Data

LGPD Cookies: Are They Required & How to Comply?

lgpd cookies

Craving a bite-sized guide on LGPD cookies? Well, you’ve come to the right place.

On 18 September 2020, the Congress of Brazil passed the country's first data privacy and protection law - the LGPD or Lei Geral de Proteção de Dados.

Although influenced by the EU’s General Data Protection Regulation, LGPD is still unique, and in this article, we’ll explore what you need to know about LGPD cookies in depth.

Let’s dive in.

Key Takeaways

  • LGPD does not explicitly require cookies on your website. However, cookies are still one way to obtain consent if your business processes data.
  • LGPD defines consent as follows: Consent… shall be provided in writing or by other means demonstrating the data subject’s manifestation of will.”
  • Follow the best practices when it comes to LGPD cookies consent requirements: use a cookie banner, transparency, explicit consent, update cookie policy, maintain records, and more.

What is LGPD?

Before we dive deep into LGPD cookies requirements and consent, we should understand what LGPD is.

LGPD is the data protection law that regulates how businesses collect, process, store, and transfer personal data of the residents of Brazil.

This law applies to any business, even those not operating in Brazil, as long as they handle the data of Brazilian residents.

Does the LGPD Require Cookies?

Yes, it requires you to obtain consent for using cookies. If your business processes the personal data of Brazilian residents, you still need to obtain their consent for this, and cookie consent banners are one way to do it, of course.

This means informing your consumers about the types of cookies you use, their purpose, and what sensitive data you collect via cookies.

The exception to obtaining consent for cookies is if your business only uses strictly necessary cookies and nothing more.

How Does the LGPD Define Cookie Consent?

When it comes to cookie consent or consent in general, the LGPD has guidelines on how to handle this. Consent is defined in LGPD Article 8: Consent of the Personal Data Holder, which says that:

“Consent … shall be provided in writing or by other means demonstrating the data subject’s manifestation of will.”

Specifically, the law requires consent to be:

  1. Highlighted if given in writing
  2. For a specified purpose and not a generic
  3. Obtained in accordance with the law (the burden of proving this is on the data controller)
  4. Free to revoke at any time by the data subject

LGPD Cookie Consent Requirements

LGPD has several general consent requirements that also carry over to cookies. Here are a few essential cookie consent requirements:

Consent Must be Given Freely

Consent must be given freely under the LGPD. This also means that the person must be allowed the opportunity for informed decision-making and have access to sufficient information before they can give meaningful consent.

If it is given through any type of coercion, pressure, trickery, or implied consequences for refusing, consent will be considered void.

It has to be Explicit

Consent can only be given through an informed and explicit affirmative action of the user.

For instance, consent can be given in written form, or if it is given through a cookie consent banner, by checking the “accept all cookies” or “accept only strictly necessary cookies” checkbox or link.

Option to Revoked Consent

Previously given consent can be revoked or withdrawn by the data subject (individual) at any time and for any reason.

Revoking consent also must be easy to do for the individual who wants to do this.

It is Clear and Transparent

Businesses that collect, store, and process the personal data of consumers must provide clear information about these activities. This includes types of data collected, how data is processed, with whom (3rd parties) data is shared or is sold, etc. This should be included in the cookies policy or privacy policy.

Consent must not be ambiguous in any way and can only be given for a specific purpose until that purpose is fulfilled.

Processing of Personal Data of Children and Adolescents

When processing the personal data of children or adolescents under 18, consent must be obtained either from their parents or their legal guardians.

The same applies to any adult individuals who are incapable of giving informed consent themselves due to a mental disorder, and their consent is also obtained through a guardian.

Recordkeeping

Maintaining records of how consent is obtained falls on the organization or business that has obtained them in the first place.

These records should, at a minimum, include:

  1. The method (or methods) by which consent is procured
  2. Date and time that the consent is obtained
  3. The content of the consent message

LGPD Cookie Consent Best Practices

LGPD cookie consent best practices is not different from any other data privacy law.

Here are a few that your business should follow to stay compliant with Brazil’s data privacy law:

Use a Cookie Consent Banner

Use a cookie consent banner to get informed consent from consumers visiting your website to process their sensitive information.

Ensure the banner is clear and allows the visitor to easily accept and reject cookies.

Make Your Cookies Policies Clear and Transparent

Ensure that your cookies policy is easy to find on your website and is clear and transparent.

It should explain the types of data you process, the purpose of processing data, how long you process data for, as well as the types of cookies you collect.

Use Granular Consent

Give your users the ability to choose which cookies they want to accept and which to reject.

It’s not enough to only offer “accept all cookies” and “reject cookies.” For example, you can add the option to “accept only strictly necessary cookies” or to accept or reject different types of cookies, such as analytics or tracking cookies.

Do Not Use Pre-Ticked Boxes

Consent must be obtained through the user’s affirmative action. This can be in the form of clicking an “accept” button or ticking the box.

Do not pre-tick consent boxes for the user. They must click the options themselves.

Allow Easy Consent Withdrawal

Make sure to provide users with an easy way to withdraw their previously given consent.

The withdrawal process should be clear and respected for any reason the data subject gives as well as honored promptly.

Maintain Records

Always maintain records of the consent you obtain, including the date and time your business has received consent, the method by which it is accepted, the consent message, etc.

Conduct a DPIA

Whenever you are processing data, you need to conduct a DPIA or a Data Privacy Impact Assessment.

This enables your business to identify, assess, and mitigate any potential privacy risks associated with the processing of personal data.

Typically, a DPIA involves four steps:

  1. Identify the scope and purpose of data processing
  2. Assess the risks to the consumer’s privacy
  3. Identify the measures by which such risks can be reduced
  4. Monitor and review

Regularly Update Cookie Policy and Mechanisms

Be sure to regularly update your cookie policy and mechanisms when you introduce new cookies or change the way you process data.

Consult with Legal and Data Privacy Experts

Don’t forget to consult with legal and data privacy experts, like the ones at Captain Compliance, to stay fully compliant with the LGPD.

We have the resources and expertise to help you understand and comply with Brazilian regulations. Feel free to reach out for a consultation so that we can review your process, advise on any LGPD compliance needs, and offer support for your compliance efforts.

Closing

If your business processes the personal data of Brazilian residents, you need to ensure you remain compliant with the Lei Geral de Proteção de Dados or LGPD.

In this article, we discussed the LGPD cookies and hopefully, you now have a better understanding of how cookies work under the Brazilian data privacy law.

For more help in getting and staying compliant under LGPD, contact Captain Compliance.

FAQs

How is LGPD Different from GDPR?

Brazil’s LGPD and EU’s GDPR are similar (LGPD is loosely based on the GDPR), but still have a few essential differences, such as:

  • Differences in principles.

LGPD has ten principles for data processing: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, nondiscrimination, and accountability.

On the other hand, GDPR has seven similar principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, nondiscrimination, and accountability.

  • Differences in data subject rights

LGPD does not include the right to the restriction of data processing. Also, data subject rights under GDPR are more open to interpretation and broader.

  • Differences in justification

Consent, contract, legal obligation, vital interest, public task, legitimate interest, and health are acceptable reasons for processing personal data under both regulations.

However, the LGPD also adds research, legal rights, and credit as justified reasons for data processing, which GDPR does not.

What Does LGPD Stand for?

LGPD stands for Lei Geral de Proteção de Dados, which translated to English means “general data protection law.”

What is the Maximum Fine for LGPD?

The maximum monetary fine for LGPD is 50 million Brazilian Real (BRL), which is approximately $10 million or €9.3 million.

What are the Data Subject Rights of LGPD Brazil?

LGPD has nine data subject rights, which are outlined in Article 18 of this law:

  1. Right to confirmation of the existence of processing;
  2. Right to access to data;
  3. Right to correction of incomplete, inaccurate, or outdated data;
  4. Right to anonymization, blocking, or deletion of unnecessary, excessive, or processed data in violation of the provisions of this Law;
  5. Right to portability of data to another service or product provider, upon express request, following the regulations of the national authority, subject to commercial and industrial secrets;
  6. Right to deletion of personal data processed with the consent of the data subject;
  7. Right to information on public and private entities with which the controller made shared use of data;
  8. Right to information about the possibility of not giving consent and about the consequences of the refusal;
  9. Right to revocation of consent