If your company has customers in Brazil and you collect or process personal data, you need to comply with the Lei Geral de Proteção de Dados (LGPD). If you are already compliant with the GDPR, then you have already done a great deal of the work necessary to comply with LGPD.
LGPD: an introduction
What is the LGPD?
The LGPD is Brazil’s federal data privacy law that governs all personal data processing within the country. It was passed in August 2018 and took effect in August 2020. LGPD empowers individuals inside Brazil with nine enforceable rights over their own personal data.
What is personal data under the LGPD?
The LGPD defines personal data as any kind of information regarding an identified or identifiable natural person. This includes names, addresses, location data, information on physical, genetic, mental, economic, cultural or social facts, as well as online identifiers such as IP addresses, cookies, and browser and search history.
Who is required to comply with the LGPD?
Any website, company or organization that processes personal data within Brazil’s territory is required to comply with the LGPD – even foreign data processors. The LGPD has extraterritorial application, meaning that websites anywhere in the world will have to comply with the LGPD if they process personal data from individuals inside Brazil.
How can my website become compliant with the LGPD?
Your website must have a legal basis for processing personal data from individuals inside Brazil. You might need to ask for and obtain the clear and unambiguous consent of its users before legally being allowed to process any personal data, e.g. through cookies and trackers in operation on your website.
Our solution simplifies these requirements for you by allowing you to easily manage consent and log proof of consent for each of your website users.
LGPD: A Cookiebot CMP checklist
The checklist is not intended as legal advice. If in doubt, seek advice from a trusted legal source or your Data Protection Authority.
It’s easy to set up your Cookiebot banner for LGPD compliance. Cookiebot uses the same ruleset applied for GDPR to enable your LGPD compliance. As the two rulesets are nearly identical in many aspects, our solution is ready to use out of the box.
Make sure you comply with LGPD by following these simple steps.
New to Cookiebot?
Don’t already have a Cookiebot account? Sign up for a free trial today and see how we can help you with your website compliance. Follow our guide here to get started!
Already have a Cookiebot account?
You can use the existing banner configuration in the domain group you set up for GDPR compliance. You would only need to check your regions and ensure that Brazil is included. Also ensure that Brazilian Portuguese is added under languages.
Alternatively, you can create a new domain group for your LGPD setup. Want to use our solution to cover GDPR, LGPD and maybe even CCPA as well? No problem. See our guide on how to set up multiple banners on the same domain at no extra cost, to cover different regions.
Step 1: Add your domain
- Log into the Cookiebot Manager and navigate to the Domains tab.
- Enter the domain name (excluding the "https://" part, for example: domain.com).
Step 2: Banner type
Navigate to Settings > Dialog. For LGPD compliance, make sure the following configurations are set:
- Method: Explicit Consent (in order to collect valid proof of consent)
- Type: Accept/Decline, Inline Multilevel (2-button and 3-button) or Multilevel (2-button and 3-button) version
- Leave checkboxes unticked
Unsure about what the right configuration is for you? Find more information in our blog post on LGPD.
Step 3: Add geo-locations
If you'd like to limit the banner to be displayed only to visitors from Brazil, you can do so by configuring "Distribution" at the bottom of the page.
Step 4: Set your banner language
Our solution supports 46 languages, including Portuguese. Brazilian Portuguese is currently not supported as a separate language, but we’re working on adding this as well as several other language variants. You can still easily add Brazilian Portuguese to your Cookiebot configuration by replacing one of the existing languages. For example, you can make your banner show Portuguese by default and manually adjust your Portuguese text to Brazilian Portuguese. This can all be done through your Cookiebot Manager.
Step 5: Check your monthly scan report
With Cookiebot you receive monthly scan reports with detailed information on cookies and other tracking found on your website. Your report will currently only highlight compliance against the GDPR adequacy list. This information should be manually assessed in relation to LGPD.
Make sure to check your report for these 3 things:
- Unclassified cookies
- Cookies not blocked before consent is provided
- Data is sent to adequate countries*
*GDPR introduced the notion of data protection “adequacy”, where certain countries outside of the EU are deemed to have “GDPR-adequate” levels of personal data rights and protection measures in place. Data can be transferred to these countries without the need for additional safeguards, in the same way as intra-EU transmissions of data. The list of adequate countries can be found here: the GDPR Adequacy decision list.
LGPD takes a similar approach; however, the list of LGPD-adequate countries has not yet been published. It is known, however, that the countries operating under GDPR (EU plus Norway, Liechtenstein and Iceland) are deemed LGPD-adequate.
Limitations in the Cookiebot compliance test and scan: Currently, the Cookiebot compliance test does not fully support LGPD as a separate legislation from GDPR. We’re working on this. Our current compliance test will scan your website and assess your compliance against the GDPR ruleset. This has no effect on Cookiebot’s ability to comply with LGPD.
Step 6: Get your scripts