Brazil Builds Its Own Scanning Lab

When Brazil builds its own scanning lab

This week, the operational scaffolding behind Brazil's gambling enforcement got a name and a number. The Secretaria de Prêmios e Apostas (SPA), working with telecoms regulator Anatel, confirmed that its dedicated scanning laboratory has identified and submitted blocking orders for more than 41,000 unlicensed gambling sites since launch. Apple, in a separate but synchronized move, started enforcing a requirement that any gambling app served to Brazilian users hold a current SPA license, with non-compliant apps pulled from the local App Store.

For operators reading these stories as separate, they look like Brazilian housekeeping. For operators reading them together, they are the same story most other markets have already written: a regulator stops chasing creatives one by one and starts running an industrial scanning surface, while platforms collapse the distance between licensing status and distribution. Brazil is now operating that template at scale.

What actually changed

Three operational shifts sit underneath the 41,000-site headline:

• A dedicated scanning lab. SPA-Anatel's joint laboratory is no longer a pilot. It runs continuously, ingests automated crawls, and produces blocking orders in volume. The cadence is built for industrial output, not case-by-case enforcement.
• Platform-layer gating. Apple's enforcement of SPA licensing as an App Store gate means an unlicensed operator no longer reaches Brazilian players through one of the two dominant distribution platforms, before any regulator opens a file. Google Play has been operating a similar gate since the licensed market opened in January.
• Joint and several affiliate liability. Ordinance 1,231 makes the licensed operator jointly liable for advertising conducted by affiliates, influencers, and third-party platforms under its brand. With the SPA now operating at scanning-lab cadence, every affiliate creative becomes part of the operator's compliance surface in a way that is provable from outside the operator's own logs.

The combined effect is that the visible Brazilian affiliate window narrowed substantially in the last week, even though the underlying rulebook did not change.

Why this looks like the rest of 2026

Brazil's scanning lab is not an outlier in the global pattern. The shape repeats across regulators that have moved from policy authorship to industrial operation:

• The Dutch KSA blocked more than 1,200 unlicensed domains in Q1 2026 and submitted 4,600+ Meta reports in April alone.
• Spain's DGOJ issued €10.29M in advertising-related sanctions across nine rulings in Q1 2026, including the Make Money Now case that pulled affiliate-style content off Instagram, Kick, X, and Discord.
• The UK Gambling Commission ran 9,700 compliance actions in 2024/2025 and has confirmed a dedicated head of illegal markets role to coordinate the scanning surface for the next twelve months.
• Australia's ACMA has blocked more than 1,500 offshore sites and recently issued its first enforcement notice against a payment facilitator.

Brazil is now plugged into that pattern with its own infrastructure. The scanning lab is the visible part. The Apple and Google Play gates are the invisible part. The licensed operator sits in the middle, with affiliate liability that scales to the size of the scanning surface above it.

Where the operator exposure actually lives

The temptation, again, is to read this as an unlicensed-operator story. The exposure on licensed operators is structural and worth naming.

First, the SPA-Anatel laboratory does not stop at the 41,000-site blocking list. The same scanning infrastructure that surfaces unlicensed brands surfaces affiliate creatives that promote licensed brands non-compliantly. Ordinance 1,231 makes the licensed operator responsible for those creatives whether the operator served them directly or an affiliate did.

Second, Apple's enforcement raises the cost of being briefly out of compliance. An app that loses its slot in the Brazilian App Store does not recover overnight. For an operator whose affiliate creatives are catching SPA attention, the upstream platform consequence is measured in distribution lost, not just fines paid.

Third, Brazil's licensed affiliate market is young enough that audit muscle is still forming. Operators with established affiliate compliance programs in Europe are running parallel programs in Brazil that often rely on screenshots, monthly QA samples, and a vendor's quarterly report. None of that holds up against a scanning lab running continuously.

Where text-only compliance falls short of the Brazilian shape

A compliance stack built around static URL scans was designed for a slower, more siloed enforcement world. Under SPA-Anatel cadence, three gaps surface immediately:

• Visual evidence. The lab anchors its enforcement decisions to rendered creatives, video frames, and social overlays. A text scanner reading HTML cannot see what an automated screenshot stack is seeing.
• Cross-platform attribution. Affiliate spend in Brazil routes heavily through TikTok, YouTube, Instagram, Kick, and Twitch. A compliance program that audits only affiliate websites misses where most of the live creative actually lives.
• Geographic rendering. A page served to a São Paulo player is not the same page served to a Lisbon QA seat. Without rendering from inside Brazil, on Brazilian IP, the operator cannot see what the SPA sees.

How kaspero matches the Brazilian cadence

kaspero was built for the surface the SPA-Anatel lab is now operating on at scale. Continuous rendering of affiliate pages from inside Brazil. Frame-by-frame analysis of influencer video and short-form social. Brand, logo, and bonus-claim detection across creatives served by external networks. Time-stamped, geographically tagged visual evidence per asset, exportable in the format the SPA, or Apple, or Google Play, would actually request.

The point is not that text scanning is wrong. The point is that a regulator with a dedicated scanning laboratory and a distribution gate above the operator's own marketing stack describes a single compliance reality: the affiliate window in Brazil is now narrower, faster, and watched from more angles than the one operators were auditing in April.

Three audits worth running this week

Regardless of tooling, three reviews follow directly from the Brazilian shape:

1. Render from inside Brazil. Pull your top ten Brazilian affiliates. Render each page from a Brazilian IP. Compare to your QA snapshot. Anywhere they diverge, the SPA is already looking.
2. Map your affiliate footprint on Brazilian social platforms. List every compensated influencer and affiliate creative running on TikTok, YouTube, Instagram, Kick, and Twitch under your brand. Confirm you have a current visual screenshot for each. The ones you cannot evidence are exposure today.
3. Time your platform-gate response. If Apple or Google Play opened a query tomorrow about a specific affiliate creative associated with your app, how long would it take to produce time-stamped visual evidence? If it is more than an hour, the gap is structural.

Closing thought

The 41,000-site blocking number is the visible part of Brazil's new enforcement posture. The harder part for licensed operators is what the same scanning lab does to affiliate creative surfaces that point at licensed brands. The window narrowed quietly. Apple closed one edge of it. The SPA-Anatel laboratory will close the others on a schedule no operator gets to set.

The licensed operators who keep treating Brazil as a young market with light enforcement will find out, on the regulator's timing, that the scanning surface has already lapped them. The ones who can produce the same evidence the lab produces, from inside Brazil, continuously, will keep their licenses and their App Store slots.