The implementation of the Prohibited Players API ('API de Impedidos') by the Secretariat of Prizes and Betting (SPA/MF) marks a significant milestone in regulatory compliance for fixed-odds betting operations in Brazil.
The mechanism will allow real-time identification of users legally prohibited from betting, such as beneficiaries of the Bolsa Família Program and other categories defined by Law No. 14.790/2023 and complementary regulations.
Direct operational impact
The API will become a mandatory verification layer within KYC, due diligence, and anti–money laundering flows, resulting in:
* immediate blocking of prohibited users;
* reduction of irregular registrations and mitigation of regulatory risk;
* greater alignment with integrity and social protection requirements;
* auditable traceability for SPA oversight.
This process reduces operators’ exposure to administrative sanctions and increases regulatory predictability in onboarding, ensuring protection of vulnerable groups identified by the Federal Government.
Data protection considerations and legal limits
Because it involves queries to government databases, the API requires strict adherence to the principles of the Brazilian General Data Protection Law (LGPD), especially:
* Purpose: exclusive use for verifying impediments established by law or regulation;
* Necessity and minimization: processing only data strictly required;
* Transparency and governance: operators must maintain logs, access controls, and audit trails;
* Non-discrimination: processing cannot generate restrictions beyond those defined by SPA.
Any interpretative expansion by the operator may constitute a violation of the LGPD, generating administrative or civil liability.
Required regulatory guidelines
To ensure legal certainty and interoperability, the SPA must define minimum technical specifications, including:
- authorized query parameters;
- categories and granularity of returned data;
- auditing and event logging requirements;
- data retention and disposal rules;
- query limits to prevent abusive use.
The absence of these parameters could create legal uncertainty and risk of liability for operators, platforms, and integrators.
Conclusion
The Prohibited Players API is an important step toward raising integrity and compliance standards in the Brazilian iGaming market, aligning it with international best practices. Its adoption, however, requires technical and legal rigor: transparency, proportionality, robust controls, and strict compliance with the LGPD and SPA regulations.
For operators, preparation must begin now — adjusting systems, onboarding flows, audit trails, and governance structures to ensure a secure integration fully aligned with regulatory requirements.
Hugo Ribeiro
Legal Manager at Cactus Gaming
