LGPD Cookie Banner (Categories) Generator
Generate HTML/JS for an LGPD-compliant cookie banner with 4 categories (essential, analytics, marketing, preferences) and granular toggles.
LGPD-compliant cookie banners with granular categories
Brazil's LGPD (Lei Geral de Proteção de Dados, Federal Law 13.709/2018) entered into force in September 2020 and became sanctionable in August 2021. It treats most cookies — anything carrying device fingerprints, behavioural signals or advertising identifiers — as personal data, requiring a valid legal basis under Art. 7. The default basis for non-essential cookies is consent, and the regulator ANPD (Autoridade Nacional de Proteção de Dados) can apply fines of up to 2% of the company's revenue in Brazil, capped at R$ 50 million per infraction, plus daily penalties, blocking and even publication of the violation. The 2022 ANPD Guia Orientativo sobre Cookies made it explicit: implied consent (a "by continuing to browse" notice) is not valid in Brazil either.
An LGPD-aware banner differs from a generic GDPR one because it must reflect five granular categories recognised by the market and ANPD guidance, not just "accept/reject all". Art. 11 also requires explicit consent for sensitive data — race, health, biometric or political opinion — so trackers that infer those signals (medical sites, dating apps) need an extra layer.
The five-category standard
- Strictly necessary — session, CSRF, shopping cart, load balancing. Always on, no consent needed.
- Functional / Preferences — language, theme, region. Opt-in but low risk.
- Analytics / Statistics — Google Analytics, Hotjar, Plausible, Clarity. Block until consented.
- Marketing / Advertising — Facebook Pixel, Google Ads, RD Station, TikTok Pixel. Hardest hit by enforcement.
- Personalisation — recommendation engines, A/B test cohorts tied to identifiers.
First-party vs third-party
First-party cookies are set by the domain the user is visiting; third-party cookies belong to external vendors loaded inside iframes or pixels and are the main vector of cross-site tracking. Safari (ITP) and Firefox (ETP) block third-party cookies by default; Chrome's Privacy Sandbox is phasing them out via Topics API, Protected Audience and Attribution Reporting. The realistic mid-term direction is server-side tracking with first-party reliance and SameSite=Lax defaults.
CMPs and Brazilian options
Most companies adopt a Consent Management Platform: OneTrust, Cookiebot, Iubenda, Cookieyes, Usercentrics; WordPress sites lean on Borlabs or Complianz. Brazilian vendors include Conta Azul Compliance and LGPD Solutions. Many CMPs publish a TCF v2.2 signal (IAB Transparency and Consent Framework) consumed by ad-tech; if you serve Brazilian users only, TCF is optional.
Dark patterns ANPD watches for
- Pre-checked categories beyond "strictly necessary" (illegal under GDPR; ANPD treats it as invalid consent).
- "Reject all" hidden behind a "Customize" path that requires multiple clicks.
- Tracking that fires before the user interacts with the banner.
- No way to revoke consent — Art. 8 §5 LGPD requires withdrawal to be as easy as giving consent.
- Missing record of consent (log of timestamp, IP, version of policy, configuration accepted).
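The checks in the list above can be enforced in the banner's own logic. The sketch below is an added example, not the generator's output: the function names and `POLICY_VERSION` are hypothetical, and it assumes the server adds the IP hash when it stores each record.

```javascript
// Added example. Category names follow the five-category list above;
// function names and POLICY_VERSION are hypothetical placeholders.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing", "personalisation"];
const POLICY_VERSION = "policy-v1-placeholder";

function createConsentManager(now = () => new Date().toISOString()) {
  // Only "necessary" starts enabled: no other category is pre-checked.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  const trackers = []; // { category, start, started }
  const log = [];      // consent records; the server would add the IP hash
  let decided = false; // stays false until the user acts on the banner

  // Start any registered tracker whose category is now consented.
  function flush() {
    for (const t of trackers) {
      if (!t.started && state[t.category]) { t.started = true; t.start(); }
    }
  }
  // Apply banner toggles, snapshot the exact state, then release trackers.
  function save(choices, action = "save") {
    for (const c of CATEGORIES) {
      if (c !== "necessary") state[c] = choices[c] === true; // missing key = off
    }
    decided = true;
    const entry = { timestamp: now(), policyVersion: POLICY_VERSION, action, state: { ...state } };
    log.push(entry);
    flush();
    return entry;
  }
  return {
    // Wrap every tag/pixel loader in register() so nothing fires before consent.
    register(category, start) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      trackers.push({ category, start, started: false });
      flush();
    },
    save,
    rejectAll: () => save({}, "reject_all"), // one call, same cost as accepting
    withdraw: () => save({}, "withdraw"),    // later revocation, also one call
    isAllowed: (category) => state[category] === true,
    needsBanner: () => !decided,
    log,
  };
}
```

After `withdraw()`, scripts that already loaded keep running until the page reloads, so the caller also has to clear the cookies they set; that step is not shown here.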
FAQ
Is granular consent mandatory under LGPD? The law itself is principle-based, but the 2022 ANPD guide strongly recommends per-category control. In practice, offering only a generic "accept/reject" choice is risky if your site loads marketing pixels.
If I only use strictly necessary cookies, do I still need a banner? No banner is required, but a short cookie policy in the footer is best practice and helps with audit trails.
Can I do analytics without cookies and skip the banner? Yes — Plausible, Fathom, Simple Analytics and Umami anonymise IPs and store no persistent identifiers. CNIL accepted Plausible as exempt from consent; ANPD has not formally ruled, but the risk profile is much lower.
How long must I keep consent records? The LGPD sets no fixed period, but most CMPs default to the policy's lifetime plus 6 months. Store timestamp, IP hash, policy version and exact toggle state — they are your evidence of compliance.