Digital business in Brazil: overview

A Q&A guide to digital business in Brazil.

The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.

This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit


Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

There is no specific legislation in Brazil regulating business-to-business activities. Online business-to-customer activities are regulated by the:

  • Consumer Protection Code (CDC) (Federal Law No. 8,078/90).

  • Electronic Commerce Decree (Decree No. 7,962/13).

  • Regulations issued by the Department of the Ministry of Justice for Consumer Protection and Defence (DPDC).

2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?

There is no specific authority in Brazil responsible for regulating online business activities. Legislation in this area can be passed through the ordinary legislative process provided for in the Brazilian Federal Constitution, on the approval of a bill of law by the Chamber of Representatives and the Federal Senate.

Currently, there are no bodies passing regulations and laws specifically in the area of online business.


Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

From a Brazilian law perspective, there are no specific steps to be considered by a company to set up a business online, other than the ordinary measures that the implementation of a business of any other nature requires, such as:

  • The incorporation of an entity.

  • The entity obtaining the registrations necessary for it to:

    • pay taxes and issue invoices (mandatory registrations with the Federal and Municipal Tax Authorities and registration with the State Tax Authorities if the company sells goods);

    • hire employees (registrations with the Social Security and the Severance Pay Fund).

  • Other specific registrations, where necessary (for example, registration with the Brazilian Central Bank if the company has foreign direct investments).

4. What are the relevant types of parties that an online business can expect to contract with?

Basically, anyone may enter into online agreements, whether individuals, or legal entities of a private or public nature. The procedure of online contracting for public entities will depend on the rules provided in the applicable bid notice.

5. What are the procedures for developing and distributing an app?

There are no specific procedures for developing and distributing an app under Brazilian law. It is important to note, though, that the creation of an app in the form of software, would in principle be subject to copyright protection and that this protection does not require registration with a public authority to be enforceable before third parties. On the other hand, it is advisable to prepare, before the app starts being downloaded by users, the terms of use of the app, including applicable privacy provisions, and to require the user's agreement to those terms prior to download.


Running a business online

Electronic contracts

6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation? Please comment on the enforceability of click-wrap, browse-wrap and shrink-wrap contracts.

Although there is no law governing specifically electronic contracts, there is no risk that the execution of electronic contracts, whether these are interpersonal or interactive (click-wrap) contracts, will be prevented. As a rule, and if the requirements for execution of an agreement are fulfilled (such as able agent, legal purpose and form), electronic contracts are as enforceable as if they had a handwritten signature.

One of the most substantial risks in the enforceability of click-wrap and similar contracts is the ability to evidence who accepted it. If the validity of an electronic contract is questioned, the burden to demonstrate lack of consent will generally fall on the questioning party. There are a number of options that can be used to help secure the necessary evidence, such as digital signature or a previous enrolment.

7. What laws govern contracting on the internet?

Electronic contracts are governed by all Brazilian laws that are applicable to ordinary contracts, as well as by the Federal Law No. 12,965/14, which governs the principles, warranties, rights and duties concerning the internet in Brazil.

Specifically when dealing with consumer relations, electronic contracts will also be governed by:

  • The Consumer Protection Code (CDC) (Federal Law No. 8,078/90).

  • Regulations issued by the Department of the Ministry of Justice for Consumer Protection and Defence (DPDC).

  • The Electronic Commerce Decree (Decree No. 7,962/13).

8. Are there any limitations in relation to electronic contracts?

Electronic contracts cannot be used where Brazilian law requires specific formal procedures for a particular activity. For example, contracts constituting, transferring, modifying or waiving rights to a real estate with a value higher than thirty times the minimum monthly salary in Brazil must be in the form of a public deed.

9. Are there any data retention requirements in relation to personal data collected and processed via electronic contracting?

There are no data retention requirements for the formation of electronic contracts. However, under the Brazilian Internet Act and the Brazilian Consumer Protection and Defence Code, it is necessary to obtain consent from the people and/or companies whose data is collected for any use of such data (for example, formation of a database). Further, under the Brazilian Internet Act websites must keep access registrations for six months.

10. Are there any trusted site accreditations available?

The official cryptography and electronic signature mechanism is the Infraestrutura de Chaves Públicas Brasileira (ICP Brasil). E-signatures based on the ICP-Brasil public key infrastructure have a presumption of validity, as established by Provisional Measure No. 2,200-2/01.

11. What remedies are available for breach of an electronic contract?

As electronic contracts are governed by the Brazilian laws applicable to ordinary contracts, in general the remedies available for breach of ordinary contracts are also available to electronic contracts.

However, as electronic contracts do not fulfil the requirements set out in the Brazilian Civil Procedure Code for the filing of execution proceedings, Brazilian courts consider that this remedy is not available for electronic contracts.


12. Does the law recognise e-signatures? To what extent and when are e-signatures used in electronic contracting? Are they required in most transactions, or very few?

Applicable legislation

Provisional Measure No. 2,200-2/01, which created the Infraestrutura de Chaves Públicas Brasileira (ICP Brasil), is the applicable legislation.

Definition of e-signatures

According to the ICP Brasil, e-signatures are electronic mechanisms that identify the mailer of a certain electronic message.

E-signatures used with the ICP-Brasil have authenticity, integrity, reliability and cannot be repudiated: the author of an e-signature cannot, by technological and legal means, deny his responsibility. The e-signature stays linked to the signed electronic document. If the document is changed the e-signature becomes invalid.

Format of e-signatures

E-signatures are electronic mechanisms which allow the identification of the mailer of an electronic message.

E-signatures are not the same as scanned signatures.

Use of e-signatures in Brazil

E-signatures are not a legal requirement for any specific transaction. For this reason, e-signatures are rarely used in Brazil.

13. Are there any limitations on the use of e-signatures?

There is no limitation on the use of e-signatures in electronic contracts. There are, however, limitations on the use of electronic contracts under Brazilian law (see Question 8). In those cases, as there cannot be an electronic contract, e-signatures do not apply.


Implications of running a business online

Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

The collection and use of private data is expressly regulated by the:

  • Brazilian Internet Act (Law 12,965/2014).

  • Brazilian Consumer Protection and Defence Code (Law 8,078/1990).

Under this legislation, the collection and use of consumers' personal data and the collection and use of personal data online are subject to the prior and express consent of data subjects. The silence of data subjects is not considered to be implied consent.

In relation to personal data in general, unauthorised collection and use is potentially deemed to be a breach of the fundamental right to privacy granted to all Brazilian individuals under the Federal Constitution.

Certain matters in the Brazilian Internet Act are pending regulation by a presidential decree, including, among other things, the procedure for the application of penalties to the breach of the Brazilian Internet Act. Presidential Decree 8,771/2016 has introduced security standards applicable to connection and application providers when collecting, storing or otherwise treating personal data and private communications, including the following:

  • Strict control over access to personal data, including liability rules applicable to those who will be able to access personal data.

  • Authentication mechanisms for access of registries, including, for example, double authentication systems to ensure the identification of the person responsible for the registries.

  • The creation of a detailed inventory of access to registries, including the time, duration and identity of the employee or person responsible for the access.

  • Registry management solutions that use cryptography or equivalent protection technologies to ensure data integrity.

    As of the law-stated date of this article, the bill of law dealing specifically with data privacy matters has yet to be adopted (see Question 41).

    15. What data is regulated?

    Presidential Decree 8,771/2016 defines personal data as any data relating to an identified or identifiable individual, including numbering identification, location data or electronic identifiers.

    Outside the internet environment, there is no legal definition of personal data in Brazil. However, on the basis of the case law and the general law relating to this issue, any data that may identify a data subject should be considered personal.

    The upcoming Bill of Law (see Question 14) currently defines personal data as any information related to an identified or identifiable individual, including numbering identification, location data and electronic identifiers. It is worth noting that the Bill of Law also provides a special category of personal data, "sensitive data", covering personal data that reveals:

    • Racial or ethnic origins.

    • Religious, philosophical or moral convictions.

    • Affiliation to unions or organisations of a religious, philosophical or political character.

    • Data relating to health or sexual life.

    • Genetic data.

    16. Are there any limitations on collecting or using personal data? Are there any specific limitations on storage of personal data in the cloud?

    As a rule, the collection of personal data requires the consent of data subjects for the collection and use of personal data.

    The upcoming Bill of Law (see Question 14) currently establishes specific waivers for consent requirement for personal data in general and sensitive data, as follows:

    • Personal data. Consent is waived when the data is public or its treatment is necessary for:

      • compliance with a legal duty;

      • the exercise of rights or obligations by the public administration;

      • the enforcement of contractual or pre-contractual obligations of the data subject;

      • carrying out historical, scientific or statistical research;

      • the exercise of rights within a judicial or administrative procedure;

      • the protection of the intimacy and physical integrity of the data subject or a third party; and

      • the protection of health, in procedures conducted by health professionals or sanitary entities.

    • Sensitive data. Consent is waived when the treatment is:

      • carried out by non-profit organisations of a political, philosophical, religious or syndical nature relating to Union activity;

      • necessary to protect the life or physical integrity of the data subject or a third party;

      • performed solely for the purposes of historical, scientific or statistical research;

      • relates to information made public by the data subject;

      • conducted by professionals of the health area or sanitary entities, when the treatment is necessary to preserve the health of the data subject; and

      • necessary for the exercise of state functions provided for in the law.

    17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

    The storage of cookies or equivalent devices on the data subject's terminal equipment requires the prior authorisation of data subjects when the storage of cookies ultimately corresponds to the storage of personal data.

    18. What measures must be taken by contracting companies or the internet providers to guarantee the security of internet transactions?

    Payment institutions operating in Brazil must implement certain risk management structures, including:

    • Protection mechanisms for stored, processed and transferred data.

    • A mechanism for the authentication of users and for authorising payment transactions.

    • A mechanism for the monitoring and authorisation of payment transactions with the purpose of preventing fraud, as well as identifying and blocking on a timely basis suspicious payment transactions.

    • Notifications to users in relation to blocked payment transactions.

    • A mechanism which allows users to verify if their payment transactions are carried out correctly.

    See Question 21.

    The upcoming Bill of Law (see Question 14) provides that those dealing with private data must adopt technical and administrative measures, proportional to the nature of the information treated and adequate to protect the personal data from:

    • Unauthorised access.

    • Accidental or illegal situations involving the data's destruction, loss, change, communication, disclosure or any other form of illegal or inadequate treatment.

    The Bill of Law also states that a data privacy authority may specify security standards and procedures relating to the collection of personal data. The data protection authority does not currently exist; it will be created if and after the Bill of Law is approved with its current wording.

    19. Is the use of encryption required or prohibited in any circumstances?

    The use of encryption is not specifically required by Brazilian law.

    However, if personal data is encrypted in a way that it may be decrypted, the consent of data subjects will be necessary for any destination intended for the encrypted data.

    20. Can government bodies access or compel disclosure of personal data in certain circumstances?

    The Brazilian Constitution protects the privacy of any citizen's and resident foreigner's personal data and ensures the inviolability of the person's intimacy and personal life (see Question 14). Given these constitutional guarantees to privacy protection, any Brazilian citizen (or foreign resident) is entitled to protection and privacy of his personal information, including privacy of correspondence, electronic communication, and fiscal and banking information. In other words, government bodies are not authorised to access personal data absent a court order authorising them to do so.

    21. Are there any regulations in relation to electronic payments?

    The Brazilian Payments System (Sistema de Pagamentos Brasileiro) (SPB) is made up of all the entities, systems and procedures related to the clearing and settlement of funds transfer, foreign currency operations, financial assets, and securities transactions. These entities are known, collectively, as financial market infrastructures (FMIs). After October 2013, when Law No. 12,865 was enacted, payment schemes and payment institutions also became part of the SPB. To operate in the SPB, any payment institution must obtain prior authorisation from the Brazilian Central Bank (Banco Central do Brasil) (BACEN) and they are also subject to Brazilian law, including all relevant regulations of BACEN.

    The BACEN, while overseeing the SPB, constantly monitors the payments industry. Oversight includes the monitoring of aspects related to the:

    • Efficiency and security of retail payment systems.

    • Existence of competition in the services provided.

    • Intensity of co-operation among market infrastructures.

    Innovation in the development of new products that suit end users' needs is also taken into account.

    With this objective in mind, the BACEN collects information and data pertaining to the use of payment cards (credit, debit and prepaid) along with the other payment instruments employed in the industry. The following are monitored:

    • Access channels usage, for example, ATMs, internet, home and office banking, call centres, mobile phones, and correspondent banking.

    • The pricing policy, supporting FMIs, levels of co-operation and interoperability among market infrastructures.

    In this regard, Law No. 12,865 provides that the BACEN may request from payment institutions the disclosure of any documents, books of registry, and information, including data stored in electronic systems, for the purpose of overseeing payment institutions.

    Moreover, payment institutions operating in Brazil must implement certain risk management structures as described in BACEN Circular No. 3,681, dated November 4, 2013. It provides that such risk management structures must include protection mechanisms for:

    • Stored, processed and transferred data.

    • Authentication of users and for authorising payment transactions.

    • The monitoring and authorisation of payment transactions with the purpose of preventing fraud.

    • Identifying and blocking on a timely basis suspicious payment transactions.

    • Notifications to users in relation to blocked payment transactions.

    • A mechanism which allows users to verify if their payment transactions are carried out correctly.

    All documents relating to this information must be available to the BACEN at all times.

    22. If the site is aimed at children, are there any specific rules or guidance that apply?

    There are no specific rules for sites aimed at children. There are, however, rules for advertising aimed at children. Section 37 of the Brazilian Advertising Self-Regulation Code provides guidelines for advertisers in relation to children advertising, such as the prohibition of any advertisement which incentivises socially reprehensible behaviour or discrimination. These parameters can be considered as applicable to sites aimed at children as well.

    Sites aimed at children cannot contain any references to certain industries and products aimed at adult audiences (alcohol beverages, tobacco, firearms, and so on).

    Under Brazilian law, a person under 16 years old is totally incapable. A person aged between 16 and 18 years old is relatively incapable. Transactions engaged by a totally incapable person are deemed null and void. Transactions engaged by a relatively incapable person are deemed valid if such person is assisted by his or her legal representatives (such as his/her parents).

    Finally, Brazilian courts have ruled that parents are responsible for online transactions engaged by totally or partially incapable persons when they make use of their parents account on a particular site or app, making it impossible for the site/app to identify that a minor person was actually responsible for the transaction. In such cases it is the parents' responsibility to supervise the use of the site/app account.



    23. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

    The Brazilian Internet Act created a legal framework, establishing principles, rights and duties for the use of the internet in Brazil. It has not, however, provided detailed regulations for the internet (see Question 14). There are, therefore, currently no express limitations on limitations to linking to a third party website, or other practices such as spidering, framing, caching or using metatags. However, it is possible to impose limitations by systematically applying the principles of the Act: section 3 recognises principles such as privacy and user data protection, net neutrality, security and functionality preservation, among others. Such principles, reaffirmed throughout the law, shape the limitations that can be applied on a case-to-case basis, until further regulation is issued.

    Specifically in relation to copyright law, however, any reference to content published elsewhere must display information relating to its origin/authoring.


    Domain names

    24. What regulations are there in relation to licensing of domain names?

    There is no specific legislation in Brazil concerning domain names.

    25. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

    The owner of a domain name has no additional rights, such as the priority in the registration of a corresponding trade mark.

    It should be noted that trade mark registration depends on a specific procedure before the Brazilian Patent and Trade Mark Office, a public authority which has no connections with Registro.BR, the private platform which registers domain names.

    26. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

    In principle, a business name can be protected either through a domain name or via a commercial name.

    The registration of a domain name occurs within the private platform Registro.BR (see Question 24).

    The creation of a commercial name, on the other hand, must be provided for by a corporate document of the relevant company registered with the Board of Trade.

    Prior to the registration of either a domain name or a commercial name, it is advisable to conduct a research on the databases of Registro.BR or the Board of Trade, as applicable, to check the existence of prior domain or commercial names.


    Jurisdiction and governing law

    27. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

    Brazilian courts have jurisdiction to process and decide actions where the (Civil Procedure Code):

    • Defendant is domiciled in Brazil (irrespective of the defendant's nationality).

    • Obligation is to be performed in Brazil.

    • Grounds arise from facts occurred or acts practiced in Brazil.

    While the general rule provides that lawsuits are filed before the courts where the defendant is domiciled, the Consumer Protection Code authorises consumers to file lawsuits before the courts where those consumers are domiciled, irrespective of whether the provider of services and goods is located elsewhere.

    28. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

    Parties to a business-to-business transaction (B2B) may technically choose the substantive law to govern potential disputes (particularly in the context of an arbitration clause (see Question 28)). However, the Brazilian Consumer Protection Code has mandatory application whenever the underlying transaction (or dispute) involves consumer-related issues. When an arbitration clause is absent, courts usually apply Brazilian law to disputes, even those arising from B2B transactions.

    29. Are there any alternative dispute resolution/ online dispute resolution (ADR/ODR) options available to online traders and their customers? What remedies are available from the ADR/ODR methods? Are there any requirements to notify customers of the availability of these methods?

    Arbitration is generally available in Brazil and courts will permit this alternative means of dispute resolution, particularly in B2B transactions and as long as parties use a properly drafted arbitration clause or voluntarily submit their dispute to arbitration in the absence of a prior agreement to arbitrate. However, in consumer-related contracts containing arbitration clauses, arbitration will only be possible if the consumer takes the initiative to begin proceedings (as a claimant), or expressly agrees to arbitration where the relevant provider of services or goods commences it (see Question 27).



    30. What are the relevant rules on advertising goods/services online/via social media?

    The Brazilian Consumer Protection Code applies to advertising goods and services online, as well as via social media. The Brazilian Advertising Self-Regulation Code is voluntarily and largely adopted by advertisers, media companies and agencies. It also contains specific provisions, particularly on comparative advertising.

    31. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)? 

    Certain industries and products are addressed in the annexes of the Brazilian Advertising Self-Regulation Code, for example:

    • Alcoholic beverages.

    • Investments.

    • Loans and securities market.

    • OTC pharmaceutical products.

    • Tobacco.

    • Real estate.

    • Hospital services.

    • Firearms.

    32. Are there any rules or limitations in relation to text messages/spam emails?

    Although there are bills pending before the Brazilian Congress (for example, bills 2186/2003, 2423/2003 and 3731/2004), there are no specific rules in force regarding text messages and spam e-mails. However, since 2013 the Criminal Code lists as a crime the breach of security protocols to gain access to computers, or the installation of malware for illicit purposes.

    33. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

    The Brazilian Advertising Self-Regulation Code requires that websites for alcoholic beverage companies contain a mechanism to prevent access by minors (that is, younger than 18 years old).



    34. Are sales concluded online subject to taxation?

    For Brazilian tax purposes online sales of merchandise are deemed regular sales of goods and subject to state VAT (Imposto sobre Operações relativas à Circulação de Mercadorias e sobre Prestações de Serviços de Transporte Interestadual e Intermunicipal e de Comunicação) (ICMS).

    35. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

    Since sales of merchandise concluded online are deemed regular sales for Brazilian tax purposes, online companies must follow the same rule applied to other ICMS taxpayers and register for ICMS and other taxes with the state where they do business, and where its main place of business is located (see Question 33). If the company intends to do business from various states, registration for ICMS is required for each state. This is based on the general rule that provides that the state ICMS belongs to the state where seller's establishment is located, that is, the location from which the merchandise sold is to be invoiced and shipped to the final customer. An exception to this rule was the sale to final customers ICMS taxpayers, in which case both the state of origin and state of destination would be entitled to a portion of the total ICMS due on the transaction.

    This had been a sensitive matter for years, since many Brazilian states had considered that this rule gave rise to adverse consequences, particular on the basis that it was unfair that the total ICMS due on the transaction with final customers (non-ICMS taxpayers) should be granted to the state where the transaction was originated but not finalised. However, this rule was changed by Constitutional Amendment No. 87/2015 (EC 87/15). Under EC 87/15, both the state where the transaction originated and the state where the final customer is located are entitled to a share of the ICMS due on the transaction according to the following proportions:

    • In 2015: 20% to the state of destination and 80% to the state of origin.

    • In 2016: 40% to the state of destination and 60% to the state of origin.

    • In 2017: 60% to the state of destination and 40% to the state of origin.

    • In 2018: 80% to the state of destination and 20% to the state of origin.

    • From 2019 onwards, 100% of the ICMS due on the transaction must be collected to the state of destination.

    The responsibility to collect the ICMS will be on the:

    • Seller, if the final customer is a non-ICMS taxpayer.

    • Final customer, if the final customer is an ICMS taxpayer.

    Current debate involving the new rule relates to its implementation by the states, mainly because the rule somehow obliges seller to either collect the respective ICMS due to the state of destination at each invoice issued or to register with the state of destination to allow collection of the ICMS due on a monthly basis. This, besides increasing considerably the ancillary tax obligations of the seller, allows the tax authorities of the state of destination to perform tax audits in the seller's tax books.

    Finally, ICMS rates applied on goods can range from 7% up to 25%, depending on whether the goods are considered essential according to Constitutional principles. VAT rates on interstate transactions can range from 4% up to 12%.


    Protecting an online business

    Liability for content online

    36. What laws govern liability for website content?

    There are basically three laws in the Brazilian legal system that govern liability for website content:

    • The Brazilian Internet Act (Law 12,965/2014).

    • The Brazilian Consumer Protection and Defence Code (Law 8,078/1990).

    • The Civil Code (Law 10,406/2002).

    37. What legal information must a website operator provide?

    A business-to-consumer website must provide the information required by:

    • Sections 2, 3, and 5 of Decree n. 7962/2013.

    • Chapter II, section 3 of the Guidelines issued by the Department of Economic Rights, Consumer Protection and Defence Office.

    Examples of information that must be provided to consumers include the company's address and other contact information.

    For other website operators, sites must obey the general principles of information and transparency set out by the Brazilian Internet Act (sections 7 (VI and VIII), 9 (§2, item III), 10 (§4) and 20).

    38. Who is liable for the content a website displays (including mistakes)?

    In connection with business-to-consumer websites, there is strict liability for any misleading information or failure to comply with a legal or contractual obligation. This strict liability derives from the Consumer Law.

    With regards to social media websites, including blogs, the user who inserts the content is the one liable for it. The application provider will be liable only, as a general rule, if it does not remove the content when judicially ordered. The application provider will, however, be liable without a judicial order if the provider does not remove content related to pornography involving the person requesting the removal.

    39. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

    ISPs cannot interfere in the flow of communications. Chapter 3, section 9 of the Brazilian Internet Act sets out rules that guarantee net neutrality, in accordance with the Act's principles. Net neutrality means ISPs must treat equally data packets of any kind, origin, destination, service or application. In addition, ISPs are forbidden to block, monitor, filter or analyse the contents of data packets.

    However, it is possible for an exception to be made where discrimination or degradation of traffic is allowed for (section 9 (§2), Internet Civil Act):

    • Mandatory technical requirements.

    • Prioritisation of emergency services.

    Under Presidential Decree 8,771/2016, mandatory technical requirements are restricted to:

    • Network security matters (for example, anti-spam mechanisms and control of denial of service attacks).

    • The treatment of network congestion matters (for example, for the sake of load redistribution, alternative routes in case of interruption of the main route and management in emergency situations).

    Management of networks to maintain their stability, security and functionality is allowed under the regulation, if it is done in accordance with the:

    • International standards.

    • Regulatory parameters of the Brazilian Telecommunications Agency (Agência Nacional de Telecomunicações) (ANATEL).

    • Guidelines from the Brazil's Internet Management Committee (Comitê Gestor da Internet no Brasil) (CGIbr).

    The users being must also be informed of the reasons, effects and description of such practices.

    Courts can issue total or partial site blocking or removal orders to ISPs based on the Internet Civil Act. The decision is enforceable by means of imposition of a daily penalty for non-compliance with the court order. Other coercive measures can be imposed by the judiciary as well.


    Liability for products / services supplied online

    40. Are there any rules that might apply to products or services supplied online?

    In general, rules applied to the ordinary acquisition of products and services are also applicable to products and services supplied online. Products and services supplied to consumers are subject to the rules established in the:

    • Consumer Protection Code, the Electronic Commerce Decree (Decree No. 7,962/13).

    • Regulations issued by the Department of the Ministry of Justice for Consumer Protection and Defence (DPDC).

    Among relevant provisions, we point out the right of retraction. Section 49 of the Consumer Protection Code allows the customer, in cases of products purchased out of the store, to cancel the purchase within seven days from the signing of the agreement or the subscription of the service.

    For liability rules, the Consumer Protection Code establishes that all participants in the supply chain are jointly and severally liable for a defective product or service, and the consumer can choose who to demand in the supply chain.

    For sites that offer a sales platform for third parties, court decisions are not uniform, some consider the sites severally and jointly liable for the products offered and others mitigate the sites' liability in certain cases.

    In a decision issued in 2014, São Paulo State Appeals Court determined that such sites are responsible for the products offered when they receive any kind of remuneration for the transactions engaged between third parties (that is, when the site receives a percentage of sales made through its platform). This liability, however, does not cover the quality of the product sold, as the site does not have contact with the actual product.



    41. How should an online business be insured?

    The type of insurance that should be entered into by a business in Brazil depends mainly on:

    • The nature of the company's activities.

    • Whether any legal provision regarding insurance coverage is applicable to the company and/or its activities.

    However, there is no specific class of insurance directed solely to online companies or businesses.

    As a general rule, in Brazil most companies are only legally compelled to insure all assets, whether real or personal property, against fire, regardless of the activities being developed by the company. In practice, most companies enter into a multi-risk property insurance policy which includes the mandatory fire coverage.

    The applicable regulation to multi-risk property insurance sets out a few standard coverages that may be included in multi-risk property products, but also allows insurance companies to tweak the multi-risk coverage to better suit the insured's needs. Common coverages include damages resulting from explosions, lightning crashes, riots, certain equipments, electrical damages, and theft. However, it is very common for multi-risk property insurance products to expressly exclude damages to software, hardware, electronic data and/or IT systems from their coverage, which is why online companies should pay attention to the terms and conditions of the contracted policies and whether they adequately cover their main assets.

    Depending on the nature of an online company's operations, entering into liability insurance may be recommended given the highly litigious consumer and labour relations in Brazil, particularly if the operations involve sales to a final consumer or depend heavily on contracted personnel. For the same reason, a Directors and Officers (D&O) or Errors and Omissions (E&O) policy may also be recommended.



    42. Are there any proposals to reform digital business law in your jurisdiction?

    A comprehensive Bill of Law on data privacy was presented by the Brazilian President to the Legislative Branch on 13 May 2016(see Question 14 to 18). As it was presented with an urgency request, the Chambers of Representatives and the Federal Senate can take no more than 45 days each to deliberate on the approval of it.

    The Chamber of Representatives has until 27 June 2016 to deliberate on the approval of the Bill of Law and, if approved, the Federal Senate has another 45-day deadline to examine it. After that, if the Bill of Law is also approved by the Federal Senate, the Brazilian President will partially or totally sanction the Bill of Law. Vetoes will be subject to further confirmation or revocation by a joint deliberation of the Chamber of Representatives and Federal Senate.


    Contributor profiles

    Marcela Waksman Ejnisman, Partner

    TozziniFreire Advogados

    T +55 11 5086 5471
    F +55 11 5086 5555

    Professional qualifications. LL.M. (Cornell University), United States, 1998; International Business and Business Law (University of California), United States, 1995; Graduate Law School (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 1992.

    Areas of practice. Corporate law and foreign investment; mergers and acquisitions; media and entertainment; IP; telecommunications/information technology; life sciences and healthcare; private equity and venture capital; infrastructure.

    Professional associations/memberships. Events Director of the Brazilian Association of Information Technology and Telecommunications Law (ABDI); Member of the American Bankruptcy Institute; Member of the International Trademark Association;

    Member of the International Technology Law Association.

    Languages. Portuguese, English


    • "Moving With the Times: Major Changes to the IP Framework", IP Value 2009 (London: Globe White Page, 2008).

    • "Privacidade Possível na Era Digital" (Possible Privacy in the Digital Age), E-Dicas: O Direito na Sociedade da Informação (E-tips: The Law in the Information Society) (São Paulo: Câmara E-Net, 2005).

    Fernando Cinci Avelino Silva, Partner

    TozziniFreire Advogados

    T +55 11 5086 5568
    F +55 11 5086 5000

    Professional qualifications. Business Management (Business School São Paulo), 2007; Corporate Law (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 2004; University extension in Regulatory Theory: Telecommunications Law (Fundação Getulio Vargas (FGV)), 2002; Graduate Law School (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 2000.

    Areas of practice. Corporate law and foreign investment; mergers and acquisitions; media and entertainment; telecommunications/information technology; private equity and venture capital; infrastructure.

    Publications. "Direito Institucional: Auto-Regulação da Internet (Institutional Law)" E-Dicas: O Direito na Sociedade da Informação (E-tips: The Law in the Information Society) (São Paulo: Usina do Livro, 2005).

    Patricia Helena Marta, Partner

    TozziniFreire Advogados

    T +55 11 5086 5439
    F +55 11 5086 5000

    Professional qualifications. Business Management (Business School São Paulo), 2007; Consumer Law (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 2001; Graduate Law School (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 1998.

    Areas of practice. Litigation; consumer affairs.

    Languages. Portuguese, English

    Publications. "Brazil", The International Comparative Legal Guide to: Class and Group Actions 2013.

    Antonio Marzagão Barbuto Neto, Partner

    TozziniFreire Advogados

    T +55 11 5086 5245
    F +55 11 5086 5555

    Professional qualifications. Business Management (Business School São Paulo), 2007; LL.M. General Studies (New York University (NYU) Law School), United States, 2005; Graduate Law School (University of São Paulo School of Law (USP-SP)), 2001.

    Areas of practice. Litigation; arbitration.

    Languages. Portuguese, English

    Professional associations/memberships. Admitted to the New York State Bar Association; Member of the New York State Bar Association (NYSBA); Member of the Mediation and Arbitration Committee of the Brazilian Bar Association - São Paulo section (OAB-SP); Member of the International Center for Dispute Resolution.


    • Co-author, "Brazil", Corporate Internal Investigations (Oxford University Press, 2013).

    • Co-author, "Arbitration", Latin Lawyer Reference, 2012, 2013 and 2014.

    • Co-author, "Brazil", International Civil Procedure Handbook (London: Kluwer Law International, 2004).

    Marta Viegas, Partner

    TozziniFreire Advogados

    T +55 11 5086 5233
    F +55 11 5086 5555

    Professional qualifications. Business Management (Business School São Paulo), 2007; LL.M. Law School (Northwestern University) and Certificate in Business Administration (Kellog School of Management), United States, 2002; Graduate Law School (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 1998.

    Areas of practice. Corporate law and foreign investment; mergers and acquisitions; private equity and venture capital; insurance and reinsurance; infrastructure.

    Languages. Portuguese, English, Spanish

    Professional associations/memberships. Member of the Board of Directors of the Brazilian Institute of Corporate Governance (IBGC); Professor in the Corporate Governance MBA of the Foundation Institute of Accounting and Financial Researches (FIPECAFI); Member of the Brazilian section of the Association Internationale de Droit des Assurances (AIDA); Member of the legal commission of CNSEG - Confederação Nacional das Empresas de Seguros Gerais, Previdência Privada e Vida, Saúde Suplementar e Capitalização.


    • "Deveres Fiduciários e Responsabilidade dos Administradores", Governança Corporativa - Discussões sobre os Conselhos de Empresas no Brasil (São Paulo: Saint Paul, 2012).

    • "Corporate Governance in Brazil", Corporate Governance - Jurisdictional Comparisons (London: European Lawyer, 2013).

    Jerry Levers de Abreu, Partner

    TozziniFreire Advogados

    T +55 11 5086 5354
    F +55 11 5086 5555

    Professional qualifications. Academy of American and International Law (Center for American and International Law), United States, 2014; Tax Law (Pontifícia Universidade Católica de São Paulo (PUC-SP)), 2009; Graduate (Faculdade de Direito da Universidade São Francisco), 1999.

    Areas of practice. Tax.

    Languages. Portuguese, English

    Rodrigo de Campos Vieira, Partner

    TozziniFreire Advogados

    T +55 11 5086 5230
    F +55 11 5086 5000

    Professional qualifications. Business Management (Fundação Dom Cabral (FDC)), 2011; Business Management (Business School São Paulo), 2007; Graduate Law School (Faculdade Milton Campos), 1998.

    Areas of practice. Capital markets; banking and finance; investment funds; corporate finance; project finance; private equity and venture capital; infrastructure.

    Languages. Portuguese, English

    Professional associations/memberships. Member of the Brazilian Institute of Finance Executives (IBEF).


    • "Brazil", Getting the Deal Through Banking Regulation (London: Global Competition Review, 2014 and 2015 ed).

    • Several articles for IFLR Magazine's International Briefings and other relevant legal publications.

    Felipe Borges Lacerda Loiola, Associate

    TozziniFreire Advogados

    T +55 11 5086 5194
    F +55 11 5086 5555

    { "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248216849391", "objName" : "Digital business in Brazil", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "25e8a493e:15b08e9df1f:-717a", "analyticsSessionCookie" : "25e8a493e:15b08e9df1f:-7179", "statisticSensorPath" : "" }