Doing Business in Brazil

16. E-commerce


16.1 Introduction 

As a result of the overall process of digital transformation, electronic commerce, or e-commerce, is the commercial modality conducted through the internet, which can take place between companies and consumers (b2c), companies and companies (b2b), or between consumer and consumer (c2c). It is a type of marketing where the online buying and selling of products or services and financial transactions are carried out entirely over the Internet through electronic devices such as computers, phones, or tablets.

The activity is regulated in Brazil by different legislation that, as a whole, establishes the rules applicable to electronic commerce with a particular focus on B2C relations (that is, companies and consumers). Among such rules, we highlight the following: (i)

the Consumer Protection Code – CDC (Law No. 8,078/90), Decree No, 7,692/2013, which regulates contracting in electronic commerce, (iii) the Civil Framework of Internet (Law No. 12,965/2014), which establishes the reciprocal rights and obligations of Internet-related users and service providers in the country; (iv) General Data Protection Law (Law No. 13,709/2018), (v) the Civil Code (Law No. 10,406/2002), and (vi) ordinances, rules and technical notes issued by the support and consumer protection agencies, including Secretaria Nacional do Consumidor (the National Consumer Secretariat) – SENACON, which is part of the Ministry of Justice and Public Security. We will detail below these provisions and context in the scope of e-commerce.

16.2 Brazilian Legislation

16.2.1 CDC and Decree 7,962/2013

The Consumer Protection Code (“CDC”) establishes consumer protection and defense rules applicable to all commerce and service provision transactions, including online activities, to ensure good faith in consumer relations so that no one is left with any loss.  Among the most important are the following: (i) the principle of the supplier’s objective good faith, which means that the establishment is responsible for providing, in good faith, all information to consumers to ensure their best choice, (ii) the supplier’s responsibility for any defect and/or malfunction to the purchased product and/or service; (iii) the supplier shall be binding to the exact terms of the offer, under penalty of the consumer being able to demand compliance with the offered conditions; and (iv) the premise of the consumer’s vulnerability vis-à-vis supplier, as the most fragile part of the relationship and which, therefore, shall be subject to different treatment in the event of dispute or litigation.

Decree 7,962/2013, popularly known as the E-commerce Act, regulates the CDC and deals explicitly with electronic commerce. This means that, besides the CDC, the E-commerce Law specifically addresses the transactions performed in an online store and its consumer.

The Decree provides, among others, the following obligations to suppliers of online products and/or services: (i) to inform on the websites their physical and electronic addresses; (ii) to keep their complete identification in a prominent and easily accessible place; (iii) to submit at least a kind of summary of the agreement to be entered into between the parties, before the closing of the transaction, and the entire document after completion; (iv) to maintain an efficient customer service channel; and (v) to inform and enforce the consumer’s right to repent.

Contractual rules, as provided for by the CDC and enforced in the Decree, are also applicable, such as preventing suppliers from setting a section exempting or mitigating suppliers’ liability.

In addition to these specific provisions, this legal framework brings several guarantees and protects final consumers of products in Brazil, including on the Internet, against possible abuses by companies that may be in a position of greater economic or technical control in the relationship, especially in the B2C market (business-to-consumer, intended for the final consumer).

In general, both the CDC and the Decree aim to consolidate the culture of ethical, transparent treatment, with greater information clarification, and facilitate corporate accountability in cases of irregularities or defects in their products or services.

Considering that, at the national level, any commercial relations established on the Internet are subject to these same rules and principles, a proper document with the “Terms of Use” and well-designed “Policies” which also reflect these consumer guarantees are essential instruments that must be used to build the reliance on e-commerce in the market.

16.2.2 Decree 10.271/2020 (Mercosur)

In March 2020, Decree 10.271/2020 was issued, subjecting the national jurisdiction to compliance with GMC Resolution No. 37/19, which applies to all consumers and suppliers, whether based, established or with commercial operation under some of their domains on the Internet in Mercosur countries.

Guarantees such as the right of repentance, and provision of supplier’s commercial information, among others, must be observed by such suppliers, which harmonizes the minimum consumer protection obligations in electronic commerce between the four State Members of Mercosur (Argentina, Brazil, Paraguay and Uruguay), through a standard level of protection.

In addition, the decree extends consumer protection since it: (i) reiterates the duty of suppliers to submit in advance a summary of the agreement to be entered into, with an emphasis on the material sections for the consumer; (ii) expressly provides for cooperation between national consumer protection bodies; and (iii) determines the adoption of on-line, expedite, fair, transparent and low-cost dispute resolution mechanisms, so that consumers can be satisfied with their complaints’ resolutions.

In Brazil, some conflict resolution platforms (ODR – Online Dispute Resolution) exist, such as “,” and institutes such as mediation, negotiation and arbitration. Still, the fact is that they return to the digital sphere, supported by legislation due to a need to ensure security for consumers that operate online, requiring companies to act accordingly.

It is noted that the structuring of ODR mechanisms has been a challenge to be faced by companies to make them viable in an innovative, smooth and effective way to improve the consumer experience. Good examples are the mechanisms already adopted today through platforms such as Amazon, which operates between automatic and personal customer service if needed.

Finally, in the document, it is also possible to note several articles that guide the elaboration of the Terms and Conditions as a good framework of what should be observed in Brazil and other countries. In summary, excellent and clear instructions to consumers on the offer conditions have to be ensured, as well as the rights related to it, with the guarantee of their exercise facilitated by e-commerce companies, either through proper customer service channels or by explicit provisions on how to access them.

16.2.3 Civil Framework and LGPD

Regarding the Internet regulation in Brazil, the Civil Framework of Internet (Law No. 12.965/2014) (“MCI”) and the General Data Protection Law (Law 13.709/2018) (“LGPD”) are worth mentioning. 

The MCI is a law that establishes general parameters about principles, warranties, rights and duties for Internet use in Brazil. The wording is quite evident by reaffirming the application of the consumer protection rules in this context, as long as a consumer relationship between the parties is determined.

In addition, such Law also deals with other transactions conducted by electronic commerce establishments, including, without limitation, collection and processing of personal data and other issues involving the protection of privacy, provided that its rules and principles have implications in all relationships established through the Internet, including electronic commerce.

The LGPD approved four years after the Civil Framework of the Internet, strengthens the citizens’ power over controlling their personal data and information.

In general, the LGPD profoundly affects electronic commerce transactions and the way personal data shall be processed (i.e., “processing” shall mean, broadly, any transaction performed using personal data, including collection, storage, access, reproduction, among others). This is because the LGPD brings principles1 and hypotheses of personal data treatment2, which companies must observe to legitimize the use and treatment of personal data.

For e-commerce, except in exceptional cases and as provided for in the LGPD, as a general rule, no personal data – information related to an identified or identifiable natural person – may be collected without consumer or user consent3, and provided they have been previously and clearly informed, subject to the principle of transparency4, in detail the reason for the collection, use and sharing of their data. 

The LGPD also provides for the rights of personal data subjects5 that give them greater control over their data and make it possible for controllers or operators to request to process personal data: (i) confirmation of the existence of personal data processing, (ii) possibility of verifying what data the company holds about the subject, (iii) possibility of correcting incomplete, inaccurate or outdated data; (iv) anonymization, blocking or exclusion of unnecessary, excessive data or treated in non-compliance with the LGPD, (v) data portability to another service or product provider; (vi) exclusion; (vii) information about any parties with which their data was shared, and (viii) information about their right of not giving consent and the consequences of the refusal.

It should be noted that the LGPD does not prohibit the collection and/or use of personal data but provides rules and guidelines for the subject to have knowledge and control over them.

Therefore, companies with activities for electronic commerce of products and services must adjust their practices and operations under the scope and requirements of both the Civil Framework and the LGPD, thus ensuring greater clarity and transparency in relationships with their clients and consumers, mitigating risks and reducing their exposure to the penalties provided for in that legislation.

1Article 6 of the General Data Protection Law.

2Article 7 of the General Data Protection Law.

3Article 7, I of the General Data Protection Law

4Article 6º, VI of the General Data Protection Law

5Article 18 of  the General Data Protection Law


16.2.4 SENACON

In Brazil, the National Consumer Secretariat (Senacon) was created in 2012, by Decree No. 7,738/2012, as part of the Ministry of Justice to concentrate the planning, preparation, coordination and execution of the National Consumer Relations Policy, specifically with the objective of: (i) guaranteeing the protection and exercise of consumers’ rights; (ii) promoting harmonization in consumer relations; (iii) encouraging the integration and joint action of SNDC members; and (iv) participating in national and international bodies, forums, boards or committees dealing with consumer protection and defense, or with matters of interest to consumers, among others.


Within its activities, SENACON has been performing several actions to fight the trade of illegal products, such as the issue of ordinances, technical notes and even mere recommendations for punitive and preventive measures to be observed by electronic commerce establishments to fight piracy.

In 2019, for example, the agency, in a supervisory measure, ordered several of these establishments to submit their anti-piracy policies. Based on the information obtained by 20 of them, the result was a study that listed the main difficulties and made recommendations for more excellent protection for consumers and, as a consequence, for intellectual property owners.

Examples of measures resulting therefrom are the obligation to select and register suppliers, aiming at more significant control of websites over which the trade is made, and the need to inform the trade of illegal products to the proper bodies – such as Conselho Nacional de Combate à Pirataria (the National Board for Fighting Piracy (CNCP) and Senacon as soon as they are identified, as well as inform actions already taken.


The agency also establishes the possibility of making non-compliant platforms liable for damages caused to consumers and not being exempt from legal obligations. 

Also, SENACON published the Good Practices Guide and Guidelines for Electronic Commerce Platforms6, which observes and is in line with the Draft Recommendation on Consumer Product Safety, elaborated by the OECD Working Party on Consumer Product Safety.

Such a document covers “the entire supply chain, including manufacturers, retailers, online platforms that allow third parties to sell products to consumers, as well as call centers”. Therefore, direct electronic (e-commerce) or indirect (marketplace) establishments must be attentive and observe these guidelines.

The document also provides for sanctions and reinforces the directions above arising from the 2019 inspection, in addition to encouraging the adoption of policies, notice procedures, reporting systems, feedback, monitoring of offenders, cooperation with the government, and the adoption of listed preventive measures.

Although not binding, the adhesion to the rules provided for in the Guide is recommended to promote a healthy, competitive digital business environment based on good faith and self-regulation, and free from illegal products, whether due to piracy, smuggling or otherwise, in violation of rights (of consumer or intellectual property), showing the commitment of the members in their fight.


The CDC requires Suppliers to guarantee consumers the safety of the products and services they provide. This includes but is not limited to the obligation to report any defect after such products or services are entered into the market.

The rule establishes that products or consumables may not pose a risk to the health and safety7 of those who purchased them, except those deemed as regular and predictable due to their nature and use.



7Decree No. 7,962, of March 15, 2013, specifically lists: essential characteristics of the product or service, including risks to the health and safety of consumers; breakdown, in the price, of any additional or ancillary expenses, such as those for delivery or insurance; full conditions of the offer, including payment terms, availability, form and term of execution of the service or delivery or availability of the product; and clear and conspicuous information regarding any restrictions on the enjoyment of the offer.


The recall process aiming at repairing and/or replacing a defective product and/or service placed on the market (i.e., Recall Campaign) is regulated by Ordinance No. 618/2019 issued by the Ministry of Justice, which inspection and supports compliance is also the responsibility of SENACON.

According to the rule, any supplier that becomes aware of the possibility that harmful or dangerous products or services have been introduced into the Brazilian consumer market shall, within twenty-four hours, notify the National Consumer Secretariat about the beginning of the investigations. 

Suppose the harmfulness or dangerousness is verified in the investigations above. In that case, the supplier shall notify the fact to SENACON and the proper normative or regulatory body within 2 business days of the decision to make the recall.


Such notice shall be made in writing, preferably through Sistema Eletrônico de Informações (the Electronic Information System) – SEI, or another system introduced by SENACON, and shall contain the following information: 

(i) the complete identification of the supplier (corporate name, trade name, the economic activity involved, CNPJ, address of the establishment’s head office, among others); (ii) a detailed description of the product or service and the defective component, with the characteristics required for its identification, especially: brand, model, batch, series, frame number, start and end date of manufacture and photo; (iii) a detailed description of the defect, together with the technical information required to clarify the facts, as well as the date, specifying day, month and year, and how the harmfulness or dangerousness was verified; (iv) information on the measures already taken and proposed to be taken to resolve the defect and remedy the risk; (v) a media plan to inform the affected consumers; (vi) a customer service plan, among others.

Further information can be obtained in the Safe Consumption and Health Guide issued and disclosed by Senacon through the link

16.2.5 Domain Name

For e-commerce to operate in Brazil, it is possible to register the domain name under the “.br” category with The domain name may be registered in the name of an individual or a legal entity.

For foreign companies willing to register a domain name in Brazil, it is necessary to have a representative in the country who can represent them for this kind of service. Furthermore, in case the foreign company does not yet have a company organized in Brazil, it is necessary to sign a letter in which it is established that, within twelve (12) months, the foreign company will organize a company in Brazilian territory to conduct activities in Brazil, with a physical address in the country.

Domain names are registered without review of potential conflict with third parties. Therefore, in the event of a dispute involving a domain name, has established an administrative body responsible for resolving such disputes8.

The domain name may be challenged when used in bad faith, and in case it is:


  1. Identical or similar capable of confusing with a trademark already registered or filed in Brazil before such domain name registration;
  2. Identical or similar capable of confusing with a well-known trademark, even if not registered in Brazil; or
  3. Identical or similar can confuse with another domain name, business name, family name, known alias, artistic name, etc.

After analyzing the dispute, the administrative body will decide to maintain, cancel or transfer the domain name. However, such decisions may not impose penalties and may eventually be challenged before the judiciary branch.

8 This type of resource is only applicable for complaints against domain names registered since October 2010.


16.2.6 Establishing an Online Store

Any company can operate through e-commerce in Brazil if it is regularly organized, established by legislation, and conducts lawful activities. Thus, all the requirements for a traditional (non-online) operation entirely apply to electronic commerce. However, specific rules applicable to e-commerce have to be observed for websites or applications, mainly due to their digital nature.

First, a virtual store is required to prominently present the company’s data, such as corporate name, physical and electronic addresses, and registration number with the Brazilian Federal Revenue Service, as well as clear, accurate, direct and prominent information about services and products offered, such as price and methods of payment, quantity, specifications and characteristics, as well as other information that may be relevant to their use and enjoyment by the consumer.

In this regard, it is essential to highlight that the contractual terms of the purchase of the product or service, as well as terms of use of the website, privacy policies, and other documents binding on the consumer, shall be accessible before the consummation of the deal, and included in the website so that they are easily found and accepted.

In addition, an online store must have a reliable and safe system for registering purchases and payments and shall request the users to give their informed consent to use their data and make it easier for the consumers to confirm the data, correct errors, and withdraw from the transaction, if they wish, before its registration. In this regard, the good practices of e-commerce generally adopted in Europe are sufficient to provide security to consumers and companies in e-commerce.

In addition, any virtual store must have a customer service for information, questions, complaints, and suspension or cancellation of purchases or services, both by phone and email, which shall be provided on the webpage9. The company will also have the duty to register calls with protocol numbers and facilitate their follow-up by consumers, being required to answer their questions or complaints within five (5) days.

Therefore, in certain situations, it may be recommended that e-commerce for Brazilians be segregated from that for nationals of other countries due to the peculiarities of Brazilian consumer legislation. In this case, it is possible to use a separation by IP (internet protocol) numbering groups and domain names with Brazilian top-level domain (ccTLD .br), registered directly by the service of the Internet Steering Committee in Brazil, and subject to its rules, which are very similar to those adopted internationally by ICANN.

9Arts. 7, VII to X, 10, 11 and 12 of the Internet Civil Standard (Marco Civil da Internet) in Brazil and arts. 43 and 44 of the Consumer Protection Code.


There is no generic prohibition for a foreign company to sell its products in Brazil through an online store hosted and operated abroad, provided that the delivery of the product from abroad shall be treated as an import. However, the Brazilian legislation for the protection of consumers, internet users and their personal data shall be fully applicable to such company, and any liabilities and penalties may be relevant even in this case, especially if the company is established in Brazil or if it has a branch, agency or representatives in the country.

16.2.7 Internet Sales

In Brazil, except in exceptional cases, purchase and sale agreements do not require specific formalities to be valid. Thus, electronic commerce may operate functionally and directly about the making of sales upon collecting data from buyers such as name, registration number with the Brazilian Federal Revenue Office, and address, and confirmation that buyers accept the conditions of sale under the terms of a standard agreement, with the delivery of the goods after confirmation of payment by the method selected, among other legal provisions for such contracts.

In this regard, consumer protection and security rules are applied to consumer relationships conducted on the Internet10. There is, however, the particularity that national legislation ensures to consumers residing in Brazil seven (7) days after delivery to cancel the purchase and return the product purchased over the Internet11, without reason, and shall receive the amount paid in full via chargeback or credit in a current bank account12.

Also, regarding the sales of products over the Internet, there must be observed the legality of each product offered for sale in Brazil and possible restrictions on its sale, such as, for example, the requirement for registration with public regulators, such as Inmetro (the National Institute for Metrology), Anatel (The National Telecommunications Agency), Anvisa (The National Surveillance Health Agency), Mapa (Ministry of Agriculture, Livestock and Supply), etc., or the need for a minimum age13 or special authorizations for purchase, the proof of which must be operationalized according to the specifics of each business.

In the case of sales of games and computer programs licenses, films and music, e-books and other intellectual property, the Brazilian Copyright Law (Law No. 9,610, of February 19, 1988) shall also apply, the regulations of Agência Nacional de Cinema (the National Film Agency) – Ancine, for films, and the license terms have to be transparent and available to consumers before the sale is consummated, and may not be modified unilaterally without specific provision or prior notice.

16.2.8 Responsibilities

The rules of responsibility for vices and facts on products and services sold in virtual stores are identical to those of merchants who work through physical stores. Due to the CDC’s protection rules, sellers and manufacturers are responsible for defects that a product or service may have and for any delays or failure to deliver products or provide services. By force of law, regardless of the granting or sale of extended warranties, sellers and manufacturers are jointly and severally liable for insuring their products against defects or defects, generally thirty (30) days from the delivery of the product or finding the defect, and ninety (90) days for durable goods14.

10Art. 7º, XIII of the Internet Civil Standard (Marco Civil da Internet) in Brazil.

11There are still controversies as to how to abide by this right in the case of purchase of virtual goods without digital rights management mechanisms (i.e. downloads, printable tickets for shows).

12 Art. 49 of the Consumer Protection Code and art. 5 of Decree No. 7,962, of March 15, 2013.

13Indicative classification rules available from:

14Arts. 26 and 27 of the Consumer Protection Code. However, there are sparse legal decisions aimed at extending this legal guarantee to the entire life of the product, in the case of products of longer durability.


In the event of a defect in any product or service, the law grants thirty (30) days for its repair15  and if this is not possible, the consumer will have the right to choose between receiving a discount on the price, replacing it, or returning it and getting back the price paid.

Also, in this topic, it should be remembered that companies exploiting commerce by electronic means can be held responsible for illicit practices by consumers and other platform users if they cannot cooperate with the Brazilian authorities regarding the discovery of the person who infringed third party rights through them.

Thus, it is recommended to store the access and activity data of consumers and other users of your website for at least six (6) months, as provided by the Internet Civil Standard (Marco Civil da Internet) in Brazil, or even for a more extended period in specific situations, according to sectoral legislation16 This collection and storage of data must be informed to the consumer in the privacy policy and eventual terms of consent, as well as with the other personal data treated.

In addition, regarding collecting data from consumers and users of e-commerce platforms, LGDP provisions must be observed. This is because when there is an infringement of the LGDP due to the processing of personal data, the controller or operator17 may be jointly or severally liable for the violations and will be obliged to repair them. In this sense, the operator and the controller should keep a record of the processing of personal data18  in case an eventual violation of the LGDP is considered.

Brazilian jurisprudence has recognized the possibility of making Brazilian subsidiaries, branches or agents of foreign companies in Brazil liable if these companies are established solely abroad. In exceptional cases, lower court decisions determine telecommunications operators’ blocking of foreign internet services in the national territory due to refusal to comply with court orders.

16.2.9 Taxation

Regarding the taxation of sales from e-commerce, the most relevant point to consider is that each federation state has its tax laws regarding product sales, and each municipality has its own rules on service taxation. In this sense, it is essential to highlight the issue of the division of the Tax on the Circulation of Goods and Services (ICMS) in interstate sales of goods and services to a final consumer, that is, where the delivery of goods from the state in which the company is located to another form of the federation. Constitutional Amendment No. 87, of April 15, 2015, established that, from the year 2016 until the year 2018, the tax must be paid partly to the state of origin and partly to the state of destination19, and from 2019 the tax will be due entirely to the state of origin.

Given the variation in rates involved, since each state in the federation has the competence to dispose of this tax in its territory and the bureaucracy involved in its payment, e-commerce operating companies have heavily criticized the legislation, generating a review of their strategies related to electronic business.

Regarding sales of computer programs and applications, despite the general rule that they are treated as goods when there is a physical copy of the software (e.g., CDs and DVDs), there is still uncertainty regarding taxation when the sale is made by downloading or using generating license codes. However, there is a tendency for some localities to treat this type of sale as a service for tax purposes, but there is no definition to be reached on this issue shortly.

Due to the various peculiarities and minutiae of tax legislation, every company must verify the requirements and obligations applicable to its particular business before deciding to establish an e-commerce operation in Brazil.

15 Except for products or services considered essential, where repair or replacement must be immediate. There is uncertainty about which specific services are considered essential, so the issue must be analyzed on a product by product or service by service basis, with a recommended bias towards caution.

16For example, if there is a specific request from the competent authority to extend this period regarding certain data.

17Art. 5, VI, of the General Law for the Protection of Personal Data: “controller: natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data;”

18Art. 37, of the General Law on Protection of Personal Data.

19This is the difference between the internal rate of the home state and the interstate rate, which vary according to the states involved. For the year 2016 it will be 40% (forty percent) for the State of destination and 60% (sixty percent) for the State of origin; for the year 2017, 60% (sixty percent) for the State of destination and 40% (forty percent) for the State of origin; and finally, for the year 2018, 80% (eighty percent) for the State of destination and 20% (twenty percent) for the State of origin and for the year 2019, 100% (one hundred percent) for the state of Destination.


Authors: Pedro Szajnferber De Franco Carneiro and Gabriela Ongari

Spiewak, Carneiro, Barbosa, Carvalho e Maia Sociedade de Advogados
Al. Campinas, 1.077 – 12th floor
01404-001 São Paulo – SP
Phone: (11) 2039-0130