Brazil's Marco Civil da Internet (Law No. 12,965/2014) is not a law most foreign companies think about when entering the Brazilian market. They think about the LGPD for data protection, the CDC for consumer rights, and local tax rules. The Marco Civil tends to be discovered later — usually when a court order arrives, a content dispute emerges, or a platform liability question surfaces.
Understanding it earlier is significantly cheaper.
What the Marco Civil Is and Who It Covers
The Marco Civil is Brazil's internet framework law. It establishes principles, rights, and duties for internet use in Brazil. It applies to any natural person or legal entity that provides services to the public over the internet in Brazil — regardless of the company's country of incorporation.
Two categories of providers, each with distinct obligations:
- Connection providers (provedores de conexão): ISPs — they provide the network infrastructure. Stricter log-retention rules apply.
- Application providers (provedores de aplicação): any service that offers functionality over the internet — websites, apps, SaaS, marketplaces, platforms, communities. Most digital businesses fall here.
The classification matters because it determines your log-retention obligations, your liability for third-party content, and how you must respond to court orders.
Log Retention: What Must Be Kept and for How Long
Application providers must retain internet access records for the period established by the Marco Civil, in a controlled and secure environment. These records must be made available to competent authorities upon a specific court order.
The law requires confidentiality of these logs — they cannot be disclosed to third parties without judicial authorization. This creates a tension with LGPD's data minimization principle: the Marco Civil obliges you to retain data, while the LGPD requires you not to retain it longer than necessary. Internal policy must reconcile both.
Practical consequence: build a data architecture that allows targeted extraction of specific user records in response to court orders, without exposing unrelated data — and retain only what the law requires for exactly the period it requires.
Provider Liability for Third-Party Content
The Marco Civil's most important provision for platform businesses: Art. 19 establishes that application providers are not liable for damages resulting from third-party content unless, after a specific court removal order, they fail to make the content unavailable.
This is a conditional immunity, not absolute protection:
- Platform publishes user content → no liability
- Court orders removal → platform must comply within the deadline
- Platform fails to comply → liability for resulting harm attaches
There is a stricter rule for non-consensual intimate image content (Art. 21): here, liability arises from notification by the victim, without requiring a court order. Platforms must remove this content promptly upon proper notification.
For foreign companies building platforms used in Brazil: Art. 19 applies to your service if it offers content to Brazilian users, regardless of where your servers are located.
Net Neutrality
The Marco Civil establishes net neutrality as a principle: connection providers cannot discriminate between data packets based on origin, destination, service, terminal, or application. Exceptions exist for technical requirements and emergency services.
For digital businesses, this means: your traffic cannot be throttled or prioritized by ISPs based on commercial arrangements — a protection for emerging services competing with established players.
The LGPD Interface
The Marco Civil and LGPD operate in parallel and must be read together for any business handling personal data over the internet in Brazil.
Key overlaps:
| Issue | Marco Civil | LGPD |
|---|---|---|
| Log retention | Mandatory for specific periods | Data minimization — retain only what's necessary |
| User data disclosure | Only on specific court order | Processing must have a legal basis |
| Privacy protection | General framework | Detailed processing obligations |
A data map that covers both laws — identifying what data is collected, why, for how long, and under what conditions it can be disclosed — is the foundation of a compliant operation.
Responding to Court Orders
When a court order arrives demanding user data or content removal, the response must be:
- Timely: failure to comply within the court-specified deadline triggers liability under Art. 19
- Scoped: only what the order specifically requires; over-disclosure creates LGPD exposure
- Documented: maintain records of every order received, the data provided, the date of compliance, and the legal basis
Before any disclosure: legal review. A well-designed response playbook — who receives the order, who reviews it legally, who executes the data extraction, and how compliance is documented — is a compliance infrastructure element, not a one-time task.
Compliance Audit: The Minimum Checklist
For any digital business operating in Brazil:
- Have you classified your operation: connection provider or application provider?
- Are access logs retained for the legally required period in a secure environment?
- Is the retention policy aligned with the LGPD's data minimization requirement?
- Is there a single channel for receiving judicial orders, with a response playbook?
- Are terms of use and privacy policy accessible to Brazilian users?
- Is there a process for Art. 21 intimate-image notifications with defined SLA?
- For foreign companies: is there a local legal representative for judicial communications?
Our practice covers digital law and creator economy and data protection and privacy. See also: Platform Removed Your Content? Marco Civil Explained.
FAQ
Any application that offers functionality over the internet — website, app, marketplace, course platform, community, SaaS. The distinction from a connection provider (ISP) is central because liability regimes and log-retention obligations differ. Most digital businesses qualify as application providers. The correct classification determines what must be logged, for how long, and under what conditions logs can be disclosed.
Application providers must retain internet access records for the period set by the Marco Civil, in a controlled and secure environment. The obligation covers providers offering services to the general public. In practice, logs also support incident response, litigation defense, and compliance with court orders. The retention policy must align with the LGPD to avoid conflict between the two laws.
Generally yes, within what the Marco Civil and LGPD authorize and limited to the specific order. Disclosure is only available upon a specific court order, absent specific legal exceptions. Overly broad requests, requests for data outside the legal retention period, or requests that exceed statutory authority should be challenged. Best practice: a judicial-order response playbook with legal review before any disclosure, and a single channel for receiving notices.
Complementary. The Marco Civil governs internet use, provider liability, net neutrality, and access-record retention. The LGPD governs personal data processing by any agent, online and offline. Where they overlap — such as in log retention — both must be read together. Internal policy must reflect both laws, and the technical architecture must allow the Marco Civil's retention obligations to be met without violating the LGPD's data minimization principle.
It may. The Marco Civil has extraterritorial reach in specific situations — particularly when services are offered to users in Brazil or when at least one endpoint is on Brazilian territory. The LGPD has an analogous criterion. Foreign companies serving the Brazilian public should structure privacy policies, terms of use, judicial-order response procedures, and, where appropriate, designate a local legal representative.
