Brazilian Data Protection Authority publishes guide on cookies and personal data protection

On October 18, 2022, the Brazilian Data Protection Authority (ANPD) published a guide on “Cookies and Personal Data Protection”. The purpose of this guide is to provide data processing agents with information on how to use cookies, covering technical matters – such as their concepts and categories – as well as the implications of the Brazilian General Data Protection Law (LGPD) to be observed on the use of cookies on websites.

In addition to providing recommendations to controllers on how to ensure compliance with the LGPD, the guide also highlights the application of legal basis provided by this law that justifies the processing of personal data and specifically relates the legal basis of consent and legitimate interest to different categories of the most used cookies on websites. The guide provides examples of best practices that can be adopted by data processing agents when preparing cookie policies and banners.

For illustrative purposes, below is a list of the main practical instructions the ANPD’s guide provides for the use of cookies. All recommendations must be evaluated with reservations, according to the context and details applicable to each case.

General Guidelines

Language

Not recommended:

• Displaying cookie policies only in a foreign language.

First-level banner (Banner informing about the use of cookies, with a second-level banner enabling the management of these cookies, when applicable)

Buttons to “accept”, “reject”, and “manage” cookies

Not recommended:

• Impairing the visualization or understanding of the buttons to reject or manage cookies, making only the “accept” button clearly visible.
• Preventing or making it difficult to decline all unnecessary cookies.
• Using a single button on the first level banner – with no option to manage cookies in case of consent being used as legal basis (“agree”, “accept”, “aware”, etc.).
• Complicating cookie management (e.g., not providing specific alternatives to manage cookies with different purposes).
• Binding the obtaining of consent to the full acceptance of the cookies’ conditions of use document without offering actual options to the data subject.

Good practice:

• Providing an easy-to-view button on first and second-level banners allowing users to reject unnecessary cookies.

Provision of information

Not recommended:

• Not providing information and a direct, simple and specific mechanism to revoke consent and object to the processing of data (in addition to the browser’s blocking settings).

Good practice:

• Providing information on how to block cookies using the browser’s settings. If the browser cannot disable cookies or trackers, the user must be informed about it.
• Providing an easily accessible link so that users can exercise their rights, including, for instance, being further informed about how their data is used and for how long their data is kept, in addition to requesting data erasure, objecting to data processing or withdrawing consent.

Second-Level Banner (Banner providing more detailed information on the different types of cookies, where applicable, and enabling users to manage these cookies)

Second level banner:

Not recommended:

• Not providing a second-level banner.

Classification and categories of cookies

Good practice:

• Classifying cookies into categories on the second-level banner.
• Describing the types of cookies by their use and purpose.

Provision of information

Not recommended:

• Presenting a list of cookies that is too granular, with an excessive amount of information, making it difficult to understand and leading to fatigue, not allowing users to express a clear and positive will.

Good practice:

• Providing information on how to block cookies using the browser’s settings. If the browser cannot disable the cookie or trackers, users must be informed about it.

Purposes

Good practice:

• Presenting simple, clear, and precise descriptions and information regarding the purposes of the cookies.

Obtaining consent

Good practice:

• Obtaining consent for each specific purpose, according to the categories identified in the second level banner, when applicable.

Default settings

Not recommended:

• Presenting unnecessary cookies enabled by default or pre-selected, for example, requiring manual deactivation by the user.

Good practice:

• Disabling consent-based cookies by default.

The guide will be open to comments and continuous contributions from society through the Fala.BR platform, so that the material can be constantly updated in the event of any new regulations and understandings by the ANPD.

For further information on data protection, please contact Mattos Filho’s Technology, Innovation & Digital Business practice area.