Doing Business in Brazil

16. E-commerce


16.1. Introduction 

As a result of the broad process of digital transformation, electronic commerce, or e-commerce, is the commercial modality conducted through the internet, which can take place between companies and consumers (b2c), companies and companies (b2b), or between consumer and consumer (c2c).

The figures related to e-commerce are impressive, and continue to grow year after year. The industry had revenues of approximately R$ 75 billion in 2019, with turnover growing by 22.7% during that same year¹. It is worth noting a growth of at least 30% in number of on-line stores only in the first half of March², mainly due to the COVID-19 pandemic.

The activity is regulated in Brazil by different legislation that, as a whole, establish the rules applicable to electronic commerce with a special focus on B2C relations (that is, companies and consumers). Among such rules, we highlight the following: (i) the Consumer Protection Code – CDC (Law No. 8,078/90), Decree No, 7,692/2013, which regulates contracting in electronic commerce, (iii) the Civil Framework of Internet (Law No. 12,965/2014), which establishes the reciprocal rights and obligations of Internet-related users and service providers in the country; (iv) General Data Protection Law (Law No. 13,709/2018), (v) the Civil Code (Law No. 10,406/2002), and (vi) ordinances, rules and technical notes issued by the support and consumer protection agencies, including Secretaria Nacional do Consumidor (the National Consumer Secretariat) – SENACON, which is part of the Ministry of Justice and Public Security.

Recently, more precisely on March 6, 2020, Brazil has incorporated, through Decree No. 10.271, GMC Resolution No. 37/19 as adopted by Grupo Mercado Comum (the Common Market Group) on July 15, 2019, which provides for consumer protection in e-commerce transactions. Part of the concepts, obligations and provisions provided by the rule are already supported and established in the above-mentioned local rules, especially the CDC. We will detail below these provisions and context in the scope of e-commerce.

16.2. Brazilian Legislation

16.2.1. CDC and Decree 7,962/2013

The CDC establishes consumer protection and defense rules applicable to all types of commerce and service provision transactions, among which the most important are the following: (i) the principle of the supplier’s objective good faith, which means that the establishment is responsible for providing, in good faith, all information to consumer in order to ensure their best choice, (ii) the supplier’s responsibility for any defect and/or malfunction to the purchased product and/or service; (iii) the supplier shall be binding to the exact terms of the offer, under penalty of consumer being able to demand compliance with the offered conditions; and (iv) the premise of the consumer’s vulnerability vis-à-vis supplier, as the most fragile part of the relationship and which, therefore, shall be subject to different treatment in the event of dispute or litigation.

In turn, Decree 7,962/2013 regulates the CDC, and specifically deals with electronic commerce by providing for, among others, the following obligations to suppliers of on-line products and/or services: (i) to inform on the websites their physical and electronic addresses; (ii) to keep their complete identification in a prominent and easily accessible place; (iii) to submit at least a kind of summary of the agreement to be entered into between the parties, before the closing of the transaction, and the entire document after completion; (iv) to maintain an efficient customer service channel; and (v) to inform and enforce the consumer’s right to repent.

Contractual rules, as provided for by the CDC and enforced in the Decree, are also applicable, such as those that prevent supplier from setting a section exempting or mitigating suppliers’ liability.

In addition to these specific provisions, this legal framework brings several guarantees and provides protection to final consumers of products in Brazil, including on the internet, against possible abuses by companies that may be in a position of greater economic or technical control in the relationship, especially in the B2C market (business-to-consumer, intended for the final consumer). 

In general, both the CDC and the Decree aim at consolidating the culture of ethical, transparent treatment, with greater clarification in relation to information, and facilitating the corporate accountability in cases of irregularities or defects in their products or services.

Considering that, at the national level, any commercial relations established on the Internet are subject to these same rules and principles, a proper document with the “Terms of Use” and well-designed “Policies” which also reflect these consumer guarantees are important instruments that must be used to build the reliance on e-commerce in the market. 

16.2.2. Decree 10.271/2020 (Mercosur)

In March 2020, Decree 10.271/2020 was issued, subjecting the national jurisdiction to compliance with GMC Resolution No. 37/19, which applies to all consumers and suppliers, whether based, established or with commercial operation under some of their domains on the Internet in Mercosur countries.

Guarantees such as right of repentance, provision of supplier’s commercial information, among others, must be observed by such suppliers, which harmonizes the minimum consumer protection obligations in electronic commerce between the four State Members of Mercosur (Argentina, Brazil, Paraguay and Uruguay), through a common level of protection.

In addition, the decree extends the consumer protection, since it: (i) reiterates the duty of suppliers to submit in advance a summary of the agreement to be entered into, with an emphasis on the material sections for consumer; (ii) expressly provides for cooperation between national consumer protection bodies; and (iii) determines the adoption of on-line, expedite, fair, transparent and low-cost dispute resolution mechanisms, so that consumers can be satisfied with their complaints’ resolutions.

In Brazil, there are already some conflict resolution platforms (ODR – Online Dispute Resolution), such as “”, in addition to institutes such as mediation, negotiation and arbitration, but the fact is that they return to the digital sphere, supported by legislation due to a need to ensure security for consumers that operate online, requiring companies to act accordingly. 

It is noted that the structuring of ODR mechanisms has been a challenge to be faced by companies, in order to make them viable in an innovative, smooth and effective way, in order to improve the consumer experience. Good examples are the mechanisms already adopted today through platforms such as Amazon, which operates between automatic and personal customer service, if needed.

Finally, in the document it is also possible to note several articles that guide the elaboration of the Terms and Conditions, as a good framework of what should be observed in Brazil and other countries. In summary, good and clear instructions to consumer on the offer conditions have to be ensured, as well as the rights related thereto, with the guarantee of their exercise facilitated by e-commerce companies, either through proper customer service channels or by clear provisions on how to access them. 

16.2.3. Civil Framework and LGPD

With regard to the Internet regulation in Brazil, the Civil Framework of Internet (Law No. 12.965/2014) (“MCI”) and the General Data Protection Law (Law 13.709/2018) (“LGPD”) are worth mentioning. 

The MCI is a law that establishes general parameters about principles, warranties, rights and duties for the use of the Internet in Brazil. The wording thereof is quite clear by reaffirming the application of the consumer protection rules in this context, as long as a consumer relationship between the parties is determined. 

In addition, such Law also deals with other transactions conducted by electronic commerce establishments, including, without limitation, collection and processing of personal data and other issues involving the protection of privacy, provided that its rules and principles have implications in all relationships established through the Internet, including electronic commerce.

The LGPD, approved four years after the Civil Framework of Internet, strengthens the citizens’ power over the control of their personal data and information.

In general, the LGPD will have deep effects on electronic commerce transactions, and the way personal data shall be processed (i.e., “processing” shall mean, in a broad sense, any transaction performed using personal data, including collection, storage, access, reproduction, among others). In spite of the uncertainties regarding the beginning of effectiveness of the LGPD, companies will be required to observe principles³ and events for the processing of personal data provided for by the legislation, in order to lawfully use and process personal data.

For e-commerce, except in exceptional cases and as provided for in the LGPD, as a general rule, no personal data – information related to an identified or identifiable natural person – may be collected without consumer or user consent4, and provided they have been previously and clearly informed, subject to the principle of transparency5, in detail the reason for the collection, use and sharing of their data. 

The LGPD also provides for the rights of personal data6 subjects that give them greater control over their data, and make it possible for controllers or operators to request to process personal data: (i) confirmation of the existence of personal data processing, (ii) possibility of verifying what data the company holds about the subject, (iii) possibility of correcting incomplete, inaccurate or outdated data; (iv) anonymization, blocking or exclusion of unnecessary, excessive data or treated in non-compliance with the LGPD, (v) data portability to another service or product provider; (vi) exclusion; (vii) information about any parties with which their data was shared, and (viii) information about their right of not giving consent and the consequences of the refusal.

It should be noted that the LGPD does not prohibit the collection and/or use of personal data, but provides rules and guidelines for the subject to have knowledge and control over them.

Therefore, it is essential that companies with activities for electronic commerce of products and services adjust their practices and operations under the scope and requirements of both the Civil Framework and the LGPD, thus ensuring greater clarity and transparency in relationships with their clients and consumers, mitigating risks and reducing their exposure to the penalties provided for in that legislation. 

16.2.4. SENACON

In Brazil, the National Consumer Secretariat (Senacon) was created in 2012 as part of the Ministry of Justice, with the purpose of concentrating the planning, preparation, coordination and execution of the National Consumer Relations Policy, specifically with the objective of: (i) guaranteeing the protection and exercise of consumers’ rights; (ii) promoting harmonization in consumer relations; (iii) encouraging the integration and joint action of SNDC members; and (iv) participating in national and international bodies, forums, boards or committees dealing with consumer protection and defense, or with matters of interest to consumers, among others.


Within the scope of its activities, SENACON has been performing several actions to fight trade of illegal products, such as the issue of ordinances, technical notes and even mere recommendations for punitive and preventive measures to be observed by electronic commerce establishments with a view to fighting piracy.

In 2019, for example, the agency, in a supervisory measure, ordered several of these establishments to submit their anti-piracy policies. Based on the information obtained by 20 of them, the result was a study that listed the main difficulties and made recommendations for greater protection for consumers, and, as a consequence, for intellectual property owners. 

Examples of measures resulting therefrom are the obligation to select and register suppliers, aiming at greater control of websites over which the trade is made, and the need to inform the trade of illegal products to the proper bodies – such as Conselho Nacional de Combate à Pirataria (the National Board for Fighting Piracy (CNCP) and Senacon as soon as they are identified, as well as inform actions already taken.

The agency also establishes the possibility of making non-compliant platforms liable for damages caused to consumers and not being exempt from legal obligations. 

Also, SENACON published the Good Practices Guide and Guidelines for Electronic Commerce Platforms7, which observes and is in line with the Draft Recommendation on Consumer Product Safety, elaborated by the OECD Working Party on Consumer Product Safety.

Such document applies and covers “the entire supply chain, including manufacturers, retailers, online platforms that allow third parties to sell products to consumers, as well as call centers”. Therefore, it is crucial that direct electronic (e-commerce) or indirect (marketplace) establishments are attentive and observe these guidelines.

The document also provides for sanctions and reinforces the aforementioned directions arising from the 2019 inspection, in addition to encouraging the adoption of policies, notice procedures, reporting system, feedbacks, monitoring of offenders, cooperation with the government, and the adoption of listed preventive measures. 

Although not binding, the adhesion to the rules provided for in the Guide is recommended in order to promote a healthy, competitive digital business environment based on good faith and self-regulation, and free from illegal products, whether due to piracy, smuggling or otherwise, in violation of rights (of consumer or intellectual property), showing the commitment of the members in their fight.


The CDC requires Suppliers to guarantee to consumers the safety of products and services provided by them. This includes but is not limited to the obligation to report any defect after the entry of such products or services to the market. 

The rule establishes that products or consumables may not pose a risk to the health and safety8 of those who purchased them, except of course those deemed as normal and predictable due to their nature and use.

The recall process aiming at repairing and/or replacing a defective product and/or service placed on the market (i.e., Recall Campaign) is regulated by Ordinance No. 618/2019 issued by the Ministry of Justice, which inspection and support to compliance is also the responsibility of SENACON.

According to the rule, any supplier that becomes aware of the possibility that harmful or dangerous products or services have been introduced into the Brazilian consumer market shall, within twenty-four hours, notify the National Consumer Secretariat about the beginning of the investigations. 

If the harmfulness or dangerousness is verified in the aforementioned investigations, supplier shall notify the fact to SENACON and to the proper normative or regulatory body, within 2 business days from the decision to make the recall.

Such notice shall be made in writing, preferably through Sistema Eletrônico de Informações (the Electronic Information System) – SEI, or another system introduced by SENACON, and shall contain the following information: 

(i) the full identification of supplier (corporate name, trade name, economic activity involved, CNPJ, address of the establishment’s head office, among others); (ii) a detailed description of the product or service and the defective component, with the characteristics required for its identification, especially: brand, model, batch, series, frame number, start and end date of manufacture and photo; (iii) a detailed description of the defect, together with technical information required to clarify the facts, as well as the date, specifying day, month and year, and the way in which the harmfulness or dangerousness was verified; (iv) information on the measures already taken and proposed to be taken to resolve the defect and remedy the risk; (v) a media plan to inform the affected consumers; (vi) a customer service plan, among others.

Further information can be obtained in the Safe Consumption and Health Guide issued and disclosed by Senacon through the link

16.2.5. Domain Name

For an e-commerce to operate in Brazil, it is possible to register the domain name under the “.br” category with The domain name may be registered in the name of an individual or a legal entity.

For foreign companies willing to register a domain name in Brazil, it is necessary to have a representative in the country who can represent them for this kind of service. Furthermore, in case the foreign company does not yet have a company organized in Brazil, it is necessary to sign a letter, in which it is established that, within a period of twelve (12) months, the foreign company will organize a company in Brazilian territory to conduct activities in Brazil, with physical address in the country.

Domain names are registered without review of potential conflict with third parties. Therefore, in the event of a dispute involving a domain name, has established an administrative body responsible for resolving such disputes9.

The domain name may be challenged when used in bad faith, and in case it is:

  1. Identical or similar capable of causing confusion with a trademark already registered or filed in Brazil before such domain name registration;
  2. Identical or similar capable of causing confusion with a well-known trademark, even if not registered in Brazil; or
  3. Identical or similar capable of causing confusion with another domain name, business name, family name, known alias, artistic name, etc.

The administrative body, after analyzing the dispute, will decide to maintain, cancel or transfer the domain name. However, such decisions may not impose penalties and may eventually be challenged before the judiciary branch.

16.2.6. Establishing an Online Store

Any company is free to operate through e-commerce in Brazil, as long as it is regularly organized and established in accordance with legislation and conducts lawful activities. Thus, all the necessary requirements for a traditional (non-online) operation are, in theory, fully applicable to electronic commerce. However, specific rules applicable to e-commerce have to be observed for websites or applications, especially due to their digital nature.

First, a virtual store is required to prominently present the company’s data such as corporate name, physical and electronic addresses, registration number with the Brazilian Federal Revenue Service, as well as clear, accurate, direct and prominent information about services and products offered, such as price and methods of payment, quantity, specifications and characteristics, as well as other information that may be relevant to their use and enjoyment by consumer.

In this regard, it is important to highlight that the contractual terms of the purchase of product or service, as well as terms of use of the website, privacy policies and other documents binding on the consumer shall be accessible before the consummation of the deal, and included in the website so that they are easily found and accepted.

In addition, an online store must have a reliable and safe system for registering purchases and payments, and shall request user to give their informed consent to use their data, and make easier for consumer to confirm the data, correct errors, and withdraw from the transaction, if they wish, before its registration. In this regard, the good practices of e-commerce generally adopted in Europe are usually sufficient to provide security to consumers and companies in e-commerce.

In addition, any virtual store must have a customer service for information, questions, complaints, and suspension or cancellation of purchases or services, both by phone and email, which shall be provided on the webpage15. The company will also have the duty to register calls with protocol numbers and facilitate their follow-up by consumer, being required to give an answer within five (5) days to their questions or complaints.

Therefore, in certain situations, it may be recommended that e-commerce for Brazilians be segregated from that for nationals of other countries, due to the peculiarities of the Brazilian consumer legislation. In this case, it is possible to use a separation by IP  (internet protocol) numbering groups and domain names with Brazilian top-level domain (ccTLD .br), registered directly by the service of the Internet Steering Committee in Brazil, and subject to its rules, which are very similar to those adopted internationally by ICANN.

There is no generic prohibition for a foreign company to sell its products in Brazil through an online store hosted and operated abroad, provided that the delivery of the product from abroad shall be treated as an import. However, the Brazilian legislation for protection of consumers, internet users and their personal data shall be fully applicable to such company, and any liabilities and penalties may be applicable even in this case, especially if the company is established in Brazil, or if it has a branch, agency or representatives in the country.

16.2.7. Internet Sales

In Brazil, except in special cases, purchase and sale agreements do not require specific formalities to be valid. Thus, electronic commerce may operate in a functional and direct manner with regard the making of sales, upon collecting data from buyers such as name, registration number with the Brazilian Federal Revenue Office, and address, and confirmation that buyers accept the conditions of sale under the terms of an standard agreement, with delivery of the goods after confirmation of payment by the method selected, among other standard provisions for such agreements.

In this regard, the consumer protection and security rules are applied to consumer relationships conducted on the Internet11. There is, however, the particularity that national legislation ensures to consumers residing in Brazil a period of seven (7) days after delivery to cancel the purchase and return the product purchased over the Internet12, without reason, and shall receive the amount paid in full via chargeback or credit in a bank current account13.

Also regarding the sales of product over the Internet, there must be observed the legality of each product offered for sale in Brazil and possible restrictions on its sale, such as, for example, requirement for registration with public regulators, such as Inmetro (the National Institute for Metrology), Anatel (The National Telecommunications Agency), Anvisa (The National Surveillance Health Agency), Mapa (Ministry of Agriculture, Livestock and Supply), etc., or the need for a minimum age14 or special authorizations for purchase, the proof of which must be operationalized according to the specifics of each business.

In the case of sales of games and computer programs licenses, films and music, e-books and other intellectual property, the Brazilian Copyright Law (Law No. 9,610, of February 19, 1988) shall also apply, the regulations of Agência Nacional de Cinema (the National Film Agency) – Ancine, for films, and the license terms have to be clear and available to consumers before the sale is consummated, and may not be modified unilaterally without specific provision or without prior notice.

16.2.8. Responsibilities

The rules of responsibility for vices and facts on products and services sold in virtual stores are identical to those of merchants who work through physical stores. Due to the CDC’s protection rules, sellers and manufacturers are responsible for defects that a product or service may have, and also for any and all delays or failure to deliver products or provide services. By force of law, regardless of the granting or sale of extended warranties, sellers and manufacturers are jointly and severally liable for insuring their products against defects or defects, generally thirty (30) days from the delivery of the product or finding the defect, and ninety (90) days for durable goods16.

In the event of a defect in any product or service, the law grants a period of thirty (30) days for its repair17 and, if this is not possible, the consumer will have the right to choose between receiving a discount on the price, replacing it, or returning it and getting back the price paid.

Also in this topic, it should be remembered that companies exploiting commerce by electronic means can be held responsible for illicit practices by consumers and other users of their platform, if they cannot cooperate with the Brazilian authorities regarding the discovery of the person who infringed third party rights through them.

Thus, it is recommended to store the access and activity data of consumers and other users of your website for at least six (6) months, as provided by the Internet Civil Standard (Marco Civil da Internet) in Brazil, or even for a longer period in specific situations, according to sectoral legislation18. This collection and storage of data must be informed to the consumer in the privacy policy and eventual terms of consent, as well as with the other personal data treated.

In addition, regarding the collection of data from consumers and users of e-commerce platforms, LGDP provisions must be observed. This is because, when there is an infringement of the LGDP as a result of the processing of personal data, the controller or operator19 may be jointly or severally liable for the violations and will be obliged to repair them. In this sense, the operator and the controller should keep a record of the processing of personal data20 in case an eventual violation of the LGDP is considered.

Brazilian jurisprudence has recognized the possibility of making Brazilian subsidiaries, branches or agents of foreign companies in Brazil liable if these companies are established solely abroad. In exceptional cases, there are cases of lower court decisions determining the blocking of foreign internet services in the national territory by telecommunications operators, due to refusal to comply with court orders.

16.2.9. Taxation

Regarding the taxation of sales from e-commerce, the most relevant point to consider arises from the fact that each of the states of the federation has its own tax laws regarding product sales, and each municipality its own laws on the service taxation. In this sense, it is important to highlight the issue of the division of the Tax on the Circulation of Goods and Services (ICMS) in interstate sales of goods and services to a final consumer, that is, where the delivery of goods from the state in which the company is located to another state of the federation. Constitutional Amendment No. 87, of April 15, 2015, established that, from the year 2016 until the year 2018, the tax must be paid partly to the state of origin and partly to the state of destination21, and from 2019 the tax will be due entirely to the state of origin.

In view of the variation in rates involved, since each state in the federation has the competence to dispose of this tax in its territory, and the bureaucracy involved in its payment, the legislation has been heavily criticized by e-commerce operating companies, generating a review of their strategies related to electronic business.

Regarding sales of computer programs and applications, despite the general rule that they are treated as goods when there is a physical copy of the software (e.g. CDs and DVDs), there is still uncertainty regarding taxation when the sale is made by download or by means of generating license codes. However, there is a tendency for some localities to treat this type of sale as a service for tax purposes, but there seems to be no definition to be reached on this issue in the near future.

Due to the various peculiarities and minutiae of tax legislation, every company must verify precisely what the requirements and obligations applicable to its particular business are before deciding to establish an e-commerce operation in Brazil.


  1., accessed on 05/27/2020.,R%24%2075%20bi%20em%202019&text=Apesar%20da%20instabilidade%20econ%C3%B4mica%20no,sexta%2Dfeira%20(14)]
  1. accessed on 05/27/2020
  2. Article 6 of the General Data Protection Law
  3. Art. 7, I, of the General Law for the Protection of Personal Data.
  4. Art. 6, VI, of the General Law for the Protection of Personal Data.
  5. Article 17 of the General Data Protection Law
  7. Decree No. 7,962, of March 15, 2013, specifically lists: essential characteristics of the product or service, including risks to the health and safety of consumers; price breakdown of any additional or incidental expenses, such as delivery or insurance; full conditions of the offer, including payment terms, availability, form and deadline for the performance of the service or the delivery or availability of the product; and clear and conspicuous information regarding any restrictions on the enjoyment of the offer.
  8. This type of resource is only applicable for complaints against domain names registered since October 2010.
  9. Art. 4, V and sole paragraph, of Decree No. 7,962, of March 15, 2013. It is also recommended to follow, as much as possible, the standards of Decree No. 6,523, of July 31, 2008, which deals with customer service to consumers of regulated services.
  10. Art. 7º, XIII of the Internet Civil Standard (Marco Civil da Internet) in Brazil.
  11. There are still controversies as to how to abide by this right in the case of purchase of virtual goods without digital rights management mechanisms (i.e. downloads, printable tickets for shows).
  12. Art. 49 of the Consumer Protection Code and art. 5 of Decree No. 7,962, of March 15, 2013.
  13. Indicative classification rules available from:
  14. Arts. 7, VII to X, 10, 11 and 12 of the Internet Civil Standard (Marco Civil da Internet) in Brazil and arts. 43 and 44 of the Consumer Protection Code.
  15. Arts. 26 and 27 of the Consumer Protection Code. However, there are sparse legal decisions aimed at extending this legal guarantee to the entire life of the product, in the case of products of longer durability.
  16. Except for products or services considered essential, where repair or replacement must be immediate. There is uncertainty about which specific services are considered essential, so the issue must be analyzed on a product by product or service by service basis, with a recommended bias towards caution.
  17. For example, if there is a specific request from the competent authority to extend this period regarding certain data.
  18. Art. 5, VI, of the General Law for the Protection of Personal Data: “controller: natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data;”
  19. Art. 37, of the General Law on Protection of Personal Data.
  20. This is the difference between the internal rate of the home state and the interstate rate, which vary according to the states involved. For the year 2016 it will be 40% (forty percent) for the State of destination and 60% (sixty percent) for the State of origin; for the year 2017, 60% (sixty percent) for the State of destination and 40% (forty percent) for the State of origin; and finally, for the year 2018, 80% (eighty percent) for the State of destination and 20% (twenty percent) for the State of origin and for the year 2019, 100% (one hundred percent) for the state of Destination.

Authors: Pedro Szajnferber De Franco Carneiro, Gustavo Swenson Caetano, Lorena Garrido Borges and Gabriela Ongari.

Spiewak, Carneiro, Barbosa, Carvalho e Maia Sociedade de Advogados
Al. Campinas, 1.077 – 12th floor
01404-001 São Paulo – SP
Phone: (11) 2039-0130