The ANPD Guide on Cookies and Personal Data Protection
January 17, 2023
Cookies remain a concern for data protection authorities everywhere, all the more so given how little transparency there is about how much of this data is collected and used. The Brazilian National Data Protection Authority (ANPD) has now issued an orientation guide on cookies, even though the General Data Protection Law (LGPD) itself contains no specific rules on the subject. Precisely for that reason the guide comes at a good time: it resolves doubts and serves as a reference for how cookies should be handled in Brazil.
The guide starts from a definition: cookies are files placed on the device of the user (the data subject, whom the guide calls the holder) that allow certain information to be collected, in some cases including personal data, for various purposes, among them the proper functioning of pages that are customized on the basis of the data the cookies hold. Because a cookie can contain information that refers directly to a natural person, or that allows that person to be identified indirectly (for example by inference, by cross-referencing with other information or by building behavioral profiles), such cookies end up holding personal data, which is protected by the LGPD.
The guide then classifies cookies into macro categories according to:
1. the entity responsible for their management;
2. necessity;
3. purpose;
4. the information retention period.
Cookies, according to the entity responsible for their management, are classified into:
First-party (own) cookies
are set directly by the website or application the holder is visiting. First-party cookies generally cannot be used to track activity on any website other than the one that set them. They may hold information such as login data, shopping-cart items or the preferred language.
Third-party cookies
are created by a domain other than the one the holder is visiting. They come from functionality of other domains embedded in the page, such as the display of advertisements.
Cookies, according to necessity, are classified into:
Necessary cookies
are those the website or application needs to perform its basic functions and operate correctly; the information they collect is essential to the operation of the page or to the adequate provision of the service. The activities treated as strictly necessary are those tied to the specific functionality of the service, meaning that without them the user could not carry out the main activities of the website or application. The category is restricted to what is essential to provide the service the holder requested; it does not cover non-essential purposes that serve other interests of the controller.
Non-necessary cookies
are those that do not fit the definition of necessary cookies and whose disabling neither prevents the website or application from working nor stops the user from using its services. They relate to non-essential functionality of the service, application or website. Examples include, but are not limited to, cookies used to track behavior, measure page or service performance, and display advertisements or other embedded content.
Cookies, according to their purpose, are classified into:
Analytical or performance cookies
collect data about how users use the website: which pages they visit most often, the occurrence of errors, or performance information about the website or application.
Functionality cookies
are used to provide the basic services the user requested and to remember preferences for the site or application, such as username, region or language. Functionality cookies may be first-party or third-party, persistent or session cookies.
Advertising cookies
collect information about the holder for the purpose of displaying advertisements. More specifically, from information about the user's browsing habits, advertising cookies allow the user to be identified, profiles to be built and personalized advertisements to be displayed according to the user's interests.
Cookies, according to the information retention period, are classified into:
Session or temporary cookies
collect and store information only while the holder is accessing a website. They are normally discarded when the session ends, that is, when the user closes the browser. They are typically used for information that is relevant only to providing a service the user requested or for a specific temporary purpose, as is generally the case with the list of products in a shopping cart.
Persistent cookies
store data that can be accessed and processed for a period defined by the controller, anywhere from a few minutes to several years. It must therefore be assessed, case by case, whether persistent cookies are actually necessary, since the threat to privacy is smaller with session cookies. Where persistent cookies are used, their lifetime should be kept as short as possible in view of the purpose for which the data is collected and processed, as the guide explains later.
The guide makes clear that the use of cookies is legitimate only if the principles, the rights of holders and the data protection regime laid down in the LGPD are respected.
It then sets out the main points of the LGPD that apply to the collection of personal data through cookies, giving for each item an explanation and, where the guide offers one, a recommendation:
1. Principles of purpose, necessity and adequacy (Art. 6, I, II and III)
Explanation: the collection of personal data through cookies must be limited to the minimum necessary to fulfil legitimate, explicit and specific purposes, and the data may not be further processed in a manner incompatible with those purposes. The purpose that justifies a given category of cookies must therefore be specific and communicated to the holder, and the data collected must be compatible with it. For example, if the website operator tells the holder that cookies are used only to measure the audience, the operator may not use the information collected for different, incompatible purposes, such as building profiles and displaying ads; nor may it collect other personal data unrelated to or incompatible with that purpose. Stating only general purposes is therefore not permitted, as happens when acceptance of general terms and conditions is requested without indicating the specific purposes for which cookies are used. In addition, the principle of necessity limits processing to “data that are relevant, proportionate and not excessive in relation to the purposes of the data processing”, which advises against processing personal data when the intended purpose can be achieved by means less burdensome to the data subject.
2. Principles of free access and transparency (Art. 6, IV and VI)
Explanation: these principles oblige the processing agent to give holders clear, precise and easily accessible information on how the data is processed, the retention period and the specific purposes that justify collecting their data through cookies. Information should also be given on any sharing of data with third parties and on the rights guaranteed to the holder, among the other items listed in Art. 9 of the LGPD.
Recommendation: a good practice is to tell the data subject how to manage cookie preferences in their own browser or device, for example how cookies can be deleted or how third-party cookies can be disabled. Browser-side management is only complementary, however: it does not remove the need to give the holder a direct and specific mechanism for managing cookies and exercising their rights, always accompanied by the corresponding information. As to presentation, this information can be given in banners displayed when a page is accessed and, in more detail, in privacy policies or notices describing the cookie policy adopted by the processing agent, in line with the recommendations in the guide.
3. Rights of the holder
Explanation: among others, the rights of access, deletion of data, revocation of consent and objection to processing are especially relevant to cookies, and must always be exercisable through a free and facilitated procedure, as provided in Art. 18 of the LGPD.
Recommendation: to comply, it is advisable to give the holder a cookie management mechanism through which previously granted permissions can be reviewed, for instance to revoke consent to cookies used for marketing purposes where consent is the legal basis relied on.
4. Termination of processing and deletion of personal data
Explanation: as a general rule the LGPD requires personal data to be deleted once processing ends, which happens, for example, when the purpose has been achieved or the data subject legitimately requests deletion. Storing personal data after processing ends is allowed only in exceptional circumstances, such as compliance with a legal obligation, among the other cases listed in Art. 16 of the LGPD. It follows that the retention period of a cookie must be compatible with the purposes of the processing and limited to what is strictly necessary to achieve them; retention periods that are indeterminate, excessive or disproportionate to those purposes are not compatible with the LGPD.
5. Legal bases (legal hypotheses)
Explanation: these are the cases in which the LGPD authorizes the processing of personal data, under Art. 7 and, for sensitive personal data, Art. 11. Whenever personal data is processed, the use of cookies is acceptable only if the controller identifies the applicable legal basis and meets the specific requirements the LGPD sets for it.
Recommendation: consent and legitimate interest are the main bases in play. Consent must be free, informed and unequivocal, and must be obtained in a specific and prominent manner, with authorization for the processing of sensitive personal data appearing separately. Because consent must be genuinely refusable, it is not recommended as the basis for necessary cookies, which the user cannot do without. A simplified, free procedure for revoking consent must also be available. Legitimate interest may be used for non-sensitive personal data where processing is necessary to meet the legitimate interests of the controller or of third parties, “except in the case of prevailing fundamental rights and freedoms of the holder that require the protection of personal data”. For the processing to be adequate, the controller must make sure that the intended use, besides not infringing rights and freedoms, could reasonably be foreseen by the data subject, that is, that from the information the controller provided at the time of collection the subject could have assumed that such a use of their personal data might occur. On that test, analytical or measurement cookies can be justified by legitimate interest, whereas advertising cookies cannot.
Finally, the guide recommends creating a Cookie Policy: a public statement making information available to users of a website or application, which must state the specific purposes that justify collecting personal data through cookies, the retention period and whether the data is shared. The Cookie Policy may be presented (i) as a specific section of the privacy notice; (ii) in a specific, separate location; or (iii) in the cookie banner itself.
Cookie banners are visual elements used in the design of applications or websites: highlighted bars that inform the data subject, in a summarized, simple and direct way, about the use of cookies in that environment. The guide sets out the following good practices for cookie banners:
1. First-level banner
– Provide an easy-to-see button to reject all non-necessary cookies, on both the first- and second-level banners, with the options: (i) Reject non-necessary cookies, (ii) Accept all cookies and (iii) Select cookies.
– Provide an easily accessible link through which the holder can exercise their rights, for example to learn more about how their data is used and for how long it is retained, request deletion of the data, object to the processing or withdraw consent.
2. Second-level banner
– Group cookies into categories.
– Describe each category according to its uses and purposes.
– Present a simple, clear and precise description of those purposes.
– Allow consent to be given for each specific purpose, according to the categories shown in the second-level banner, where applicable.
– Keep consent-based cookies disabled by default.
– Explain how cookies can be blocked through browser settings; if a cookie or tracker cannot be disabled through the browser, the holder must be told so.
Finally, the guide recommends avoiding the following practices in cookie banners:
Using a single button on the first-level banner, with no management option, when consent is the legal basis (“I agree”, “I accept”, “Aware”, etc.);
Making the buttons for rejecting or configuring cookies hard to see or understand while highlighting only the accept button;
Making it impossible or difficult to reject all non-necessary cookies;
Showing non-necessary cookies enabled by default, so that the holder has to disable them manually;
Not providing a second-level banner;
Not providing information and a direct, simplified and proper mechanism for the data subject to exercise the rights to revoke consent and object to processing (beyond the browser's blocking settings);
Making cookies hard to manage (for example, offering no separate management options for cookies with different purposes);
Presenting information about the cookie policy only in a foreign language;
Presenting an overly granular list of cookies, generating so much information that it becomes hard to understand and leads to fatigue, preventing the holder from expressing a clear and positive will;
When consent is the legal basis, tying it to full acceptance of the conditions of cookie use without giving the holder effective options.
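The banner rules above (consent-based categories off by default, a separate choice per purpose, a reject-all option, and a revocation that actually removes the cookies), together with the session/persistent and retention points from the classification section, can be expressed as a small policy object that decides whether a cookie may be set at all and with what lifetime. The following is an added example written for this page; it is not code from the ANPD guide or from Licks Attorneys. The category names, purposes, retention limits, cookie names and the mapping of analytics to legitimate interest and advertising to consent are assumptions chosen to illustrate the guide's reasoning, not a statement of what any site must do.

```javascript
// Added example: a consent-gated cookie issuer modelling the ANPD banner rules.
// DOM-free so it runs under Node; in a browser the returned strings would be
// written through document.cookie or emitted as Set-Cookie response headers.
// Category names, purposes, retention limits and cookie names are assumptions.

const CATEGORIES = {
  // Necessary: no consent; session-only here, since the guide prefers session cookies.
  necessary: { purpose: 'login session and shopping cart', legalBasis: 'necessary',
               maxAgeSeconds: 0 },
  // Analytics: legitimate interest in the guide's reading, so on until the holder objects.
  analytics: { purpose: 'audience measurement and error reporting',
               legalBasis: 'legitimate-interest', maxAgeSeconds: 30 * 86400 },
  // Advertising: consent only, therefore off until explicitly granted.
  advertising: { purpose: 'profiling and personalised advertisements',
                 legalBasis: 'consent', maxAgeSeconds: 90 * 86400 },
};

class CookieConsent {
  constructor(categories = CATEGORIES) {
    this.categories = categories;
    this.decisions = {};      // category -> 'granted' | 'refused' | 'objected'
    this.issued = new Map();  // cookie name -> category, so revocation can expire them
  }

  def(category) {
    const d = this.categories[category];
    if (!d) throw new Error(`unknown cookie category: ${category}`);
    return d;
  }

  // Whether cookies of this category may be set right now.
  isAllowed(category) {
    const { legalBasis } = this.def(category);
    switch (legalBasis) {
      case 'necessary':           return true;
      case 'consent':             return this.decisions[category] === 'granted';  // off by default
      case 'legitimate-interest': return this.decisions[category] !== 'objected'; // on until objection
      default: throw new Error(`unsupported legal basis: ${legalBasis}`);
    }
  }

  // Second-level banner: one choice per purpose. Necessary cookies cannot be toggled.
  setChoice(category, enabled) {
    const { legalBasis } = this.def(category);
    if (legalBasis === 'necessary') throw new Error('necessary cookies are not subject to choice');
    if (enabled) this.decisions[category] = 'granted';
    else this.decisions[category] = legalBasis === 'consent' ? 'refused' : 'objected';
  }

  // First-level banner buttons.
  nonNecessary() {
    return Object.keys(this.categories).filter((c) => this.def(c).legalBasis !== 'necessary');
  }
  acceptAll() { this.nonNecessary().forEach((c) => this.setChoice(c, true)); }
  rejectAllNonNecessary() { return this.nonNecessary().flatMap((c) => this.revoke(c)); }

  // What the second-level banner should display: consent categories start disabled.
  bannerState() {
    return Object.entries(this.categories).map(([category, d]) => ({
      category, purpose: d.purpose, legalBasis: d.legalBasis,
      enabled: this.isAllowed(category), locked: d.legalBasis === 'necessary',
    }));
  }

  // Returns a Set-Cookie header value, or null when the category is not allowed.
  // A requested lifetime is capped at the category's retention limit; a category
  // with maxAgeSeconds 0 only ever yields session cookies (no Max-Age attribute).
  issue(name, value, category, opts = {}) {
    if (!this.isAllowed(category)) return null;
    const { maxAgeSeconds } = this.def(category);
    const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
    if (maxAgeSeconds > 0) {
      const requested = opts.maxAgeSeconds == null ? maxAgeSeconds : opts.maxAgeSeconds;
      parts.push(`Max-Age=${Math.min(requested, maxAgeSeconds)}`);
    }
    if (opts.httpOnly) parts.push('HttpOnly');
    this.issued.set(name, category);
    return parts.join('; ');
  }

  // Revocation of consent (or objection): record the decision and return expiry
  // Set-Cookie values for every cookie previously issued under that category.
  revoke(category) {
    this.setChoice(category, false);
    const expired = [];
    for (const [name, cat] of this.issued) {
      if (cat !== category) continue;
      expired.push(`${name}=; Path=/; Max-Age=0; Secure; SameSite=Lax`);
      this.issued.delete(name);
    }
    return expired;
  }
}
```

The point of keeping the `issued` map is the one most consent banners get wrong: withdrawing consent must do more than flip a flag, it has to expire the cookies that were set under that consent, otherwise the data keeps being sent on every request. Capping `Max-Age` per category is how the retention-period principle is enforced mechanically rather than by policy text alone.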
ABOUT US
Licks Attorneys Compliance's Blog provides regular and insightful updates about ethics and compliance. The posts are authored by Alexandre Dalmasso, our partner. Licks Attorneys is a top-tier Brazilian law firm, specialized in Intellectual Property and recognized for its success handling large and strategic projects in the country.