In this article, you will have a great introduction to the topic, as well as various other variations that revolve around the subject: Cookies and LGPD.

We list concepts and examples of cookie types, how to classify them in your documentation, Privacy Policy, Legal Bases of LGPD, etc.

In effect since August 2020, the General Data Protection Law (LGPD) will require a drastic change in the operations of companies that use data from their customers and users. Starting from August, data can only be used if it complies with the principles of LGPD - the so-called Legal Bases of LGPD - and is transparently and objectively consented to.

This will cause numerous websites to not only change their privacy policies and the information their cookies store but also various processes and ways of handling people's data. In this article, we will see how the use of cookies will be affected and how your company can continue to use them in a way that respects the law.

Cookies are small text files that can store what the user is doing for a certain period. Some cookies store your browsing history, as well as logins and passwords. It is because of them that you can access your Facebook account without having to enter your email every time, as the browser (using cookies) does it for you.

In addition to various functional aspects, cookies also provide excellent service in well-known systems such as Google Drive, for example. Thanks to the cookie's ability to store information, we can work on our texts, spreadsheets, presentations, even offline, and when we reconnect, our work is not lost.

First-Party and Third-Party Cookies, terms used to refer to cookies generated by the website owner or by third parties.

First-Party Cookies are those generated by the website's own domain. From the website owner's perspective, they are the information that visitors generate during their browsing session.

• Which tabs you visited;
• If you searched for a product, added it to a list, and "forgot it in the shopping cart";
• If you filled out any forms, etc.

Many website builders or e-commerce services use cookies to provide these functionalities to their customers. So, don't be surprised if you see that your website triggers first-party cookies without notifying you. They have practically become a "market standard."

Regarding the cookie's storage capacity, this information is indeed "generated" by our browsing, and cookies are one way to store it. How does it work?

When the system generates a cookie, it has an identifier that stores the information in the company's database as well as in the visitor's browser. A very simple example is when we access a news portal and encounter the famous paywall message, "you have reached the limit of daily free articles, subscribe to our services."

How does it know that you have already read a specific article? Simple, through the cookies it stores in your browser for each article read. (Does this mean that if I clear my cookies or browse anonymously, I can read freely?... Wait, wait... do you think they haven't thought about that too? 😉)

On the other hand, Third-Party Cookies are cookies from third-party sources external to the website's domain. In other words, they are cookies from third-party companies that also set cookies to record information about their visitors.

Most of the time, these third-party cookies should (or at least should) all be authorized to be present. Otherwise, the website owner may be surprised by the number of entities "sucking" data from their site(s).

Here are some common examples of services that use cookies:

• Facebook Ads
• Google Ads
• Google Analytics
• Hotjar
• Cloudflare
• Mixpanel
• Zendesk ...

5th Article 5 of the Lei Geral de Proteção de Dados - LGPD provides legal definitions of terms that you will come across frequently when researching the regulation. Among these definitions is that of personal data:

**"personal data: **information related to an identified or identifiable natural person."

We have the last two words in italic because they are the most important for the subject at hand.

Not all data that cookies carry is personal. For example, your visit to our website is not personal data. However, once you register your email on a site like Facebook, you are identifying yourself. Therefore, this is personal data that can be collected by a cookie.

And it is from there that the LGPD starts to affect how your data is used by websites and how your website handles user data.

The problem with the use of cookies arises when it is not known what data is being collected, for what purposes, and by whom. It is a matter of privacy and transparency, values that are the foundation of the LGPD.

The use of cookies that violates the LGPD will be penalized, and among the penalties are expensive fines.

All websites that process data, specifically those that use First or Third Party Cookies. If your website processes personal data or data that, when combined, can identify an individual person, it needs even more careful review of how this information is processed.

But, should this be listed in the Cookie policy or the Privacy Policy?

That depends on the company's choice to differentiate these aspects, as it may be a different approach based on the business model. Some companies address regulations for their "digital" data in the Cookie policy and the "offline" data in the Privacy Policy. However, it varies greatly, so we recommend consulting an expert who can analyze your business model and all the data flows and mappings of your company to understand the need for such differentiation.

To ensure that a website is compliant with LGPD when using cookies, there are certain principles to consider, especially if you have a valid "reason" or legal basis that supports the use of data and cookies on your site. For many, this legal basis is "Consent."

What does that mean? In order for companies to process personal data of data subjects (individuals like you and me), they now need to have a strong legal basis provided by the law (LGPD). This "permission" is known as the Legal Bases of LGPD.

Therefore, while consent is not the only legal basis that allows companies to use data, it plays a crucial role when it comes to cookies. This is why cookie banners serve an essential purpose: notifying and informing visitors, as well as correctly collecting and storing individual consents.

Regardless of the information carried by a cookie, it should have been consented to by the user. But what makes consent valid? And what should be communicated to the user?

The user must be clearly and objectively informed about the purpose for which their data will be collected. Additionally, they must give their explicit consent, or opt-in, by clicking on a banner.

To automate this process, Cookie Notices or Cookie Banners are used. They serve to fulfill the sixth principle of the law: transparency.

The Cookie Banner is that little pop-up window you can see on most websites nowadays, including when you entered our blog. This banner communicates that the site uses cookies. Ours says the following:

"Take control of your privacy. Our site uses cookies to enhance navigation." Then, there are two links: Privacy Policy and Terms of Use. Right after, there's a button for you to view your privacy options and an "accept" button, indicating that you agree to the use of your data.

The cookie banner, or cookie notice, which is a feature of the Consent Management Platform, serves to explicitly state the practice (use of cookies), the purpose (enhancing navigation), and offer users the possibility to fully or partially agree to the data processing.

This is what LGPD requires: transparency and objectivity, without complications. In this way, the use of cookies is permitted and can greatly assist in your business operations.

GDPR, the European data protection regulation, has a limit of twelve months for the use of a cookie. However, LGPD does not establish an "expiration" deadline.

But one of the principles for data processing is necessity. According to the regulation, data can only be retained for the time necessary to fulfill its purpose. If a cookie carries information that no longer needs to be used, it becomes invalid under the law.

Additionally, there are various initiatives by browsers—especially Apple's Safari, which automatically blocks third-party cookies. This "trend," as it is known in the market, has been widely discussed since 2015, even before GDPR. However, it is always being rethought or adapted because the entire advertising and analytics market relies heavily on the widespread use of cookies.

Thus, any changes in this regard will indeed be revolutionary and will bring many changes to the ecosystem as a whole.

It is important that your privacy policy includes a detailed and specific explanation of how your website uses cookies.

As described earlier, many companies make distinctions between the cookie policy and the privacy policy. This is not mandatory, but it may be necessary based on the business model. So, don't cling to templates, but strengthen transparency and accessibility for the information listed there.

It is important to avoid confusion at this point, as many people end up mixing up these concepts. I'll provide a simple explanation below, which will help us understand the order of things and facilitate overall comprehension.

Remember: Tags and Pixels trigger Cookies.

• Tag & Pixel: Code that goes into the HTML of your website to call a specific service. These are scripts (programming codes) that call a server and perform specific functions based on these requests.

• Cookies: Text files read and triggered by Tags & Pixels, which store data and serve to identify whether a browser is new (if there is no cookie, the tag triggers) or already known (if It has the cookie, It will overwrite it).

##What is the correct way to use cookies under LGPD?

To maintain compliance with the law, it is necessary to pay attention to the principles of LGPD and have knowledge of the regulation as a whole.

Furthermore, once it is decided that the company will indeed use first-party or third-party cookies in its operations, the categorization or organization of these cookies is the basis for communicating with visitors in your cookie policy and banner.

In general, the market uses five main groups to classify their tags and consequently the cookies triggered by them:

• Necessary: Without them, your business model doesn't work, or you have to use them due to legal requirements/legislation. (e.g., first-party cookies, gateway authentication, etc.)

• Advertising: With them, you trigger remarketing, populate ad pixels, email sequences, etc. (e.g., Facebook Pixel and Google Ads)

• Analytics: With them, you have an analysis of what visitors do, where they come from, how they behave on your site. (e.g., Google Analytics, Hotjar, etc.)

• Performance: Tags that maintain site functionality and ensure its operation, e.g., preventing DDoS attacks. (e.g., Cloudflare)

• Functional: Tags that handle functional aspects, such as remembering preferences or recognizing that the user is already logged into the system. (e.g., Chatbots, Helpcenters)

To facilitate data collection and record user consent, there are Consent Management Platforms (CMPs) like AdOpt.

In this link, you can learn more about our service: In summary, a Cookie Banner that helps your website comply with LGPD, GPDR, CCPA... standards while also being a comprehensive tool for managing consent and communicating with visitors.

Get started for free now and avoid LGPD, GPDR, CCPA... fines!