Brazilian Data Protection Authority publishes guide on cookies and personal data protection
The document provides recommendations to data controllers and examples of good practices for preparing cookie policies and banners under the Brazilian General Data Protection Law
In addition to providing recommendations to controllers on how to ensure compliance with the LGPD, the guide highlights the application of the legal bases provided by this law that justify the processing of personal data, and specifically relates the legal bases of consent and legitimate interest to different categories of the most commonly used cookies on websites. The guide provides examples of best practices that can be adopted by data processing agents when preparing cookie policies and banners.
- Displaying cookie policies only in a foreign language.
Buttons to “accept”, “reject”, and “manage” cookies
- Impairing the visualization or understanding of the buttons to reject or manage cookies, making only the “accept” button clearly visible.
- Preventing or making it difficult to decline all unnecessary cookies.
- Using a single button on the first-level banner (“agree”, “accept”, “aware”, etc.), with no option to manage cookies where consent is used as the legal basis.
- Complicating cookie management (e.g., not providing specific alternatives to manage cookies with different purposes).
- Making consent conditional on full acceptance of the cookies’ conditions of use document, without offering actual options to the data subject.
- Providing an easy-to-view button on first and second-level banners allowing users to reject unnecessary cookies.
Provision of information
- Not providing information and a direct, simple and specific mechanism to revoke consent and object to the processing of data (in addition to the browser’s blocking settings).
- Providing information on how to block cookies using the browser’s settings. If the browser cannot disable cookies or trackers, the user must be informed about it.
- Providing an easily accessible link so that users can exercise their rights, including, for instance, being further informed about how their data is used and for how long their data is kept, in addition to requesting data erasure, objecting to data processing or withdrawing consent.
Second-Level Banner (Banner providing more detailed information on the different types of cookies, where applicable, and enabling users to manage these cookies)
Second-level banner:
- Not providing a second-level banner.
Classification and categories of cookies
- Classifying cookies into categories on the second-level banner.
- Describing the types of cookies by their use and purpose.
Provision of information
- Presenting a list of cookies that is too granular, with an excessive amount of information, making it difficult to understand and leading to fatigue, not allowing users to express a clear and positive will.
- Providing information on how to block cookies using the browser’s settings. If the browser cannot disable the cookie or trackers, users must be informed about it.
- Presenting simple, clear, and precise descriptions and information regarding the purposes of the cookies.
- Obtaining consent for each specific purpose, according to the categories identified in the second-level banner, when applicable.
- Presenting unnecessary cookies enabled by default or pre-selected, for example, requiring manual deactivation by the user.
- Disabling consent-based cookies by default.
The guide will be open to comments and continuous contributions from society through the Fala.BR platform, so that the material can be constantly updated in the event of any new regulations and understandings by the ANPD.
For further information on data protection, please contact Mattos Filho’s Technology, Innovation & Digital Business practice area.