Do You Have a Legal Basis for Data Processing Under the LGPD?
A legal basis is required to process personal data under the LGPD. You cannot process data unless you have a legal basis. That would be against the law.
For providing public services for public administration
For research
For legal proceedings
Life protection and public safety
Health protection
Legitimate interests
Credit protection
In almost all cases, if you run a private company, you'll need to rely on explicit user consent, the contract fulfillment, or legitimate interest. The user's explicit consent will be the most common of the three.
That's where a cookie banner comes in handy. It enables you to request consent from the user and possibly keep records of the consent if ever this is requested by a supervisory authority.
In addition, the cookie banner text has to be easily readable and understandable by the average user.
If your cookie banner obtains consent without meeting all of these requirements, the consent is null and void. As a result, the data processing is rendered invalid. Take a look at our Data Processing Agreement Guide.
So, how do you incorporate these requirements in your cookie banner?
You must not restrict access to parts of the website or the whole website without first obtaining cookie consent. Whether they agree to non-essential cookies or not, their website access will remain unchanged.
Informed, specific, and unambiguous
The consent is informed if the user receives information about the data processing, such as the purposes, categories of data processed, third parties with whom the data is being shared, international data transfers, and other information.
In terms of your cookie banner, this means that:
You need to include a link to your privacy policy in the cookie banner. It isn't explicitly required, but it improves the user experience.
You need to obtain consent for each specific processing purpose. You must obtain two consents: one for analytics and one for marketing. It is illegal to obtain general consent for all the processing.
You have to wait for the user's affirmative action before using the cookies, which means two things: undefinedundefinedundefined
Given in writing
Consent must be given in writing, whether on paper or electronically, which means that consent obtained via cookie banner is in writing.
You need to keep records of the consent. Your users' supervisory authorities may request proof that you obtained their consent. If you cannot prove it, you'll be fined.
Easily Withdrawn
The user should be able to withdraw their consent as easily as they gave it.
If they provided it through a cookie banner, make sure they can withdraw their consent in your preference center. Do not make them fill out forms and email them to you. That is not a consent that can be easily withdrawn, and it will land you in legal trouble.
Consequences for Non-Compliance
Penalties are imposed for failing to comply with the law. According to the Brazil data protection law, the penalties for violating the law include:
A warning, along with corrective measures and a deadline to implement them
A fine of up to 2% of annual turnover excluding taxes, with a maximum fine of 50 Million Brazilian Reals
A daily fine, with a maximum fine of 50 Million Brazilian Reals
Mandatory publishing of the violation
Deletion or blocking of personal data to which the violation refers
In addition to any of these penalties, you may also face the following:
Partial suspension of the operation of the database to which the violation refers to, with a maximum of six months, and the possibility of extension of another six months, or until the controller fixes the violation.
Suspension of all processing activities for six months, with the possibility of extension for another six months.
Partial or total prohibition of all processing activities.
The Brazilian National Data Protection Authority (ANPD) enforces the LGPD (see Latest LGPD Updates), so they decide what kind of penalty to impose on the violator. They will consider the following factors in determining the penalty:
How severe the violation is
The good faith in the offender, if any
The violator's financial situation, specifically the total revenue
The benefits gained as a result of the violation
How long the violation lasted and how frequently it has occurred
The violator's cooperation
The technical and organizational measures for damage prevention, if any
The corrective action taken when the violation is discovered
We can provide you with the Secure Privacy LGDP-compliant cookie banner, with the first week for free. Our solution incorporates the Brazilian data protection law to ensure that your website remains in compliance with the law.
Download your free LGPD e-book and have it delivered directly into your inbox.
