The ANPD Guide on Cookies and Personal Data Protection

January 17, 2023

Cookies remain a source of concern for data protection authorities in every country, all the more so given the lack of transparency in how much of this data is collected and used. The National Data Protection Authority (ANPD) has now issued a guidance document on how to handle cookies in Brazil, even though the General Data Protection Law (LGPD) itself contains no specific rules on the subject. Precisely for that reason, the ANPD guide comes at a good time to resolve doubts and serve as a basis for guiding everyone on how to deal with the issue in Brazil.

The guide begins with the definition of cookies: files installed on a user's device that allow certain information to be collected, in some situations including personal data, for a variety of purposes, among them the proper functioning of pages that are customised from the data the cookies collect. Because cookies can contain information that refers directly to natural persons, or that indirectly allows their identification, for example by drawing inferences, cross-referencing with other information and, at times, building behavioural profiles, such cookies end up containing personal data, which is protected by the LGPD.

The guide then classifies cookies into broad categories according to:

1. the entity responsible for their management;
2. need;
3. purpose;
4. the information retention period.

Cookies, according to the entity responsible for their management, are classified into:

Own or primary cookies: cookies set directly by the website or application that the data subject is visiting. First-party cookies generally cannot be used to track activity on a website other than the one that placed them. They may hold information such as login credentials, shopping cart items or the preferred language.

Third-party cookies: cookies created by a domain other than the one the data subject is visiting. They arise from functionalities of other domains that are embedded in a page, such as the display of advertisements.

Cookies, according to need, are classified into:

Necessary cookies: those used so that the website or application can perform basic functions and operate correctly. The information collected is essential to ensure the operation of the page or the adequate provision of the service. The activities covered as strictly necessary are therefore those related to the specific functionality of the service, that is, without them the user would not be able to carry out the main activities of the website or application. This category is restricted to what is essential to provide the service requested by the data subject; it does not include non-essential purposes that serve other interests of the controller.

Non-necessary cookies: cookies that do not fit the definition of necessary cookies and whose disabling does not prevent the website or application from functioning or the user from using its services. Non-necessary cookies relate to non-essential functionalities of the service, application or website. Examples include, but are not limited to, cookies used to track behaviour, measure page or service performance, and display advertisements or other embedded content.

Cookies, according to their purpose, are classified into:

Analytical or performance cookies: make it possible to collect data and information about how users use the website, which pages they visit most frequently, the occurrence of errors, or the performance of the website or application.

Functionality cookies: used to provide the basic services requested by the user and to remember preferences for the site or application, such as username, region or language. Functionality cookies may be first-party, third-party, persistent or session cookies.

Advertising cookies: used to collect information from the data subject for the purpose of displaying advertisements. More specifically, by collecting information about the user's browsing habits, advertising cookies allow users to be identified, profiles to be built and personalised advertisements to be displayed according to their interests.

Cookies, according to the retention period of information, are classified into:

Session or temporary cookies: designed to collect and store information while the data subject is accessing a website. They are usually discarded when the session ends, that is, when the user closes the browser. They are regularly used to store information that is relevant only to the provision of a service requested by the user or to a specific temporary purpose, as is generally the case with the list of products in the cart on a shopping website.

Persistent cookies: the data collected through these cookies is stored and can be accessed and processed for a period defined by the controller, which can vary from a few minutes to several years. It must therefore be assessed in each specific case whether the use of persistent cookies is necessary, since threats to privacy can be reduced by using session cookies instead. In any case, when persistent cookies are used, it is advisable to limit their duration as much as possible, considering the purpose for which the data was collected and will be processed, as explained later in the Guide.

The guide makes it clear that the use of cookies is legitimate only if the principles, the rights of data subjects and the data protection regime laid down in the LGPD are respected.

The guide then goes through the main points of the LGPD that apply to the collection of personal data through cookies, under the headings below:

1. Principles of purpose, necessity and appropriateness (Art. 6, I, II and III)

Explanation: the collection of personal data through cookies must be limited to the minimum necessary to fulfil legitimate, explicit and specific purposes, and further processing in a manner incompatible with those purposes is not possible. The purpose that justifies the use of a given category of cookies must therefore be specific and communicated to the data subject, and the data collected must be compatible with it. For example, if the website operator informs the data subject that cookies are used only for audience measurement, the information collected cannot be used for different, incompatible purposes such as building profiles and displaying advertisements; nor can other personal data unrelated to or incompatible with that purpose be collected. Stating only general purposes, as when acceptance of general terms and conditions is requested without indicating the specific purposes of the cookies, is therefore not allowed. In addition, the principle of necessity requires that processing cover only "data that are relevant, proportionate and not excessive in relation to the purposes of the data processing". This principle advises against processing personal data when the intended purpose can be achieved by other means that are less burdensome for the data subject.

2. Principles of free access and transparency (Art. 6, IV and VI)

Explanation: these impose on the processing agent the obligation to provide data subjects with clear, precise and easily accessible information on the form of processing, the retention period and the specific purposes that justify collecting their data through cookies. Information must also be given on any sharing of data with third parties and on the rights guaranteed to the data subject, among the other aspects listed in Art. 9 of the LGPD.

Recommendation: a good practice is to show the data subject how to manage cookie preferences in their own browser or device, explaining, for example, how cookies can be deleted or how third-party cookies can be disabled. Browser-level cookie management has only a complementary role: it does not remove the need to provide the data subject with a direct and specific mechanism for managing cookies and exercising their rights, always accompanied by the corresponding information. As to presentation, this information can be given in banners displayed on accessing a page and, in more detail, in privacy policies or notices describing the cookie policy adopted by the processing agent, in line with the recommendations in the Guide.

3. Data subject's rights

Explanation: among others, the rights of access, deletion of data, revocation of consent and objection to processing are especially relevant to the use of cookies, and must always be exercisable through a free and facilitated procedure, as provided for in Art. 18 of the LGPD.

Recommendation: to comply with this requirement, it is advisable to provide the data subject with a cookie management mechanism through which, for example, previously granted permissions can be reviewed, as in the case of revoking consent for marketing cookies when consent is the legal basis used.

4. Termination of processing and deletion of personal data

Explanation: the LGPD provides that, as a general rule, personal data must be deleted once processing ends, which may occur, for example, when the purpose has been achieved or deletion is legitimately requested by the data subject. Storing personal information after processing ends is allowed only in exceptional circumstances, such as compliance with a legal obligation, among the other cases provided for in Art. 16 of the GDPR. It follows that the cookie retention period must be compatible with the purposes of processing and limited to what is strictly necessary to achieve them; retention periods that are indeterminate, excessive or disproportionate to those purposes are not compatible with the LGPD.

5. Legal hypotheses

Explanation: these are the cases in which the LGPD authorises the processing of personal data, under Art. 7 and, for sensitive personal data, Art. 11. Whenever personal data is processed, the use of cookies is acceptable only if the controller identifies the applicable legal hypothesis and meets the specific requirements the LGPD sets for it.

Recommendation: consent and legitimate interest are the main focus here. Consent must be free, informed and unequivocal, and must be obtained in a specific and prominent way, with authorisation for the processing of sensitive personal data appearing separately. Using consent for necessary cookies is therefore not recommended. A simplified and free procedure for revoking consent must also be made available. Legitimate interest can be used for processing non-sensitive personal data when necessary to meet the legitimate interests of the controller or of third parties, "except in the case of prevailing fundamental rights and freedoms of the data subject that require the protection of personal data". For the processing to be adequate, the controller must therefore ensure that the intended use, besides not infringing rights and freedoms, could reasonably be foreseen by the data subject, that is, that the data subject could assume from the information provided at collection time that such use might occur. Thus, analytical or measurement cookies are appropriate under the justification of legitimate interest, while advertising cookies are not.

The guide finally recommends that a Cookies Policy be created, constituting a public statement that makes information available to users of a website or application, and must provide information on the specific purposes that justify the collection of personal data through cookies, the retention period and whether there is sharing. The Cookie Policy can be presented: (i) as a specific section of the Privacy Notice; (ii) in a specific and separate location; or (iii) on the cookie banner itself.

Cookies banners are visual resources used in the design of applications or websites on the internet, which use highlighted reading bars to inform the data subject, in a summarized, simple and direct way, about the use of cookies in that environment. And the guide establishes the following good practices regarding the use of cookie banners:

1. First level banners

– Provide an easy-to-view button that allows the data subject to reject all unnecessary cookies on the first and second level banners, with the following options: (i) Reject unnecessary cookies, (ii) Accept all cookies and (iii) Select cookies.

– Provide an easily accessible link through which the data subject can exercise their rights, which may include, for example, learning more about how their data is used and the retention period, requesting deletion of the data, objecting to processing or withdrawing consent.

2. Second level banners

– Sort cookies into categories in the second level banner.

– Describe the categories of cookies according to their uses and purposes.

– Present a simple, clear and precise description of, and information about, these purposes.

– Allow consent to be obtained for each specific purpose, according to the categories identified in the second-level banner, when applicable.

– Disable consent-based cookies by default.

– Provide information on how to block cookies through browser settings. If a cookie or tracker cannot be disabled via the browser, the data subject must be informed of this.

Finally, the guide recommends avoiding the following practices in cookie banners:

  1. Using a single button on the first level banner, with no management option, when consent is the legal hypothesis relied on ("I agree", "I accept", "Aware", etc.);
  2. Making the buttons for rejecting or configuring cookies hard to see or understand while highlighting only the acceptance button;
  3. Making it impossible or difficult to reject all unnecessary cookies;
  4. Displaying unnecessary cookies as enabled by default, so that the data subject has to deactivate them manually;
  5. Not making the second level banner available;
  6. Not providing information and a direct, simplified and proper mechanism through which the data subject can revoke consent and object to processing (beyond browser blocking settings);
  7. Making cookie management difficult (for example, not offering separate management options for cookies that serve different purposes);
  8. Displaying information about the cookie policy only in a foreign language;
  9. Presenting an overly granular list of cookies that generates an excessive amount of information, makes understanding difficult and can cause fatigue, preventing the data subject from expressing a clear and positive will;
  10. When consent is the legal hypothesis, tying it to full acceptance of the conditions for the use of cookies without giving the data subject effective options.
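To show how the banner good practices and the practices to avoid translate into site code (consent-based categories off by default, reject-all and per-category options, easy revocation, and a capped lifetime for persistent cookies), here is an added JavaScript example that is not part of the guide or of the original post; the cookie names, purposes, retention values and the 365-day cap are constructed assumptions.

```javascript
// Added example: a consent gate modelled on the ANPD cookie categories.
// Cookie names, purposes, retention values and the policy cap are constructed.
const DAY = 24 * 60 * 60;
const MAX_RETENTION = 365 * DAY; // assumed site policy cap for persistent cookies

// Registry of every cookie the site sets, with category and retention.
// maxAge null = session cookie (discarded when the browser closes).
const COOKIE_REGISTRY = {
  session_id: { category: "necessary",     purpose: "keep the visitor signed in",  maxAge: null },
  cart:       { category: "necessary",     purpose: "items in the shopping cart",  maxAge: null },
  lang:       { category: "functionality", purpose: "remember preferred language", maxAge: 30 * DAY },
  _metrics:   { category: "analytics",     purpose: "audience measurement",        maxAge: 400 * DAY },
  _ads:       { category: "advertising",   purpose: "personalised advertisements", maxAge: 365 * DAY },
};

// Only the necessary category is on without a choice; every consent-based
// category starts disabled, as the second-level banner rule requires.
function defaultConsent() {
  return { necessary: true, functionality: false, analytics: false, advertising: false };
}

// First-level banner buttons: "Reject unnecessary cookies" and "Accept all cookies".
function rejectUnnecessary() { return defaultConsent(); }
function acceptAll() {
  return { necessary: true, functionality: true, analytics: true, advertising: true };
}
// Second-level banner: per-category selection; "necessary" is never a choice.
function selectCategories(chosen) {
  const state = defaultConsent();
  for (const cat of chosen) if (cat in state && cat !== "necessary") state[cat] = true;
  return state;
}
// Revocation must be as simple as granting: flip one category off.
function revokeCategory(state, cat) {
  if (cat === "necessary") return state;
  return { ...state, [cat]: false };
}

// May this cookie be written under the current consent state?
function mayStore(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  return entry !== undefined && consent[entry.category] === true;
}

// Build a Set-Cookie value, or null when consent is missing. Retention is
// capped at the policy maximum, so an over-long registry entry is trimmed.
function buildSetCookie(name, value, consent) {
  if (!mayStore(name, consent)) return null;
  const { maxAge } = COOKIE_REGISTRY[name];
  let header = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
  if (maxAge !== null) header += `; Max-Age=${Math.min(maxAge, MAX_RETENTION)}`;
  return header;
}

// After a revocation, cookies of now-unconsented categories must be deleted.
function cookiesToPurge(consent) {
  return Object.keys(COOKIE_REGISTRY).filter((n) => !mayStore(n, consent));
}
```

In a real deployment the registry would also feed the second-level banner's category descriptions, and cookiesToPurge() would drive the deletion of existing cookies when the data subject withdraws consent.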
