Websites and apps must always comply with certain legal obligations. Indeed, failure to comply with regulations carries the risk of significant penalties.

For this reason, we have chosen to partner with iubenda, a company composed of both legal and technical experts specialized in this field. Together with iubenda, with whom we are Certified Partners, we have developed a proposal to offer all our clients a simple and secure solution to their legal compliance needs.

Key legal requirements for website and app owners

Privacy and Cookie Policy

The law requires every website/app that collects data to inform users through a privacy and cookie policy.

The privacy policy must include several essential elements, including:

• Types of personal data processed.
• Legal bases for processing.
• Purposes and methods of processing.
• Parties to whom personal data may be disclosed.
• Possible transfer of data outside the European Union.
• Rights of data subjects.
• Identifying details of the data controller.

The cookie policy specifically describes the various types of cookies installed through the site, any third parties to which these cookies refer—including a link to their respective documents and opt-out forms—and the purposes of processing.

Can’t we use a generic document?

It is not advisable to use generic documents as the information must detail the specific data processing of your own site/app, including all third-party technologies used (e.g., Facebook Like buttons or Google Maps).

And if my site doesn’t collect any data?

It is rare for a site not to collect any data. Even a simple contact form or traffic analysis system like Google Analytics can trigger the obligation to provide information.

Cookie Law

In addition to having a cookie policy, complying with a website’s Cookie Law requires displaying a cookie banner upon each user’s first visit and obtaining consent for cookie installation. Some types of cookies, such as those issued by tools like social media sharing buttons, should only be activated after obtaining valid user consent.

What is a cookie?

Cookies are used to store certain information on the user’s browser during their site navigation. They are now essential to allow a website to function correctly. Moreover, many third-party technologies commonly integrated into our sites, such as a simple YouTube video widget, also rely on cookies.

Consent under GDPR and LGPD

Under the GDPR, if users have the possibility to directly enter personal data on the site/app, for example, by filling out a contact form, service registration, or newsletter subscription, it is necessary to obtain free, specific, and informed consent, as well as record unequivocal proof of consent.

Similarly to the GDPR, under the Brazilian LGPD, the data controller must demonstrate, through the archiving of evidence, that they have correctly obtained the user’s consent.

What is meant by free, specific, and informed consent?

It is necessary to obtain consent for each specific processing purpose—for example, consent to send newsletters and separate consent to send promotional material on behalf of third parties. Consents can be requested by preparing one or more non-pre-selected, non-mandatory checkboxes, accompanied by informative texts that clearly explain to the user how their data will be used.

How can consent be documented unequivocally?

It is necessary to collect a series of information whenever a user fills out a form on your site/app. This information includes a unique user identification code, the content of the privacy policy accepted, and a copy of the form presented to the user.

Is the email I receive from the user following the form completion sufficient proof of consent?

Unfortunately, it is not sufficient, as some necessary information is missing to reconstruct the adequacy of the consent collection procedure, such as a copy of the form actually completed by the user.

Do I need to comply with LGPD even if my organization is not based in Brazil?

You fall within the scope of LGPD if you process data of individuals located within Brazilian territory, regardless of nationality (even if they were in Brazil only at the time of data collection and have since moved).

CCPA

The CCPA (California Consumer Privacy Act) requires that Californian users be informed about how and why their data is used, their rights in this regard, and how they can exercise them, including the right to opt-out. If you fall within the scope of the CCPA, you must provide this information both in your privacy policy and in a data collection notice displayed upon the user’s first visit (where necessary).

To facilitate opt-out requests from Californian users, it is necessary to include a “Do Not Sell My Personal Information” (DNSMPI) link both within the data collection notice shown upon the user’s first visit and in another easily accessible part of the site (a best practice is to include the link in the site footer).

My organization is not based in California, do I still need to comply with the CCPA?

The CCPA can apply to any organization that processes or could potentially process personal information of Californian users, regardless of whether the organization is located in California or not. Since IP addresses are considered personal information, it is likely that any website receiving at least 50,000 unique visits per year from California falls within the scope of the CCPA.

Terms and Conditions

In some cases, it may be appropriate to protect your online business from potential liabilities by preparing a Terms and Conditions document. Terms and Conditions typically include clauses regarding content use (copyright), limitation of liability, sales conditions, allow listing mandatory conditions provided by consumer protection regulations, and much more.

Terms and Conditions should include at least this information:

• Identifying data of the business.
• A description of the service offered by the website/app.
• Information on risk allocation, liability, and waivers.
• Warranties (if applicable).
• Right of withdrawal (if applicable).
• Security information.
• Usage rights (if applicable).
• Terms of use or purchase (such as age requirements or country-related restrictions).
• Refund/replacement/service suspension policies.
• Payment methods information.

When is it mandatory to prepare a Terms and Conditions document?

Terms and Conditions can be useful in any scenario, from e‑commerce to marketplaces, from SaaS to mobile apps and blogs. In the case of e‑commerce, not only is it advisable, but it is often mandatory to prepare this document.

Can I copy and use a Terms and Conditions document from another site?

The Terms and Conditions document is essentially a legally binding agreement, and therefore, it is not only important to have one, but it is also necessary to ensure that it complies with legal requirements, accurately describes your business processes, and remains up-to-date with reference regulations. Copying Terms and Conditions from other sites is very risky as it could render the document null or invalid.

How can we assist you with iubenda solutions

Thanks to our partnership with iubenda, we can help you configure everything you need to bring your site/app into compliance. iubenda is, in fact, the simplest, most comprehensive, and professional solution for legal compliance.

Privacy and Cookie Policy Generator

With iubenda’s Privacy and Cookie Policy Generator, we can create a personalized policy for your website or app. iubenda’s policies are generated from a database of clauses drafted and continuously reviewed by an international team of lawyers.

Cookie Solution

iubenda’s Cookie Solution is a complete system for complying with the Cookie Law through the display of a cookie banner upon each user’s first visit, the implementation of a preventive profiling cookie blocking system, and the collection of valid consent for cookie installation by users. The Cookie Solution