The Anatomy of Valid LGPD Consent

Consent under Brazil's General Data Protection Law (LGPD) is a free, informed and unambiguous manifestation whereby the data subject agrees to the processing of their personal data for a given purpose [cite: 64]. You cannot rely on implied actions or silence to justify data collection. The law requires a clear and affirmative action from the user.

To meet the standard of being "informed", you must provide facilitated access to information concerning the processing of data [cite: 125]. This information must be made available in a clear, adequate and visible manner [cite: 125]. When consent is required, it is considered void if the information provided to the data subject contains misleading or abusive content, or if it has not been previously presented in a transparent, clear and unambiguous way [cite: 134].

The law also strictly prohibits generic authorisations for the processing of personal data, declaring them void [cite: 122]. Consent must refer to specific purposes [cite: 122].

If the purpose of the data processing changes and becomes incompatible with the original consent, you are required to inform the data subject in advance [cite: 135]. The data subject then has the right to revoke their consent if they disagree with the changes [cite: 135]. Furthermore, if you need to communicate or share personal data with other controllers, you must obtain specific consent from the data subject for that exact purpose [cite: 114].

Processing personal data is entirely prohibited if the consent is defective[cite: 121].

The Burden of Proof

Website owners and data controllers cannot simply claim they obtained consent. The controller bears the burden of proving that the consent has been obtained in accordance with the provisions of this Law[cite: 120].

This requirement makes technical infrastructure critical. If consent is given in writing, it must be included in a clause that stands out from the other contractual clauses[cite: 119]. For digital environments, this means logging the exact timestamp, the version of the privacy notice presented, and the specific categories of data the user agreed to share. Relying on an outdated consent mechanism without audit trails leaves your organisation vulnerable to regulatory action.

Sensitive Data and Children's Data

The LGPD applies heightened standards to specific categories of information. Standard consent mechanisms are often insufficient for these data types.

Sensitive personal data includes information concerning racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or philosophical organisations, health or sex life data, and genetic or biometric data[cite: 51]. Processing this type of data requires the data subject or their legal representative to specifically and emphatically consent, for specific purposes[cite: 146].

Children's data carries its own strict framework. The processing of children's and adolescents' personal data must be carried out in their best interest [cite: 176]. Specifically, the processing of children's personal data shall be carried out with the specific and distinguishable consent given by at least one of the parents or by the legal representative [cite: 177].

Controllers must make all reasonable efforts to confirm that this consent was actually given by the child's representative, considering available technologies [cite: 181]. Information regarding this processing must be provided in a simple, clear and accessible manner that is appropriate for the child's understanding, while providing necessary information to the parents [cite: 182].

Comparing Consent Types

Data Category           | Consent Standard                          | Key Requirement
Standard Personal Data  | Free, informed, unambiguous [cite: 64]    | Must be for a specific purpose; generic requests are void [cite: 122].
Sensitive Personal Data | Specific and emphatic [cite: 146]         | Requires clear, standout agreement distinct from general terms [cite: 146].
Children's Data         | Specific and distinguishable [cite: 177]  | Must be given by at least one parent or legal representative [cite: 177].

The Right to Revoke Consent

Consent under the LGPD is not permanent. Data subjects have the right to revoke their consent at any time upon express request [cite: 123]. This revocation must be processed via a free-of-charge and facilitated procedure [cite: 123].

When a user revokes consent, the processing carried out under the previously given consent remains valid as long as there is no specific request for erasure [cite: 123]. The termination of data processing occurs when the data subject provides notice, including when exercising the right to revoke consent [cite: 188]. Following termination, the personal data shall be erased within the scope and technical limits of the activities, subject to certain legal storage exceptions [cite: 191].

Data subjects have the right to obtain information on the possibility of denying consent and the consequences of such denial[cite: 211, 212]. You must clearly outline what features or services will be unavailable if they choose not to agree.

A compliant consent management platform automates this revocation process, ensuring that trackers are blocked immediately upon a user's withdrawal of consent. Handling this manually is prone to error and violates the requirement for a facilitated procedure.
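The two technical requirements above (an audit trail that can carry the burden of proof, and revocation that immediately stops the trackers it covers) can be shown together in one small consent ledger. The code below is an added example written for this page; it is not Kukie.io's code and not taken from the LGPD text. It assumes a design in which every grant or revocation is appended to a hash-chained log that records the timestamp, the privacy notice version shown, the purposes and the data categories, and in which a tracker is only allowed to fire while consent for its purpose is active. The subject IDs, notice versions and purposes are constructed sample values.

```python
"""Consent ledger: an append-only, hash-chained record of grants and revocations,
plus a gate that consults it before a tracker is activated (illustrative design)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first event


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ConsentLedger:
    """Each event carries the hash of the previous one, so a later edit to any
    stored record (e.g. swapping the notice version) breaks verify_chain()."""

    def __init__(self) -> None:
        self._events: list[dict] = []

    def _append(self, record: dict) -> dict:
        record["prev_hash"] = self._events[-1]["hash"] if self._events else GENESIS_HASH
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self._events.append(record)
        return record

    def grant(self, subject_id: str, notice_version: str, purposes: list[str],
              categories: list[str], affirmative_action: bool, at: str | None = None) -> dict:
        # Silence or a pre-ticked box is not an unambiguous manifestation: refuse to log it.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        # A grant with no named purpose would be a generic authorisation, which is void.
        if not purposes:
            raise ValueError("consent must name specific purposes")
        return self._append({
            "event": "grant",
            "subject_id": subject_id,
            "timestamp": at or _now_iso(),
            "notice_version": notice_version,   # exact notice text version presented
            "purposes": sorted(purposes),
            "categories": sorted(categories),   # data categories the subject agreed to share
        })

    def revoke(self, subject_id: str, purposes: list[str] | None = None,
               at: str | None = None) -> dict:
        # purposes=None means the subject withdrew consent for everything.
        return self._append({
            "event": "revoke",
            "subject_id": subject_id,
            "timestamp": at or _now_iso(),
            "purposes": sorted(purposes) if purposes else None,
        })

    def active_purposes(self, subject_id: str) -> set[str]:
        """Replay the subject's events in order; the latest state wins."""
        active: set[str] = set()
        for ev in self._events:
            if ev["subject_id"] != subject_id:
                continue
            if ev["event"] == "grant":
                active.update(ev["purposes"])
            elif ev["purposes"] is None:
                active.clear()
            else:
                active.difference_update(ev["purposes"])
        return active

    def proof_of_consent(self, subject_id: str) -> list[dict]:
        """Everything the controller would hand a regulator for one subject."""
        return [dict(ev) for ev in self._events if ev["subject_id"] == subject_id]

    def verify_chain(self) -> bool:
        prev = GENESIS_HASH
        for ev in self._events:
            if ev["prev_hash"] != prev:
                return False
            body = {k: v for k, v in ev.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != ev["hash"]:
                return False
            prev = ev["hash"]
        return True


def tracker_allowed(ledger: ConsentLedger, subject_id: str, purpose: str) -> bool:
    """Gate called before a tracker fires: allowed only while its purpose is consented."""
    return purpose in ledger.active_purposes(subject_id)


def demo() -> dict:
    """Constructed walkthrough: grant, partial revocation, rejected pre-ticked 'consent'."""
    ledger = ConsentLedger()
    ledger.grant("user-42", "privacy-notice-v3", ["analytics", "marketing"],
                 ["browsing_history"], affirmative_action=True, at="2024-05-01T10:00:00+00:00")
    before = tracker_allowed(ledger, "user-42", "marketing")
    ledger.revoke("user-42", ["marketing"], at="2024-06-01T09:30:00+00:00")
    try:
        ledger.grant("user-43", "privacy-notice-v3", ["analytics"], ["browsing_history"],
                     affirmative_action=False)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "marketing_before_revoke": before,
        "marketing_after_revoke": tracker_allowed(ledger, "user-42", "marketing"),
        "analytics_after_revoke": tracker_allowed(ledger, "user-42", "analytics"),
        "preticked_rejected": preticked_rejected,
        "chain_ok": ledger.verify_chain(),
        "proof_events": len(ledger.proof_of_consent("user-42")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger is intentionally append-only: a revocation is a new event rather than a deletion, so the earlier processing stays documented (the page notes it remains valid absent an erasure request) while the gate stops honouring the withdrawn purpose from the next check onwards. In a real deployment the chain would be persisted and its head hash anchored somewhere the application cannot rewrite, which is the part that actually makes the trail defensible.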

Common Pitfalls to Avoid

Many organisations fail to adapt their processes to the specific text of the LGPD, often relying on outdated privacy laws or non-compliant UX patterns. One common mistake is making consent a strict condition for service. When the processing of personal data is a condition for the provision of a product or service, the data subject must be emphatically informed of this fact[cite: 136].

Another pitfall is failing to communicate downstream. If a controller has obtained consent and needs to communicate or share personal data with other controllers, they must obtain specific consent from the data subject for that purpose[cite: 114]. Furthermore, if a user requests correction, erasure, or blocking of data, the controller must immediately communicate this to the processing agents with whom they have shared data so they can repeat the identical procedure[cite: 221].

Ignoring these rules triggers liability. A controller or processor who causes pecuniary, moral, individual or collective damage in violation of the legislation is required to compensate for such damage[cite: 339]. Implementing a secure compliance workflow protects your organisation from these cascading failures.

Frequently Asked Questions

Can I use pre-ticked boxes for LGPD consent?

No. The LGPD requires consent to be an unambiguous manifestation where the data subject agrees to the processing[cite: 64]. Pre-ticked boxes do not constitute unambiguous agreement.

Does consent last forever under the LGPD?

No. Consent can be revoked at any time upon the express request of the data subject via a free and facilitated procedure [cite: 123].

What happens if my privacy policy is confusing?

If the information provided to the user contains misleading or abusive content, or is not transparent and clear, any consent obtained is considered void[cite: 134].

Do I need a parent's permission to process a teenager's data?

Yes. Processing children's personal data requires specific and distinguishable consent given by at least one of the parents or by the legal representative[cite: 177].

Can I ask for consent to process data for general, future uses?

No. Consent must refer to specific purposes. Generic authorisations for the processing of personal data are considered void[cite: 122].

Take Control of Your Cookie Compliance

If you are collecting user data in Brazil, you must prove that your consent mechanisms meet the strict requirements of the LGPD. Kukie.io detects all trackers, maintains granular consent logs, and provides users with a compliant, facilitated way to manage or revoke their preferences.
