16.1 Introduction
As a result of the broad digital transformation process, e-commerce is a commercial modality conducted over the internet and may occur between businesses and consumers (B2C), businesses and businesses (B2B), or between consumers (C2C).It is a form of commercialization in which the purchase and sale of products or services, as well as financial transactions, are carried out entirely online through electronic devices such as computers, smartphones, or tablets.
This practice is regulated in Brazil by a set of various laws which, collectively, establish the applicable rules for e-commerce, with a special focus on B2C relationships (i.e., between businesses and consumers). Among these rules, the following deserve special mention: (i) the Consumer Protection Code (Law No. 8,078/90); (ii) Decree No. 7,962/2013, which regulates electronic commerce contracting; (iii) the Brazilian Internet Bill of Rights (Law No. 12,965/2014), which sets forth the rights and obligations of internet users and service providers in the country; (iv) the General Data Protection Law – LGPD (Law No. 13,709/2018); (v) the Civil Code (Law No. 10,406/2002); and (vi) regulations, rules, and technical notes issued by consumer protection authorities, in particular the National Consumer Secretariat – SENACON, linked to the Ministry of Justice and Public Security.
We will detail below the provisions mentioned above and their context within e-commerce.
16.2 Brazilian Legislation
16.2.1 Consumer Protection Code (CDC) and Decree No. 7,962/2013
The Consumer Protection Code (“CDC”) establishes rules for the protection and defense of consumers applicable to all types of commerce and service provision, including activities carried out online. Its purpose is to ensure good faith in consumer relations and to prevent harm to consumers. Among its main principles and guarantees are: (i) the principle of the supplier’s objective good faith, which means that the commercial establishment must provide, in good faith, all relevant information to the consumer in order to enable an informed choice; (ii) the supplier’s liability for any defect and/or flaw in the purchased product and/or service; (iii) the supplier’s obligation to comply with the exact terms of the offer, under penalty of the consumer being entitled to demand fulfillment of the advertised conditions; and (iv) the presumption of consumer vulnerability in relation to the supplier, as the weaker party in the relationship and, therefore, entitled to differential treatment in case of dispute or litigation.
Complementing the CDC, Decree No. 7,962/2013 — known as the E-commerce Law — specifically addresses e-commerce and sets forth additional guidelines for the contracting of products and services over the internet. Among the main obligations imposed on online suppliers are: (i) providing physical and electronic addresses on their websites; (ii) clearly displaying their full identification in a prominent and easily accessible location; (iii) presenting, at a minimum, a summary of the contract to be concluded between the parties before finalizing the transaction, and the full document after completion; (iv) maintaining an efficient customer service channel; and (v) informing consumers of their right of withdrawal and ensuring this right is enforceable.
In addition to these requirements, CDC and the Decree prohibit contractual clauses that unduly exempt or limit suppliers’ liability, reinforcing contractual protection for consumers.
This legal framework provides broad protection to end consumers in Brazil, including in the digital environment, ensuring ethical, transparent, and clear treatment regarding information.
This is especially relevant in B2C relationships, where there is technical and economic asymmetry between the parties.
16.2.2 Decree No. 10,271 of 2020 (Mercosur)
In March 2020, Decree No. 10,271 was enacted, subjecting Brazilian jurisdiction to compliance with GMC Resolution No. 37/19, which applies to all consumers and suppliers who are domiciled, established, or commercially active within specific domains of the internet in Mercosur countries.
Guarantees such as the right to withdraw and the availability of commercial information about the supplier, among others, must be observed by these suppliers. This harmonizes the minimum consumer protection obligations in e-commerce across the four Mercosur Member States (Argentina, Brazil, Paraguay, and Uruguay), by establishing a standard level of protection.
Furthermore, the decree strengthens consumer protection by: (i) reaffirming the supplier’s duty to present a summary of the contract to be executed, highlighting the most relevant clauses for the consumer; (ii) explicitly providing for cooperation among national consumer protection authorities; and (iii) mandating the adoption of online dispute resolution (ODR) mechanisms that are fast, fair, transparent, and low-cost, so consumers can effectively resolve their complaints.
In Brazil, some online dispute resolution platforms already exist, such as “consumidor.gov”, in addition to traditional mechanisms such as mediation, negotiation, and arbitration. These methods have now returned to the digital environment with legal backing, driven by the need to ensure security for online consumers. For this reason, compliance with such mechanisms has become imperative for companies operating in this market.
It is worth noting that implementing ODR mechanisms has proven to be a challenge for companies, which must develop innovative, user-friendly, and practical solutions to enhance consumer experience. A good example is the system adopted by platforms like Amazon, which combines automated and, when needed, personalized support.
Finally, the decree also includes several articles that guide the drafting of Terms and Conditions, serving as a solid framework for what these documents should cover in Brazil and other countries. In summary, it is essential to ensure that consumers are clearly and adequately informed about the conditions of the offer, as well as their rights, with companies facilitating the exercise of such rights through accessible customer service channels and clear guidance on how to reach them.
16.2.3 Brazilian Civil Rights and the Brazilian General Data Protection Law (LGPD)
Regarding internet regulation in Brazil, two key pieces of legislation deserve special attention: the Brazilian Civil Rights (Law No. 12,965/2014 – “MCI”) and the Brazilian General Data Protection Law (Law No. 13,709/2018 – “LGPD”).
The MCI establishes principles, guarantees, rights, and obligations for the use of the internet in Brazil, serving as a foundational legal framework for digital relations. The law reaffirms the applicability of consumer protection rules to relationships established via the internet, provided that a consumer relationship is characterized between the parties.
In addition, the MCI addresses topics directly related to e-commerce operations, such as the protection of privacy and personal data, the retention of access logs, and the liability of internet service and application providers.
Complementarily, the LGPD, enacted in 2018, strengthened citizens’ control over their personal data and established clear rules on the collection, use, storage, and sharing of such information. The law applies to any personal data processing operation, broadly defined as any activity involving data related to an identified or identifiable natural person, including but not limited to collection, use, access, reproduction, classification, deletion, and sharing.
In the context of e-commerce, the LGPD imposes several obligations on data processing agents, especially regarding the requirement of a legal basis for the processing of personal data. As a general rule, except in cases expressly provided by law, data cannot be collected without the data subject’s consent. Such consent must be obtained in advance and in a clear, transparent, and adequate manner regarding the purposes of the processing, in accordance with the principle of transparency.
The LGPD also ensures various rights for data subjects, granting them greater control over their personal data and allowing them to request from data controllers or processors: (i) confirmation of the existence of data processing; (ii) access to the personal data held by the company; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data; (v) portability of the data to another service or product provider; (vi) deletion of data; (vii) information about who the data has been shared with; and (viii) information on the possibility of denying consent and the consequences of such refusal.
It is important to emphasize that the LGPD does not prohibit the collection and/or use of personal data but instead establishes criteria and safeguards to ensure that data subjects are aware of, have control over, and feel secure about how their data is processed.
Therefore, it is essential for companies operating in the e-commerce of products and services to adapt their practices and operations by the requirements of both the MCI and the LGPD. Doing so ensures greater clarity and transparency in relationships with customers and consumers, while mitigating risks and reducing exposure to the penalties established by the legislation.
16.2.4 SENACON
In Brazil, the National Consumer Secretariat (Secretaria Nacional do Consumidor – SENACON) was created in 2012 by Decree No. 7,738/2012, as part of the Ministry of Justice. Its purpose is to oversee the planning, development, coordination, and execution of the National Policy on Consumer Relations, specifically aiming to: (i) ensure the protection and enforcement of consumer rights; (ii) promote harmony in consumer relations; (iii) encourage the integration and joint actions of the members of the National Consumer Defense System (Sistema Nacional de Defesa do Consumidor – SNDC); and (iv) participate in national and international bodies, forums, commissions, or committees that deal with consumer protection and defense or matters of consumer interest, among other responsibilities.
- COMBATING PIRACY
As part of its activities, SENACON has been implementing several initiatives to combat the trade of illegal products, particularly in the digital environment. These initiatives include the issuance of ordinances, technical notes, and even simple recommendations regarding repressive and preventive measures to be adopted by e-commerce platforms in the fight against piracy.
Examples of such measures include the requirement for the selection and registration of suppliers to allow greater control by websites over the products being sold, as well as the obligation to report the trade of illegal products to the competent authorities—such as the National Council to Combat Piracy (CNCP) and SENACON—as soon as such activity is identified, along with updates on actions already taken.
The agency also points out that platforms that fail to act may be held liable for damage caused to consumers and are not exempt from legal obligations.
In addition, SENACON has published the Guide of Best Practices and Guidelines for E-commerce Platforms, which aligns with the Draft Recommendation on Consumer Product Safety issued by the Working Party on Consumer Product Safety of the OECD.1
This document applies to and covers “the entire supply chain, including manufacturers, retailers, online platforms that allow third parties to sell products to consumers, as well as fulfillment centers.” Therefore, both direct e-commerce platforms and indirect platforms (marketplaces) must remain attentive to and in compliance with these guidelines.
The document also provides for sanctions and recommendations, while encouraging the adoption of policies, notification procedures, reporting systems, consumer feedback mechanisms, monitoring of offenders, cooperation with public authorities, and the implementation of listed preventive measures.
Although it is not binding, adherence to the rules outlined in the Guide is recommended, as it promotes a digital business environment based on good faith and self-regulation—one that is healthy, competitive, and free from illegal products, whether pirated, smuggled, or in any way infringing rights (consumer rights or intellectual property rights). Such adherence demonstrates the commitment of participants to combating these practices.
2. RECALLS
As expressly provided by the Consumer Protection Code (CDC), the supplier must guarantee the safety of the products and services it offers to consumers and is obliged to report any defects discovered after such products or services have been placed on the market. The rule establishes that products or services made available for consumption must not pose risks to the health and safety2 of those who purchase them, except, of course, for risks that are considered normal and foreseeable due to their nature and intended use.
The recall process aimed at repairing and/or replacing a defective product and/or service placed on the market (i.e., Recall Campaign) is regulated by Ordinance No. 618/2019 issued by the Ministry of Justice, with oversight and enforcement support provided by SENACON.
According to this regulation, if a supplier becomes aware of the possibility that harmful or hazardous products or services have been introduced into the Brazilian consumer market, they must notify the National Consumer Secretariat (SENACON) within twenty-four hours of the start of the investigation.
If the investigation confirms the harmfulness or hazardousness of the product or service, the supplier must notify SENACON and the relevant regulatory or supervisory authority within two business days from the decision to initiate a recall.
This communication must be submitted in writing, preferably through the Electronic Information System (SEI) or another system implemented by SENACON, and must contain the following information: (i) full identification of the supplier (corporate name, trade name, business activity, CNPJ – Brazilian corporate taxpayer number, business address, among others); (ii) detailed description of the product or service and the defective component, with all necessary identification characteristics, especially: brand, model, batch, serial number, chassis number, start and end dates of manufacture, and photo; (iii) detailed description of the defect along with the technical information needed to clarify the facts, including the exact date (day, month, and year) and the manner in which the harmfulness or hazardousness was detected; (iv) a description of the measures already taken and the proposed actions to resolve the defect and eliminate the risk; (v) a media plan to inform affected consumers; and (vi) a customer service plan, among other required elements.
Further information can be found in the Safe Consumption and Health Guide published and made available by SENACON at the following link: https://www.justica.gov.br/seus-direitos/consumidor/Anexos/PerguntaseRespostasVF1.pdf.
2 Decree No. 7,962 of March 15, 2013, specifically lists the following: essential characteristics of the product or service, including any risks to consumers’ health and safety; itemized pricing of any additional or ancillary charges, such as delivery or insurance fees; full conditions of the offer, including payment methods, availability, and the manner and timeline for service performance or product delivery or availability; and clear and prominent information regarding any restrictions on the enjoyment of the offer.
16.2.5 Domain Name
For an e-commerce business to operate in Brazil, it is possible to register a domain name under the “.br” category through Registro.br. The domain name may be registered under either an individual or a legal entity.
For foreign companies wishing to register a domain name in Brazil, it is necessary to have a legal representative (attorney-in-fact) in the country who can act on their behalf for this type of service. Furthermore, if the foreign company has not yet established a legal entity in Brazil, it must sign a letter stating that within a twelve (12)-month period, it will incorporate a company in Brazilian territory, begin operations in Brazil, and establish a physical address in the country.
Domain names are registered without prior verification of potential conflicts with third parties. Therefore, in the event of a domain name dispute, the CGI.br has implemented an administrative body responsible for resolving domain name conflicts3.
A domain name may be challenged when used in bad faith, and in the following cases:
- It is identical or confusingly similar to a trademark that is already registered or filed in Brazil before the domain name registration.
- It is identical or confusingly similar to a well-known mark, even if not registered in Brazil; or
- It is identical or confusingly similar to another domain name, company name, family name, known pseudonym, artistic name, etc.
The administrative body, upon reviewing the dispute, may decide to maintain, cancel, or transfer the domain name. However, its decisions may not impose penalties and may be challenged in court.
3 In the event of a dispute involving domain names under “.br”, Registro.br implemented, as of October 1, 2010, the SACI-Adm (Administrative System for Internet Conflicts), an extrajudicial mechanism for resolving conflicts related to domain name ownership. This system applies only to domain names registered from that date onward and allows trademark holders to challenge registrations deemed abusive or in violation of previously established rights.
16.2.6 Establishing an Online Store
Any company is free to operate through e-commerce in Brazil as long as it is duly incorporated and established by the law and conducts lawful activities. Therefore, all the requirements applicable to a traditional (non-digital) business are, in principle, fully appropriate to electronic commerce. However, specific rules related to e-commerce must be observed on websites or apps, particularly due to the digital nature of the operation.
First and foremost, the online store must visibly display the company’s information, such as its name, physical and electronic addresses, taxpayer registration number (CNPJ), as well as clear, precise, direct, and prominent information about the products and services offered—such as price and payment methods, quantity, specifications and characteristics, and any other relevant information for the consumer’s understanding and use.
It is also important to emphasize that the terms and conditions related to the purchase of products or services, as well as the website’s terms of use, privacy policies, and any other binding documents, must be accessible before the completion of the transaction and must be included on the website in a way that makes them easily found and accepted.
Additionally, the online store must have a reliable and secure system for recording purchases and processing payments, requiring the user’s informed consent for the use of their personal data, and allowing consumers to review and confirm their information, correct errors, and cancel the transaction, if they choose, before it is finalized. In this regard, best practices commonly adopted in European e-commerce are generally sufficient to provide both consumer and business security.
Moreover, the online store must provide customer service for inquiries, complaints, and requests related to the suspension or cancellation of purchases or services, available both by phone and email via the website4. The company is also required to register customer service requests with tracking numbers and allow customers to follow up, responding to inquiries or complaints within five (5) business days.
Given this, in some instances, it may be advisable to separate the e-commerce platform intended for Brazilian customers from that targeting customers in other countries, due to the specific requirements of Brazilian consumer protection law. In such cases, separation by IP address blocks and country-code top-level domains (ccTLDs such as “.br”), registered through Registro.br (Brazil’s official domain registry managed by the Brazilian Internet Steering Committee), may be used. The rules of Registro.br are generally aligned with international standards, such as those adopted by ICANN.
There is no general prohibition against a foreign company selling its products in Brazil through an online store hosted and operated abroad. However, any product shipped from outside the country will be treated as an import. Importantly, Brazilian laws on consumer protection, internet user rights, and personal data protection will still apply fully to such companies, and any resulting responsibilities or penalties may be enforced—even in these cases—particularly if the company is established in Brazil or has a branch, subsidiary, or representatives in the country.
4 Articles 7, VII to X, 10, 11, and 12 of the Brazilian Civil Rights (Marco Civil da Internet), and Articles 43 and 44 of the Consumer Protection Code (Código de Defesa do Consumidor – CDC).
16.2.7 Online Sales
In Brazil, except in special cases, purchase and sale agreements do not require specific formalities to be considered valid. Thus, e-commerce can operate in a functional and straightforward manner when it comes to executing sales, by collecting buyer information—such as name, Brazilian taxpayer identification number (CPF), and address—and confirming the buyer’s acceptance of the terms of sale through standard contract terms. The product is then delivered after payment and has been confirmed through the selected method, along with other standard provisions applicable to contracts of this nature.
In this context, consumer protection rules and regulations apply to consumer relationships established over the internet5. However, there is a particular provision in Brazilian law that guarantees consumers residing in Brazil a seven (7)-day period after delivery to cancel the purchase and return the product purchased online6 without needing to justify the reason. The consumer is entitled to receive a full refund, either via chargeback or bank transfer7.
Regarding the sale of products over the internet, the legality of each product offered for sale in Brazil must be verified on a case-by-case basis, including any restrictions on its sale—such as the requirement for registration with public regulatory agencies like Inmetro, Anatel, Anvisa, or MAPA—or age restrictions and special purchase authorizations. The verification and enforcement of such requirements must be operationalized according to the specifics of each business.
In the case of the sale of licenses for video games and software, movies and music, e-books, and other intellectual goods, Brazilian copyright law (Law No. 9,610 of February 19, 1998) also applies. In the case of films, the regulations issued by the National Film Agency (ANCINE) must be observed. In addition, license terms must be provided and accessible to consumers before the conclusion of the sale. They may not be unilaterally modified unless explicitly permitted or preceded by prior notice.
5 Article 7, XIII of the Brazilian Civil Rights (Marco Civil da Internet).
6 There are still controversies regarding how to uphold this right in the case of purchases of virtual goods without digital rights management mechanisms (e.g., downloads, printable tickets for events).
7 Article 49 of the Consumer Protection Code and Article 5 of Decree No. 7,962 of March 15, 2013.
16.2.8 Liability
The rules on liability for defects and harmful events related to products and services sold by online stores are the same as those applied to merchants operating through physical stores. Under the Consumer Protection Code (CDC), both sellers and manufacturers are liable for any defects a product or service may present, as well as for any delays or failures in delivering products or providing services. By law, regardless of the granting or sale of extended warranties, sellers and manufacturers are jointly liable for ensuring their products are free from defects. The standard legal warranty period is thirty (30) days from the date of delivery or the discovery of the defect for non-durable goods, and ninety (90) days for durable goods8.
In the event of a defect in a product or service, the law grants a thirty (30)-day period for repair9. If the defect cannot be remedied within this timeframe, the consumer is entitled to choose between a price reduction, a replacement, or a refund of the full amount paid.
Additionally, it is important to note that a company operating an e-commerce platform may be held liable for unlawful acts committed by consumers or other users of its platform if it is unable to cooperate with Brazilian authorities in identifying the person responsible for infringing third-party rights through its service.
Therefore, it is recommended that access and activity data of consumers and other users of the website be stored for at least six (6) months, in accordance with the Brazilian Civil Rights (Marco Civil da Internet), or even for a longer period in specific cases as provided by sectoral legislation10. This data collection and storage must be disclosed to users in the privacy policy and any applicable consent forms, as must be the case for other personal data processing activities.
Furthermore, with respect to the collection of consumer and user data on e-commerce platforms, the provisions of the General Data Protection Law (LGPD) must be observed. This is because, in the event of a violation of the LGPD resulting from personal data processing, the controller11 or the processor may be held liable—jointly or separately—and required to remedy the violation. In this sense, both the controller and the processor must maintain records of personal data12 processing operations in case a violation of the LGPD is later identified.
Brazilian case law has increasingly recognized the possibility of holding Brazilian branches, subsidiaries, or agents of foreign companies liable, even when the parent company is based abroad. In exceptional cases, lower court rulings have ordered the blocking of foreign internet services in Brazil by telecommunications operators due to the companies’ refusal to comply with court orders.
8 Articles 26 and 27 of the Consumer Protection Code. It is worth noting, however, that there are scattered court decisions seeking to extend this legal warranty to cover the entire useful life of the product, in the case of goods with greater durability.
9 Except for products or services considered essential, in which case repair or replacement must be immediate. There is no clear definition of which specific services are deemed essential, so the matter must be assessed on a case-by-case basis—product by product or service by service—where a cautious approach is recommended.
10 For example, in cases where there is a specific request from a competent authority to extend this period with respect to certain data.
11 Article 5, VI, of the General Data Protection Law (LGPD):”Controller: natural person or legal entity, under public or private law, who is responsible for making decisions regarding the processing of personal data.”
12 Article 37 of the General Data Protection Law (LGPD):”The controller shall keep records of the personal data processing operations it carries out, especially when based on legitimate interest.”
Authors: Pedro Szajnferber De Franco Carneiro and Gabriela Ongari
Spiewak, Carneiro, Barbosa, Carvalho e Maia Sociedade de Advogados
Al. Campinas, 1.077 – 12th floor
01404-001 São Paulo – SP
Phone: (11) 2039-0130
www.splaw.com.br