ANPD publishes a guide on cookies and personal data protection
Definition of Cookies
Attribution of a Lawful Basis
The guide exemplifies cases in which the use of consent is not appropriate. These include:
• Strictly Necessary Cookies – since in these cases, the processing of the information is essential for the functioning of the website or service, and therefore there is no effective condition for the free manifestation of the data subject; and
• Cookies that are strictly necessary to comply with legal obligations and duties, especially in cases with a clear and direct link between data processing through Cookies and the exercise of typical state prerogatives by public entities and bodies.
Not exhaustively, the guide exposes good practices to be considered when setting up Cookie Banners, such as
• The provision of a button that allows rejecting all cookies that are not necessary;
• The provision of an access link for the data subjects to exercise their rights, such as obtaining details about the use of their data, the retention period, requesting the disposal of data, and revoking consent;
• The classification of Cookies into categories;
• The description of the categories of Cookies according to their uses and purposes, with a simple explanation of these purposes;
• Obtaining consent for each specific purpose;
• Disabling Cookies based on consent by default; and
• The provision of information on whether browser settings can block cookies.
Also, the guide lists some inadvisable practices in the elaboration of Cookies banners, for example:
• The use of a single button, with no management option, in the case of using the legal basis of consent;
• The impossibility or impediment in the visualization of the buttons to reject or configure Cookies, emphasizing the acceptance button;
• The impossibility or impediment of rejecting all Cookies that are not necessary;
• The activation of Cookies that are not necessary by default so that the user must manually deactivate them;
• The non-availability of second-level Cookie Banners;
• The failure to provide information and direct, simplified, and proper mechanisms for the exercise of the data subject’s rights to revoke consent and object to the processing of their data;
• The difficulty in managing Cookies;
• The display of the Cookie list in an exaggeratedly granular manner;
Although the guide deals primarily with processing personal data by Cookies in the electronic environment, its guidelines apply to processing personal data through similar tracking technologies, observing the particularity of the case in question.
Furthermore, even though the guide exposes good practices to be followed by processing agents, it is emphasized that compliance with the guidelines contained therein does not exempt agents from observing the LGPD instructions.
Access the full guide by clicking here.
For more information, please contact our Data Protection team.