LGPD Compliance

Lei Geral de Proteção de Dados (Brazil)

What is LGPD?

The Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law, is Brazil's comprehensive data privacy legislation that came into effect on September 18, 2020. The law regulates the processing of personal data of individuals in Brazil, both online and offline, by public and private entities.

LGPD is heavily inspired by the European Union's GDPR and shares many similar principles, but it has unique characteristics tailored to the Brazilian legal system and cultural context. If your website has Brazilian visitors or processes data of Brazilian residents, LGPD compliance is mandatory.

Key Principles and Requirements

1. Legal Bases for Data Processing

Under LGPD, you must have a valid legal basis to process personal data. The law recognizes 10 legal bases, including:

  • Consent: Freely given, informed, and unambiguous consent from the data subject
  • Legitimate Interest: Processing necessary for legitimate interests of the controller or third parties (must be balanced against data subject rights)
  • Contractual Necessity: Processing necessary for contract performance
  • Legal Obligation: Compliance with legal or regulatory obligations
  • Vital Interests: Protection of life or physical safety
  • Credit Protection: For credit protection purposes

For cookies and tracking technologies, consent is typically the most appropriate legal basis, especially for analytics and marketing cookies.

2. Consent Requirements

When relying on consent as the legal basis, LGPD requires that consent must be:

  • Freely given: No coercion or bundling of consent with other matters
  • Informed: Users must be clearly told what data is collected and why
  • Unambiguous: Obtained through a clear affirmative action (not silence or inactivity)
  • Specific: Consent must be obtained for specific purposes
  • Highlighted: Consent clauses must be presented separately from other terms

Important: Pre-ticked boxes, implied consent through continued browsing, and bundled consent are NOT valid under LGPD.

3. Data Subject Rights

LGPD grants Brazilian residents comprehensive rights over their personal data:

  • Right to Confirmation and Access: Know whether their data is being processed and access their data
  • Right to Correction: Request correction of incomplete, inaccurate, or outdated data
  • Right to Anonymization, Blocking, or Deletion: Request anonymization or deletion of unnecessary, excessive, or unlawfully processed data
  • Right to Portability: Obtain data in a structured, commonly used format and transfer to another service provider
  • Right to Information: Know which public and private entities the controller has shared data with
  • Right to Withdraw Consent: Revoke consent at any time
  • Right to Object: Object to processing based on legitimate interest
  • Right to Review: Request review of automated decisions

4. Transparency and Privacy Policy

Your privacy policy must be clear, accessible, and written in plain language. It must include:

  • What personal data is collected (including through cookies)
  • Legal basis for processing
  • Purpose of processing
  • How long data will be retained
  • Whether data is shared with third parties
  • Data subject rights and how to exercise them
  • Contact information for the Data Protection Officer (DPO) or responsible person

5. Data Protection Officer (DPO)

While not mandatory for all organizations, appointing a DPO is recommended, especially for larger organizations or those processing sensitive data. The DPO's contact information must be publicly available.

LGPD vs GDPR: Key Differences

While LGPD is inspired by GDPR, there are some important differences:

Aspect | LGPD | GDPR
Territorial Scope | Applies to processing of data of individuals in Brazil | Applies to processing of data of individuals in EU/EEA
Legal Bases | 10 legal bases including credit protection | 6 legal bases
Age of Consent | Not explicitly defined (generally considered 18) | 16 years (member states can lower to 13)
Maximum Fine | 2% of revenue in Brazil, up to R$50 million per violation | 4% of global annual revenue or €20 million, whichever is higher
DPO Requirement | Recommended but not always mandatory | Mandatory for certain categories of processing
Data Breach Notification | Must notify ANPD within a reasonable timeframe | Must notify within 72 hours

Cookie Consent Under LGPD

While LGPD doesn't have a separate "cookie law" like the EU's ePrivacy Directive, cookie consent falls under LGPD's general consent requirements. Here's what you need to know:

Strictly Necessary Cookies

Cookies that are essential for the website to function can be placed without consent, based on the "legitimate interest" legal basis. Examples include:

  • Session cookies for logged-in users
  • Shopping cart cookies for e-commerce
  • Security and fraud prevention cookies
  • Load balancing cookies

Non-Essential Cookies Require Consent

All other cookies require explicit consent before being placed:

  • Analytics Cookies: Google Analytics, Adobe Analytics, etc.
  • Marketing Cookies: Facebook Pixel, Google Ads, retargeting cookies
  • Functional Cookies: Language preferences, video players, social media embeds
  • Third-Party Cookies: Any cookies set by external domains

Cookie Banner Requirements

Your cookie banner must:

  • Appear BEFORE any non-essential cookies are placed
  • Clearly explain what types of cookies will be used and their purposes
  • Provide granular options (not just "Accept All")
  • Make it as easy to reject as to accept cookies
  • Include a link to the full privacy policy
  • Store proof of consent with timestamp

How CookieConfig Ensures LGPD Compliance

CookieConfig is designed to help you meet LGPD's cookie consent requirements:

Consent Management

  • Prior Consent: Scripts and cookies are blocked BEFORE they load until explicit consent is obtained
  • Granular Control: Users can accept/reject different cookie categories (Necessary, Functional, Analytics, Marketing)
  • No Pre-Ticked Boxes: All non-essential categories are opt-in by default
  • Clear Affirmative Action: Users must actively click to consent (no implied consent)
  • Easy Withdrawal: Users can change their preferences at any time with equal ease
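The banner requirements and the consent-management points above map onto a small amount of logic. The following is an added example written for this page, not CookieConfig's own code: it assumes tracking scripts are shipped inert as `<script type="text/plain" data-category="...">` tags, and the names `CATEGORIES`, `decideConsent`, `withdrawConsent`, `allowedScripts` and `activateScripts` are assumptions for the example. Only an affirmative action produces a consent record; scrolling or dismissing the banner yields none, every non-essential category starts off, and each record carries a timestamp so it can serve as proof of consent.

```javascript
// Added example, not CookieConfig's code. Names and the inert-script
// convention (type="text/plain" plus data-category) are assumptions.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Default state: only "necessary" is on; everything else is opt-in (no pre-ticked boxes).
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === 'necessary']));
}

// Build a consent record from an explicit user action. `choices` are the
// categories the user ticked before pressing "save". Anything other than an
// affirmative action (scroll, dismiss, continued browsing) is NOT consent
// and returns null, so no non-essential script may run.
function decideConsent(action, choices = [], now = () => new Date()) {
  const state = defaultConsent();
  if (action === 'acceptAll') {
    CATEGORIES.forEach((c) => { state[c] = true; });
  } else if (action === 'save') {
    choices.filter((c) => CATEGORIES.includes(c)).forEach((c) => { state[c] = true; });
  } else if (action !== 'rejectAll') {
    return null;
  }
  // Timestamped record: the proof of consent the page says you must store.
  return { timestamp: now().toISOString(), action, categories: state };
}

// Withdrawal is one call, as easy as granting: it resets to the default state.
function withdrawConsent(now = () => new Date()) {
  return decideConsent('rejectAll', [], now);
}

// Given a record (or none), which inert scripts are allowed to load?
function allowedScripts(record, scripts) {
  const state = record ? record.categories : defaultConsent();
  return scripts.filter((s) => state[s.category] === true);
}

// Browser side: turn permitted inert tags into live scripts. Guarded so the
// pure logic above also runs outside a browser; returns how many were enabled.
function activateScripts(record) {
  if (typeof document === 'undefined') return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-category]'));
  const ok = allowedScripts(record, inert.map((el) => ({ category: el.dataset.category, el })));
  ok.forEach(({ el }) => {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live); // the script only becomes executable here
  });
  return ok.length;
}
```

Because the tracking tags are inert until `activateScripts` runs, the "banner appears before any non-essential cookies are set" and "rejecting actually blocks tracking scripts" checks from the testing step reduce to asserting that `allowedScripts` returns only `necessary` entries when the record is null or a rejection.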

Transparency

  • Clear Information: Banner explains what data is collected and why
  • Customizable Text: You can adapt the banner text to your specific cookie usage
  • Privacy Policy Link: Direct link from the banner to your privacy policy
  • Cookie Details: Users can see exactly which cookies are in each category

Record Keeping and Proof of Consent

  • Consent Logging: Every consent decision is logged with timestamp and visitor ID
  • Detailed Breakdown: Records show exactly which categories were accepted/rejected
  • Geographic Data: Country and region information for each consent record
  • Audit Reports: Generate PDF/CSV reports for ANPD audits and compliance verification
  • Consent History: Track changes to consent over time

Data Subject Rights Support

  • Access to Data: Users can see their consent history
  • Easy Modification: Users can change preferences at any time
  • Deletion Support: Consent records can be deleted upon request
  • Portability: Consent data can be exported in standard formats

Who Must Comply with LGPD?

You must comply with LGPD if:

  • Your organization operates in Brazil (regardless of where data processing occurs)
  • You process personal data of individuals located in Brazil (even if your organization is based elsewhere)
  • You offer goods or services to individuals in Brazil
  • The personal data was collected in Brazil

Important: LGPD has extraterritorial reach. If you have a website that's accessible to Brazilian users and you use cookies to track them, LGPD likely applies to you, regardless of where your company is based.

Exemptions

LGPD does NOT apply to:

  • Processing for exclusively personal or household purposes
  • Processing for journalistic, artistic, or academic purposes
  • Processing for public security, national defense, or state security purposes
  • Processing performed outside Brazil where the data is not shared with Brazilian entities and is not subject to international transfer

Implementation Checklist

  1. Conduct a Data Mapping Exercise

    Identify all cookies and tracking technologies on your website. Document what data each cookie collects and why.

  2. Install CookieConfig

    Place the CookieConfig script in your website's <head> section BEFORE any tracking scripts.

  3. Configure Cookie Categories

    Review and customize the cookie categories in your CookieConfig dashboard to match your actual cookie usage.

  4. Update Your Privacy Policy

    Ensure your privacy policy is LGPD-compliant and includes detailed information about:

    • What personal data you collect (including via cookies)
    • Legal basis for processing (consent, legitimate interest, etc.)
    • Purpose of data collection
    • Data retention periods
    • Whether data is shared with third parties
    • Data subject rights and how to exercise them
    • DPO or responsible person contact information
    • International data transfers (if applicable)

  5. Customize Your Cookie Banner

    Update the banner text to clearly explain your cookie usage in Portuguese (if targeting Brazilian users) or provide a Portuguese translation option.

  6. Establish Data Subject Request Procedures

    Create processes to handle requests from Brazilian users to:

    • Access their personal data
    • Correct inaccurate data
    • Delete or anonymize data
    • Export data (data portability)
    • Withdraw consent

  7. Test Your Implementation

    Verify that:

    • The banner appears before any non-essential cookies are set
    • Rejecting cookies actually blocks tracking scripts
    • Users can easily access and change their preferences
    • Consent is being properly logged in your CookieConfig dashboard

  8. Maintain Consent Records

    Regularly review and export consent logs. Be prepared to provide proof of consent if requested by ANPD or a data subject.

  9. Regular Audits

    Periodically review your website for new cookies or tracking technologies. Update your cookie banner and privacy policy accordingly.

  10. Staff Training

    Train your team on LGPD requirements and how to handle data subject requests properly.

Enforcement and Penalties

The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's data protection authority responsible for enforcing LGPD. The ANPD gained full enforcement powers in August 2021.

Penalty Structure

LGPD violations can result in the following administrative sanctions:

  • Warning: With a deadline to adopt corrective measures
  • Simple Fine: Up to 2% of revenue in Brazil (capped at R$50 million per violation)
  • Daily Fine: For ongoing violations
  • Publicization: Public disclosure of the violation after it's investigated and confirmed
  • Data Blocking: Blocking of personal data to which the violation refers until it's regularized
  • Data Deletion: Deletion of the personal data to which the violation refers
  • Partial or Total Suspension: Partial or total suspension of database operations
  • Ban on Processing: Partial or total prohibition of data processing activities

Factors Affecting Penalties

When determining penalties, ANPD considers:

  • Severity and nature of the violation
  • Good faith of the violator
  • Advantages obtained or intended by the violator
  • Economic condition of the violator
  • Recurrence of violations
  • Degree of harm caused
  • Cooperation of the violator
  • Adoption of internal compliance mechanisms and good practices
  • Prompt adoption of corrective measures

Recent Enforcement Actions

While LGPD enforcement is still ramping up, ANPD has begun taking action:

  • 2023: ANPD issued its first sanctions, including warnings and fines to companies for improper data processing
  • Cookie Consent Focus: ANPD has indicated that cookie consent mechanisms will be an area of enforcement focus
  • Website Audits: ANPD has started conducting audits of website cookie practices

Common LGPD Compliance Mistakes

1. Cookie Walls

Mistake: Blocking access to the website unless users accept all cookies.

Why It's Wrong: LGPD requires that consent be "freely given." Forcing users to accept cookies to access content makes consent conditional and potentially invalid.

Solution: Allow users to access your basic content even if they reject non-essential cookies. Only truly essential cookies should be required for site functionality.

2. Pre-Ticked Boxes

Mistake: Having cookie categories pre-selected or automatically checked.

Why It's Wrong: LGPD requires explicit, unambiguous consent through an affirmative action. Pre-ticked boxes don't meet this standard.

Solution: All non-essential cookie categories must be unchecked by default. Users must actively opt in.

3. Implied Consent Through Browsing

Mistake: Assuming that continued browsing or scrolling constitutes consent to cookies.

Why It's Wrong: LGPD requires explicit consent. Silence, inactivity, or continued browsing cannot be considered valid consent.

Solution: Require users to click "Accept" or actively select cookie preferences. Block non-essential cookies until explicit consent is received.

4. Bundled Consent

Mistake: Bundling cookie consent with acceptance of terms of service or other agreements.

Why It's Wrong: LGPD Article 8 requires that consent clauses be "highlighted" and presented separately from other contractual clauses.

Solution: Keep cookie consent separate from other agreements. Users should be able to accept terms of service without being forced to accept all cookies.

5. Vague or Technical Language

Mistake: Using overly technical or legal language in cookie notices without clear explanations.

Why It's Wrong: LGPD requires information to be provided in "clear, adequate, and easily accessible" language. Users must be properly informed.

Solution: Use plain Portuguese (or translated text) that average users can understand. Explain in simple terms what each cookie type does.

6. No Record of Consent

Mistake: Not keeping records of when and how consent was obtained.

Why It's Wrong: Under LGPD, you must be able to prove that valid consent was obtained. ANPD can request evidence of consent.

Solution: Use CookieConfig's consent logging to maintain detailed records with timestamps, visitor IDs, and geographic information.

7. Difficult Withdrawal

Mistake: Making it hard for users to withdraw consent or change cookie preferences (e.g., buried in settings, requiring account login).

Why It's Wrong: LGPD Article 8 requires that consent withdrawal be as easy as giving consent.

Solution: Provide a clear, easily accessible way for users to change their cookie preferences at any time (e.g., a link in the footer or floating button).

8. Ignoring Children's Data

Mistake: Not having special procedures for processing data of children and adolescents.

Why It's Wrong: LGPD Article 14 requires that processing of children's data must be in their best interest and requires parental consent (for minors under 18).

Solution: If your website targets children or knowingly collects data from minors, implement age verification and parental consent mechanisms.

Best Practices for LGPD Cookie Compliance

  1. Be Transparent: Clearly explain what cookies you use, why you use them, and how long they're stored
  2. Provide Portuguese Language Option: If you have Brazilian users, offer your privacy policy and cookie banner in Portuguese
  3. Minimize Data Collection: Only use cookies that are necessary for your business purposes. Don't collect data "just in case"
  4. Regular Audits: Periodically scan your website for new cookies and update your documentation
  5. Document Everything: Keep records of your data mapping, consent mechanisms, and compliance decisions
  6. Respond Quickly to Requests: Have processes in place to handle data subject requests within LGPD's timeframes
  7. Train Your Team: Ensure everyone who handles personal data understands LGPD requirements
  8. Stay Updated: Follow ANPD guidance and regulatory updates as LGPD interpretation evolves
  9. Implement Privacy by Design: Consider privacy and data protection from the earliest stages of developing new features
  10. Consider a DPO: Even if not required, appointing a Data Protection Officer demonstrates commitment to compliance

Legal Disclaimer

CookieConfig is a tool to help implement cookie consent requirements under LGPD and other privacy regulations. However, it is not legal advice. Your specific compliance obligations depend on your business activities, the types of data you process, and your target markets. We strongly recommend consulting with legal counsel familiar with LGPD and Brazilian privacy law for your specific situation.

Useful Resources