LGPD and Cookies
Last Updated: March 11, 2021
LGPD and Cookie Consent
Cookies and other tracking technologies that process personal data are important for LGPD cookie compliance. While similar to other privacy laws such as the GDPR, the LGPD is less restrictive. Still, it’s important to understand the Brazilian privacy law and how to comply.
What is the LGPD?
The LGPD, or Lei Geral de Proteção de Dados, was unanimously approved on July 10, 2018, and after years of consultation and debate will go into effect in May 2021. Brazil’s General Data Protection Law requires companies to comply with requirements related to the processing of personal data as well as sensitive personal data.
Similar to the GDPR, the LGPD is based on specific principles:
- Purpose Limitation
- Data Minimization
- Security & Privacy by Design
It’s important to note that accountability is scalable and can be applied to organizations of all types, sizes, sectors (including the public sector), and geographic locations.
Who Does the LGPD Apply To?
The scope of the LGPD applies to any private or public individual or company offering goods or services to data subjects in Brazil, regardless of where they are located. However, the privacy law doesn’t apply to data processing for purposes relating to:
- Personal use
- Journalistic, artistic, literary, or academic
- National security, national defense, public safety, criminal investigations, etc.
Penalties for Non-Compliance
While not as severe as GDPR fines, LGPD fines are still important to avoid. Failure to comply with the Brazilian privacy law can result in maximum fines of up to 2% of the company’s Brazilian revenue, up to R$50 million (roughly $12.9 million USD or 11.2 million EUR). This is compared to GDPR’s compliance penalties of 4% of global revenue or up to 20 million EUR.
Personal Data Definition
The Brazilian law defines personal data as any data or information relating to an identified or identifiable natural person. Information that is anonymized or anonymous will not be considered personal data, except when the anonymization process can be reversed by applying reasonable efforts.
LGPD and Cookies
Because the LGPD affects all types of data usage, including personal data, by private and public individuals and entities, cookies are no exception. Cookies and other tracking technologies are important and strategic tools for organizations to collect data. Organizations must therefore be certain that cookies are placed in accordance with the law and upcoming guidelines published by the Brazilian data protection authority (ANPD) to support the improvement of the relationship between data controllers and internet users, and to ensure compliance.
What Are Cookies?
Cookies are pieces of data, normally stored in text files, that websites place on a visitor’s computer or mobile device to store specific information about the visitor. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity.
Some cookies are necessary for the operation of the site, while others may be used for analytical, tracking, and marketing purposes. However, all types of cookies can be subject to the Brazilian privacy legislation. Cookies that are placed within the Brazilian territory and/or are used to collect data from individuals located in the country are subject to the LGPD.
LGPD Cookie Consent
Many websites use tracking technologies such as cookies, pixels, and tags to advertise, collect data, and perform marketing campaigns. To comply with the LGPD, you are responsible for providing notice and obtaining consent for each of those technologies. Data controllers can obtain LGPD cookie consent in writing or by other means that demonstrate the data subject’s will. It is the data holder’s responsibility to prove that cookie consent was obtained in accordance with the LGPD’s requirements.
As a general rule, if the data controller is not able to rely on the execution of an agreement with the user and the processing of data via cookies is beyond the scope of a justifiable legitimate interest of the controller, consent will be required. In any case, where the use is controversial and it is not clear if the legitimate interest would be the appropriate base for processing, the data controller may request guidance from the ANPD.
LGPD Cookie Banner Example
To obtain valid LGPD cookie consent you must meet specific requirements. Data controllers must give data subjects the right to withdraw consent, and the banner text should be written in plain language and be clearly visible. The controller must provide the data subject with a facilitated and free-of-charge procedure to revoke their consent, and if they choose to do so, the controller must refrain from processing data for which consent had been previously given.
A compliant LGPD Cookie Banner requires:
- Consent must be affirmative, specific, and unambiguous
- Identification of the recipients and data controller
- Documentation of the purpose of processing and notification of profiling
- Duration length
- A clear way to withdraw consent
- A link to complain, correct, and transfer data
- An option to decline
Easily Comply with LGPD with CookiePro
CookiePro helps you comply with LGPD cookie requirements with:
- Consent and the Right to Opt-Out. Collect and track cookie consent and allow data holders the right to opt-out.
- Right of Information. Demonstrate compliance, maintain records of all holder requests and interactions.
- Right of Access. Pinpoint where an individual’s personal data resides and how it is used.
Capture verifiable Consumer Requests through customizable intake forms on your website using CookiePro’s Data Subject Rights tool and more!