Victor Oliveira Fernandes serves as Brazil's National Secretary for Digital Rights. The analysis and opinions expressed in this article are the author's own and do not represent the official position of the Brazilian government or any of its agencies, including the National Data Protection Authority.

This March, Brazil implemented one of the world's most ambitious regulatory frameworks for addictive design. Decree 12,880/2026, which implements the country's Digital Statute of Children and Adolescents (the ECA Digital), is no aspirational document. Articles 9 and 10 ban specific design features, including infinite scroll, autoplay, time-based rewards, excessive notifications, obstruction of privacy controls and exploitation of cognitive vulnerabilities. Penalties can reach up to 10% of a company's group revenue in Brazil, capped at R$50 million per violation.

The framework is genuinely distinctive. It departs from the US approach, where addictive-design regulation has advanced primarily through state attorneys general and high-profile jury verdicts, while federal legislation remains stalled in Congress. It also differs from the European approach, where the European Commission is targeting additive design under the Digital Services Act systemic risk enforcement provisions.

By concentrating enforcement authority in a technical body, the Brazilian Model spares plaintiffs from proving individual harm and standardizes obligations across sectors. The promise, however, is not guaranteed. Whether the regime lives up to its potential will depend on the regulatory choices the National Data Protection Agency (ANPD) must make in the coming months.

A separate but equally vital question — how public enforcement will interact with private litigation, civil society and the Public Prosecutor's Office, all presupposed by Decree 12,880/2026's multi-actor architecture — deserves separate treatment. The focus here is on two foundational choices that fall to the ANPD: who the regime covers in practice, and how it will be enforced.

Who does the law cover, and how?

The first challenge is one of scope. The ANPD must decide not only which entities fall under the addictive-design prohibitions, but also how each prohibition applies to the very different services covered by the regime. In several respects, the agency will break new ground.

The ECA Digital carries a distinctive duality: It is at once more restrictive and more sweeping than other digital services legislation, such as the DSA. It is more restrictive because it aims exclusively at minors. But it is also more sweeping because it reaches beyond online intermediation platforms: the law applies to "every information-technology product or service" directed at children or to which access by children is likely, covering internet applications, software, operating systems, app stores and connected games (Article 2, Digital ECA). Article 11 of the decree 12,880/2026 extends further still, reaching large language models (LLMs), conversational agents and similar AI interfaces and imposing a duty to "prevent the behavioral manipulation" of minors.

The broad scope will produce debates in two distinct regulatory spheres. The first involves the major online platforms — such as social networks, marketplaces — already grappling with addictive-design questions before US courts and European regulators. The second involves a vast array of services that escape comparative legislation altogether, from casual games and wellness apps to AI-based conversational interfaces.

In the first sphere, the central question is whether the prohibitions extend to features primarily used by adults. Social networks are illustrative. The decree exempts age verification requirements when a platform offers versions stripped of prohibited content — the so-called teen accounts (Art. 19, I). It remains unclear whether the ban applies only to those variants or to the main product as well. The distinction is significant: A recommendation system that operates identically for all users may still produce uniquely addictive effects on minors who circumvent age barriers, and a teen account, while a poorly calibrated teen account, may reproduce the same features in a milder form.

For marketplaces, the issue takes a different form. Many deploy urgent-discount messaging, sales pressure and gamification — practices now under scrutiny in the European Commission's February DSA investigation into Shein. Read alongside Article 10 of the decree, such practices would fall within the prohibition on "exploiting cognitive vulnerabilities."

In the second sphere, the ANPD will operate largely without a comparative precedent. The prohibitions may reach services that do not appear on foreign regulators' radar at all: language-learning apps with daily streaks, meditation platforms that reward consistency, fitness apps with badges, and casual games built around retention triggers. None of these neccesarily markets itself to children, yet all are covered because access by minors is foreseeable. In most cases, gamification is not incidental — it is the offering. Mechanisms expressly banned by the decree, including "delivering new content without user request" and "rewards for time spent," are often core to the product.

AI is the most uncharted territory. Article 11 imposes specific duties on providers of language models and conversational agents, including transparency about the synthetic nature of the interaction, prevention of behavioral manipulation, and algorithmic risk assessment. The debate over what counts as addictive design in a chatbot is in its early stages, and manipulative patterns in synthetic dialogue may operate quite differently from the more visible mechanisms regulators have traditionally studied. Whatever approach the ANPD adopts here is likely to become an international reference point.

Given the heterogeneity of the services covered, cross-cutting rules are unlikely to be workable. The more viable path forward is sectoral codes of conduct.

Systemic design oversight or prescribed prohibitions?

Unlike the European model, the ECA Digital does not structure compliance around a systemic framework. There is no platform designation, no recurring systemic-risk assessments, and no ex ante compliance reporting. The ANPD may build these mechanisms over time. But in the short term, the agency faces a more immediate choice: whether to enforce the law one prohibition at a time, or assess platforms holistically? Each path opens distinct possibilities for the regime.

The prohibition-by-prohibition approach has its own advantages. Targeting each banned mechanism in standalone proceedings would produce visible, fast results. The evidentiary burden is lower: there is no need to demonstrate that the overall design is "manipulative" if a single named mechanism is in plain view. For regulated companies, predictability cuts both ways. If the ANPD defines each prohibition with operational specificity, companies can position themselves for compliance — adjusting individual features against discrete legal standards — even as broader questions about the law’s scope remain unresolved.

The systemic approach would treat platforms as integrated architectures, rather than collections of features. The European Commission has structured DSA enforcement around this premise. Its December 2025 decision against X — the DSA's first non-compliance ruling, which imposed a €120 million fine — examined the blue checkmark, the advertising repository and researcher access in a single proceeding, as parts of one architecture of opacity. Preliminary findings issued against TikTok in February analyzed infinite scroll, autoplay, push notifications and the recommendation system together. The underlying premise is that the addictive effect arises from the interaction among these elements, not from any one in isolation.

In the Brazilian context, such an approach would integrate the addictive-design prohibitions with related obligations imposed elsewhere in the ECA Digital, including: protective defaults (Art. 7), risk management of features (Art. 8), parental supervision tools (Arts. 17–18) and bans on profiling and emotional analysis for advertising aimed at minors (Art. 22). These obligations interact in subtle ways. A poorly designed parental supervision tool may itself constitute a manipulative pattern. A nominally protective default may sit inside an engagement architecture that effectively neutralizes it. A system that is formally compliant with the profiling ban may still reproduce the addictive effects through algorithmic curation of organic content. A systemic approach would catch those interactions; a feature-by-feature model might not.

A hybrid path is also plausible. For large platforms operating the integrated design ecosystems that the European Commission has been scrutinizing — including social networks, major marketplaces, video-sharing services — only a systemic approach may fully capture the mechanics of harm. For smaller, more contained applications, itemized enforcement may be more efficient and more proportionate. The ANPD could differentiate between these categories of services and calibrate supervision accordingly.

The vanguard opportunity

Brazil has entered the addictive-design debate with a distinctive regulatory instrument. The ECA Digital combines an expansive scope, codification of prohibited conduct and centralized regulatory authority — a configuration without a close parallel in comparative frameworks.

That places the country in an unusual position. The regulation now to be drafted will not only determine the domestic fate of the ECA Digital — it may also offer the international debate an original set of responses to a field that remains under construction. In an area this sensitive, Brazil has a genuine opportunity to lead rather than follow. If carefully calibrated, the choices ahead can give other jurisdictions a model worth studying.