Brazil has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

According to Art. 1 of Ministerial Ordinance 156/1999, goods that are part of international postal delivery up to USD 50 (below the 200 USD threshold recommended by the International Chamber of Commerce (ICC) are exempt from customs duties, provided that the seller and buyer are physical persons.

Online pharmacies need to have a "com.br" or "far.br" domains. Internet pharmacies are permitted in Brazil only if the Internet pharmacy is the website component of a licensed Brazilian brick-and-mortar pharmacy according to Art. 53.2 of Resolution of the Director's Board of the National Agency for Health Surveillance 44/2009.

Foreign companies can register a domain ".br" after the conclusion of a special registration, which requires a local legal representative and a declaration that the company will establish activities in Brazil within 12 months from the registration, according to Resolution of the Internet Steering Committee 2008/008/P.

The Brazilian Government charges a flat 60% duty for all express shipments imported through the Simplified Customs Clearance process. The Simplified Customs Clearance process limits commercial shipments to USD 100,000 per importer per year, according to Art. 37 of Normative Instruction 1737/2017. Moreover, Brazilian Customs have established express services maximum per-shipment value limits of USD 3,000 for imports, according to Art. 1 of Ministerial Ordinance 156/1999. This is reported to affect particularly online sales.

The Interpretative Act No. 7 of August 2014, issued by the Brazilian Federal Revenue Secretariat (Receita Federal do Brasil – RFB), deals with the taxation of cross-border payments for the use of data centers located outside Brazil. It applies to all amounts paid, credited, delivered or remitted by individuals or legal entities resident or domiciled in Brazil to companies headquartered abroad that are identified as offshore data centers.
According to the Act, when the Brazilian source of payment hires offshore data centers for the use of infrastructure for storage and remote high-performance data processing systems, the transactions are deemed to be typical provision of services, and cannot be characterized as rental of movable assets, for tax purposes. The consequence of this interpretation is that the use of offshore data centers triggers the following federal taxes in Brazil:
- Withholding income tax (Imposto sobre a Renda Retido na Fonte – IRFF) at the rate of 15% or 25% whenever the recipient is located in a tax haven jurisdiction;
- Cide-royalties contribution (Contribuição de Intervenção no Domínio Econômico destinada a financiar o Programa de Estímulo à Interação Universidade-Empresa para o Apoio à Inovação – Cide-royalties), at the rate of 10%;
- PIS-importation contribution (Contribuição para o PIS/Pasep-Importação) at the rate of 1.65%;
- Cofins-importation contribution (Contribuição para o Cofins-Importação) at the rate of 7.6%; and
- IOF (Imposto sobre Operações de Câmbio), which is the financial tax levied on the foreign exchange transaction, at the rate of 0.38%.

Homologation is mandatory for the use and commercialization of telecommunication products in the country (Art. 55 of Resolution No. 715), and the country accepts third-party certification from Conformity Assessment Bodies from a number of countries with Mutual Recognition Agreements (Art. 8 of Resolution No. 715).
Act No. 7,280 list and clarifies the type of conformity assessment that correspond to radio frequency emitting products of telecommunications. The majority of the products contained in the reference list of telecom products require testing and includes: antennas; energy accumulators (batteries); coaxial cables; optical cables and fiber optics; data transmission cables; telephone cables; chargers for mobile phone and lithium batteries; switching centers; broadcasting equipment; rf equipment (except broadcasting) such as BPL equipment, mobile phones, modems, digital transmitters, and transceivers; optical equipment; data communication equipment; terminal equipment; IP terminal equipment (wireless); telephone wires; protective modules; digital multiplex; rectifier systems; splitters; rectifier units. Act No. 3,939 is the regulation for homologation in Brazil, guiding the necessary steps of the procedure.

According to the guidelines of Act No. 77, when requesting the homologation of the product for telecommunications with ANATEL (Agência Nacional de Telecomunicações), the applicant must present a declaration expressing which cybersecurity requirements the equipment and its supplier meet. There are concerns from the industry regarding the scope and definitions of this Act, including to which products the regulation applies and the lack of reliance on international standards. Among other provisions, it is reported that the Act mandates in a vague way to guarantee appropriate encryption methods.

Normative Ordinance No. 371 introduced a mandatory certification for IT equipment (Voltage stabilizers) as of July 2011. Generally, testing must be performed in-country, unless the necessary capability does not exist in Brazil. Moreover, entities engaged in product testing and mandatory certification must be accredited by the National Institute of Metrology, Standardization and Industrial Quality (INMETRO).

Brazil is a member of the System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE), which is based on the principle of mutual recognition (reciprocal acceptance) by its members of test results for obtaining certification or approval at national level. Pursuant to Resolution No. 715, the Brazilian National Telecommunications Agency (ANATEL; Agência Nacional de Telecomunicações) implements testing requirements for telecommunication products and equipment. Through subsequent implementing acts, ANATEL has reduced the frequency of testing requirements and introduced the use of a declaration of conformity with test results procedures for certain products, based on a risk analysis.
However, it has been reported that ANATEL needs to approve products that connect to the public telephone network. This approval process requires in-country testing, not accepting test reports from foreign accredited labs. This is the case of the following products, among others: Network routers with E1 WAN ports; WiFi 802.11a/b/g/n access points; GSM and CDMA cellular phones; Network switches; Satellite, Bluetooth; ZigBee products. Other products need certification by ANATEL. For example: Cell phones; Bluetooth headset; Wireless telephones, including DECT systems; Antenna systems; Digital communication systems; Security gateways; Wi-Fi modules.

According to Art. 4 of Normative Instruction 1984, a declarant of goods is defined as importers, exporters, purchasers of imported goods on their own account, orders of imported goods, and legal entities domiciled in the Manaus Free Trade Zone (ZFM) that promote the admission of goods to the rest of the national territory. According to Art. 16, declarants require authorization to operate in foreign trade, which may be granted in one of the following ways:
I - Express, in the case of a legal entity incorporated as an open joint stock company, with shares traded in the stock exchange; or a public company or government-controlled company;
II - Limited, in the case of a declarant of assets not included in the Express form whose financial capacity is estimated in an amount equal to or less than the maximum limit established in Art. 17;.
In accordance with Art. 17, the declarant of goods qualified in the limited modality may carry out import operations, in each consecutive six-month period, up to the limit of USD 50,000, or its equivalent in another currency, if its estimated financial capacity is equal to or less than that amount. Alternatively, if its estimated financial capacity is between USD 50,000 and USD 150,000, then the declarant can carry out imports operations until USD 150,000. To determine the limits established in this article, import operations shall be considered at the customs value of the goods.

According to Art. 41 of Ordinance 23 of July 2011 of the Secretary of Foreign Trade the importation of used machinery, equipment, devices, instruments, molds, and containers are prohibited unless these used goods are not produced in the country, or are irreplaceable by other similar products manufactured in the country. Art. 42 establishes that imports of used computer and used telecommunications products are only allowed under limited circumstances.

The Law 12,965 of 2014 (Internet Civil Regulation) introduces a liability exemption for Internet connection providers and the application of the safe harbor doctrine for other Internet application providers. Art. 18 addresses the liability of Internet connection providers, grants an exception to those services regarding intermediary liability. It states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers) states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

It is reported that Brazil imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card, or a passport in case of foreigners, to activate a new prepaid SIM card. According to Art. 42 of the Resolution No. 477, users must provide a minimum set of personal data to be able to subscribe to a mobile telephone service. This information includes name, identity card number, and taxpayer number.

Privacy impact assessments must be provided to the Autoridade Nacional de Proteção de Dados (ANPD, National Data Protection Authority) upon request. Therefore, even though they are not initially mandatory, it is highly recommended to have them already developed. The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for by the regulations, with due regard to commercial and industrial secrecy (Art. 10(§3º) of Law No. 13.709). This DPIA should contain at least a description of the types of data collected, the methodology used for collection and as a guarantee for the security of the information, an analysis of the controller in relation to the measures, safeguards, and risk mitigation mechanisms adopted (Art. 38).