Doing Business in Brazil

16. E-commerce


16.1. Introduction 

E-commerce is the trading of good and services on the Internet, commonly on websites, and more recently through mobile apps, especially smartphones and tablets. E-commerce data in Brazil grow by the year, and they are impressive. In 2018, Brazilian e-commerce grew 12% and invoiced 53.2 billion, according to a survey by Ebit/Nielsen. For 2019, the forecast is that of an expansion of 15%, with total sales of BRL 61.2 billion. Orders must be 12% higher, 137 million, and the average ticket must be around BRL 447, an increase of 3%1.

The growing choice of the Brazilian consumer for online shopping makes it an attractive option for both national and international companies. On the other hand, the lack of unified and specific legislation to e-commerce, allied with the existence of multidisciplinary and strict rules, makes it fundamental to know the possible reflections onto the desired operation, as well as specialized consulting before starting your online operations to Brazilian customers, or within the national territory.

16.2. Inexistence of Specific Regulation

Brazil does not have a specific legislation fully applied to govern e-commerce and not related to conventional trade. There are a few bills in course in the National Congress2  aiming at covering such regulation, and to change the Consumer Defense Code (Act no. 8.078, dated September 11, 1990), based on the UNCITRAL Model Law on Electronic Commerce of 1996, however with uncertain pass.

Notwithstanding the foregoing, several aspects of e-commerce are governed by sparse laws and decrees, which end reflecting the conduction of this type of business. In this regard, it is worthwhile to mention the Consumer Defense Code (“CDC”), applicable to commercial activities in which the consumer is the end receiver of products and services; Decree no. 7.962, dated March 15, 2013, which governs the CDC specifically in relation to certain aspects of e-commerce and other decrees governing the consumption relation. It is also important to mention the Brazilian Civil Rights Framework for the Internet (Act no. 12.965, dated April 23, 2014), which establishes the reciprocal rights and obligations of users and providers of services related to the Internet in the country, and the recently published Brazilian General Data Protection Act (Act no. 13.709, dated August 14, 2018), which establishes the provisions on the treatment of personal data, including digital means, with the objective of protecting the fundamental rights of freedom and privacy, and the free development of the individual’s personality.

This legal framework brings several guarantees and offers protection to Internet users and to end customers of products in Brazil against eventual abuses by companies that may be in a condition of greater economic or technical control in the relationship, especially in the B2C market. In general, such rules establish, among other provisions, the guarantee of an ethic and transparent treatment, with a greater clarity of information and obtainment of free, prior, and informed consent of the customer or user, facilitating the responsibility of the companies in cases of irregularities in its products or services.

E-commerce is also subject to the legislation applicable to trade in general, i.e., the Brazilian Civil Code, the Industrial Property Act (“LPI”), the Brazilian Copyright and Software Act, among others.

16.3. Domain Name

In order for an e-commerce store to operate in Brazil, it is possible to register the domain name with the extension “.br” with website ‘’. The domain name may be registered on behalf of an individual or legal entity.

Foreign companies willing to register a domain name in Brazil must have in the country an attorney for representation purposes to this type of service. In addition, in case the foreign company is not organized in Brazil, it will be necessary to sign a letter that establishes a period of twelve (12) months for the organization of the company in the Brazilian territory, establishing activities in Brazil, with physical address in the country.

Domain names are registered without review of a potential conflict with third parties. Thus, in the case of dispute of a domain name, the implemented an administrative agency responsible for the resolution of disputes involving a domain name3.

The domain name may be contested when used in bad-faith and in the following cases:

a. Identical or similar, capable of causing confusion with the trademark already registered or filed in Brazil before the registration of the domain name;

b. Identical or similar, capable of causing confusion with a notoriously known trademark, even if without registration in Brazil; or

c. Identical or similar, capable of causing confusion with other domain name, corporate name, family name, known pseudonym, artistic name, etc.
The administrative agency, after the analysis of the dispute, shall decide to maintain, cancel, or transfer the domain name. The decisions, however, shall not impose penalties and may be contested before the Judiciary Power.

16.4. Establishing a Virtual Store

Any company is free to operate via e-commerce in Brazil, provided that duly organized and existing according to the legislation and engaged in licit activities. Thus, all requirements necessary for a traditional operation (not virtual) are, in thesis, applicable to e-commerce. However, specific rules of e-commerce shall be observed in websites or apps, especially due to the digital nature.

First of all, the virtual store must visibly present the company’s data, such as its name, physical and electronic addresses, registration with the Internal Revenue Service, as well as clear, precise, direct, and ostensive information on the services and products offered, such as price and forms of payment, quantity, specifications, and characteristics, in addition to other information that may be relevant to its usage and benefit by the consumer4.

In this regard, it is worthwhile to note that the contractual terms of the purchase of the product or service, as well as the terms of use of the website, privacy policies, and other binding documents to the customer must be accessible before the conclusion of the business, and included in the website so that they are easily found and accepted.

In addition, the virtual store must have a reliable and safe system of registration of the purchases and payments, requesting the informed consent of the user in relation to the usage of his/her data and facility for the customer to confirm data, correct errors, and quit the transaction, if desired, before registered as set forth by the General Data Protection Act (“LGPD”). In this regard, the good e-commerce practices usually adopted in Europe are deemed as sufficient to grant security to the customer and the company in the e-commerce.

Moreover, the virtual store must offer a customer service center related to information, doubts, complaints, and suspension or cancellation of orders or services, both via telephone and email as exhibited on the webpage5. The company must also keep a record of the calls according to protocol number and facilitate the follow-up of the ticket by the customer, being compelled to reply within five (5) days to questions or complaints.

The virtual store must comply with the obligations imposed by the Brazilian Civil Rights Framework for the Internet and the Personal General Data Protection Act, such as the disclosure of a privacy policy clearly describing the forms and means of collection and use of personal data of users in its website, and the custody of access data thereto, especially in the case of interaction of customers with the store, such as in the comment or blog sessions, for instance.

In view of these factors, in certain situations the recommendation is that the e-commerce for Brazilian customers should be segregated of the e-commerce to foreign citizens, due to specificities in the Brazilian consumption legislation. In this case, the segregation may be provided by IP number groups and domain names with Brazilian top-level domain (ccTLD .br), registered directly by the service of the Brazilian Internet Managing Committee and subject to the rules quite similar to those adopted internationally by ICANN.

There is not a generic prohibition for a foreign company to sell its products in Brazil on a virtual store hosted and operated abroad, being certain that the delivery of the product from outside the country will be treated as an importing operation. However, the Brazilian legislation of protection of customers, Internet users, and personal data will be fully applicable to such company and eventual responsibilities and penalties will be made effective even in such case, with special facility if the company is established in Brazil, or has a branch, office, or representatives in the country.

16.5. Internet Sales

In Brazil, except in special cases, the purchase and sale agreements do not require specific formalities to become valid. Therefore, e-commerce may operate functionally and directly regarding the sales, against the collection of purchasers data, such as name, Individual Taxpayer Registration (“CPF”) number and address, and the confirmation that he or she accepts the conditions of the sale according to the standard contracting terms, with the delivery of the good after the confirmation of the payment by the chosen method, among other standard provisions of agreements of this nature.

In this case, the regulations of customer protection and defense in the consumption relations on the Internet shall apply6. However, the particularity that the national legislation assures to customers residing in Brazil a term of seven (7) days after the delivery to cancel the order and return the product bought on the Internet7 , without justification, being full compensated for the amount paid, by means of credit reversal or credit in the checking account8.

Still in relation to the sales of products on the Internet, it should be observed, case by case, the legality of each product offered for sale in Brazil and eventual restrictions to its sale, such as, for instance, the requirement of registration with the government regulatory agencies, such as the Inmetro (Brazilian Institute of Metrology and Standardization), Anatel (Brazilian Telecommunications Agency), Anvisa (Brazilian Health Surveillance Agency), Mapa (Ministry of Agriculture, Livestock, and Food Supply), and etc., or the need o minimum age9 or special authorizations for the purchase, whose confirmation must be made effective according to the specificities of each business.

In the case of sale of licenses for games and computer programs, films and music, e-books, and other intellectual items, the Brazilian Copyrights Act shall apply (Act no. 9.610, dated February 19, 1988), and the terms of the license shall be clear and available to the customers before concluding the sale, not being subject to unilateral modification without specific anticipation or without prior notice.

16.6. Privacy and Personal Data Protection 

In relation to privacy and the collection and use of personal data of customers, Brazil has a few general rules brought by the Brazilian Civil Rights Framework for the Internet and by the Customer Defense Code10 . Recently, the National Congress passed Act no. 13.709, dated August 14, 2018, known as the Personal General Data Protection Act (“LGDP”), also edited by Provisional Presidential Act no. 869/2018, which changed and included certain Articles in such act. However, the General Data Protection Act will only become effective in February or August 2020, depending on the pass of the Provisional Presidential Act.

The General Data Protection Act was based on the General Data Protection Regulation (“GDPR”) and has quite similar rules regarding the treatment of personal data. By rule, no personal data – such as name, registration number and documents, addresses, IP number, and other electronic flags – shall be collected by the e-commerce without the consent of the customer or user11  and without being previously informed with the due clarity, observing the principle of transparency12, of details of its collection, use, and sharing, which usually occurs with a privacy policy and by means of terms of consent.

According to the General Data Protection Act, the treatment of personal data will only be legitimate if based on the principles listed by the legislation13 and legitimated by one of the hypotheses of treatment: consent, compliance of legal or regulatory obligation, execution of public policies and studies by research agencies, performance of agreement/pre-contractual diligences, regular exercise of rights, protection to life and heath custody, legitimate interests of the controller/third party, and credit protection.

There is no prohibition or specific regulation on the use of cookies, nor of other behavior measurement and analysis tools (i.e., data analytics), on data custody and processing abroad, or even on the use of directed advertising, however, the recommendation is that the adoption of any of these practices should be included in the privacy policy previously accepted by the customer, because even though these are anonymous data, when used to set a behavior profile, they will be considered as Personal Data and are subject to the General Data Protection Act.

The Brazilian legislation also determines that the customer shall be assured the possibility to verify the data that a given company has on it at any time, so that it may ask its correlation or update if not exact, or even if reflecting its exclusion and portability14.

Although the Brazilian legislation focus on the protection of the individual’s privacy, it also determines the obligation of access data custody of users to the Internet services, including e-commerce. This is the custody of data such as IP number and other data15  that may be used to identify the action of users in a given website, for the minimum period of six (6) months from each access, so that, if necessary, they can be used as evidence in a civil or criminal proceeding. It should be noted that, in this case, it does not regard to customer enrollment data, but data related to the accesses to the e-commerce, so that the customer does not have the power to demand their deletion.

There are no penalties for the inobservance of the duty of access data custody16. However, if these data are required in court to identify any infringement committed through an Internet service (e.g., calumnious comments), the Courts have been understanding that the service operator may be held liable for damages caused if it refuses or is not able to fulfill the court order to submit such data17. Therefore, the observance of this duty is fundamental in the cases of a deeper interactions between a user and the e-commerce, such as, for instance, in situations where a comment or a public post is made (i.e., risk of defamation), or in the case of fraud in any order.

It is worthwhile to note that all personal data collected from the users or customers in any of the contexts above are protected by the customer protection legislation, by the Brazilian Civil Rights Framework for the Internet and by the General Data Protection Act, and shall not be disclosed or shared with third parties without the consent of the holder or without a court order for such disclosure. Therefore, the recommendation is that the data shall always be transferred, treated, and stored safely, using encryption, anonymization, and pseudoanonymization whenever possible, and the best internationally accepted practices of information security, since the company may be held liable for eventual leakage of personal data and for its undue use by third parties, with fines of up to 2% of the company’s invoicing, limited to fifty million Brazilian Reais (BRL 50,000,000.00) per infringement.

16.7. Responsibilities

The rules on the responsibility for defects and facts of products and services sold in virtual stores are identical to those of physical stores. Due to the rules of protection of the CDC, sellers and manufacturers are responsible for defects that a product or service may present, and also for any and all eventual delays or failure in the delivery of the products or provision of the services. By operation of law, regardless of the concession or sale of extended warranties, sellers and manufacturers are jointly and severely responsible for assuring their products against defects or vices, usually within thirty (30) days from the date of delivery of the product or identification of the defect, and ninety (90) days to durable goods18.

In the case of defect to any product or service, the law grants a term of thirty (30) days for the due repair and, if such repair19 is not possible, the customer will be entitled to choose between receiving a discount in the price, replace it, or return it, being compensated the amount paid.

In addition, on this topic, it should be noted that the e-commerce company may be held responsible for tort of customers and other users of its platform, in case it is not able to collaborate with the Brazilian authorities in relation to discovering the identity of the person that has infringed the rights of third parties using such e-commerce platform. Thus, the recommendation is to keep the data of customer access and activity and other users of your website for at least six (6) months, as set forth by the Brazilian Civil Rights Framework for the Internet, or even for greater period in specific situations, according to the legislation of each sector20. Such collection and custody of data must be informed to the customer in the privacy policy and eventual terms of consent, similarly to the other personal data treated.

Moreover, in relation to the collection of data of customers and users of e-commerce platforms, the provisions of the General Data Protection Act must be observed. That because when the General Data Protection Act is breached as a result of the treatment of personal data, the controller21 or operator22 may be held liable, severally or jointly, in relation to the infringements, and they will be compelled to repair them. In this regard, both the operator and controller must keep a record of the personal data treatment operations23 in case an eventual breach of the General Data Protection Act LGDP is considered.

The Brazilian court precedents has been recognizing the possibility of hold branches, offices, or Brazilian representatives of foreign companies in Brazil liable if such companies are only established abroad. In exceptional cases, first-instance legal decisions have determined the freeze of foreign Internet services in the national territory by telecommunications operators due to refusal to comply with the legal orders.

16.8. Taxation

In relation to the taxation of the e-commerce sales, the most relevant point to be considered results from the fact that each one of the States has its own tax laws in relation to the sale of products, and each municipality has its own laws on the taxation of services. In this regard, it should be noted that the issue related to the division of the Tax on the Circulation of Goods and Services (“ICMS”) on interstate sales delivering goods and services to an end customer, i.e., in which there is delivery of goods of the State in which the company is located to another State of the country. Constitutional Amendment no. 87, dated April 15th, 2015, established that, from 2016 to 2018, the tax shall be paid part to the State of origin and part to the State of destination24 , and as of 2019 the tax will be due to the State of origin in its totality.

Considering the variation of the involved rates, since each State has the power to establish its own terms on such tax in its territory, and the bureaucracy involved in its payment, the legislation has been widely criticized by the e-commerce companies, generating the review of their strategies in relation to electronic sales activities.

In relation to the sale of computer programs and apps, although the general rule is that these are treated as goods when there is the sale of a physical copy of the software (e.g., CDs and DVDs), there is still uncertainty in relation to the taxation whether the sale occurs with a download or with the generation of a license code. However, certain locations have been presenting the trend of treating this modality of sale as a service for tax purposes, however without a definition about it in the near future.

Due to the several specificities and details of the tax legislation, every company must precisely verify the requirements and obligations applicable to its business, especially if deciding to establish an e-commerce operation in Brazil.


1 Available at: and

2 As per Bill no. 4.906/2001, of the Federal Senate, and currently in course in the Chamber of Deputies, attached to Bill no. 3514/2015 and several others, in addition to the several bills applicable to sparse aspects of e-commerce (

3 This type of remedy is only applicable to complaints against domain names registered since October 2010.

4 Decree no. 7.962, dated March 15, 2013, lists specifically: essential characteristics of the product or service, including the risks to health and safety of customers; description, in the price, of any additional or supplementary expenses, such as those of delivery or insurance; full conditions of the offer, including modalities of payment, availability, form, and term of the execution of the service or delivery or provision of the product; and clear and visible information of any restrictions to the fruition of the offer.

5 Art. 4, V and sole paragraph, of Decree no. 7.962, dated March 15, 2013. It is also recommended to follow, whenever possible, the standards of Decree no. 6.523, dated July 31, 2008, applicable to support services to customers of regulated services.

6 Art. 7, XIII of the Brazilian Civil Rights Framework for the Internet.

7 There are still controversies on how to respect such right in the case of purchase of virtual goods without mechanisms of digital rights management (i.e. downloads, printable tickets to shows).

8 Art. 49 of the Customer Defense Code and Art. 5 of Decree no. 7.962, dated March 15, 2013.

9 Rules of indicative classification at:

10 Arts. 7, VII to X, 10, 11, and 12 of the Brazilian Civil Rights Framework for the Internet and Arts. 43 and 44 of the Customer Defense Code.

11 Art. 7, I, of the General Personal Data Protection Act.

12 Art. 6, VI, of the General Personal Data Protection Act.

13 Art. 6 of the General Personal Data Protection Act.

14 Art. 18, I, II, and VI, of the General Personal Data Protection Act.

15 There is no regulation on the type of data that must be collected, but courts have been interpreting this obligation basically as the duty of custody of the IP numbers, in addition to the dates and starting and ending times of each access.

16 Art. 12 of the Brazilian Civil Rights Framework for the Internet establishes several penalties in the case of inobservance of such obligations. However, due to lack of regulation of the law, its form of application is still uncertain.

17 Art. 19 of the Brazilian Civil Rights Framework for the Internet.

18 Arts. 26 and 27 of the Customer Defense Code. However, it is possible to note sparse legal decisions aiming at extending this legal guarantee to the entire shelf life of the product, in the case of products with greater durability.

19 Except products or services deemed as essential, in which the repair or replacement must be immediate. There is an uncertainty regarding which services in particular are deemed as essential, so that the issue shall be analyzed product by product or service by service, recommending an inclination to caution

20 For instance, in the case of specific request by the competent authority to extend such deadline in relation to certain data.

21 Art. 5, VI, of the General Personal Data Protection Act: “controller: individual or legal entity, public or private, responsible for the decisions related to the treatment of personal data;”

22 Art. 5, VII, of the General Personal Data Protection Act: “operator: individual or legal entity, public or private, engaged in the treatment of personal data on behalf of the controller;”

23 Art. 37, of the General Personal Data Protection Act.

24 This is the difference between the internal rate of the State of origin and the interstate rate, which range according to the involved States. To 2016, the taxation will be of forty percent (40%) to the State of destination and sixty percent (60%) to the State of origin; to 2017, sixty percent (60%) to the State of destination and forty percent (40%) to the State of origin; and, finally, to 2018, eighty percent (80%) to the State of destination and twenty percent (20%) to the State of origin, and to 2019, one hundred percent (100%) to the State of destination.


Authors: Beatriz Wainstein Silber, Isabel Hering, Luiz Fernando Plastino Andrade and Pedro Szajnferber De Franco Carneiro

Spiewak, Carneiro, Barbosa, Carvalho e Maia Sociedade de Advogados
Al. Campinas, 1.077 – 3º andar
01404-001 São Paulo – SP
Tel.: +55 (11) 2039-0130