LGPD and Cookies: What You Need to Know to Comply with the Law
In today’s digital world, the protection of personal data has never been more crucial. The General Data Protection Law (LGPD), sanctioned in Brazil in August 2018 (Law No. 13.709/2018) and in force since September 2020 (its administrative sanctions became applicable in August 2021), is a milestone in Brazilian legislation. It establishes detailed rules for the collection, storage, processing, and sharing of personal data, placing the individual at the center of control over their personal information. The LGPD applies not only to Brazilian companies but to any organization, wherever it is located, that processes data in Brazil, processes data collected in Brazil, or processes data in order to offer goods or services to individuals located in Brazil.
LGPD and Its Historical Context
The journey of the LGPD began as a response to the growing global concern over data privacy. Inspired by international regulations such as the General Data Protection Regulation (GDPR) of the European Union, the LGPD was created to establish a balance between the free flow of data and the protection of citizens’ privacy and freedom. This movement reflects a global trend of strengthening data protection laws, giving individuals more control over their personal information.
The LGPD is based on Article 5 of the Federal Constitution, which guarantees the inviolability of intimacy, private life, honor, and image of people, as well as the right to compensation for material or moral damage resulting from their violation; since Constitutional Amendment 115/2022, the protection of personal data is also listed expressly as a fundamental right in Article 5, LXXIX. The LGPD also builds on the Civil Rights Framework for the Internet (Law No. 12.965/2014), which establishes principles, guarantees, rights, and duties for the use of the internet in Brazil, including the protection of users’ privacy and personal data.
Comparison with GDPR
Although the LGPD was heavily influenced by the GDPR, there are notable differences. The LGPD lists ten legal bases for processing (Article 7), including one specific to credit protection, against the GDPR’s six, so consent is needed less often than a first reading suggests. Its fines are lower (up to 2% of revenue in Brazil, capped at R$ 50 million per infraction, versus the GDPR’s 4% of worldwide turnover or EUR 20 million), and its breach-notification deadline is a “reasonable period” defined by the ANPD rather than the GDPR’s fixed 72 hours. On territorial scope the two laws are similar rather than different: both apply extraterritorially. The GDPR reaches any organization that offers goods or services to, or monitors, people in the EU, and the LGPD reaches any organization that processes data collected in Brazil or data of individuals located in Brazil, regardless of where the organization sits.
ANPD
The National Data Protection Authority (ANPD) is the body responsible for overseeing, interpreting, and enforcing the LGPD in Brazil. Created as part of the federal administration and converted into an autonomous agency by Law No. 14.460/2022, the ANPD issues regulations and guidance to organizations, handles complaints and infractions, applies sanctions, and ensures that the rights of data subjects are respected. The creation of the ANPD is a fundamental step for the effective implementation of the LGPD, ensuring that the norms are applied consistently and fairly.
Concepts, Principles, and Fundamentals
The LGPD defines some important concepts for understanding and applying the law, such as:
- Personal data: any information related to an identified or identifiable natural person, such as name, CPF (the Brazilian individual taxpayer number), address, email, phone number, among others.
- Sensitive personal data: data whose misuse can expose a person to discrimination, namely racial or ethnic origin, religious belief, political opinion, membership of a union or of an organization of a religious, philosophical, or political nature, data related to health or sexual life, and genetic or biometric data.
- Anonymized data: data that can no longer be linked to an individual using reasonable technical means available at the time of processing (Article 12). Anonymized data falls outside the law unless the anonymization can be reversed with reasonable effort. Pseudonymized data, in which identifiers are replaced by substitutes that can be re-linked using additional information held separately, is not anonymized and remains personal data.
- Data processing: is any operation performed with personal data, such as collection, storage, use, transmission, elimination, among others.
- Data subject: is the natural person to whom the personal data refers.
- Data controller: is the natural or legal person, public or private, that makes decisions about the processing of personal data.
- Data operator: is the natural or legal person, public or private, that processes personal data on behalf of the controller.
- Data protection officer: is the person appointed by the controller to act as a communication channel between the controller, the data subjects, and the ANPD.
The LGPD also establishes some principles that should guide the processing of personal data, such as:
- Purpose: the processing of data must have legitimate, specific, explicit, and informed purposes to the data subject.
- Adequacy: the processing of data must be compatible with the purposes informed to the data subject.
- Necessity: the processing of data must be limited to the minimum necessary for the realization of the purposes.
- Free access: the data subject must have easy and free access to their data, as well as to the form and duration of the processing.
- Quality of data: the controller must ensure the accuracy, clarity, relevance, and updating of the data, according to the necessity and for the fulfillment of the purpose of processing.
- Transparency: the data subject must have clear, precise, and easily accessible information about the processing of their data, as well as about the respective processing agents.
- Security: the controller and the operator must adopt technical and administrative measures capable of protecting the data from unauthorized access and from accidental or illicit situations of destruction, loss, alteration, communication, or diffusion.
- Prevention: the controller and the operator must adopt measures to prevent the occurrence of damage due to data processing.
- Non-discrimination: the processing of data should not be carried out for illicit or abusive purposes that violate human rights, dignity, and the exercise of citizenship.
- Accountability and reporting: the controller and the operator must demonstrate the adoption of effective measures capable of proving compliance with and adherence to data protection norms.
The LGPD is also based on some values and objectives that justify its existence and application, such as:
- Respect for privacy: privacy is a fundamental right that ensures autonomy, freedom, and intimacy of people, as well as the protection of their personal data.
- Informational self-determination: informational self-determination is the power that people have to control their personal data, being able to decide on its collection, use, sharing, and deletion.
- Free development of personality, identity, and dignity of the human person: the dignity of the human person is a supreme value that recognizes the importance and respect that each person deserves, regardless of their personal, social, economic, or cultural characteristics or conditions.
- Free initiative, free competition, and consumer protection: the LGPD also aims to promote economic and technological development, stimulating innovation and competitiveness of companies, as well as protecting the rights and interests of consumers, who are the data subjects.
Consent, Rights of the Data Subject, and Obligations
One of the most significant aspects of the LGPD is the strengthening of the rights of data subjects, including the right to access, correction, deletion, data portability, information about the entities with which the data has been shared, and the possibility of revoking consent at any time. Consent is one of ten legal bases for processing (alongside, for example, performance of a contract, compliance with a legal obligation, and legitimate interest), so it is not required for every processing activity. When consent is the basis, it must be free, informed, and unequivocal, given for specific purposes, and must be obtained through a clearly highlighted clause if it is collected in writing; generic or blanket authorizations are void.
The obligations of companies under the LGPD are extensive. They must ensure data security, report to the ANPD and to the affected data subjects any security incident that may cause significant risk or damage within a reasonable period defined by the ANPD, and maintain records of their data processing activities. Every controller must appoint a Data Protection Officer (DPO, or “encarregado”, Article 41), who serves as the point of contact between the company, data subjects, and the ANPD; ANPD regulations exempt small processing agents from the formal appointment, though they must still offer a contact channel.
LGPD and Technology
The Role of Technology in Compliance with LGPD
Technology plays a crucial role in compliance with LGPD. Technological tools and solutions, such as data encryption and anonymization, are essential for protecting personal data and ensuring information security. Additionally, IT systems must be designed and operated with privacy in mind, a concept known as “privacy by design”. This means that data protection should be an integrated consideration in the development of products and services, not just an afterthought.
Among the technologies that can assist in compliance with LGPD, the following are noteworthy:
- Encryption: a technique that transforms readable data into ciphertext that can only be recovered by whoever holds the corresponding key, preventing or hindering access, use, or sharing by unauthorized people. Encryption can be applied to data in transit (for example, TLS) as well as data at rest (disk, database, or field-level encryption), increasing its confidentiality. Encryption is not anonymization: encrypted personal data remains personal data, and the key holder can read it, so key management is part of the protection.
- Anonymization: a technique that modifies or removes data so that the data subject can no longer be identified, using irreversible methods such as suppression, generalization, or aggregation. Pseudonymization, which replaces direct identifiers with substitute values that can be reverted using separately held additional information, is a useful risk-reduction measure but does not take the data out of the LGPD’s scope, because the data remains re-identifiable. Properly anonymized data is no longer personal data, which reduces the law’s scope of application and the risk of privacy violations.
- Auditing: is the technique that verifies and evaluates compliance with data protection norms and good practices, through tests, analyses, reports, recommendations, etc. Auditing can be conducted internally or externally by specialized professionals, services, or entities, increasing confidence and transparency in data processing.
Cookies and Compliance with LGPD
Cookies are small pieces of text (a name and value plus attributes such as Domain, Path, Expires or Max-Age, Secure, HttpOnly, and SameSite) that a site sets in the browser through the Set-Cookie response header; the browser stores them on the user’s device (computer, cell phone, or tablet) and sends them back on later requests to the matching domain and path. They can record information about users’ behavior, such as pages visited, products searched, or ads clicked. Cookies allow websites to recognize users, keep sessions, personalize content, offer functionalities, improve experience, optimize performance, and much more. Cookies can be classified according to their origin, duration, purpose, and necessity.
According to their origin, cookies can be:
- First-party or Own Cookies: are created and managed directly by the site that the user is visiting. They are essential for many basic functions of websites, such as keeping users logged in and remembering browsing preferences. Under the LGPD, it is important that websites inform users about the use of these cookies and obtain consent when necessary, especially if the cookies are used for purposes beyond the basic functionalities of the site.
- Third-party Cookies: are set by a different domain than the one the user is visiting. They are often used for advertising and tracking. The LGPD requires special attention to these cookies, as they collect data that can be used to profile user behavior. Websites must ensure that users are aware of these cookies and obtain their explicit consent before using them.
According to their duration, cookies can be:
- Session Cookies: are temporary, carry no Expires or Max-Age attribute, and are discarded when the user closes the browser.
- Persistent Cookies: carry an Expires or Max-Age attribute and remain on the user’s device until that date passes or until the user deletes them.
According to their purpose, cookies can be:
- Preference Cookies: store the user’s preferences, such as language, theme, and layout.
- Security Cookies: protect the user and the site from malicious activities, such as CSRF, session hijacking, and fraud; an anti-CSRF token cookie is a typical example.
- Authentication Cookies: identify the user and allow access to restricted or personalized areas of the site, such as accounts, profiles, and shopping carts. Because they represent the user’s identity, they should be set with the Secure and HttpOnly attributes and a SameSite value appropriate to the site.
- Performance Cookies: measure the performance of the site, such as loading time, number of visits, and bounce rate.
- Analytics Cookies: analyze the user’s behavior on the site, such as visited pages, searched products, and clicked ads.
- Advertising Cookies: display personalized ads to the user, according to their interests, habits, preferences, etc.
According to their necessity, cookies can be:
- Necessary Cookies: are essential for the functioning of the site, such as security, authentication, and session cookies. They can be set under a legal basis other than consent (for example, performance of a contract or legitimate interest), so no consent prompt is needed for them, but they must still be disclosed in the site’s cookie policy.
- Non-necessary Cookies: are not essential for the functioning of the site but can improve the experience, functionality, performance, analysis, advertising, etc. These cookies require the user’s consent before they are set or read, and the site must work without them when consent is refused.
The LGPD considers cookies as personal data when they allow the identification or identifiability of the user, whether directly or indirectly, whether in isolation or combined with other information. Therefore, cookies are subject to the norms and good practices of data protection and must respect the rights and interests of data subjects.
The adaptation of websites to the LGPD is necessary and must be done responsibly. To illustrate with very popular examples, tools like Facebook Pixel and Google Analytics use cookies to track and analyze user behavior. Under the LGPD, websites that use these tools must ensure that they are in compliance, which generally means not loading these tags until the user has consented to the corresponding category, adjusting the providers’ privacy settings, keeping a record of the consent given, and providing clear information and a way to withdraw consent that is as easy as giving it.
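The consent-gating logic described above, as an added example that is not part of the original article and not code from any consent-management product: a small module that records the user’s choice in a first-party consent cookie, reads it back on each request, and decides which registered tags may load. The cookie name “lgpd_consent”, the tag names, the 180-day default lifetime, and the category list are assumptions; the Set-Cookie values are built as strings so the code runs under Node.js, and in a browser they would be written through document.cookie or by the server.

```javascript
// Added example, not from the original article. Consent-gated loading of
// cookie-setting tags, with a first-party cookie recording the decision.
// Assumed names: the "lgpd_consent" cookie, the categories and the tag registry.

const CATEGORIES = ["necessary", "preferences", "analytics", "advertising"];
const CONSENT_COOKIE = "lgpd_consent";

// Registry of tags and the cookie category each falls under. "necessary" tags
// (session, CSRF) never wait for consent; everything else does.
const TAG_REGISTRY = {
  "session-manager": "necessary",
  "csrf-token": "necessary",
  "ui-theme": "preferences",
  "google-analytics": "analytics",
  "facebook-pixel": "advertising",
};

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// First-party vs third-party: a cookie scoped to the site host or to one of
// its parent domains is first-party; anything else is third-party.
function classifyOrigin(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d) ? "first-party" : "third-party";
}

// Build the Set-Cookie value that records the decision. The record carries a
// version and a timestamp so the controller can later show when and to what
// the subject consented. "necessary" is always true; unknown keys are ignored.
function buildConsentCookie(choices, { now = Date.now(), maxAgeDays = 180 } = {}) {
  const record = { v: 1, ts: now, c: {} };
  for (const cat of CATEGORIES) {
    record.c[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Read consent back from a Cookie header. A missing or unparsable record means
// no consent was given: only necessary tags may run.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  let record = null;
  if (raw) {
    try { record = JSON.parse(raw); } catch { record = null; }
  }
  const consent = {};
  for (const cat of CATEGORIES) {
    consent[cat] = cat === "necessary"
      ? true
      : !!(record && record.c && record.c[cat] === true);
  }
  return consent;
}

// Tags whose category the visitor has accepted (plus the necessary ones).
function allowedTags(consent, registry = TAG_REGISTRY) {
  return Object.keys(registry).filter((tag) => consent[registry[tag]] === true);
}

// Withdrawal: expiring the record returns the visitor to the
// "necessary only" state on the next request.
function revokeConsentCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; Secure; SameSite=Lax`;
}

// Constructed demonstration: analytics accepted, advertising refused.
const setCookie = buildConsentCookie({ analytics: true, advertising: false }, { now: 0 });
const requestHeader = setCookie.split(";")[0] + "; sessionid=abc123";
console.log(allowedTags(readConsent(requestHeader)));
console.log(classifyOrigin(".example.com", "www.example.com"), classifyOrigin("ads.tracker.net", "www.example.com"));
```

The point of keeping the decision in a first-party cookie with Secure and SameSite=Lax, and of treating an absent or malformed record as “no consent”, is that a tag such as Google Analytics or Facebook Pixel is only ever injected after allowedTags() has returned it; the default on a first visit is therefore the necessary set alone, and revokeConsentCookie() makes withdrawal as easy as acceptance.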
To facilitate compliance with the LGPD regarding the use of cookies, our next article will focus on plugins and tools for WordPress that help manage cookies and adapt to the LGPD. These tools can significantly simplify the process of making a website compatible with the law’s requirements.
Sanctions and Penalties
Non-compliance with the LGPD can result in a range of administrative sanctions applied by the ANPD (Article 52): a warning; a simple fine of up to 2% of the revenue of the legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited to R$ 50 million per infraction; a daily fine subject to the same cap; publicizing of the infraction; blocking or deletion of the personal data involved; partial suspension of the database or of the processing activity for up to six months; and partial or total prohibition of activities related to data processing. Sanctions do not exclude civil liability to the data subjects. These penalties highlight the seriousness with which the LGPD treats personal data protection and the importance of compliance.
Frequently Asked Questions
What is the LGPD?
The General Data Protection Law, enacted in Brazil in 2018, is legislation that sets detailed rules for collecting, storing, processing, and sharing personal data, aiming to protect individuals’ personal information.
Is the LGPD similar to the EU’s GDPR?
Yes, the LGPD was influenced by the GDPR, and both apply extraterritorially, but there are differences: the LGPD lists ten legal bases for processing instead of six, its fines are capped lower, and its breach-notification deadline is a reasonable period set by the ANPD rather than a fixed 72 hours.
Who oversees the enforcement of the LGPD?
The National Data Protection Authority (ANPD) is the agency responsible for overseeing, interpreting, and applying LGPD laws in Brazil.
What are the fundamental principles of the LGPD?
The LGPD establishes principles like purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.
What are personal data according to the LGPD?
Personal data is any information related to an identified or identifiable natural person, such as name, CPF, address, email, phone, etc.
How does the LGPD treat cookies?
The LGPD considers cookies as personal data when they allow the user to be identified. Websites must inform about the use of cookies and obtain explicit consent, especially for third-party cookies or for tracking purposes.
What are the penalties for non-compliance with the LGPD?
Penalties include warnings, fines of up to 2% of the company’s revenue in Brazil, limited to R$ 50 million per infraction, publicizing of the infraction, blocking or deletion of the data, suspension of the database or processing activity, and even partial or total prohibition of activities related to data processing.
Is consent always necessary for data processing?
No. Consent is one of ten legal bases in the LGPD; processing can also rest, for example, on performance of a contract, compliance with a legal obligation, or legitimate interest. When consent is the basis, it must be free, informed, and unequivocal, given for specific purposes, and revocable at any time, and data subjects retain their rights of access, correction, deletion, and portability whatever the legal basis used.
How does technology assist in complying with the LGPD?
Technologies like encryption, data anonymization, and systems designed with integrated privacy (“privacy by design”) are essential for protecting personal data and ensuring compliance with the LGPD.
Conclusion
The LGPD represents a significant advancement in personal data protection in Brazil, aligning the country with global trends in privacy and information security. For companies and individuals, understanding and adapting to the LGPD is not just a matter of legal compliance but also an opportunity to strengthen trust with customers and users, demonstrating a commitment to protecting their personal information.