



Learn if the LGPD is applicable to your business and how to create an LGPD-compliant cookie banner in this article.
If your website uses cookies and you need to comply with the Brazilian data protection law, an LGPD-compliant cookie banner can keep you away from legal trouble.
Before incorporating one on your website, you should familiarize yourself with the LGPD cookie banner requirements. This article will provide you with the necessary information.
You'll learn:
LGPD is applicable if:
If you are a Brazilian company or process the personal data of Brazilians, you need to comply with the LGPD.
Depending on how you collect the data, you may need to integrate an LGPD-compliant cookie banner into your website.
Learn what a DPO (Data Protection Officer) is under the LGPD and take a look at the 2022 LGPD updates.
A legal basis is required to process personal data under the LGPD. You cannot process data unless you have a legal basis. That would be against the law.
The Brazilian data protection law establishes ten legal bases for data processing:
In almost all cases, if you run a private company, you'll need to rely on explicit user consent, contract fulfillment, or legitimate interest. The user's explicit consent will be the most common of the three.
That's where a cookie banner comes in handy. It enables you to request consent from the user and to keep records of that consent in case a supervisory authority ever requests them.
LGPD cookie banner requirements arise from the requirements for obtaining consent.
The consent is considered valid if it is:
In addition, the cookie banner text has to be easily readable and understandable by the average user.
If your cookie banner obtains consent without meeting all of these requirements, the consent is null and void. As a result, the data processing is rendered invalid. Take a look at our Data Processing Agreement Guide.
So, how do you incorporate these requirements in your cookie banner?
You must not make access to the whole website, or to parts of it, conditional on cookie consent. Whether users agree to non-essential cookies or not, their access to the website must remain unchanged.
The consent is informed if the user receives information about the data processing, such as the purposes, categories of data processed, third parties with whom the data is being shared, international data transfers, and other information.
In terms of your cookie banner, this means that:
Consent must be given in writing, whether on paper or electronically, which means that consent obtained via a cookie banner counts as written consent.
You need to keep records of the consent. Your users' supervisory authorities may request proof that you obtained their consent. If you cannot prove it, you'll be fined.
The user should be able to withdraw their consent as easily as they gave it.
If they provided it through a cookie banner, make sure they can withdraw their consent in your preference center. Do not make them fill out forms and email them to you. That is not a consent that can be easily withdrawn, and it will land you in legal trouble.
Penalties are imposed for failing to comply with the law. According to the Brazilian data protection law, the penalties for violating the law include:
In addition to any of these penalties, you may also face the following:
The Brazilian National Data Protection Authority (ANPD) enforces the LGPD (see Latest LGPD Updates), so it decides what kind of penalty to impose on the violator. It will consider the following factors in determining the penalty:
We can provide you with the Secure Privacy LGPD-compliant cookie banner, with the first week for free. Our solution incorporates the Brazilian data protection law to ensure that your website remains in compliance with the law.