Websites and apps must always comply with certain requirements imposed by law. Failure to comply with the legal requirements can result in serious penalties, including substantial fines, audits and potential litigation.
For this reason I have chosen to rely on iubenda, a company built on both legal and technical expertise, that specializes in this sector. Together with iubenda, of which I am a Certified Partner, I have developed a proposal to offer all my clients a simple and safe solution to their compliance needs.
The law obliges each site/app that collects personal data to disclose relevant details to users via dedicated privacy and cookie notices.
Privacy policies must contain certain fundamental elements specific to your particular processing activities, including:
site, any third-parties to which these cookies refer — including a link to the respective documents and opt-out forms — and the purposes of the processing.
Can’t we use a generic document?
It’s not possible to use generic documents, as your policy must describe in detail the specific data processing carried out by your site/app, and must also include the particular details of any third-party technologies (e.g., Facebook Like buttons or Google Maps) specifically used by you.
What if my site does not process any data?
Furthermore, many third-party vendor networks may limit ad reach if you do not have a cookie management system that meets industry standards in place — potentially reducing your ability to generate ad revenue.
What is a cookie?
The process which allows the user to opt-out should be facilitated via a "Do Not Sell My Personal Information" (DNSMPI) link which should be accessible from your notice of collection and elsewhere on your site (best practice would be to also include the link in the footer).
My business is not based in California. Do I need to comply with the CCPA?
The CCPA applies to most businesses that collect or could potentially collect Californian customers' personal information, whether or not the business itself is geographically located in California. Since IP addresses are considered personal information, this likely applies to any website with at least 50,000 unique visits per year from California.
When a user directly enters personal data on a site/app, for example by filling in a contact form, service registration or newsletter subscription, it is necessary to collect consent that is freely given, specific and informed. Under the GDPR, it’s also necessary to keep unambiguous records that allow you to demonstrate that valid consent was collected.
Similar to the GDPR, the Brazilian LGPD also requires the data controller to provide unambiguous proof of consent, giving evidence that the user's consent was collected by a valid means.
What is free, specific and informed consent?
You must obtain consent for each specific processing purpose – for example, one consent to send newsletters and a separate consent to send promotional material on behalf of third parties. Consent may be requested by setting up one or more checkboxes that are not pre-selected, not mandatory or coerced (freely given), and accompanied by relevant disclosures that make it clear to the user how his or her data will be used.
How can proof of valid consent be demonstrated unambiguously?
Is the email I receive from the user as a result of filling out a form not sufficient as proof of consent?
Unfortunately, it is not sufficient, as some of the information necessary to reconstruct the suitability of the consent-collection procedure is missing, such as a copy of the form actually completed by the user and the version of the privacy documents available to the user at the time the consent was collected.
Do I have to comply with the LGPD even if my organization is not based in Brazil?
The LGPD has a territorial scope that extends outside of Brazil. This means that you may have to comply even if you or your business are not based in Brazil. Specifically, you fall under the LGPD's scope if you process data from individuals located within Brazilian territory, regardless of their nationality (even if they were in Brazil only at the time of data collection and have since moved).
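To make the consent requirements above concrete (per-purpose checkboxes that are neither pre-selected nor mandatory, and a record that keeps a copy of the submitted form together with the policy versions shown at the time), here is an added example written for this page. It is not iubenda's code or the Consent Solution's API; the form definition, field names and policy version strings are constructed for illustration. The record is made tamper-evident with a SHA-256 digest over its contents, which goes slightly beyond what the text states but is what makes a stored record defensible as "unambiguous" later.

```python
"""Minimal consent ledger (added example, not iubenda's code).

It checks that a consent form is freely given and specific, then stores
a record containing: a copy of the submitted form, the form definition
the user saw, the policy document versions in force, the consented
purposes, a timestamp, and a digest that detects later modification.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed form definition: one checkbox per purpose,
# none pre-selected, none mandatory.
FORM_DEFINITION = {
    "form_id": "newsletter-signup",
    "checkboxes": [
        {"name": "consent_newsletter", "prechecked": False,
         "required": False, "label": "Send me the newsletter"},
        {"name": "consent_third_party_promo", "prechecked": False,
         "required": False,
         "label": "Send me promotional material on behalf of third parties"},
    ],
}

# Constructed policy versions shown to the user at submission time.
POLICY_VERSIONS = {"privacy_policy": "2024-01-v3", "cookie_policy": "2024-01-v2"}


def check_form_definition(form):
    """Return a list of problems that would make consent invalid:
    a pre-ticked box (not freely given), a mandatory consent box
    (coerced), or a form with no consent checkbox at all."""
    problems = []
    if not form["checkboxes"]:
        problems.append("form has no consent checkbox")
    for box in form["checkboxes"]:
        if box["prechecked"]:
            problems.append(f"{box['name']}: checkbox is pre-selected")
        if box["required"]:
            problems.append(f"{box['name']}: consent is mandatory/coerced")
    return problems


def _digest(body):
    # Canonical JSON (sorted keys) so the same content always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_consent_record(form, submitted_fields, policy_versions, now=None):
    """Create a tamper-evident record of one consent event.

    Refuses to record consent gathered through a non-compliant form.
    Only checkboxes the user actually ticked count as consented purposes.
    """
    problems = check_form_definition(form)
    if problems:
        raise ValueError("non-compliant consent form: " + "; ".join(problems))
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    purposes_consented = [
        box["name"] for box in form["checkboxes"]
        if submitted_fields.get(box["name"]) is True
    ]
    body = {
        "timestamp": timestamp,
        "form_definition": form,          # what the user saw
        "submitted_fields": submitted_fields,  # copy of what was submitted
        "purposes_consented": purposes_consented,
        "policy_versions": policy_versions,    # documents in force at the time
    }
    return {"body": body, "digest": _digest(body)}


def verify_consent_record(record):
    """True if the record's digest still matches its body."""
    return _digest(record["body"]) == record["digest"]


if __name__ == "__main__":
    # Constructed submission: user ticked only the newsletter box.
    submission = {"email": "user@example.com",
                  "consent_newsletter": True,
                  "consent_third_party_promo": False}
    record = build_consent_record(FORM_DEFINITION, submission, POLICY_VERSIONS)
    print(json.dumps(record, indent=2))
    print("verified:", verify_consent_record(record))
```

Storing the digest (or the whole record) in append-only storage or a signed log is what turns this into evidence; the point of keeping the form definition and policy versions inside the record is that the procedure can be reconstructed later without depending on the live site, which is exactly the gap the e-mail-only approach leaves.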
In certain circumstances it can be necessary to protect your online business from potential liabilities with a Terms and Conditions document. Though not always legally required, Terms and Conditions set the way in which your product, service or content may be used, in a legally binding way. The Terms and Conditions typically contain copyright clauses, disclaimers, terms of sale, allow you to set governing law, list mandatory consumer protection clauses, and more. The Terms and Conditions should at least include:
When is it mandatory to have Terms and Conditions?
Can I copy and use a Terms and Conditions document from another site?
Because they are essentially a legally binding agreement, it is not only important to have one in place, but also necessary to ensure that it meets legal requirements, matches your specific business processes and model, and remains up-to-date with the various laws referenced in its contents. Copy-pasting Terms and Conditions from other sites is very risky and could result in the document being void or unenforceable.
Thanks to my partnership with iubenda, I can help you configure everything you need to make your site/app compliant. iubenda is in fact the simplest, most complete and professional solution to comply with regulations.
I am freely recommending this service, which I use myself, as I believe it's a valuable tool for anyone who owns and operates a website/app or collects user/customer data. As such, I have completed an assessment to become an iubenda Certified Bronze Partner.
The signup link below is an affiliate link. If you decide to use my link you will get a 10% discount on your first purchase and I will receive a referral commission. iubenda also offers a free basic account that, although limited, may be sufficient for your needs. You can upgrade to a subscription as needed.
The iubenda Cookie Solution is a comprehensive solution to meet EU Cookie Law, CCPA and any other third-party requirements by facilitating the display of a GDPR-compliant cookie banner or a CCPA notice of collection at each user’s first visit, the preventive blocking of the profiling cookies and the collection of users’ consent to the installation of cookies. It also supports opt-out from sale for Californian users via a "Do Not Sell My Personal Information" link.
iubenda’s Consent Solution allows the collection and storage of an unambiguous proof of consent whenever a user fills out a form – such as a contact form or newsletter subscription – on your website or app, as required by the GDPR and the Brazilian LGPD.
The solution can also be used to document opt-out requests from Californian consumers, as imposed by the CCPA.
With iubenda’s Terms and Conditions Generator I can prepare a fully customised, self-updating T&C document for your site/app. iubenda’s Terms and Conditions are generated starting from a database of clauses drafted and continuously reviewed by an international team of lawyers.