This article introduces the topic of Cookies and LGPD, along with the related subjects that revolve around it.
We list concepts and examples of cookie types, how to classify them in your documentation, Privacy Policy, Legal Bases of LGPD, etc.
In effect since August 2020, the General Data Protection Law (LGPD) will require a drastic change in the operations of companies that use data from their customers and users. Starting from August, data can only be used if it complies with the principles of LGPD - the so-called Legal Bases of LGPD - and is transparently and objectively consented to.
This will cause numerous websites to not only change their privacy policies and the information their cookies store but also various processes and ways of handling people's data. In this article, we will see how the use of cookies will be affected and how your company can continue to use them in a way that respects the law.
Cookies are small text files that can store what the user is doing for a certain period. Some cookies store your browsing history, as well as logins and passwords. It is because of them that you can access your Facebook account without having to enter your email every time, as the browser (using cookies) does it for you.
In addition to various functional aspects, cookies also provide excellent service in well-known systems such as Google Drive, for example. Thanks to the cookie's ability to store information, we can work on our texts, spreadsheets, presentations, even offline, and when we reconnect, our work is not lost.
First-Party and Third-Party Cookies are terms used to refer to cookies generated by the website owner or by third parties.
First-Party Cookies are those generated by the website's own domain. From the website owner's perspective, they are the information that visitors generate during their browsing session.
Many website builders or e-commerce services use cookies to provide these functionalities to their customers. So, don't be surprised if you see that your website triggers first-party cookies without notifying you. They have practically become a "market standard."
Regarding the cookie's storage capacity, this information is indeed "generated" by our browsing, and cookies are one way to store it. How does it work?
When the system generates a cookie, it has an identifier that stores the information in the company's database as well as in the visitor's browser. A very simple example is when we access a news portal and encounter the famous paywall message, "you have reached the limit of daily free articles, subscribe to our services."
How does it know that you have already read a specific article? Simple, through the cookies it stores in your browser for each article read. (Does this mean that if I clear my cookies or browse anonymously, I can read freely?... Wait, wait... do you think they haven't thought about that too? 😉)
On the other hand, Third-Party Cookies are cookies from third-party sources external to the website's domain. In other words, they are cookies from third-party companies that also set cookies to record information about their visitors.
Most of the time, these third-party cookies are (or at least should be) all authorized to be present. Otherwise, the website owner may be surprised by the number of entities "sucking" data from their site(s).
Here are some common examples of services that use cookies:
Article 5 of the Lei Geral de Proteção de Dados (LGPD) provides legal definitions of terms that you will come across frequently when researching the regulation. Among these definitions is that of personal data:
"**personal data:** information related to an identified or identifiable natural person."
We have the last two words in italic because they are the most important for the subject at hand.
Not all data that cookies carry is personal. For example, your visit to our website is not personal data. However, once you register your email on a site like Facebook, you are identifying yourself. Therefore, this is personal data that can be collected by a cookie.
And it is from there that the LGPD starts to affect how your data is used by websites and how your website handles user data.
The problem with the use of cookies arises when it is not known what data is being collected, for what purposes, and by whom. It is a matter of privacy and transparency, values that are the foundation of the LGPD.
The use of cookies that violates the LGPD will be penalized, and among the penalties are expensive fines.
All websites that process data, specifically those that use First or Third Party Cookies. If your website processes personal data or data that, when combined, can identify an individual person, it needs even more careful review of how this information is processed.
But, should this be listed in the Cookie policy or the Privacy Policy?
That depends on the company's choice to differentiate these aspects, as it may be a different approach based on the business model. Some companies address regulations for their "digital" data in the Cookie policy and the "offline" data in the Privacy Policy. However, it varies greatly, so we recommend consulting an expert who can analyze your business model and all the data flows and mappings of your company to understand the need for such differentiation.
To ensure that a website is compliant with LGPD when using cookies, there are certain principles to consider, especially if you have a valid "reason" or legal basis that supports the use of data and cookies on your site. For many, this legal basis is "Consent."
What does that mean? In order for companies to process personal data of data subjects (individuals like you and me), they now need to have a strong legal basis provided by the law (LGPD). This "permission" is known as the Legal Bases of LGPD.
Therefore, while consent is not the only legal basis that allows companies to use data, it plays a crucial role when it comes to cookies. This is why cookie banners serve an essential purpose: notifying and informing visitors, as well as correctly collecting and storing individual consents.
Regardless of the information carried by a cookie, it should have been consented to by the user. But what makes consent valid? And what should be communicated to the user?
The user must be clearly and objectively informed about the purpose for which their data will be collected. Additionally, they must give their explicit consent, or opt-in, by clicking on a banner.
To automate this process, Cookie Notices or Cookie Banners are used. They serve to fulfill the sixth principle of the law: transparency.
The Cookie Banner is that little pop-up window you can see on most websites nowadays, including when you entered our blog. This banner communicates that the site uses cookies. Ours says the following:
"Take control of your privacy. Our site uses cookies to enhance navigation." Then, there are two links: Privacy Policy and Terms of Use. Right after, there's a button for you to view your privacy options and an "accept" button, indicating that you agree to the use of your data.
The cookie banner, or cookie notice, which is a feature of the Consent Management Platform, serves to explicitly state the practice (use of cookies), the purpose (enhancing navigation), and offer users the possibility to fully or partially agree to the data processing.
This is what LGPD requires: transparency and objectivity, without complications. In this way, the use of cookies is permitted and can greatly assist in your business operations.
GDPR, the European data protection regulation, has a limit of twelve months for the use of a cookie. However, LGPD does not establish an "expiration" deadline.
But one of the principles for data processing is necessity. According to the regulation, data can only be retained for the time necessary to fulfill its purpose. If a cookie carries information that no longer needs to be used, it becomes invalid under the law.
Additionally, there are various initiatives by browsers—especially Apple's Safari, which automatically blocks third-party cookies. This "trend," as it is known in the market, has been widely discussed since 2015, even before GDPR. However, it is always being rethought or adapted because the entire advertising and analytics market relies heavily on the widespread use of cookies.
Thus, any changes in this regard will indeed be revolutionary and will bring many changes to the ecosystem as a whole.
It is important that your privacy policy includes a detailed and specific explanation of how your website uses cookies.
As described earlier, many companies make distinctions between the cookie policy and the privacy policy. This is not mandatory, but it may be necessary based on the business model. So, don't cling to templates, but strengthen transparency and accessibility for the information listed there.
It is important to avoid confusion at this point, as many people end up mixing up these concepts. I'll provide a simple explanation below, which will help us understand the order of things and facilitate overall comprehension.
Remember: Tags and Pixels trigger Cookies.
Tag & Pixel: Code that goes into the HTML of your website to call a specific service. These are scripts (programming codes) that call a server and perform specific functions based on these requests.
Cookies: Text files read and triggered by Tags & Pixels, which store data and serve to identify whether a browser is new (if there is no cookie, the tag triggers) or already known (if it has the cookie, it will overwrite it).
## What is the correct way to use cookies under LGPD?
To maintain compliance with the law, it is necessary to pay attention to the principles of LGPD and have knowledge of the regulation as a whole.
Furthermore, once it is decided that the company will indeed use first-party or third-party cookies in its operations, the categorization or organization of these cookies is the basis for communicating with visitors in your cookie policy and banner.
In general, the market uses five main groups to classify their tags and consequently the cookies triggered by them:
Necessary: Without them, your business model doesn't work, or you have to use them due to legal requirements/legislation. (e.g., first-party cookies, gateway authentication, etc.)
Advertising: With them, you trigger remarketing, populate ad pixels, email sequences, etc. (e.g., Facebook Pixel and Google Ads)
Analytics: With them, you have an analysis of what visitors do, where they come from, how they behave on your site. (e.g., Google Analytics, Hotjar, etc.)
Performance: Tags that maintain site functionality and ensure its operation, e.g., preventing DDoS attacks. (e.g., Cloudflare)
Functional: Tags that handle functional aspects, such as remembering preferences or recognizing that the user is already logged into the system. (e.g., Chatbots, Helpcenters)
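The five groups above can drive which tags are allowed to fire for a given visitor. The following is an added example, not code from AdOpt or any CMP: tag names, hosts and the consent record shape are constructed, and it assumes that Necessary tags rest on a legal basis other than consent while every other group requires an explicit opt-in.

```javascript
// Added example: consent-gated tag firing using the five categories above.
// Tag names, hosts and the consent record shape are constructed for illustration.
const CATEGORIES = ["necessary", "advertising", "analytics", "performance", "functional"];

// Constructed tag inventory: each tag is a script that would set cookies.
const TAG_INVENTORY = [
  { name: "session-auth", host: "shop.example", category: "necessary" },
  { name: "ads-pixel", host: "ads.thirdparty.example", category: "advertising" },
  { name: "web-analytics", host: "stats.thirdparty.example", category: "analytics" },
  { name: "cdn-shield", host: "cdn.thirdparty.example", category: "performance" },
  { name: "chat-widget", host: "chat.thirdparty.example", category: "functional" },
  { name: "mystery-script", host: "unknown.example", category: undefined },
];

// First-party if the tag host is the site host or a subdomain of it.
// Simplification: a production check would use the Public Suffix List.
function partyOf(tagHost, siteHost) {
  return tagHost === siteHost || tagHost.endsWith("." + siteHost) ? "first" : "third";
}

// consent: { analytics: true, advertising: false, ... } holding explicit opt-ins only.
// Assumption: "necessary" tags fire on a legal basis other than consent.
function planTags(inventory, consent, siteHost) {
  const plan = { fire: [], blocked: [] };
  for (const tag of inventory) {
    const party = partyOf(tag.host, siteHost);
    let reason = null;
    if (!CATEGORIES.includes(tag.category)) {
      reason = "uncategorized"; // fail closed: unclassified tags never fire
    } else if (tag.category !== "necessary" && consent[tag.category] !== true) {
      reason = "no-consent"; // opt-in only: a missing or non-boolean value counts as no
    }
    if (reason) plan.blocked.push({ name: tag.name, party, reason });
    else plan.fire.push({ name: tag.name, party, category: tag.category });
  }
  return plan;
}

// A visitor who accepted only Analytics in the banner's privacy options.
console.log(planTags(TAG_INVENTORY, { analytics: true }, "shop.example"));
```

The `blocked` list doubles as an audit of third-party tags present on the site without a category or a recorded consent.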
To facilitate data collection and record user consent, there are Consent Management Platforms (CMPs) like AdOpt.
In summary, it is a Cookie Banner that helps your website comply with LGPD, GDPR, CCPA... standards while also being a comprehensive tool for managing consent and communicating with visitors.