Digital Law in Brazil
Advisory and litigation across every front of digital operations — contracts, platforms, regulatory compliance, disputes.
Digital Law in Brazil covers the legal infrastructure of online operations — terms of use, policies, intermediary liability, moderation, content removal, e-commerce, marketplaces, SaaS, and digital products. Hosaki Law structures, reviews and defends companies, platforms and digital businesses under Brazil's Marco Civil da Internet (Law No. 12,965/2014), the Consumer Protection Code (CDC), and applicable sector-specific regulation.
Frequently asked questions
Are terms of use and privacy policy mandatory for SaaS operating in Brazil?
A privacy policy is mandatory whenever personal data is processed, under Brazil's LGPD. Terms of use, while not mandated by a single dedicated statute, function as the contract governing the user relationship and are required in practice under the Consumer Protection Code (CDC), the Civil Code, and Brazil's Marco Civil da Internet when an online service is provided. SaaS without robust contractual documentation is exposed to consumer disputes, B2B disagreements, and weak evidence in discussions about scope, support, SLA, and termination. Proper documentation includes terms of use, an LGPD-compliant privacy policy, a cookie policy, and — where applicable — specific B2B contracts.
How does platform and intermediary liability work in Brazil?
Brazil's Marco Civil da Internet (Law No. 12,965/2014) sets the liability regime for application providers regarding third-party conduct. As a general rule, an application provider is only civilly liable for third-party content if, after a specific court order, it fails to take measures to make the content unavailable. Specific rules apply to non-consensual nudity, which allows direct notification. Case law has applied this regime case by case, considering the level of active moderation, the monetization of third-party content, and the platform's commercial structure. Operating companies need internal notice-and-takedown flows, a clear moderation policy, and log preservation procedures.
Does a foreign platform serving Brazilian users need to comply with LGPD and Marco Civil?
Yes, as a general rule. The LGPD (Law No. 13,709/2018) has extraterritorial reach: it applies when the processing operation occurs in Brazilian territory, when the activity is aimed at offering or providing goods or services to individuals located in Brazil, or when the data was collected in Brazilian territory. Marco Civil da Internet also reaches operations that offer services to the Brazilian public. Foreign platforms serving Brazil typically need to appoint a data protection officer (DPO), adapt terms and privacy policy to Portuguese, and set up notification channels accessible to Brazilian users and authorities.
Can I remove content from my marketplace or platform without prior notice in Brazil?
The moderation policy is set out in the terms of service accepted by the user, and the platform has a contractual right to moderate — provided that moderation is not arbitrary, discriminatory, or disproportionate to the harm caused. Generic terms, without objective removal criteria, create high exposure to judicial challenges and reputational damage. Good practice includes objective moderation criteria published in the terms, an internal appeals process, prior notice to the user whenever possible, and preservation of logs and removed content for the legal retention period. For third-party content, the notice-and-takedown procedure must be documented and auditable.
Are e-commerce and marketplaces in Brazil subject to CDC, Marco Civil, and LGPD at the same time?
Yes. E-commerce and marketplaces operate under a cumulative regime. Brazil's Consumer Protection Code (CDC) governs the relationship with the end consumer, including the right of withdrawal, clear information, and exchange and return policies. Marco Civil da Internet governs operations as an application provider, including log retention and liability for third-party content — relevant for marketplaces hosting sellers. LGPD governs the processing of personal data of users and sellers. Decree No. 7,962/2013, which regulates e-commerce, sets specific transparency and customer support requirements. Full compliance requires legal integration across all three axes.
Do platforms have to retain logs and user data within Brazil?
Brazil's Marco Civil da Internet imposes a retention obligation of connection records (connection providers) for one year and application access records (application providers) for six months, with possible extension by judicial or administrative order. LGPD requires retention only for as long as necessary to fulfill the purposes for which the data was collected, except for legal retention obligations. In apparent conflict, the legal retention obligation prevails. Platforms must document the legal basis and retention period for each category of data, and implement deletion procedures at the end of the cycle. Storage on servers abroad is permitted, subject to LGPD's international transfer requirements.
Have a specific situation regarding Digital Law in Brazil?
Talk to our team →