Updated Brazilian Civil Rights Framework for the Internet: new Decrees expand digital platforms’ responsibilities and strengthen protection of women online

On May 21, 2026, Decrees No. 12,975/2026 and No. 12,976/2026 were published, amending the regulation of the Brazilian Civil Rights Framework for the Internet (Law No. 12,965/2014 or “MCI”) and establishing new obligations for internet application providers, particularly regarding content moderation, transparency duties, platform liability, protection of women in digital environments, and data retention – the latter also applicable to internet connection providers.

These Decrees are aligned with the Brazilian Federal Supreme Court (STF) ruling of June 2025, which declared the partial unconstitutionality of Article 19 of the MCI (General Repercussion Themes 987 and 533), establishing new parameters for platform liability regarding third-party generated content, including the duty of care and the concept of systemic failure. Previously, as a general rule, providers could only be held civilly liable upon failure to comply with a specific court order; however, there are now exceptions to this regime.

Both Decrees assign the Brazilian National Data Protection Agency (ANPD) the competence for regulation, supervision, and enforcement of violations, consolidating the agency’s role as the central authority for Brazilian digital governance. The ANPD may establish differentiated compliance criteria based on the provider’s economic size, level of interference in content circulation, and the risk involved in the service, with particular attention to small providers.

The Decrees shall enter into force 60 (sixty) days after their publication in the Official Gazette.

This newsletter highlights the main regulated aspects.

Decree No. 12,975/2026

1. New obligations: establishes specific duties for internet application providers that intermediate third-party generated content, including the obligations to:

• Establish and maintain a registered office and a legal representative in Brazil, constituted as a legal entity, with powers to respond before administrative and judicial authorities, comply with court orders, and fulfill any penalties and fines;
• Provide a permanent and easily accessible channel for receiving and processing notices of criminal or illegal content;
• Adopt measures to prevent the operation of artificial networks for the dissemination of illegal content;
• Ensure transparency and security of their services; and
• Provide competent authorities with information regarding their content moderation procedures, complaint management, transparency reports, advertising, paid content boosting, and user profiling practices

2. Liability for systemic failure to remove illegal content: establishes liability for providers in cases of systemic failure to promptly remove certain categories of illegal content, including, among others, content related to terrorism, instigation or assistance to suicide or self-harm, discrimination and hate speech, crimes against women, sexual crimes against vulnerable persons, serious crimes against children and adolescents, human trafficking, and anti-democratic acts. The isolated existence of illegal content does not, by itself, constitute systemic failure. Without prejudice to the duty of care, providers must also diligently monitor and manage the systemic risks arising from their activities or from the circulation of the content referred to above.

 

3. Notice and adversarial procedures: providers must make available an accessible notification system for reporting illegal or criminal content, with challenge and reconsideration procedures that safeguard due process and freedom of expression. Platforms must remove content that constitutes a crime, in response to notices, following a case-by-case analysis, except in the circumstances set forth in the Decree that authorize the maintenance of content, such as crimes against honor, for which liability only arises upon non-compliance with a specific court order for removal. Upon identifying criminal content, providers must forward it, together with the information necessary to determine authorship and materiality, to public authorities.

4. Advertising, paid content boosting, and misleading advertising: providers that offer, on a paid basis, advertising or content boosting tools must adopt measures to prevent the engagement of criminal or illegal content. Their liability is presumed, regardless of prior notice, when such content is disseminated through advertisements, paid boosting, or distributed through artificial networks. However, providers shall not be held liable if they demonstrate that they acted diligently and within a reasonable timeframe to remove the content. Providers must retain, for a period of 1 (one) year, information related to each advertisement or boosted content and respective advertisers. The Decree also requires the removal, upon notification, of content constituting misleading, abusive, or fraudulent advertising under the Consumer Protection Code.

5. Transparency and self-regulation: providers must diligently monitor and manage the systemic risks of their services, and must publish terms of use and other forms of self-regulation covering the notification system, due process, and annual transparency reports on notifications, advertisements, and paid content boosting.

 

6. Record retention: expands data retention obligations for both internet connection and application providers, including the retention of logical source port information associated with IP address records for terminal identification purposes in investigations, subject to the safeguards under the Brazilian Civil Rights Framework for the Internet.

 

7. Exceptions to the duty of care: the duty of care regarding criminal or illegal content, including those related to systemic failure and proactive moderation, does not apply to certain categories of services, such as e-mail services, instant messaging (regarding interpersonal communications protected by communication secrecy), and restricted-group audiovisual communications that enable meetings, calls, or videoconferences in access-controlled environments. In such cases, liability remains conditional upon non-compliance with a specific court order.

Decree No. 12,976/2026

8. Protection of women in digital environments: establishes specific measures aimed at preventing and combating violence against women in digital environments. The regulation adopts principles such as: non-discrimination based on the female sex; protection of privacy and personal data; victim-centered approach, ensuring adequate support, preservation of evidence, and accessibility of reporting channels; non-revictimization; and recognition of intersectional discrimination as an aggravating factor in digital violence.

 

9. Expanded concept of online violence against women: broadly defines “violence against women in digital environments”, encompassing practices such as cyberstalking, non-consensual dissemination of intimate content, gender-based political violence, aggravated threats, intimate deepfakes, and digital surveillance, among others.

 

10. Content removal deadlines: until specific regulations are issued, providers must, upon notification, remove the content or inform the reasons for its maintenance and the available means of challenge. For manifestly illegal content, the deadline is up to 6 hours; for other cases of violence against women in digital environments, up to 24 hours. Non-consensual intimate content must be removed within 2 hours, with removal across the entire application and automatic re-upload blocking. The regulation also establishes minimum formal requirements for notices and provides challenge and reconsideration mechanisms, balancing victim protection with procedural safeguards.

 

11. Prohibition on AI-generated intimate content: expressly prohibits the generation and modification of third-party intimate content through artificial intelligence or any other technological resource. Providers based on AI functionalities must implement technical safeguards to identify and block requests for generating such content.

 

12. Mitigation of coordinated attacks: providers must adopt proportionate technical measures to reduce the reach and visibility of coordinated attacks against women, regardless of prior notice. Priority treatment shall apply in cases of political violence against women and situations involving women with public exposure arising from their professional activities.

What changes in practice?

The new regulations significantly expand the governance, transparency, and content moderation obligations applicable to digital platforms operating in Brazil. The rules indicate a broader regulatory trend toward increased platform accountability, particularly regarding the prevention of systemic harms, protection of vulnerable groups, and mitigation of unlawful content.

In practice, technology companies, social media platforms, marketplaces, content-sharing services, and other internet application providers will need to review their moderation mechanisms, notice-and-action procedures, transparency policies, governance structures, digital compliance protocols, and advertising and content boosting policies. Special attention should be given to the establishment of a legal representative in Brazil, the implementation of reporting channels, and the adequacy of terms of use.

If you have any questions about the above, please do not hesitate to contact us.