CookiePro Knowledgebase

dot pattern banner

Knowledgebase Regulations LGPD and Cookies


LGPD and Cookies

Last Updated: August 5, 2022

LGPD and Cookie Consent

Cookies and other tracking technologies that process personal data are important for LGPD cookie compliance. While similar to other privacy laws such as the GDPR, the LGPD is less restrictive. Still, it’s important to understand the Brazilian Privacy law and how to comply.


What is the LGPD?

The LGPD, or Lei Geral de Protecao de Dados, was unanimously approved on July 10, 2018, and after years of consultation and debate will go into effect in May 2021. Brazil’s General Data Protection Law requires companies to comply with requirements related to the processing of personal data as well as sensitive personal data.

Similar to the GDPR, the LGPD highlights their laws are based on specific principles:

  • Accountability
  • Purpose Limitation
  • Data Minimization
  • Security & Privacy by Design

It’s important to note, that accountability is scalable and can be applied to organizations of all types, sizes, sectors (including the public sector), and geographic locations.

Who Does the LGPD Apply To?

The scope of the LGPD applies to any private or public individual or company offering goods or services to data subjects in Brazil, regardless of where they are located. However, the privacy law doesn’t apply to data processing for purposes relating to:

  • Personal use
  • Journalistic, artistic, literary, or academic
  • National security, national defense, public safety, criminal investigations, etc.

Penalties for Non-Compliance

While not as severe as GDPR, LGDP fines are still important to avoid. Failure to comply with the Brazilian Privacy law can result in maximum fines of up to 2% of the company’s Brazilian revenue up to R$50 million – roughly $12.9 million USD or 11.2 million EUR. This is compared to GDPR’s compliance penalties of 4% of global revenue or up to 20 million EUR.

Personal Data Definition

The Brazilian law defines personal data as any data or information of a natural person that can be identified or identifiable. Information that is anonymized or anonymous will not be considered personal data, except when the anonymization process can be reversed by applying reasonable efforts.


LGDP and Cookies

Since all types of data usage, including personal data, used by private and public individuals and entities, will be impacted by the LGPD, cookies are no exception. Cookies and other tracking technologies are important and strategic tools for organizations to collect data. Therefore, they must be certain cookies are placed in accordance with the law and upcoming guidelines published by the Brazilian data protection authority (ANPD) to support the improvement of the relationship between data controllers and internet users, and to ensure compliance.

What Are Cookies?

Cookies are pieces of data, normally stored in text files, that websites place on a visitor’s computer or mobile device to store specific information about the visitor. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity.

Some cookies are necessary for the operation of the site. While others may be used for analytical, tracking, and marketing purposes. However, all types of cookies can be subject to the applicability of the Brazilian Privacy legislation. If cookies are placed within the Brazilian territory and/or are used to collect data from individuals located in the country are subject to comply with LGDP cookies.


LGPD Cookie Consent

Many websites use tracking technologies such as cookies, pixels, and tags to advertise, collect data, and perform marketing campaigns. Compliance with LGPD cookies states you are responsible for providing notice and obtaining consent for each of those technologies. Data controllers can obtain LGDP cookie consent that demonstrates their will in writing or by other means. It is the data holder’s responsibility to prove that cookie consent was obtained in accordance with the LGPD’s requirements.

Article 6 of the LGPD lists the principles of adequacy, free access, quality, necessity, security, prevention, non-discrimination, and accountability. These apply to the use of cookies and must guide the entities collecting personal data via cookies in their processing activities. For example, the necessity principles limit the amount of data to be collected to that strictly necessary for achieving the purpose. Meaning entities collecting cookies must be able to justify whenever data is collected beyond the scope of the purpose previously informed to the user, otherwise, they will be subject to fines.

If the data controller is not able to rely on any specific legal basis for processing data via cookies, consent will be required. Since the use of cookies goes beyond what is considered a legitimate interest of the controller, it is likely to have an impact on users’ fundamental rights and freedoms. Including the use for profiling, the controller must adopt mechanisms to obtain and record consent given by users.

As a general rule, if the data controller is not able to rely on the execution of an agreement with the user and the processing of data via cookies is beyond the scope of a justifiable legitimate interest of the controller, consent will be required. In any case, where the use is controversial and it is not clear if the legitimate interest would be the appropriate base for processing, the data controller may request guidance from the ANPD.

LGDP Cookie Banner Example

To obtain valid LGPD cookie consent you must meet specific requirements. It is important that data controllers provide data subjects with the right to withdraw and should be written in plain language that is clearly visible. In this case, the controller must provide the data subject with a facilitated and free of charge procedure to revoke their consent and if they choose to do so, the controller must refrain from processing data for which consent had been previously given.

A compliant LGPD Cookie Banner requires:

  • Consent must be affirmative, specific, and unambiguous
  • Identification of the recipients and data controller
  • Documentation of the purpose of processing and notification of profiling
  • Duration length
  • Clear withdraw consent
  • A link to complain, correct, and transfer data
  • An option to decline

LGPD Cookie Banner


Easily Comply with LGPD with CookiePro

Since the LGPD applies to cookies, maintaining cookie compliance is important to avoid any penalties. Because cookies can contain personal, identifiable data, they are subject to regulation by the LGPD. CookiePro offers solutions to aid in compliance with GDPR, CCPA, and LGPD.

CookiePro helps comply with LGDP cookies with:

  • Consent and the Right to Opt-Out. Collect and track cookie consent and allow data holders the right to opt-out.
  • Right of Information. Demonstrate compliance, maintain records of all holder requests and interactions.
  • Right of Access. Pinpoint where an individual’s personal data resides and how it is used.

Capture verifiable Consumer Requests through customizable intake forms on your website using CookiePro’s Data Subject Rights tool and more!

Onetrust All Rights Reserved