This article introduces cookies and the LGPD, along with the related topics that revolve around them.
In effect since August 2020, the General Data Protection Law (LGPD) requires a drastic change in the operations of companies that use data from their customers and users. Starting from August, data can only be used if it complies with the principles of LGPD - the so-called Legal Bases of LGPD - and is transparently and objectively consented to.
## What are cookies?
Cookies are small text files that can store what the user is doing for a certain period. Some cookies store your browsing history, as well as logins and passwords. It is because of them that you can access your Facebook account without having to enter your email every time, as the browser (using cookies) does it for you.
In addition to various functional aspects, cookies also provide excellent service in well-known systems such as Google Drive, for example. Thanks to the cookie's ability to store information, we can work on our texts, spreadsheets, presentations, even offline, and when we reconnect, our work is not lost.
## There are two types of cookies: First-Party and Third-Party Cookies
These terms are used to refer to cookies generated by the website owner or by third parties.
First-Party Cookies are those generated by the website's own domain. From the website owner's perspective, they are the information that visitors generate during their browsing session.
Regarding the cookie's storage capacity, this information is indeed "generated" by our browsing, and cookies are one way to store it. How does it work?
When the system generates a cookie, it has an identifier that stores the information in the company's database as well as in the visitor's browser. A very simple example is when we access a news portal and encounter the famous paywall message, "you have reached the limit of daily free articles, subscribe to our services."
How does it know that you have already read a specific article? Simple, through the cookies it stores in your browser for each article read. (Does this mean that if I clear my cookies or browse anonymously, I can read freely?... Wait, wait... do you think they haven't thought about that too? 😉)
On the other hand, Third-Party Cookies are cookies from third-party sources external to the website's domain. In other words, they are cookies from third-party companies that also set cookies to record information about their visitors.
Most of the time, these third-party cookies are (or at least should be) all authorized to be present. Otherwise, the website owner may be surprised by the number of entities "sucking" data from their site(s).
Article 5 of the Lei Geral de Proteção de Dados (LGPD) provides legal definitions of terms that you will come across frequently when researching the regulation. Among these definitions is that of personal data:
**"personal data:** information related to an identified or identifiable natural person."
We have the last two words in italic because they are the most important for the subject at hand.
Not all data that cookies carry is personal. For example, your visit to our website is not personal data. However, once you register your email on a site like Facebook, you are identifying yourself. Therefore, this is personal data that can be collected by a cookie.
And it is from there that the LGPD starts to affect how your data is used by websites and how your website handles user data.
All websites that process data, specifically those that use First or Third Party Cookies. If your website processes personal data or data that, when combined, can identify an individual person, it needs even more careful review of how this information is processed.
## Cookie requirements: How to keep your website compliant with LGPD.
To ensure that a website is compliant with LGPD when using cookies, there are certain principles to consider, especially if you have a valid "reason" or legal basis that supports the use of data and cookies on your site. For many, this legal basis is "Consent."
What does that mean? In order for companies to process personal data of data subjects (individuals like you and me), they now need to have a strong legal basis provided by the law (LGPD). This "permission" is known as the Legal Bases of LGPD.
Therefore, while consent is not the only legal basis that allows companies to use data, it plays a crucial role when it comes to cookies. This is why cookie notices serve an essential purpose: notifying and informing visitors, as well as correctly collecting and storing individual consents.
Regardless of the information carried by a cookie, it should have been consented to by the user. But what makes consent valid? And what should be communicated to the user?
The user must be clearly and objectively informed about the purpose for which their data will be collected. Additionally, they must give their explicit consent, or opt-in, by clicking on a notice.
To automate this process, Cookie Notices or Cookie Banners are used. They serve to fulfill the sixth principle of the law: transparency.
## What is the expiration period of a cookie?
GDPR, the European data protection regulation, has a limit of twelve months for the use of a cookie. However, LGPD does not establish an "expiration" deadline.
But one of the principles for data processing is necessity. According to the regulation, data can only be retained for the time necessary to fulfill its purpose. If a cookie carries information that no longer needs to be used, it becomes invalid under the law.
Thus, any changes in this regard will indeed be revolutionary and will bring many changes to the ecosystem as a whole.
## Cookie, Pixel and Tag: what's the difference?
It is important to avoid confusion at this point, as many people end up mixing up these concepts. I'll provide a simple explanation below, which will help us understand the order of things and facilitate overall comprehension.
Remember: Tags and Pixels trigger Cookies.
Tag & Pixel: Code that goes into the HTML of your website to call a specific service. These are scripts (programming codes) that call a server and perform specific functions based on these requests.
Cookies: Text files read and triggered by Tags & Pixels, which store data and serve to identify whether a browser is new (if there is no cookie, the tag triggers) or already known (if it has the cookie, it will overwrite it).
To maintain compliance with the law, it is necessary to pay attention to the principles of LGPD and have knowledge of the regulation as a whole.
In general, the market uses five main groups to classify their tags and consequently the cookies triggered by them:
Necessary: Without them, your business model doesn't work, or you have to use them due to legal requirements/legislation. (e.g., first-party cookies, gateway authentication, etc.)
Advertising: With them, you trigger remarketing, populate ad pixels, email sequences, etc. (e.g., Facebook Pixel and Google Ads)
Analytics: With them, you have an analysis of what visitors do, where they come from, how they behave on your site. (e.g., Google Analytics, Hotjar, etc.)
Performance: Tags that maintain site functionality and ensure its operation, e.g., preventing DDoS attacks. (e.g., Cloudflare)
Functional: Tags that handle functional aspects, such as remembering preferences or recognizing that the user is already logged into the system. (e.g., Chatbots, Helpcenters)
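The five groups above are what a consent gate keys on: a tag fires (and sets its cookies) only if the visitor opted in to its group. The sketch below is an added example, not AdOpt's code; the tag names, hosts and function names are hypothetical, and it assumes the Necessary group runs on a legal basis other than consent.

```javascript
// Added example: consent gate over a tag inventory (all names are hypothetical).
const CATEGORIES = ["necessary", "advertising", "analytics", "performance", "functional"];

// Constructed tag inventory for a fictional site, example.com.
const TAGS = [
  { name: "session-auth", category: "necessary", host: "example.com" },
  { name: "ads-pixel", category: "advertising", host: "ads.example.net" },
  { name: "web-analytics", category: "analytics", host: "stats.example.org" },
  { name: "chat-widget", category: "functional", host: "chat.example.net" },
  { name: "mystery-script", category: undefined, host: "cdn.example.org" },
];

// Build a storable consent record from explicit opt-ins. Anything not opted in is
// denied. Assumption: "necessary" does not depend on the visitor's choice.
function buildConsent(optIns, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" || optIns.includes(c);
  return { granted, recordedAt: now.toISOString() };
}

// Simplified first-party test: same host as the site, or a subdomain of it.
function isThirdParty(tagHost, siteHost) {
  return !(tagHost === siteHost || tagHost.endsWith("." + siteHost));
}

// Decide which tags may fire. No consent record means no opt-ins at all.
// Unclassified tags are never fired and are reported for review.
function planTags(tags, consent, siteHost) {
  const granted = (consent || buildConsent([])).granted;
  const plan = { fire: [], blocked: [], unclassified: [], thirdPartyHosts: [] };
  for (const tag of tags) {
    if (!CATEGORIES.includes(tag.category)) { plan.unclassified.push(tag.name); continue; }
    if (granted[tag.category] !== true) { plan.blocked.push(tag.name); continue; }
    plan.fire.push(tag.name);
    if (isThirdParty(tag.host, siteHost)) plan.thirdPartyHosts.push(tag.host);
  }
  return plan;
}

// First visit: nothing chosen yet, so only the necessary tag is planned.
console.log(planTags(TAGS, null, "example.com"));
// After the visitor opts in to analytics only.
console.log(planTags(TAGS, buildConsent(["analytics"]), "example.com"));
```

The `thirdPartyHosts` list is the set of external entities that actually receive data for a given visitor, which is the list a site owner should be able to account for.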
## How to manage cookies and visitor consent under LGPD?
To facilitate data collection and record user consent, there are Consent Management Platforms (CMPs) like AdOpt.
In this link, you can learn more about our service. In summary: a Cookie Banner that helps your website comply with LGPD, GDPR, CCPA... standards while also being a comprehensive tool for managing consent and communicating with visitors.