Your Iubenda Certified Partner
How to Make Your Website or App Compliant
Websites and apps are required to meet specific legal obligations. Non-compliance can lead to substantial penalties, making it crucial to get it right.
That's why we've partnered with Iubenda, a company of legal and technical experts specializing in this field. As Iubenda Certified Partners, we’ve developed a straightforward and secure solution to help all our clients achieve legal compliance effortlessly.
Key Legal Requirements for Website and App Owners
Privacy and Cookie Policy
Legally, any website or app that collects data must inform its users via a comprehensive privacy and cookie policy. At a minimum, the privacy policy must state:
- the types of personal data processed;
- the legal basis for the processing;
- the purposes and methods of processing;
- the subjects to whom personal data may be disclosed;
- the possible transfer of data outside the European Union;
- the rights of the data subject;
- the identification details of the data controller.
The cookie policy specifically details the types of cookies installed via your site, identifies any third-party cookies involved – including links to their documentation and opt-out forms – and outlines the data processing purposes.
Can't we use a generic template?
Generic templates are not suitable because your policy must detail the specific data processing activities of your website/app, including all third-party technologies used (e.g., Facebook Like buttons, Google Maps).
What if my site doesn't process any data?
It's highly unlikely your site processes no data. Even a simple contact form or a traffic analysis tool like Google Analytics triggers the requirement for a data processing notice.
Cookie Law
Beyond having a cookie policy, to comply with cookie law, your website must also display a cookie banner on a user’s first visit and obtain their consent before installing cookies. Certain cookies, like those from social sharing buttons, should only be activated after receiving valid user consent.
What exactly is a cookie?
Cookies are small pieces of information that a website stores in the user's browser during a visit. Many are essential for a website to function correctly. Furthermore, many third-party technologies commonly integrated into sites, like a YouTube video widget, also rely on cookies.
Understanding Consent under GDPR and LGPD
Under GDPR, if users can directly input personal data on your site/app (e.g., via contact forms, service registrations, or newsletter sign-ups), you must obtain freely given, specific, and informed consent, and also record unequivocal proof of this consent.
Similar to GDPR, Brazil's LGPD also requires data controllers to demonstrate and store proof of correctly obtained user consent.
What does "freely given, specific, and informed consent" mean?
You need to collect separate consent for each specific processing purpose – for instance, one for newsletters and another for third-party promotional materials. This is typically done using one or more non-pre-ticked, optional checkboxes, accompanied by clear explanatory text about how user data will be utilized.
How can unambiguous consent be proven?
Whenever a user completes a form on your site/app, you must collect specific information. This includes a unique user ID, the content of the accepted privacy policy, and a copy of the form as it was presented to the user.
Isn't the confirmation email I receive after a user fills out a form sufficient proof of consent?
Unfortunately, no. It lacks essential information needed to verify the adequacy of the consent collection process, such as a copy of the actual form the user completed.
Do I need to comply with LGPD if my organization isn’t based in Brazil?
Yes, LGPD applies if you process data of individuals within Brazilian territory, irrespective of their nationality (even if they were only in Brazil when the data was collected and have since moved).
CCPA
The CCPA (California Consumer Privacy Act) mandates that Californian users are informed about how and why their data is used, their rights, and how to exercise them, including the right to opt-out. If CCPA applies to you, this information must be in your privacy policy and a data collection notice displayed on a user’s first visit (where applicable).
To streamline opt-out requests from Californian users, include a “Do Not Sell My Personal Information” (DNSMPI) link in the first-visit data collection notice and another easily accessible spot on your site (e.g., the website footer is a best practice).
My organization isn’t based in California. Do I still need to comply with CCPA?
CCPA can apply to any organization processing (or potentially processing) personal information of California users, regardless of your business location. Since IP addresses count as personal information, any website with at least 50,000 unique annual visits from California likely falls under CCPA.
Terms and Conditions
Protecting your online business from potential liability with a Terms and Conditions document is often advisable. Typically, these T&Cs include clauses on content use (copyright), liability limitations, sales conditions, mandatory consumer protection stipulations, and more.
Your Terms and Conditions should cover at least the following:
- the identification details of the business;
- a description of the service offered by the website/app;
- information on the allocation of risks, responsibilities, and disclaimers;
- warranties (if applicable);
- right of withdrawal (if applicable);
- security information;
- usage rights (if applicable);
- conditions of use or purchase (such as age requirements or country-related restrictions);
- refund/replacement/service suspension policies;
- information on payment methods.
When is a Terms and Conditions document mandatory?
Terms and Conditions are valuable in many scenarios – from e-commerce and marketplaces to SaaS, mobile apps, and blogs. For e-commerce businesses, they are not just advisable but often legally required.
Can I copy a Terms and Conditions document from another website?
A Terms and Conditions document is a legally binding agreement. It’s crucial not only to have one, but to ensure it meets legal standards, accurately reflects your business operations and model, and stays updated with current regulations. Copying T&Cs from other sites is highly risky and could invalidate your document.
How We Help You with Iubenda’s Solutions
Through our partnership with Iubenda, we can help you set up everything needed to make your website/app compliant. Iubenda is indeed the simplest, most comprehensive, and professional solution for regulatory compliance.
Privacy and Cookie Policy Generator
With Iubenda’s Privacy and Cookie Policy Generator, we can create a tailored policy for your website or app. Iubenda's policies are built from a database of clauses drafted and continually updated by an international legal team.
Cookie Solution
Iubenda's Cookie Solution is a comprehensive system for Cookie Law compliance. It enables displaying a cookie banner on each user's first visit, implementing a prior blocking system for profiling cookies, and collecting valid user consent for cookie installation. The Cookie Solution also helps meet CCPA requirements by showing Californian users a data collection notice with a “Do Not Sell My Personal Information” link and simplifying opt-out requests.
Consent Solution
Iubenda's Consent Solution enables the collection and storage of unequivocal proof of consent under GDPR and Brazil's LGPD whenever a user completes a form on your website or app (e.g., contact or newsletter sign-up). It also documents opt-out requests from Californian users in line with CCPA.
Terms and Conditions Generator
Using Iubenda’s Terms and Conditions Generator, we can craft a custom T&Cs document for your website or app. Iubenda's T&Cs are sourced from a comprehensive database of clauses, all drafted and regularly updated by an international team of legal experts.