loading...

ANPD publishes guidelines on the use of cookies

The Brazilian National Data Protection Authority (ANPD) released this Tuesday (October 18) the “Cookies and Data Protection” Guidelines. The guidelines aim to advise processing agents on good practices regarding the use of cookies on websites. The main aspects are detailed below.

COMPLIANCE

According to the guidelines, the use of cookies must comply with principles set forth in the Brazilian Data Protection Act (LGPD). In order to meet the principles of purpose, necessity and adequacy, the collection of personal data through the use of cookies must be limited to the minimum necessary for the accomplishment of legitimate, explicit and specific purposes.

In order to comply with the principles of free access and transparency, processing agents must provide data subjects with clear, accurate and easily accessible information on the form of processing, the retention period and the specific purposes justifying the collection of their data through cookies.

APPLICABLE LEGAL BASES

The guidelines indicate that the collection of personal data through cookies can happen on various legal bases, not only the consent of the data subject or the controller’s legitimate interest. However, the guidelines provide specific guidance only in relation to these two legal bases.

Consent

  • The controller must provide the data subject with clear, accurate and easily accessible information on the form of the processing, the retention period and the specific purposes that justify the collection of their data through cookies;
  • “Forced” consent – without providing effective options to the data subject – is incompatible with the LGPD;
  • Consent should be unambiguous, therefore it is not recommended to use cookie banners with pre-selected authorization options or the adoption of tacit consent mechanisms; options should be disabled by default;
  • Consent is not an adequate legal basis for collecting data through strictly necessary cookies, since in these cases the data subject has no power of choice;
  • If the controller uses consent as a legal basis, it must allow the data subject to reject the collection of data through non-essential cookies;
  • Consent would be the most appropriate legal basis for collecting data through advertising cookies; and
  • The controller is responsible for proving that consent was given respecting all parameters established by the LGPD.

Legitimate Interest

  • The use of the legitimate interest for collecting data through cookies requires an assessment of the legitimate interest. In this assessment, the controller shall:
  • o identify whether there is a legitimate purpose for the processing of the data;
  • o verify if the use of the data may harm the rights and freedoms of the data subjects involved; and
  • o assess whether the use could reasonably be expected by the data subjects;
  • The legitimate interest would be the most appropriate legal basis for collecting data by strictly necessary cookies and could also be suitable for analytical cookies; however, it would hardly be the most appropriate legal basis in the cases in which data collected through cookies is used for advertising purposes.

GOOD PRACTICES

In addition, the guidelines indicate best practices to be followed by controllers when setting their cookie policies and developing their notices and banners:

  • Provide clear, accurate and easily accessible information on the use of cookies and the collection of personal data to the data subject; the information may be made available in (i) a specific section of the Privacy Notice; (ii) a specific Notice or Policy; or (iii) the cookie banner;
  • Provide a button on the cookie banner that allows the rejection of all non-essential cookies, if the chosen legal basis is consent;
  • Provide a link that allows the data subject to access the page with information on the use of their data and exercise of their rights;
  • Classify cookies into categories, describing their purposes in the second-level banner (preference management panel);
  • Set up the second-level banner (preference management panel) allowing consent to be obtained for each specific purpose;
  • Keep cookies based on the data subject’s consent disabled by default, only enabling them after the effective provision of consent; and
  • Provide information on how to block cookies by the browser’s settings.

Our team is closely monitoring all measures relating to the protection of personal data and assisting clients in privacy and data protection claims. For more information on this, contact us at privacy@lickslegal.com.

Tags: