Brazil’s digital economy is governed by a robust set of legal and regulatory frameworks that establish ongoing compliance obligations for organisations operating in the country. The key components of this framework include the following.

Core Laws and Regulations (Hard Law)

Brazil’s Internet Law (Law No 12,965/2014)

This law sets out fundamental principles for the use of the internet in Brazil, including the following.

• Net neutrality – internet service providers must treat all data, content, and applications equally, with no discrimination or prioritisation of traffic.
• Freedom of expression – users have the right to express opinions and share information online, subject to constitutional and legal limitations.

Decree No 8,771/2016

This decree complements the Internet Law by defining rules for data protection, transparency obligations, and security standards applicable to internet service providers and application providers.

General Data Protection Law (Law No 13,709/2018 – LGPD)

Modelled closely on the EU’s GDPR, the LGPD regulates the collection, processing, storage, and sharing of personal data by both public and private entities.

It requires a lawful basis for processing (such as consent or legitimate interest) and grants data subjects rights including access, portability, and erasure.

The LGPD applies to any organisation that processes personal data belonging to individuals located in Brazil.

Consumer Protection Code (Law No 8,078/1990)

This foundational consumer rights statute applies fully to digital products and services. It establishes strict liability for defective goods and services and prohibits deceptive or misleading advertising. The law reinforces transparency and fairness across digital commercial practices.

E-Commerce Decree (Decree No 7,962/2013)

This decree sets specific rules for e-commerce, requiring clear and accessible information about products, services, pricing, and supplier identification. It also guarantees the seven day right of regret, allowing consumers to return online purchases unconditionally and receive a full refund.

Industry Codes of Conduct (Self-Regulation)

National Council for Advertising Self Regulation (CONAR)

CONAR establishes the primary standards for advertising practices across all media, including digital platforms. Although participation is voluntary, its decisions carry significant weight, as media outlets and platforms routinely remove advertisements found to be non-compliant.

Brazil’s Evolving Regulatory Landscape for the Digital Economy

Brazil’s regulatory framework for the digital economy is undergoing rapid transformation, driven by assertive judicial decisions and multiple legislative initiatives currently under consideration in Congress. The summary below outlines the key legal developments impacting digital services, digital markets, and content governance.

Platform Liability

Article 19 of Brazil’s Internet Law

Brazil is experiencing a significant shift away from its traditional safe‑harbour model. Historically, platforms were only liable for user‑generated content if they failed to comply with a court‑ordered takedown. However, following the Supreme Court’s landmark decisions in RE 1.037.396 and RE 1.057.258, Article 19 was deemed partially unconstitutional.

Under the new framework:

• Platforms may incur civil liability without a prior court order if they do not promptly and proactively remove manifestly unlawful content (eg, terrorism, child exploitation, racism, and violence against women).
• Liability also extends to paid or boosted content when platforms financially benefit and harm results.

ANATEL’s Regulation on Conformity Assessment and Homologation of Telecommunications Products (Resolution No 780/2025, RACHPT)

ANATEL has recently updated its rules governing the certification and homologation of telecommunications products. A notable change is the introduction of joint and several liability for marketplaces and digital platforms that offer non‑certified telecom products.

Regulation on User Duties (in consultation)

ANATEL is currently evaluating new obligations for “large users” of telecommunications services, including Value‑Added Service (VAS) and Over‑the‑Top (OTT) providers. As these entities are legally classified as “users” under the Brazilian Telecommunications Law, the proposal could lead to:

• increased regulatory oversight;
• additional operational and compliance obligations;
• higher transactional costs; and
• potential constraints on innovation.

Content Moderation

Youth Law (Law No 15,2011/2025)

Effective as of 17 March 2026, the Youth Law establishes a comprehensive framework to protect children and adolescents in digital environments. It applies to any digital product or service designed for minors or reasonably likely to be accessed by them.

Key obligations for digital service providers include:

• preventing access to harmful or illegal material (eg, sexual exploitation, violence, and predatory advertising);
• implementing reliable age‑verification systems and parental‑control tools; and
• publishing compliance reports and appointing a legal representative in Brazil.

MisInfo Bill (Bill of Law No 2,630/2020)

This bill aims to enhance accountability and transparency requirements for social media platforms, search engines, and messaging services with ten million or more users in Brazil, regardless of their corporate headquarters. Its goal is to curb online misinformation through stricter platform‑governance obligations.

Market Structure and Competition

Brazilian DMA + DSA (Bill of Law No 2,768/2022)

Often compared to the European Union’s Digital Markets Act, this bill targets large digital platforms perceived as holding gatekeeping power. It applies to companies generating at least BRL70 million in annual revenue from Brazilian users and imposes competitive and non‑discrimination obligations, irrespective of where the company is headquartered.

In Brazil, digital services and goods are taxed under a dual indirect tax system. Digital services fall under ISS, a municipal tax levied at 2–5% on gross income. Goods and many digital products, however, are often subject to ICMS, a state-level VAT generally applied at 18%, even when the transaction is entirely digital. Because there is no clear statutory definition separating services from goods, this structure has historically created significant uncertainty and litigation – especially in areas such as cloud computing, SaaS, streaming, and other technology‑driven business models.

At the federal level, PIS and COFINS apply to gross income from digital transactions at 3.65% or 9.25%. Cross‑border acquisitions of digital services may additionally trigger PIS/COFINS‑Importação (commonly 9.25%), CIDE‑Technology (10%) and withholding income tax (15–25%, depending on the transaction’s characterisation and where the benefit is effectively enjoyed).

Brazil’s ongoing tax reform will significantly reshape this landscape. The new dual‑VAT system (IBS/CBS) introduces a destination‑based consumption tax that replaces the traditional ISS/ICMS split. Under the reformed model, most digital goods and services will receive a unified VAT treatment. This should reduce interpretative disputes but will increase the need for accurate compliance, digital traceability and strong documentation. Although transitional rules extend until 2033, taxpayers must already adapt systems to identify taxable events, determine customer location, and integrate mandatory e‑invoicing.

Main Challenges

Brazil’s tax environment is characterised by frequent legislative changes, decentralised authorities and complex interactions between federal, state and municipal rules. This results in uncertainty for domestic and multinational businesses alike. Companies must navigate divergent interpretations among tax authorities while managing a heavy volume of ancillary obligations – including e‑invoicing, SPED reporting, digital bookkeeping and real‑time transactional controls.

Beyond the volume of obligations, taxpayers face sector‑specific rules and differing tax treatments for similar activities. The ability to take credits (for ICMS and 9.25% PIS/COFINS) often depends on supplier compliance and proper electronic validation of transactions, making continuous supply‑chain monitoring essential.

The tax reform adds another layer of structural challenge. During the transition to the IBS/CBS system, which runs until 2033, taxpayers will need to comply with both the current framework and the new VAT model simultaneously. This will require updating internal systems, managing two sets of reporting requirements, and integrating new digital compliance standards.

In this complex environment, strong tax governance, technology investment and proactive monitoring are critical for businesses seeking to manage risk and maintain compliance.

For many years, advertising activities – including digital advertising – faced significant controversy in Brazil due to a longstanding debate over whether they should be taxed as “services” (ISS) or as “communication services” (ICMS). This dispute generated extensive litigation throughout the country. The inclusion of a specific item for advertising services in the statutory ISS list ultimately resolved this jurisdictional conflict, confirming ISS as the appropriate tax for such activities.

Today, the main challenges no longer stem from the ISS/ICMS debate, but from the way digital advertising businesses structure and deliver their products. Different operational models – such as traditional advertising services, platform‑based solutions, programmatic advertising, or the licensing of digital tools – may result in distinct tax treatments. As digital advertising increasingly relies on technology, algorithms and data, correctly defining the underlying activity has become essential to ensure proper tax treatment and minimise exposure.

Ensuring Compliance

Compliance in the digital advertising sector begins with accurately characterising transactions and understanding how payments flow. While federal taxes such as PIS and COFINS generally apply across models, the nature of each activity determines whether ISS is due, whether withholding income tax applies and, in cross‑border operations, whether PIS/COFINS‑Importação and CIDE are triggered. Clear contractual drafting, detailed documentation, and consistency between contractual terms and actual service delivery are crucial to support the chosen tax characterisation.

Brazil’s tax reform adds further complexity. In addition to creating a new VAT system (IBS/CBS), which will gradually replace ISS, ICMS, PIS and COFINS, the reform introduces significant changes to ancillary obligations and to the mechanics of the non‑cumulative regime – a system that allows companies to offset VAT paid on inputs against VAT due on outputs. Under the new framework, VAT credits will only be recognised if suppliers comply with e‑invoicing rules, accurately report transactions and effectively pay the tax in the preceding stage. For digital advertising companies, these requirements will directly influence pricing, contract terms and platform operations.

Although the transition period extends until 2033, companies should begin preparing now to ensure a smooth and compliant migration to the new system.

In addition to the Consumer Protection Code (Law No 8,078/1990) and the E‑Commerce Decree (Decree No 7,962/2013) described in 1.1 Legal Framework, digital service providers must also comply with the following regulations.

Customer Service Decree (Decree No 11,034/2022)

This decree sets unified customer‑service standards across regulated sectors such as telecommunications. It requires providers to offer omnichannel support, comply with maximum waiting times, and ensure that services can be cancelled through the same channel used for contracting. For example, if a customer subscribes to a service through a mobile app, the option to cancel must also be available within the app.

ANATEL’s Regulation on Telecommunications Services Consumers’ Rights (Resolution No 765/2023)

This regulation outlines the rights of telecommunications service users, with a primary focus on B2C relationships. It may also apply in B2B scenarios when the contracting entity qualifies as a “consumer,” meaning it uses the telecom service as the end user.

To comply with these consumer‑protection standards, companies should implement strong internal procedures, including staff training, clear policies aligned with applicable regulations, and ongoing monitoring and auditing. These practices help ensure transparency, proper handling of requests, and full adherence to regulatory obligations.

Resolution of Consumer Complaints

Disputes in the digital economy are resolved under the broader consumer‑protection framework outlined in 1.1 Legal Framework. In the telecommunications sector, ANATEL administers specific procedures for handling consumer requests and complaints.

Brazil also provides several government‑managed mechanisms for resolving consumer disputes, including the following.

• Consumidor.gov.br – an official online platform that facilitates direct communication between consumers and companies for dispute resolution.
• PROCON (Consumer Protection Agencies) – state‑level administrative bodies responsible for enforcing consumer rights and mediating conflicts.
• SENACON (National Consumer Secretariat) – the federal authority responsible for co-ordinating national consumer‑protection policy and oversight.

Brazil’s crypto‑asset market is governed by Law 14,478/22, in force since June 2023, which establishes a legal and regulatory framework for virtual asset service providers (VASPs). These entities include intermediaries and custodians of virtual assets. The law defines virtual assets to include cryptocurrencies and stablecoins, while excluding instruments such as utility tokens and securities – the latter being regulated by the Brazilian Securities Commission (CVM).

The Central Bank of Brazil, as the financial services regulator, has been granted authority to regulate and supervise VASPs. In November 2025, it issued its first set of rules for VASPs (Resolutions 519 and 520), which became effective on 2 February 2026. These rules provide a 270‑day window – until 30 October 2026 – for existing VASPs to apply for licensing. Banks, foreign‑exchange brokers, and securities brokers are also permitted to offer virtual asset services without needing to obtain an additional licence.

Under Communiqué 40,874 (issued 6 November 2023), VASPs may continue operating without prior authorisation until the new rules take effect and throughout the subsequent 270‑day application period.

Brazil does not have a single, comprehensive statute dedicated specifically to cloud or edge computing. Instead, it regulates these technologies through sector‑specific rules.

Government/Public Sector

Normative Instruction No 05/2021 – Office of Institutional Affairs of the Presidency of the Republic

Establishes minimum security requirements for federal agencies adopting cloud solutions. These requirements include data classification, encryption, and formal risk‑management processes.

Normative Instruction No 08/2025 – Office of Institutional Affairs

Authorises, under strict conditions, the processing of classified government information in private or community clouds hosted in Brazil by certified providers. The use of public or hybrid clouds remains prohibited, and top‑secret data cannot be processed in any cloud environment.

Banking and Finance Sector

Central Bank Resolution No 4,658/2018

Requires financial institutions to implement a cybersecurity policy and sets conditions for contracting cloud services. This includes conducting due diligence on cloud providers and ensuring adequate business‑continuity and incident‑response procedures.

National Monetary Council Resolution No 4,983/2021

Defines governance rules for outsourcing data processing and storage, including cloud services, whether located in Brazil or abroad.

Telecommunications

ANATEL Cybersecurity Regulation (Resolution No 740/2020)

Requires telecommunications providers to use products and equipment – including cloud services – that comply with cybersecurity policies aligned with the Regulation. Providers must also undergo periodic independent audits.

Processing of Personal Data

All digital infrastructure operators in Brazil must comply with the General Data Protection Law (LGPD), which establishes strict rules for the collection, processing, storage, and transfer of personal data.

Key compliance challenges include cross‑border data transfers, data‑localisation concerns, and ensuring that companies maintain robust governance and privacy mechanisms.

The Brazilian Data Protection Authority (ANPD) has yet to issue several critical regulations needed for full implementation of the LGPD, including decisions on international data transfers and adequacy rulings for foreign jurisdictions.

On a positive note, most companies operating in Brazil already follow data‑protection practices aligned with LGPD principles and international industry standards.

AI Laws and Regulations

A comprehensive AI regulatory framework (Bill No 2,338/2023) is currently under review by the House of Representatives, following its approval by the Senate in December 2024. The Bill aims to regulate the development, promotion, and ethical use of AI, establishing principles, accountability mechanisms, individual rights, governance structures, and risk‑based classifications.

Key provisions

• Establishes national guidelines for the development, implementation, and responsible use of AI systems.
• Seeks to protect fundamental rights, ensure safe and reliable AI systems, and promote innovation and competitiveness.
• Combines a principles‑based regulatory approach with prescriptive obligations for AI stakeholders.

Sectoral guidelines

Although Brazil does not yet have a unified AI law, several sectors apply AI governance principles.

In telecommunications, AI use must comply with existing legislation and adhere to principles such as reliability, responsibility, non‑discrimination, plurality, privacy and data protection, fundamental rights, sustainability, and transparency/explainability. ANATEL is also updating telecom regulations to address AI across the service chain.

Protection of Likeness and Moral Rights, and Deepfakes

Brazil has introduced measures to address the misuse of AI‑generated content, especially in electoral contexts.

• TSE Resolution No 23,732/2024: Prohibits AI‑generated content – including deepfakes – in electoral propaganda unless it is clearly labelled. Manipulations intended to harm or benefit candidates are strictly banned.

Additional legislative initiatives aim to criminalise malicious deepfake use and protect personality rights.

Law No 15,123/2025

This law amends the Criminal Code to criminalise the creation of non‑consensual intimate content using AI. Penalties are increased when the AI‑generated content is highly realistic.

Key Laws and Regulations

National IoT Plan (Decree No 9,854/2019)

Brazil’s National IoT Plan establishes the country’s strategy for developing the IoT ecosystem. It defines IoT as an infrastructure that enables digital services and categorises it as a Value-Added Service, which allows for more flexible and streamlined regulation. The plan directs public investment and regulatory sandboxes toward four priority sectors:

• health;
• agriculture;
• industry 4.0; and
• smart cities.

Tax incentives (Law No 14,108/2020)

To support the commercial viability of IoT solutions, Brazil temporarily removed several telecommunications fees (FISTEL – TFI/TFF) that typically apply to telecom stations. This exemption significantly reduces operational costs for IoT providers and remains in effect until late 2025. Legislative proposals are currently under discussion to extend the incentives and avoid a sudden increase in deployment costs.

Data protection (Law No 13,709/2018 – LGPD)

Brazil’s General Data Protection Law applies broadly across sectors but has particular importance within the IoT ecosystem. IoT devices – such as smart home systems, wearables, and urban monitoring technologies – produce large volumes of personal data. As a result, companies operating in this space are subject to strict LGPD compliance requirements and oversight from the national data protection authority (ANPD).

Telecommunications Regulations

Regulatory licensing

To reduce bureaucratic hurdles and facilitate large-scale IoT and M2M deployments, ANATEL recently exempted stations integrated into M2M systems from requiring individual regulatory licensing (MCOM Ordinance No. 17,456/2025).

Cybersecurity and equipment homologation

IoT devices must meet ANATEL’s cybersecurity and equipment certification rules, outlined in Resolution No 715/2019, Resolution No 740/2020, and Act No 77/2021. These regulations include “Security by Design” requirements to ensure devices are secure by default and resilient to cyber threats.

Industry Codes of Conduct

ABINC and ABNT Standards

In late 2025, the Brazilian Association of Internet of Things (ABINC) and the Brazilian Association of Technical Standards (ABNT) published new technical standards focused on IoT interoperability and cybersecurity. These standards are designed to improve device compatibility, strengthen security practices, and support the development of a safer and more integrated IoT ecosystem.

Compliance Challenges for IoT Deployment

Permanent roaming

A common challenge for IoT deployments – such as connected vehicles or logistics trackers – is Brazil’s restriction on permanent roaming. ANATEL prohibits foreign SIM cards from using Brazilian networks for more than 90 consecutive days. If an IoT fleet depends on global SIMs that do not switch to a local profile, Brazilian operators are legally permitted to block those devices once the limit is exceeded.

Hardware homologation and cybersecurity

All telecommunications devices and equipment must undergo ANATEL certification and homologation before they can be used in Brazil. Cybersecurity requirements for these devices are outlined in ANATEL Act No 77/2021, which establishes obligations such as Security by Design and other measures intended to ensure robustness and resilience.

Data protection

IoT deployments typically involve large-scale processing of personal data – from smart-home systems and wearables to urban monitoring devices. As a result, they fall under the scope of Brazil’s General Data Protection Law (LGPD) and are subject to oversight by the ANPD.

Regulatory fees

M2M devices may qualify for exemptions from certain telecommunications fees under Law No 14,108, provided they meet the legal criteria for M2M classification.

Governance Frameworks

To address these compliance risks effectively, companies should adopt an integrated governance framework that includes the following.

• Technical standards – implement ABNT standards and industry best practices alongside all applicable regulatory requirements.
• Privacy management – apply LGPD principles through Privacy by Design, supported by continuous monitoring and periodic compliance audits.
• Legal oversight – manage cross-cutting legal obligations, including those related to consumer protection, intellectual property, and contractual arrangements.

Key Legal Requirements for IoT Data Sharing

All handling of personal data – including its collection, processing, storage, transfer, and deletion – is governed by the General Data Protection Law (LGPD). When sharing personal data with third parties, companies must:

• Obtain valid consent from data subjects for any third‑party sharing.
• Clearly inform data subjects about how their data will be used and the purposes of sharing.
• Rely on an appropriate LGPD legal basis for processing, such as consent, contractual necessity, or legitimate interest.
• Implement technical and administrative safeguards to prevent unauthorised access, misuse, or data breaches.

Applicability

The LGPD applies to any organisation that processes personal data when:

• the processing activity takes place in Brazil;
• the organisation offers goods or services to individuals located in Brazil or processes their data; or
• the personal data was originally collected in Brazil.

There are no minimum thresholds for applicability. Organisations that process large volumes of data or handle sensitive categories (such as health, biometric, or children’s data) must comply with stricter requirements.

Sensitive Data

The LGPD imposes enhanced protections for sensitive personal data, which includes information about racial or ethnic origin, religious beliefs, political opinions, union membership, health or sex life, and genetic or biometric data. Processing this type of data requires a specific legal basis, such as explicit consent, compliance with legal obligations, health protection, or safeguarding the life and safety of individuals.

Additional protective measures, including stricter access controls and strengthened security practices.

Broadcasting (TV and Radio)

Broadcasting in Brazil is heavily regulated under the Federal Constitution, the Brazilian Telecommunications Code (Law No 4,117/1962), and Decree No 52,795/1963.

Key requirements

Free-to-Air (FTA) TV and radio

FTA broadcasting is considered a public service provided by private companies through concessions, permissions, or authorisations granted by the Executive Branch and approved by Congress.

Programming obligations

Broadcasters must:

• prioritise educational, cultural, artistic, and informational programming;
• promote national and regional culture, as well as independent production;
• comply with regional content quotas; and
• respect ethical and social values of individuals and families.

Ownership rules

Ownership and editorial control of broadcasting and journalism companies are restricted to:

• Brazilian-born citizens;
• naturalised citizens with at least ten years of nationality; or
• legal entities incorporated in Brazil with headquarters in the country.

At least 70% of voting capital must be held by these qualifying individuals, who must also be responsible for management, editorial decisions, and programming content. These responsibilities cannot be delegated to non‑eligible individuals.

Procedures and fees

• Public bidding – licences are awarded via public tenders requiring qualification documents and technical and price proposals.
• Granting act – issued by the Communications Minister (for radio) or the President (for FTA TV), followed by congressional approval.
• Licensing – after approval, companies have 12–18 months to obtain frequency authorisation and operating licences from ANATEL and must pay applicable frequency‑use fees and FISTEL taxes
• Contract and payment – the concession contract is finalised after submission of required documents and payment of the concession fee.

Regulation of Pay‑TV

Pay‑TV services fall under the telecommunications regulatory framework, primarily Law No 12,485/2011 and ANATEL regulations.

Key requirements

Must‑carry obligations

Pay‑TV providers must include certain mandatory channels in all packages, including:

• local FTA broadcasters;
• legislative, judicial, and executive branch channels;
• educational, cultural, community, and citizenship channels; and
• municipal/state legislative and university channels.

Cross‑ownership restrictions

• Telecommunications providers cannot have more than 50% of their equity and voting capital controlled by broadcasting concessionaires, licensees, content producers, or programmers.
• Broadcasting companies cannot have more than 30% of their equity and voting capital controlled by telecom operators.
• Each type of entity is prohibited from directly offering the other’s services.

Procedure and fees

• Authorisation – companies must obtain ANATEL authorisation to provide collective‑interest telecommunications services and must notify ANATEL of the Pay‑TV offering.
• Fee – telecom service authorisation requires a fee of BRL400.00.

Digital Media: Streaming and Video‑Sharing Platforms

Video‑on‑Demand (VoD) services operate under a free‑enterprise regime and are not currently subject to the same obligations as broadcasting or Pay‑TV companies.

However, pending legislation – such as Bill No 8,889/2017 and Bill No 2,331/2022 – proposes imposing Brazilian content quotas and requiring payment of CONDECINE contributions.

Technologies and Services Covered by Telecom Regulations

Regulated services

• mobile telephony (4G/5G);
• fixed broadband (fibre‑based internet service providers);
• fixed telephony (traditional landline services); and
• pay-TV services (cable and satellite).

Non‑regulated services

• Value-Added Services (VAS) such as OTT platforms and cloud services.

Hybrid or Conditional Cases

Data centres

Data centres must obtain ANATEL certification when they operate integrated with telecommunications networks, in accordance with Resolution 780/2025.

Marketplaces

Marketplaces are not considered telecom service providers, but they can be held jointly liable when advertising or selling non‑certified telecommunications equipment, also under Resolution 780/2025.

Equipment Certification Requirements

All telecommunications equipment must be certified and homologated by ANATEL.

Certification requirements include the cybersecurity obligations set out in Act No 77/2021, which mandate:

• security by design;
• privacy by design; and
• maintenance of updated security and privacy policies.

Security Requirements

Cybersecurity

Telecom operators must audit their suppliers of software, equipment, and components to ensure compliance with ANATEL’s cybersecurity standards.

Data centres integrated into telecom infrastructure must comply with physical security and cybersecurity resilience rules.

Secrecy of communications

Brazilian law guarantees the confidentiality and inviolability of communications.

Interception is only allowed under a court order for criminal investigations, pursuant to Law No 9,296/1996.

These protections apply to telephone, computer, and telematic systems.

Legal Framework

Internet Law (Law No 12,965/2014, Article 9)

Internet service providers and telecommunications operators must treat all data packets equally, regardless of their content, origin, destination, service, device, or application.

Regulatory Decree (Decree No 8,771/2016)

The decree reinforces that traffic discrimination for commercial purposes is strictly prohibited. For example, a telecom operator cannot slow down a competing streaming service to promote its own, nor can it sell paid “fast lanes.”

Exceptions:

• Technical requirements such as spam filtering, DoS mitigation, or congestion management, provided the measures are proportional, transparent, and non-discriminatory.
• Prioritisation of emergency services is permitted.

Sector Impact

Zero‑rating

Zero‑rating offers – such as mobile plans that provide “free social media” usage – remain largely allowed. Regulators generally interpret the law as prohibiting throttling but not exempting specific apps from data caps, so long as competition is not harmed.

5G and network slicing

5G network slicing, which creates virtual network segments with guaranteed speed or latency for specific applications (such as hospital robots or autonomous vehicles), is treated as a technical capability rather than a violation of net neutrality. This is because it does not degrade other traffic.

Network fee debate

Mirroring discussions in Europe, Brazilian telecom operators advocate for a “network fee” that would require major content providers to contribute to infrastructure costs. Large global platforms oppose the proposal, arguing that it undermines net neutrality by differentiating between traffic sources. The debate remains ongoing and unresolved.

Impact of Emerging Technologies on the Legal Landscape

Regulatory expansion and new incentives

The rapid growth of 5G, IoT, AI, and related technologies has prompted significant updates across Brazil’s regulatory environment. ANATEL is transitioning from its traditional, telecom‑centric focus toward broader oversight of digital platforms and infrastructure. Its priorities now include equipment approval, cybersecurity, critical‑infrastructure resilience, sustainability requirements, and energy‑efficiency standards.

Other agencies are also expanding their authority. Law No 14,815/2024 strengthened ANCINE’s powers – allowing it to suspend or terminate the unauthorised use of both Brazilian and foreign audiovisual works. ANCINE’s current agenda emphasises restructuring the audiovisual sector and responding to the rapid rise of VoD platforms.

Under Decree No 12,622/2025, the ANPD gained new responsibilities related to protecting children and adolescents online, giving it the authority to enforce the Youth Law and issue implementing regulations.

Brazil is also moving forward with Bill No 4,675/2025, the “Fair Competition Act for Digital Markets.” This proposal seeks to introduce ex ante rules for digital platforms. It grants CADE powers to identify potential gatekeepers and impose tailored obligations on them.

Fragmented digital governance

Despite these developments, Brazil’s digital governance framework remains fragmented. Multiple entities – including Congress and agencies such as ANATEL, CADE, ANCINE, and ANPD – continue to share overlapping responsibilities, creating a complex regulatory landscape.

Artificial intelligence

AI technologies are increasingly integrated into telecom operations, supporting functions such as network optimisation, predictive maintenance, and customer service automation. ANATEL itself is using AI to modernise regulatory oversight and enhance operational efficiency.

To avoid hindering innovation, ANATEL has so far adopted a principle‑based approach to AI regulation. However, updates to its Regulatory Oversight Regulation are expected and may introduce new obligations for regulated entities, including:

• allowing ANATEL access to AI‑based equipment, systems, applications, and tools they use;
• providing ANATEL with data used to train AI models and other supporting technical documentation; and
• permitting ANATEL to employ automated processes, including AI, for monitoring and enforcement.

At the national level, Brazil is progressing on an AI Act (Bill 2,338/2023), aligned with the EU’s risk‑based model and establishing obligations based on system risk categories.

Key Legal Considerations for Companies

Data sovereignty and privacy

Companies must ensure that the collection, processing, storage, and international transfer of personal data comply with the LGPD and relevant rules on data localisation and cross‑border data flows.

Cybersecurity audits

Telecom providers and their suppliers must undergo mandatory cybersecurity audits. Hardware must also comply with security‑by‑design and privacy‑by‑design principles.

Telecom licensing

Businesses should assess whether their operations constitute regulated telecommunications services and determine which ANATEL license – if any – is required for lawful operation.

Equipment certification

Before launching, importing, or selling equipment in Brazil, companies must verify whether their devices fall under ANATEL’s certification and homologation requirements and plan for testing and approval timelines.

Monitoring a Rapidly Evolving Landscape

Given the pace of technological and regulatory change, companies operating in Brazil should closely monitor legislative developments, regulatory guidance, and enforcement trends. Proactively adjusting compliance programmes will be critical to meeting new obligations and mitigating regulatory risk.

Main Challenges in Entering Technology Agreements in Brazil

Regulatory complexity and fragmentation

Brazil’s legal landscape blends general civil law principles with numerous sector‑specific rules, such as the LGPD, the Internet Law, and ANATEL regulations. This creates practical challenges when drafting agreements for emerging technologies – including AI, cloud, and IoT – because obligations may derive from multiple overlapping regulatory regimes.

Data protection compliance (LGPD)

The LGPD imposes strict requirements on the processing, sharing, and international transfer of personal data. Technology contracts must clearly define the parties’ roles and responsibilities, establish appropriate legal bases for processing, and include safeguards for cross‑border data transfers.

Infrastructure and service classification issues

When dealing with cloud services, data centre arrangements, software, or connectivity, it is often difficult to determine whether ANATEL’s telecommunications rules apply – particularly where the services blur the line between IT and telecom activities.

Cybersecurity obligations

Multiple sectors impose mandatory cybersecurity requirements, including incident reporting, technical standards, and audit rights (eg, under ANATEL regulations). As a result, technology agreements frequently require detailed language to address these obligations.

Key Features of the Brazilian Legal Framework to Consider

Currency and price adjustment

Domestic contracts must be priced and paid in Brazilian reais (BRL), pursuant to Article 1 of Law No 10,192/2001 and Article 318 of the Civil Code (Law No 10,406/2002). International contracts involving at least one foreign party may use foreign currency under Article 13(II) of Law No 14,286/2021.

Brazil also recognises the principle of economic–financial balance in long‑term contracts, meaning certain circumstances may justify price revisions under the Civil Code, the Consumer Protection Code, or public procurement rules (where a government entity is a contracting party).

Governing law and dispute resolution

Under Article 9 of the LINDB, the law applicable to a contract is generally the law of the place where the obligation is constituted. If an agreement is formed in Brazil – or if the offeror is based in Brazil – Brazilian law will typically govern. Even where a foreign forum is selected, Brazilian courts may assert jurisdiction when obligations are performed in Brazil. Foreign law may validly govern the contract when arbitration is chosen.

Data storage and privacy (LGPD)

Brazil does not require data localisation. However, the LGPD imposes stringent rules on international transfers, including adequacy requirements, contractual guarantees, and other mechanisms to ensure protection levels consistent with Brazilian standards.

Consumer protection considerations

Certain contractual clauses – such as broad liability waivers or unilateral modification rights – may be considered abusive and unenforceable if one of the contracting parties qualifies as a consumer.

Telecommunications regulations

If the agreement touches on telecommunications or connectivity services, ANATEL may impose mandatory obligations, such as equipment certification, licensing, and cybersecurity standards.

Public procurement rules (if applicable)

Technology contracts involving public entities must comply with Law No 14,133/2021, which includes mandatory provisions relating to risk allocation, audit rights, transparency, and performance monitoring.

Intellectual property and software licensing

Brazilian software legislation (Law No 9,609/1998) affects licensing structures, liability allocation, and in some cases the registration of software‑related agreements for tax or commercial purposes.

Tax considerations

Brazil’s tax system is highly complex, and technology agreements must be drafted with attention to tax implications – including potential exposure to indirect taxes, withholding, and service classifications – to avoid unintended liabilities.

Key Elements in Telecom Agreements

Service Level Agreements (SLAs)

In Brazil, SLAs are not only commercial best practices but often align with regulatory quality indicators. Contracts should clearly define metrics such as Mean Time to Repair (MTTR) and response times. ANATEL regulations also require automatic discounts for service interruptions, meaning agreements must include strong liability and indemnity provisions.

Regulatory compliance

Telecom agreements must ensure strict compliance with the General Telecommunications Law (LGT), ANATEL’s regulatory framework, and applicable consumer protection rules.

Data protection

Contracts must include provisions compliant with the LGPD, addressing:

• technical and security measures;
• incident and breach‑notification obligations; and
• allocation of responsibilities for data‑processing activities.

Network operations and maintenance

Operational responsibilities must be clearly allocated, including:

• maintenance windows and planned outages;
• notice periods;
• fault‑reporting processes; and
• facility access and field operations.

Dispute resolution

Effective mechanisms for resolving technical and commercial disputes should be established. Common tools include escalation paths, dispute boards, and arbitration clauses.

Secrecy of communications

Agreements must ensure the confidentiality of all communications transmitted through the network, in line with Brazilian laws on the inviolability of communications.

Liability and indemnities

Contracts should establish a balanced allocation of risk, addressing:

• liability caps and carve‑outs (eg, gross negligence, data breaches, wilful misconduct);
• indemnification for regulatory penalties caused by the counterparty; and
• allocation of responsibility for service credits imposed by regulation.

Unbalanced clauses may be deemed void by the Brazilian Judiciary, which is known to intervene in private agreements.

Favourable Terms for Negotiation

• Volume and duration – higher volumes or longer commitments may justify discounts, enhanced SLAs, or waivers on exclusivity.
• Exclusivity – when appropriate, exclusivity may be leveraged to obtain better pricing and service conditions.
• Audit rights – billing audit clauses can allow withholding of disputed amounts.
• Risk allocation – liability caps should be proportionate, indemnities reciprocal, and force majeure clauses adapted to telecom realities (eg, fibre cuts, tower damage, and power failures).

Interconnection Agreements (Wholesale)

Regulatory framework

Interconnection arrangements are governed by the General Regulation of Interconnection (RGI – ANATEL Resolution No 693/2018).

Key considerations

Public offer (OPI)

Common carriers must publish an ANATEL‑approved OPI, which serves as a reference – often a ceiling – for pricing and conditions during negotiations.

Mandatory clauses

Interconnection agreements must include financial‑settlement mechanisms, fraud‑prevention measures, and well‑defined operational processes.

Anti‑competitive conduct

The RGI prohibits practices such as withholding technical information, discriminatory treatment, or imposing unreasonable contractual conditions.

Artificial traffic

Contracts must contain anti‑fraud provisions to detect and prevent robotic calling patterns, inflated traffic, or other manipulations.

Resource sharing

Parties may share equipment, infrastructure, and facilities to support interconnection. Agreements should specify technical standards, pricing structures, and operational responsibilities for such sharing.

Laws and Regulations: Trust Services and Electronic Signatures

MP 2.200‑2/2001 remains the foundation of Brazil’s digital trust framework, establishing ICP‑Brasil, the Brazilian Public Key Infrastructure.

Qualified electronic signatures (certificado digital)

Signatures supported by an ICP‑Brasil certificate carry a legal presumption of authenticity and validity.

Private electronic signatures

Article 10, Section 2 confirms that other forms of electronic signatures are valid as long as the parties agree to their use and the document’s integrity is not disputed.

Law No 14.063/2020 introduced a tiered structure for electronic signatures used in interactions with the public sector.

• Simple electronic signature – identifies the signatory and links the signature to specific electronic data.
• Advanced electronic signature – ensures authorship and integrity, is uniquely associated with and controlled by the signatory, and allows detection of any later modification.
• Qualified electronic signature – requires certification under the ICP‑Brasil infrastructure.

The ICP‑Brasil Technical Standards (DOC‑ICP) define the technical, operational, and security requirements for issuing and managing ICP‑Brasil certificates. Compliance is mandatory for Certification Authorities (CAs), Registration Authorities (RAs), and all entities participating in the trust chain.

Elements for Consideration

Cross‑border recognition (Mercosur Agreement)

Under Decree No 12.376/2025, Brazil now recognises digital signatures issued in Argentina, Paraguay, and Uruguay – and these countries reciprocate. This change enhances the execution of regional commercial and governmental agreements.

Data protection (LGPD)

Digital identity systems often use biometric data (such as facial images or fingerprints), which are classified as Sensitive Personal Data under the LGPD. Processing this data requires:

• a valid legal basis;
• strong security and governance measures; and
• appropriate incident and breach notification procedures

Brazil’s gaming industry is now regulated under a modernised framework that clearly distinguishes electronic games from gambling (“bets”), with each category subject to its own compliance obligations.

Core Laws and Regulations

Legal Framework for Games (Law No 14,852/2024)

This law establishes Brazil’s first comprehensive regulatory framework for electronic games. Its key provisions include:

• a formal definition of electronic games;
• special customs regimes that reduce import costs for development kits, VR equipment, and similar technologies, along with cultural-sector incentives;
• measures to protect children and adolescents; and
• a national age-rating system.

Bets Law (Law No 14,790/2023)

This law regulates sports betting and online gambling, drawing a clear boundary between gambling and electronic games. Any game that offers monetary prizes based on random outcomes is classified as a “bet”.

Its main provisions include:

• mandatory licensing requirements;
• ownership and financial standards for operators;
• advertising rules;
• anti–money laundering and counter-terrorism financing obligations; and
• administrative penalties, including fines and potential suspension.

The Secretariat of Prizes and Betting (Secretaria de Prêmios e Apostas – SPA) within the Ministry of Finance oversees the gambling sector. SPA’s regulations cover licensing procedures, technical standards, monitoring, sanctions, and general oversight.

Industry Self‑Regulation

CONAR

As noted earlier, CONAR sets widely respected advertising standards that apply to gaming and betting platforms. Although adherence is voluntary, compliance is effectively mandatory in practice because media outlets routinely remove non-compliant advertisements. CONAR also maintains specific standards for gambling-related advertising.

Key legal challenges

Brazil’s gaming sector faces increasing scrutiny regarding protections for minors, age restrictions, loot boxes, randomised rewards, and monetisation systems that resemble gambling. Recent laws have introduced new limitations on minors’ access to such features.

Law No 14,790/2023 already prohibits betting activities for minors, and CONAR requires 18+ warnings and bans advertising directed at children. In addition, Ordinance No 1,048/2025, approved by the Ministry of Justice and Public Security (MJSP), strengthens these protections. Companies must comply fully by 17 March 2026.

The industry must also adapt to Brazil’s broader tax reform and the introduction of the split‑payment regime, as referenced in 1.3 Digital Economy Taxation.

Primary Regulatory Bodies

Regulation of Brazil’s gaming industry is divided among several governmental authorities, each operating within its legally defined mandate. The Ministry of Finance, through the SPA, functions as the central regulator for licensed gambling and betting activities. The MJSP oversees age‑rating classifications for digital games and audiovisual content through the ClassInd system. In addition, the National Data Protection Authority (ANPD) may exercise jurisdiction over gaming operators whenever their activities involve the collection or processing of personal data.

Recent Enforcement Actions

Between late 2024 and 2025, Brazil undertook its most significant enforcement measures to date in the online gaming and betting sector. After the licensing grace period expired, the SPA released a comprehensive “Negative List” identifying more than 2,000 unlicensed gambling platforms. This list was submitted to ANATEL, triggering a nationwide operation requiring Internet service providers to block access to the domains of these non‑compliant platforms. As a result, several major international brands that had not begun the licensing process became inaccessible to users in Brazil.

This enforcement effort created a clear division within the market: a regulated “white market” composed of licensed operators authorised to use the .bet.br domain, and an unregulated “black market” made up of platforms facing access restrictions due to non‑compliance.

Common IP Challenges Faced by Game Developers in Brazil

Multiplicity of IP regimes and layered rights

A single video game usually incorporates several types of intellectual property: software (source code), audiovisual content (graphics, music, narrative), character and brand identity, and sometimes functional or technical innovations. Developers must choose which IP regimes are most appropriate – software copyright, general copyright, trade marks, industrial design, or patents.

Overlapping protection and registration uncertainty

Software is protected both under the Computer Programs Act (Law 9.609/98) and the general Copyright Law (Law 9.610/98). Other components – such as music, art, or audiovisual elements – are covered by copyright as well. Because certain elements (especially visual or design components) can potentially fall under multiple regimes, developers often face uncertainty about how to structure their registrations and safeguard each asset.

Enforcement challenges, especially with piracy

As in many countries, Brazilian developers struggle with unauthorised copying, distribution, and “modding,” including dissemination over the internet. Enforcing rights can be difficult and resource‑intensive.

Recent legal developments and resulting uncertainty

The new “Videogame Act” (Law 14.852/2024) introduces opportunities but also new questions. It creates a specific registration category for electronic games at the National Institute of Industrial Property (INPI), which may require companies to update internal compliance and administrative processes.

Rights of Creators to Protect IP in Virtual Environments

Creators are protected under both the Software Law (Law 9.609/98) and the Copyright Law (Law 9.610/98). Source code is treated as a literary work, while graphics, story elements, music, and design are protected as artistic or audiovisual works.

Law 14.852/2024 formally recognises games – including console, mobile, web, VR/AR/MR/XR formats – as interactive audiovisual works or software, strengthening their eligibility for multiple types of IP protection.

For industrial property concerns, developers may also rely on trademarks, industrial design registrations, or patents if the game involves technical innovations. Registration with INPI or other competent authorities – particularly under the new videogame‑specific registration scheme – can strengthen enforcement and evidentiary rights in licensing or litigation.

Key Considerations for Copyright in Digital and Virtual Assets

Automatic protection

Copyright protection exists from the moment a work is fixed, regardless of registration. Registration is optional but useful for proving authorship.

Duration of protection

Software is protected for 50 years (starting 1 January of the year following creation or publication) under Law 9.609/98. Other works – such as art and music – follow the standard term under Law 9.610/98.

Clear separation of elements:

To maximise protection, developers should document and separate code, audiovisual assets, narrative, character design, and other components. Consolidating rights through contracts is essential, especially when multiple contributors are involved. When possible, developers should register works at INPI or other relevant authorities.

Digital piracy risks

Given the ease of online copying, streaming, and distribution – including user‑created modifications – developers must use technical protection measures and be prepared to pursue civil or, when applicable, criminal action.

Application of Industrial Property Law to Virtual Goods and Services

Under the Industrial Property Law (Law 9.279/96), any visually perceptible distinctive sign may be registered as a trademark with INPI. This includes game titles, logos, franchise names, character names, and potentially in‑game brands.

Traditional principles still apply:

• Speciality – protection covers only the registered classes of goods/services.
• Territoriality – protection applies only within Brazil.

In global virtual environments – such as online multiplayer worlds or games hosted on international servers – these principles can create uncertainty. Developers seeking broader protection should consider trade mark registration in additional jurisdictions or use agreements and licences that address cross‑border virtual distribution.

Implications of User‑Generated Content (UGC) for IP Rights

User‑generated content (mods, custom assets, skins, levels, stories, etc.) can create complex IP issues. The base game is protected by copyright and possibly by trade marks, so derivative works may infringe unless they fall under a valid licence.

Developers should:

• Use clear EULAs, Terms of Service, and licensing agreements that specify what rights users have when creating UGC.
• Define whether commercial use is allowed, whether rights are licensed back to the developer, and how revenue (if any) is handled.

Because copyright arises automatically under Brazilian law, unauthorised derivative works or distribution may be actionable, though enforcement can be difficult in cross‑border or virtual environments.

The new videogame legislation strengthens the legal basis for asserting exclusive rights over derivative uses but does not replace the need for careful licensing and rights management.

Key Takeaways and Strategic Recommendations for Developers in Brazil

• Use multiple IP tools together – protect software and audiovisual works under copyright, register trade marks for titles and brands, and consider design or patent protection when applicable.
• Leverage INPI registration – including the new videogame‑specific category – to reinforce enforceability.
• Draft clear contracts with collaborators, artists, musicians, and other contributors to consolidate rights.
• Implement strong EULAs and licensing terms for end users, especially concerning mods and UGC.
• Actively monitor unauthorised distribution and pursue enforcement through civil or, where appropriate, criminal measures.

Laws and Regulations Relevant to Social Media in Brazil

Brazil does not yet have a single, comprehensive law regulating all social media platforms operating in the country. Instead, several key legal frameworks currently apply.

Brazil’s Internet Law (Law No 12,965/2014)

This law establishes rights, guarantees, and duties related to internet use, including rules for application providers.

Important update

In June 2025, the Brazilian Supreme Court (STF) ruled that platforms may be held civilly liable – even without a court order – if they fail to remove content that is manifestly illegal (such as terrorism, racism, or violence against women and children) or where systemic moderation failures occur.

Until new legislation is introduced, platforms must:

• remove unlawful content and fake accounts following takedown requests; and
• implement self-regulation measures such as clear notification systems, due process mechanisms, transparency reporting, and accessible support channels.

Youth Law (Law No 15.211/2025)

This law establishes broad protections for children and adolescents in digital environments. It applies to any digital product or service directed at – or likely to be accessed by – minors, including social media platforms.

Key obligations for providers include the following.

• Setting default privacy protections and preventing misuse of minors’ personal data.
• Avoiding features that encourage compulsive use.
• Moderating harmful content such as sexual exploitation, violence, cyberbullying, self‑harm, gambling, and misleading advertising.
• Removing and reporting illegal material and ensuring age-appropriate content.
• Implementing effective age verification, obtaining parental consent for app downloads, providing clear risk information, and ensuring accessible parental controls.
• Prohibiting profiling for targeted advertising and the monetisation of sexualised content involving minors.

Effective date: enacted in September 2025; enforcement begins in March 2026.

Key Legal Challenges Related to Social Media Regulation

Brazil faces several ongoing challenges in regulating social media platforms, including the following.

• Legal uncertainty regarding the new liability standards imposed by STF rulings (Themes 987 and 533).
• Balancing fundamental rights – such as freedom of expression – with the need for regulation.
• Addressing economic and competitive issues, as major platforms operate across multiple sectors where traditional regulatory models may not apply.
• Establishing effective governance and enforcement structures, given the lack of a specialised regulatory body for digital services and competing claims among different government agencies.

Regulatory Landscape for Social Media Oversight in Brazil

Brazil does not have a single, dedicated regulator for social media platforms. Instead, oversight has largely been driven by the Judiciary, which has taken an increasingly active role in ordering content removals and, in some cases, imposing service suspensions when platforms fail to comply with judicial decisions.

Judicial enforcement

An important example occurred in August 2024, when the Brazilian Supreme Court (STF) ordered a nationwide blocking of X (formerly Twitter) after repeated noncompliance with court orders. The platform was restored only after paying significant fines, appointing a legal representative in Brazil, and fulfilling directives to deactivate specific accounts.

Agencies Signalling Regulatory Intent

National Data Protection Authority (ANPD)

Since 2025, the ANPD has taken on a central role in enforcing the Youth Law (Law No 15,211/2025), which sets rules for products and services directed at minors – including social media.

The Agency has been designated as the autonomous authority responsible for safeguarding children and adolescents online.

Its responsibilities include monitoring compliance, issuing regulations, and ensuring enforcement.

Administrative Council for Economic Defense (CADE)

CADE has intensified scrutiny of digital markets since 2022, conducting investigations into anticompetitive conduct and applying precautionary measures.

In 2025, Bill No 4,675/2025 was introduced, creating an ex ante regulatory framework for digital platforms and expanding CADE’s authority in the sector.

National Telecommunications Agency (ANATEL)

Since 2021, ANATEL has broadened its regulatory focus to include digital platforms and infrastructure intermediaries.

Current initiatives aim to treat digital platforms as users of telecom networks, enabling the Agency to apply measures that promote network sustainability.

Key Data Privacy Laws and Regulations for Telecom Providers in Brazil

Primary legal framework

Brazil’s privacy landscape is grounded in several key instruments.

• Federal Constitution – ensures the fundamental right to privacy and protection of personal data.
• General Data Protection Law (LGPD – Law No 13,709/2018) – the primary data protection law applicable across all sectors, supplemented by regulations issued by the National Data Protection Authority (ANPD).
• Marco Civil da Internet (Law No 12,965/2014) – governs data collection, storage, and processing by internet and connectivity providers.

While the ANPD is the central authority overseeing privacy and data protection, ANATEL also imposes sector‑specific obligations through instruments such as its Cybersecurity Regulation and General Telecommunications Services Regulation, which require privacy‑by‑design measures and mandate prior consent for sharing subscriber data.

Key Challenges in Managing Customer Data Privacy

Telecom operators face several privacy‑related challenges.

High volume and sensitivity of data

Providers handle vast amounts of personal information – such as subscriber details, call metadata, geolocation, and browsing data – significantly raising compliance complexity and security risks.

Strict LGPD requirements

The LGPD mandates explicit consent, clear internal policies, mechanisms for data subject rights, and strong technical and organisational security controls. Achieving full compliance often requires substantial investment.

Third‑party and vendor management

Operators rely heavily on outsourced services (eg, cloud hosting, network management). Ensuring these partners maintain adequate privacy and security standards is critical.

Cybersecurity risks

Increased cyber threats require robust protective measures, including encryption, network segmentation, intrusion monitoring, and advanced firewalls.

Cross‑Border Data Transfers and Data Localisation

International transfers of personal data are regulated under the LGPD and ANPD Resolution No 19/2024. Transfers are allowed only when appropriate safeguards exist, such as the following.

• Adequacy decisions – when ANPD recognises that another jurisdiction provides equivalent data protection.
• Standard contractual clauses (SCCs) – ANPD‑approved clauses ensuring LGPD‑level protection abroad.
• Equivalent standard clauses – clauses approved by foreign authorities or international bodies that ANPD deems comparable to Brazilian SCCs.
• Specific contractual clauses – used in exceptional situations where SCCs are not suitable.
• Binding Corporate Rules (BCRs) – internal rules for multinational groups, requiring ANPD approval, to govern transfers within the same corporate group.

Balancing Lawful Interception and Privacy

Brazil’s Constitution protects the confidentiality of communications, allowing interception only through a court order for criminal investigations as defined under Law No 9,296/1996.

Telecom operators must comply while still safeguarding privacy. Common practices include the following.

• Data segregation – ensuring only the court‑mandated data is disclosed.
• Strict internal protocols and audits – tracking and controlling access to intercepted information.
• Advanced security measures – encryption and protections to shield data unrelated to the investigation.
• Governance and legal oversight – legal teams validate and monitor compliance with lawful‑interception requests to prevent misuse.

Role of Third‑Party Vendors and Cloud Providers

Telecom providers increasingly rely on external vendors and cloud services for infrastructure and data processing. ANATEL’s Cybersecurity Regulation requires suppliers to adopt privacy‑by‑design practices and to undergo independent audits, ensuring the security of the broader telecom ecosystem.

Impact of Evolving Data Privacy Regulations on Infrastructure and Innovation

Emerging regulatory demands significantly influence network design and technological innovation.

Strengthened infrastructure requirements

Operators must invest in resilient, secure networks with strong encryption, continuous monitoring, and controlled access to satisfy LGPD obligations.

Privacy‑by‑design integration

Privacy considerations must be embedded into network architecture, product development, and operational processes from the outset.

Effects on emerging technologies

Technologies such as IoT, AI, cloud computing, and big data depend on massive data flows. Privacy rules introduce additional layers of consent management, security, and governance, increasing operational complexity and costs.

Cross‑border data transfer challenges

Telecom networks routinely process international traffic. Limited adequacy decisions and ANPD’s evolving enforcement capacity create uncertainty for operators managing global data flows.

Legal and Operational Challenges in Data Privacy for Digital Media and Streaming Services

Balancing innovation and privacy

Digital media and streaming providers face a central challenge: how to innovate while managing the risks associated with intensive data use. Because regulation often develops more slowly than technology, companies must simultaneously ensure:

• full compliance with Brazilian data protection regulations; and
• a genuine ethical commitment to privacy and responsible data handling.

Achieving this balance requires a multidimensional approach that strengthens internal governance and builds external trust.

Internal Measures

Companies need to promote a culture rooted in ethics and data protection, supported by strong governance structures. Essential practices include:

Privacy-by-design and security-by-design

Integrating privacy safeguards from the earliest stages of product development, making privacy the default setting, and incorporating techniques such as encryption, anonymisation, and secure coding.

Data Protection Impact Assessments (DPIAs)

Conducting assessments for activities that present high risks to data subjects.

Transparency and user control

Ensuring users clearly understand how their data is collected, used, stored, and managed.

External Measures

Building and maintaining user trust is fundamental. Digital service providers should:

• communicate consistently and transparently about data practices;
• reduce reputational and regulatory risks through openness; and
• present privacy as a competitive differentiator in a market increasingly focused on digital ethics.

Challenges in Third-Party Data Sharing

When sharing data with advertisers, analytics companies, or business partners, providers must comply with the LGPD, which requires:

• valid consent for any third‑party data sharing; and
• clear disclosure of the purpose and scope of such sharing.

Additionally, the Youth Law (Law No 15,211/2025) prohibits the use of profiling techniques for targeted advertising directed at minors, adding further restrictions for platforms that serve young audiences.

Impact of Emerging Cybersecurity Regulations

Brazil does not yet have a dedicated cybersecurity law specifically for digital media platforms. However, national initiatives – such as the National Cybersecurity Strategy and National Cybersecurity Policy – establish guidelines applicable to all sectors. These include:

• implementing cybersecurity and risk management measures; and
• developing mechanisms to prevent, mitigate, and respond to vulnerabilities and cyber-attacks.

Future regulatory developments aligned with these initiatives may impose new obligations, such as:

• minimum security standards;
• structured risk‑mitigation processes; and
• increased operational costs for digital platforms and operators of critical infrastructure.