LGPD Cookie Banner Requirements
Learn if the LGPD is applicable to your business and how to create an LGPD-compliant cookie banner in this article.
Before incorporating one on your website, you should familiarize yourself with the LGPD cookie banner requirements. This article will provide you with the necessary information.
- Is the LGPD applicable to your business?
- What is an LGPD-compliant cookie banner?
- What happens when you have a non-compliant cookie banner?
Do You Need to Comply with the LGPD?
LGPD is applicable if:
- The data processing is carried out in Brazil (i.e., servers used are located in Brazil)
- The data processing takes place anywhere in the world, but the website offers goods and services to people located in Brazil.
- The personal data was collected in Brazil.
If you are a Brazilian company or process the personal data of Brazilians, you need to comply with the LGPD.
Depending on how you collect the data, you may need to integrate an LGPD-compliant cookie banner into your website.
Do You Have a Legal Basis for Data Processing Under the LGPD?
A legal basis is required to process personal data under the LGPD. Processing personal data without one is against the law.
The Brazilian data protection law establishes ten legal bases for data processing:
- User's explicit consent
- Legal or regulatory duty of the controller
- Contract fulfillment
- For providing public services for public administration
- For research
- For legal proceedings
- Life protection and public safety
- Health protection
- Legitimate interests
- Credit protection
In almost all cases, if you run a private company, you'll need to rely on explicit user consent, contract fulfillment, or legitimate interest. The user's explicit consent will be the most common of the three.
That's where a cookie banner comes in handy. It enables you to request consent from the user and to keep records of that consent in case a supervisory authority ever asks for them.
What Are the LGPD Cookie Banner Requirements?
LGPD cookie banner requirements arise from the requirements for obtaining consent.
The consent is considered valid if it is:
- Freely given
- Informed, specific, and unambiguous
- Given in writing
- Easily withdrawn
In addition, the cookie banner text has to be easily readable and understandable by the average user.
If your cookie banner obtains consent without meeting all of these requirements, the consent is null and void. As a result, the data processing is rendered invalid. Take a look at our Data Processing Agreement Guide.
So, how do you incorporate these requirements in your cookie banner?
Freely given
You must not restrict access to parts of the website, or to the whole website, until cookie consent is given. Whether users agree to non-essential cookies or not, their access to the website must remain unchanged.
Informed, specific, and unambiguous
The consent is informed if the user receives information about the data processing, such as the purposes, categories of data processed, third parties with whom the data is being shared, international data transfers, and other information.
In terms of your cookie banner, this means that:
- You need to obtain consent for each specific processing purpose. If you use cookies for analytics and for marketing, you must obtain two separate consents: one for analytics and one for marketing. A single general consent covering all processing is not permitted.
- You have to wait for the user's affirmative action before using the cookies, which means two things:
Given in writing
Consent must be given in writing, whether on paper or electronically, which means that consent obtained via cookie banner is in writing.
You need to keep records of the consent. The supervisory authority may request proof that you obtained your users' consent. If you cannot prove it, you'll be fined.
Easily withdrawn
The user should be able to withdraw their consent as easily as they gave it.
If they provided it through a cookie banner, make sure they can withdraw it in your preference center. Do not make them fill out forms and email them to you. That is not consent that can be easily withdrawn, and it will land you in legal trouble.
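The four requirements above, as an added example that is not part of the original article: a minimal per-purpose consent store in JavaScript (the names ConsentStore, PURPOSES and the fixed clock are assumptions) that keeps every non-essential purpose denied until an explicit decision for that purpose, rejects a blanket "all" consent, logs each decision as a record, and withdraws consent with the same single call used to grant it.

```javascript
// Added example (not the article's code): per-purpose cookie consent store
// modelled on the LGPD points above. Names and the fixed clock are assumptions.
const PURPOSES = ["analytics", "marketing"]; // one consent per processing purpose

class ConsentStore {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion; // which banner text the user saw
    this.now = now;
    // Default is "denied": no non-essential cookie before an affirmative action.
    this.state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.records = []; // kept as proof for a supervisory authority
  }

  // Record an explicit decision for ONE purpose. A blanket "all" is rejected
  // because consent has to be specific to each processing purpose.
  decide(purpose, granted, via = "banner") {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const value = granted === true; // anything but an explicit "yes" is a "no"
    this.state[purpose] = value;
    this.records.push({ purpose, granted: value, at: this.now(),
                        policyVersion: this.policyVersion, via });
    return value;
  }

  // Withdrawal is the same one-step call as granting, from the preference center.
  withdraw(purpose) {
    return this.decide(purpose, false, "preference-center");
  }

  // Gate for any code that sets a cookie: essential cookies never need consent;
  // everything else needs an affirmative decision on record first.
  canSet(category) {
    if (category === "essential") return true;
    return this.state[category] === true;
  }
}

// Walk through one visit: nothing is allowed until the user says "yes" for
// analytics only; marketing stays off; withdrawal is one call and is logged too.
function demoVisit() {
  const store = new ConsentStore("cookie-policy-v1", () => "2024-01-01T00:00:00Z");
  const before = store.canSet("analytics");        // false
  store.decide("analytics", true);
  const afterGrant = store.canSet("analytics");    // true
  const marketing = store.canSet("marketing");     // false, separate purpose
  store.withdraw("analytics");
  const afterWithdraw = store.canSet("analytics"); // false
  return { before, afterGrant, marketing, afterWithdraw, records: store.records };
}
```

Wire `canSet(category)` in front of every non-essential cookie-setting call and persist `records` server-side so the proof survives the user clearing their browser.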
Consequences for Non-Compliance
Penalties are imposed for failing to comply with the law. According to the Brazilian data protection law, the penalties for violating it include:
- A warning, along with corrective measures and a deadline to implement them
- A fine of up to 2% of annual turnover excluding taxes, with a maximum fine of 50 million Brazilian reais
- A daily fine, with a maximum fine of 50 million Brazilian reais
- Mandatory publishing of the violation
- Deletion or blocking of personal data to which the violation refers
In addition to any of these penalties, you may also face the following:
- Partial suspension of the operation of the database to which the violation refers, for a maximum of six months, with the possibility of an extension of another six months, or until the controller fixes the violation.
- Suspension of all processing activities for six months, with the possibility of extension for another six months.
- Partial or total prohibition of all processing activities.
The Brazilian National Data Protection Authority (ANPD) enforces the LGPD (see Latest LGPD Updates), so they decide what kind of penalty to impose on the violator. They will consider the following factors in determining the penalty:
- How severe the violation is
- The offender's good faith, if any
- The violator's financial situation, specifically the total revenue
- The benefits gained as a result of the violation
- How long the violation lasted and how frequently it has occurred
- The violator's cooperation
- The technical and organizational measures for damage prevention, if any
- The corrective action taken when the violation is discovered
How to Get an LGPD-Compliant Cookie Banner
We can provide you with the Secure Privacy LGPD-compliant cookie banner, with the first week for free. Our solution incorporates the Brazilian data protection law to ensure that your website remains in compliance with the law.
Download your free LGPD e-book and have it delivered directly into your inbox.