. 12. Os provedores de lojas de aplicações de internet e de sistemas operacionais de terminais deverão:

    I – tomar medidas proporcionais, auditáveis e tecnicamente seguras para aferir a idade ou a faixa etária dos usuários, observados os princípios previstos no art. 6º da Lei nº 13.709, de 14 de agosto de 2018 (Lei Geral de Proteção de Dados Pessoais);

    Which has been officially translated in the PDF to:

    Art. 12. Providers of internet application stores and terminal operating systems shall:

    I – take proportional, auditable, and technically secure measures to ascertain the age or age range of users, subject to the principles provided for in Art. 6 of Law No. 13,709, of August 14, 2018 (Brazilian Data Protection Law);

    The II there, that states:

    II – allow parents or legal guardians to configure voluntary parental supervision mechanisms and to actively supervise the access of children and adolescents to applications and content; and

    Is totally optional, there’s no way any judge in Brazil could enforce that as mandatory to be implemented in all OSes and punish any OS that denies installation for under 18 age citizens of Brazil and does not provide such parental supervision mechanisms.

    Now, for any digital media or computer application that either contains or provides direct access to age restricted content from the internet I suppose article 9 applies:

    Art. 9. Providers of information technology products or services that make available content, products, or services whose offer or access is improper, inadequate, or prohibited for persons under 18 (eighteen) years of age shall adopt effective measures to prevent their access by children and adolescents within the scope of their services and products.

    § 1. To effectuate the provision of the caput, reliable age verification mechanisms shall be adopted for each user access to the content, product, or service referred to in the caput of this article, with self-declaration being prohibited.

    § 2. For the purposes of this Law, information technology products, services, or content that contain pornographic material, or any others prohibited by current legislation, are considered improper or inadequate for children and adolescents.

    § 3. Internet application providers that make pornographic content available shall prevent the creation of accounts or profiles by children and adolescents within the scope of their services.

    So, yeah, if you are providing an operating system that itself comes with any age restricted content as Brazilian law stipulates (such as pornographic content), I think self-reporting of age would be damned insufficient due to § 1º there:

    Art. 9. Providers of information technology products or services that make available content, products, or services whose offer or access is improper, inadequate, or prohibited for persons under 18 (eighteen) years of age shall adopt effective measures to prevent their access by children and adolescents within the scope of their services and products.

    § 1. To effectuate the provision of the caput, reliable age verification mechanisms shall be adopted for each user access to the content, product, or service referred to in the caput of this article, with self-declaration being prohibited.

    If there’s anything I’m missing here please point it out.


  • There are many tiers of private information.

    You can definitely collect a lot of useful telemetry data without collecting any of the, let’s say, “most sensitive” private information.

    Just to exemplify:

    • you can collect telemetry on the most accessed features of a software and associate it with their location: whilst collecting their location you can definitely choose between having the person’s specific location (GPS coordinates with a few meters of accuracy) or their broad location (i.e.: their city, state, or country).

      • with the broad location you can have insights on how users of your software behave per region and plan actions for those regions accordingly.

    Collecting someone’s specific location is definitely way more sensitive than their broad location…

    And the full content of all textual documents a person generates has a very high chance of containing their most sensitive private information…