ANPD publishes a guide on cookies and personal data protection

On October 18, 2022, the National Data Protection Authority (“ANPD”) launched the guidelines “Cookies and Personal Data Protection”. The guide aims to provide a general overview of the use of Cookies in online environments, taking into consideration the precautions that data processing agents must take to protect personal data. The guide also uses illustrative cases to show positive and negative practices in designing Cookie Banners in the electronic environment.

Definition of Cookies

The guide defines Cookies as “files installed in a user’s device that allow the gathering of certain information, that may include personal data, to meet several purposes” and clarifies that, through the use of Cookies, it is possible, for example, to register information of a user in a certain website, such as his credit card number, his login, or a product previously added to his shopping cart.

Attribution of a Lawful Basis

According to the guide, the use of Cookies requires a lawful basis provided in the Brazilian General Data Protection Law (“LGPD”). Of these, consent and legitimate interest are the most relevant.

Consent 

The guide exemplifies cases in which the use of consent is not appropriate. These include:

• Strictly Necessary Cookies – since in these cases, the processing of the information is essential for the functioning of the website or service, and therefore there is no effective condition for the free manifestation of the data subject; and 

• Cookies that are strictly necessary to comply with legal obligations and duties, especially in cases with a clear and direct link between data processing through Cookies and the exercise of typical state prerogatives by public entities and bodies.

Legitimate Interest

As for legitimate interest, the guide states that it may be employed when the use of Cookies is strictly necessary and in the case of analytical Cookies, which are responsible for measuring audience. However, for Cookies used for advertising purposes, the ANPD stresses that this lawful basis may not always be used and recommends applying the balancing test to determine the prevalence of the fundamental rights and freedoms of the data subjects in relation to the legitimate interests of the controller or third parties.

Good Practices

The guide sets out a non-exhaustive list of good practices to consider when setting up Cookie Banners, such as:

• The provision of a button that allows rejecting all cookies that are not necessary;

• The provision of an access link for the data subjects to exercise their rights, such as obtaining details about the use of their data, the retention period, requesting the disposal of data, and revoking consent;

• The classification of Cookies into categories;

• The description of the categories of Cookies according to their uses and purposes, with a simple explanation of these purposes;

• Obtaining consent for each specific purpose;

• Disabling Cookies based on consent by default; and

• The provision of information on whether browser settings can block cookies.

Inadvisable Practices

The guide also lists some inadvisable practices in the design of Cookie Banners, for example:

• The use of a single button, with no management option, in the case of using the legal basis of consent;

• Making the buttons to reject or configure Cookies impossible or difficult to see, while emphasizing the acceptance button;

• The impossibility or impediment of rejecting all Cookies that are not necessary;

• The activation of Cookies that are not necessary by default so that the user must manually deactivate them;

• The non-availability of second-level Cookie Banners;

• The failure to provide information and direct, simplified, and proper mechanisms for the exercise of the data subject’s rights to revoke consent and object to the processing of their data;

• The difficulty in managing Cookies;

• The display of information on the Cookie policy in a foreign language only;

• The display of the Cookie list in an exaggeratedly granular manner; and

• Linking the obtaining of consent to the full acceptance of the conditions of use of Cookies without providing effective options to the data subject.

Although the guide deals primarily with the processing of personal data by Cookies in the electronic environment, its guidelines also apply to the processing of personal data through similar tracking technologies, observing the particularities of the case in question.

Furthermore, even though the guide sets out good practices to be followed by processing agents, it is emphasized that compliance with the guidelines contained therein does not exempt agents from observing the LGPD instructions.

Access the full guide by clicking here.

For more information, please contact our Data Protection team.
