LGPD Cookie Banner Requirements
Learn if the LGPD is applicable to your business and how to create an LGPD-compliant cookie banner in this article.
Before adding one to your website, you should familiarize yourself with the LGPD cookie banner requirements. This article covers:
- Whether the LGPD applies to your business
- What an LGPD-compliant cookie banner looks like
- What happens when your cookie banner is non-compliant
Do You Need to Comply with the LGPD?
LGPD is applicable if:
- The data processing is carried out in Brazil (for example, the servers used are located in Brazil)
- The data processing takes place anywhere in the world, but the website offers goods or services to people located in Brazil
- The personal data was collected in Brazil
If you are a Brazilian company, or you process the personal data of individuals located in Brazil, you need to comply with the LGPD. Note that the test is the person's location, not their nationality.
If you set non-essential cookies or similar trackers, you will almost certainly need an LGPD-compliant cookie banner on your website.
Do You Have a Legal Basis for Data Processing Under the LGPD?
A legal basis is required to process personal data under the LGPD: processing without one is unlawful.
The Brazilian data protection law establishes ten legal bases for data processing:
- The data subject's consent
- Legal or regulatory duty of the controller
- Contract fulfillment
- For providing public services for public administration
- For research
- For legal proceedings
- Life protection and public safety
- Health protection
- Legitimate interests
- Credit protection
In almost all cases, if you run a private company, you'll rely on user consent, contract fulfillment, or legitimate interest. For cookies, consent is by far the most common of the three.
That's where a cookie banner comes in. It lets you request consent from the user and keep a record of that consent in case the supervisory authority (in Brazil, the ANPD) ever asks for proof.
What Are the LGPD Cookie Banner Requirements?
LGPD cookie banner requirements arise from the requirements for obtaining consent.
The consent is considered valid if it is:
- Freely given
- Informed, specific, and unambiguous
- Given in writing, or by another means that demonstrates the user's will
- Easily withdrawn
In addition, the cookie banner text has to be easily readable and understandable by the average user.
If your cookie banner obtains consent without meeting all of these requirements, the consent is null and void. As a result, the processing has no legal basis and is unlawful. Take a look at our Data Processing Agreement Guide.
So, how do you incorporate these requirements in your cookie banner?
Freely given
Consent is freely given only if refusing it costs the user nothing. Do not put the whole website, or parts of it, behind a cookie wall that requires consent to get through. Whether the user accepts or rejects non-essential cookies, their access to the website must remain the same.
Informed, specific, and unambiguous
The consent is informed if the user receives information about the data processing, such as the purposes, the categories of data processed, the third parties with whom the data is shared, any international data transfers, and the rights the data subject has.
In terms of your cookie banner, this means that:
- You need to obtain consent for each specific processing purpose, for example a separate choice for analytics cookies and a separate choice for marketing cookies. A single blanket consent covering every purpose is not valid consent.
- You have to wait for the user's affirmative action before setting any non-essential cookie.
Given in writing
Consent must be given in writing or by another means that demonstrates the user's will, whether on paper or electronically. Consent collected through a cookie banner satisfies this, provided you can show what the user actually chose.
You need to keep records of the consent. The supervisory authority may request proof that you obtained it, and under the LGPD the burden of proving that consent was validly obtained falls on the controller. If you cannot prove it, you may be fined.
Easily withdrawn
The user should be able to withdraw their consent as easily as they gave it.
If they provided it through a cookie banner, make sure they can withdraw it from your preference center with the same number of clicks. Do not make them fill out forms and email them to you. That is not a consent that can be easily withdrawn, and it will land you in legal trouble.
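To show how the four consent properties above translate into banner logic, here is an added example that is not code from this article or from Secure Privacy's product. It is a small consent manager in JavaScript: non-essential purposes are denied until the user takes an affirmative action, each purpose is decided separately, every decision and withdrawal is appended to a timestamped record that can be exported as proof, and withdrawal is a single call. The purpose names, the storage key `lgpd_consent`, the cookie attributes and the in-memory store are assumptions for the example; a real banner would only swap in the `CookieStore` and wire the methods to its buttons.

```javascript
// Added illustration, not the article's or Secure Privacy's code. Purpose names,
// the storage key and the cookie attributes are assumptions for the example.
const NON_ESSENTIAL_PURPOSES = ["analytics", "marketing"];
const STORAGE_KEY = "lgpd_consent";

// In-memory store used by the demo and tests; a browser would use CookieStore instead.
class MemoryStore {
  constructor() { this.data = new Map(); }
  get(key) { return this.data.has(key) ? this.data.get(key) : null; }
  set(key, value) { this.data.set(key, value); }
  remove(key) { this.data.delete(key); }
}

// Browser store backed by document.cookie. The consent cookie itself is strictly
// necessary, so writing it needs no consent; Secure and SameSite=Lax keep it off plain
// HTTP and out of cross-site POSTs.
class CookieStore {
  get(key) {
    const c = document.cookie.split("; ").find(x => x.startsWith(key + "="));
    return c ? decodeURIComponent(c.slice(key.length + 1)) : null;
  }
  set(key, value) {
    document.cookie = `${key}=${encodeURIComponent(value)}; Path=/; Max-Age=15552000; Secure; SameSite=Lax`;
  }
  remove(key) { document.cookie = `${key}=; Path=/; Max-Age=0; Secure; SameSite=Lax`; }
}

class ConsentManager {
  // clock is injectable so records can be deterministic in tests.
  constructor(store, clock = () => new Date().toISOString()) {
    this.store = store;
    this.clock = clock;
    this.record = this._load();
  }
  _load() {
    const raw = this.store.get(STORAGE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { return null; } // corrupt record counts as no consent
  }
  _save() { this.store.set(STORAGE_KEY, JSON.stringify(this.record)); }

  // Deny by default: with no affirmative record every non-essential purpose is off.
  isAllowed(purpose) {
    if (!NON_ESSENTIAL_PURPOSES.includes(purpose)) return true; // strictly necessary
    return this.record !== null && this.record.purposes[purpose] === true;
  }

  // One decision per purpose; anything not explicitly true is treated as refused.
  // Each decision is appended to a history so the controller can prove what was
  // given, for which banner text, and when.
  decide(choices, bannerVersion) {
    const purposes = {};
    for (const p of NON_ESSENTIAL_PURPOSES) purposes[p] = choices[p] === true;
    const entry = { at: this.clock(), action: "decide", purposes: { ...purposes }, bannerVersion };
    const history = this.record ? this.record.history : [];
    this.record = { purposes, bannerVersion, history: [...history, entry] };
    this._save();
    return this.record;
  }

  // Withdrawal is one call, as easy as granting was, and is logged like a grant.
  withdraw(purpose) {
    if (!this.record || !NON_ESSENTIAL_PURPOSES.includes(purpose)) return this.record;
    this.record.purposes[purpose] = false;
    this.record.history.push({ at: this.clock(), action: "withdraw", purpose });
    this._save();
    return this.record;
  }

  // Proof of consent for an authority request: the stored record, serialized.
  exportRecord() { return this.record ? JSON.stringify(this.record) : null; }
}

// Gate a tag on consent. Returns whether the loader ran, so a tracker can never be
// fired before the user's affirmative action.
function loadIfAllowed(manager, purpose, loader) {
  if (!manager.isAllowed(purpose)) return false;
  loader();
  return true;
}

// Walk through the lifecycle with a fixed clock and an in-memory store.
function demo() {
  const cm = new ConsentManager(new MemoryStore(), () => "2024-01-01T00:00:00.000Z");
  const fired = [];
  loadIfAllowed(cm, "analytics", () => fired.push("analytics")); // banner unanswered: not fired
  cm.decide({ analytics: true, marketing: false }, "banner-v1");  // separate per-purpose choices
  loadIfAllowed(cm, "analytics", () => fired.push("analytics")); // fires now
  loadIfAllowed(cm, "marketing", () => fired.push("marketing")); // still refused
  cm.withdraw("analytics");
  return { fired, allowed: NON_ESSENTIAL_PURPOSES.map(p => cm.isAllowed(p)), record: cm.record };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design choice is that `isAllowed` answers false for every non-essential purpose until `decide` has been called, so scrolling, closing the banner, or a pre-ticked box can never turn a tracker on; the stored record carries the banner version alongside each timestamp, which is what you need when asked what text the user actually consented to.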
Consequences for Non-Compliance
Penalties are imposed for failing to comply with the law. According to the Brazil data protection law, the penalties for violating the law include:
- A warning, along with corrective measures and a deadline to implement them
- A fine of up to 2% of the company's (or group's) revenue in Brazil in its last fiscal year, excluding taxes, capped at BRL 50 million per violation
- A daily fine, subject to the same BRL 50 million cap
- Mandatory publishing of the violation
- Deletion or blocking of personal data to which the violation refers
In addition to any of these penalties, you may also face the following:
- Partial suspension of the operation of the database to which the violation refers, for up to six months, extendable by another six months, or until the controller remedies the violation.
- Suspension of all processing activities for six months, with the possibility of extension for another six months.
- Partial or total prohibition of all processing activities.
The Brazilian National Data Protection Authority (ANPD) enforces the LGPD (see Latest LGPD Updates), so they decide what kind of penalty to impose on the violator. They will consider the following factors in determining the penalty:
- How severe the violation is
- The offender's good faith, if any
- The offender's economic situation, in particular its total revenue
- The benefits gained as a result of the violation
- How long the violation lasted and how frequently it has occurred
- The violator's cooperation
- The technical and organizational measures for damage prevention, if any
- The corrective action taken when the violation is discovered
How to Get an LGPD-Compliant Cookie Banner
We can provide you with the Secure Privacy LGPD-compliant cookie banner, with the first week free. Our solution incorporates the requirements of the Brazilian data protection law so that your website stays in compliance.
Download your free LGPD e-book and have it delivered directly into your inbox.