The regulation of digital platforms in Brazil has taken on new contours with the publication of Decrees No. 12,975 and No. 12,976, both dated May 20, 2026. These two instruments amend and supplement Decree No. 8,771/2016, which regulates the Brazilian Internet Act (Law No. 12,965/2014), by establishing concrete obligations for internet application providers in relation to content moderation, transparency, the protection of women, and the use of artificial intelligence.
The rules will enter into force on July 20 of this year and reinforce the role of the National Data Protection Authority (ANPD) as the competent authority for regulation, oversight, and the investigation of violations. In this article, we outline the main obligations introduced and their practical impacts on technology companies.
General duties of application providers
Decree No. 12,975/2026 adds Chapter III-A to Decree No. 8,771/2016, establishing general obligations for internet application providers that process data in Brazilian territory. These obligations include establishing a headquarters and appointing a legal representative in Brazil (a legal entity with authority to respond in administrative and judicial proceedings), providing a permanent and easily accessible reporting channel, adopting measures against artificial networks used to distribute unlawful content, and ensuring the security and transparency of services.
In addition, the legal representative must be able to provide information about the platform’s operation, moderation rules, transparency reports, and profiling and advertising policies.
Duty of care and systemic failure
The concept of “systemic failure” occupies a central place in the regulation of digital platforms. A provider that intermediates third-party content may be held liable if it fails to demonstrate that it has adopted adequate measures to prevent or remove criminal content, ensure the highest levels of security, and curb the large-scale circulation of such material.
The content covered by the duty of care includes terrorist crimes, incitement to suicide, incitement to discrimination, crimes against women, sexual crimes against vulnerable persons, trafficking in persons, and crimes against the democratic rule of law. In any event, the Decree clarifies that the existence of isolated unlawful content does not, in itself, constitute a systemic failure, which arises only in the presence of repeated patterns or unchecked mass dissemination.
Providers must also monitor, identify, assess, and manage the systemic risks created or heightened by their activities.
Content notification and unavailability system
Decree No. 12,975/2026 also establishes a notification system with formal requirements, including identification of the criminal or unlawful conduct, specific identification of the content (that is, the URL or another unambiguous locator), and identification of the notifying party. Upon receipt, the provider must acknowledge the notification and assess the content, informing both the notifier and the user of the decision to remove or maintain the content, the reasons for that decision, and the available means to challenge it.
By contrast, when unlawful content is disseminated through paid ads or boosted content, the provider’s liability is presumed regardless of notification. Providers must retain information about each advertisement for one year after the end of the placement period.
Exceptions and differentiated criteria
It is worth noting that the regulation of digital platforms does not apply equally to all services. In particular, email services, instant messaging services (with respect to interpersonal communications protected by confidentiality), and restricted-group audiovisual communication services (such as videoconferencing) are excluded from the duty of care.
In addition, the ANPD may establish differentiated enforcement criteria based on the provider’s economic size, the level of interference in content circulation, the state of the art, and the level of risk involved in the assessment, with special attention to small providers.
Protection of women in the digital environment
Decree No. 12,976/2026, in turn, establishes specific guidelines to combat violence against women on the internet. The concept of digital violence encompasses conduct such as stalking, harassment, non-consensual disclosure of intimate content, AI-enabled psychological violence, and political violence against women.
In this context, the Decree introduces strict takedown deadlines. For unauthorized intimate content, for example, removal must occur within two hours, along with digital marking to automatically block reposting. For manifestly unlawful content targeting women, the deadline is six hours; in other cases, it is 24 hours.
Another important point is the express prohibition on generating or altering a third party’s intimate content through artificial intelligence or other technological means that manipulate the victim’s image or voice. Providers offering AI-based functionalities must implement technical safeguards to identify and block requests to generate prohibited content, in a phased and proportionate manner based on access volume and risk level.
Next steps for companies
In light of this new scenario, companies operating digital platforms will need to review and update their content moderation policies and terms of use, which must now include provisions on the notification system, due process, and annual transparency reports. Establishing or updating legal representation in Brazil also requires attention, as the designated legal entity must have broad authority to respond to administrative and judicial authorities.
In the area of women’s protection, reporting channels must be adapted to integrate with Dial 180, and internal procedures must reflect the new removal deadlines, which range from two hours for intimate content to 24 hours in other cases of digital violence. Providers that use AI capabilities should develop technical safeguards to prevent the generation of unauthorized intimate content, while all companies should establish governance structures for systemic risk management and advertising data retention.
With entry into force scheduled for July 20, 2026, the compliance window is short, underscoring the importance of early planning for the implementation of the safeguards required by the decrees.
*By: Carla Couto, Luiza Sato, and Miguel Carneiro, respectively partners and lawyer in the Cybersecurity & Data Privacy practice area
