ANPD publishes Guidelines on the use of cookies
On October 18, the Brazilian Data Protection Authority (“ANPD” or “Authority”) published a Guide on cookies and personal data protection (“Guide”) in order to clarify best practices related to personal data processing arising from the use of cookies.
This Guide has no force of law, but it is an interpretative document on how the Brazilian Data Protection Law (“LGPD”) applies to the use of cookies and similar tracking technologies.
The Guide defines cookies as files installed on a user’s device that allow the collection of certain information, including personal data, to fulfill different purposes. In practice, cookies allow the storage of a series of information about an internet user or the device on which they are installed, which may be essential for the functioning of a website or be used for other purposes such as analytics or advertising.
Cookie Classification
Considering the different types and functions of cookies, the ANPD proposes classifying them according to the following criteria: (i) the entity responsible for managing the cookie; (ii) whether the cookie is necessary; (iii) the purpose for which it is used; and (iv) the information retention period. These classifications are relevant to the ANPD’s analysis of whether a given use of cookies complies with the LGPD.
With respect to the entity responsible for managing the cookie, cookies are called first-party cookies when set directly by the website or application the data subject is visiting, and third-party cookies when set by a domain other than the one the data subject is visiting.
Regarding necessity, cookies are necessary when the website or application needs them to perform basic functions and operate correctly, and unnecessary when disabling them does not prevent the website or application from functioning or prevent users from using its services.
As for their purpose, cookies can be: (i) analytical or performance cookies, which collect data and information about how the user uses the platform and about errors that occur; (ii) functionality cookies, used to provide basic services to the user and to remember preferences; and (iii) advertising cookies, used to collect user information for the purpose of displaying advertisements.
Finally, regarding the information retention period, session or temporary cookies are discarded when the user closes the application or browser, while persistent cookies are stored for a longer period defined by the data controller.
Legal basis for the use of cookies
The ANPD indicates in its Guide that, like any personal data processing activity, the use of cookies must respect the principles provided for in the LGPD and be supported by one of the legal bases provided for by law.
Although the ANPD indicates that other legal bases provided for in the LGPD can support the processing of personal data resulting from the use of cookies, the Guide analyzes only consent and legitimate interest, as it considers these to be the most common legal bases and the most relevant in this context.
(i) Consent
Summarizing the Guide’s considerations, the ANPD’s position is that consent (art. 7, I, of the LGPD) is not the appropriate legal basis for strictly necessary cookies, since these are essential for the functioning of the page. There is therefore no room for the data subject to express consent freely, and freely given consent is one of the LGPD’s requirements for consent to be valid.
According to the ANPD, consent is a legal basis better suited to the use of unnecessary cookies, without prejudice to the use of other legal bases depending on the specific case.
Regarding consent, the Guide highlights the importance that in addition to being free, it is unequivocal and informed, which leads to some specific guidelines for best practices related to the use of cookie banners, as further detailed below.
(ii) Legitimate interest
As for the legitimate interest legal basis (art. 7, IX, of the LGPD), the ANPD recommends that this may be the appropriate legal basis for the processing of strictly necessary cookies.
At this point, it is worth noting that in many cases the use of necessary cookies could be better grounded on another legal basis: the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party (art. 7, V, of the LGPD). This aspect, however, was not explored by the Authority.
In addition, the ANPD points to legitimate interest as an appropriate legal basis for handling analytical cookies in different contexts such as measuring the audience of a page.
Finally, the Guide points out that legitimate interest would not be the most appropriate legal basis in cases in which data collected through cookies are used for advertising purposes. In this scenario, collecting consent is considered more appropriate by the ANPD.
This point can also be criticized, insofar as: (i) the argument used by the Authority that there is no legitimate expectation of data subjects to have their data processed through technologies such as cookies for advertising purposes is questionable; and (ii) it forces internet application providers to use cookie banners on their platforms, which in addition to hampering user navigation, can lead internet users to an overload of consent requests and, ultimately, to the so-called consent fatigue.[1]
Cookie policies and cookie banners
The Guide also differentiates cookie policies from cookie banners. The policy is a public statement that informs users of a website or application about how their data is processed, in accordance with the principles of free access and transparency. The cookie banner, in turn, is a visual element used in applications or websites to inform the data subject, in a concise and direct way, about the use of cookies in the browsing environment.
(i) Cookie Policy
Regarding the cookie policy, ANPD states that there is no specific mandatory form for the presentation of this document, which can be a specific document or be included in the privacy policy itself (as long as it is presented in a prominent manner), as well as being incorporated into the cookie banner itself.
(ii) Cookie banner
The ANPD has described what it sees as good practices for cookie banners. The Authority points out that the first-level banner (the one initially shown when the user accesses the internet application) must offer the option to reject unnecessary cookies and the option to select which cookies the user wants to accept, rather than a single button that accepts all cookies generically, which is common practice today.
Regarding the second-level banner (the one displayed when the user indicates that they want to select which cookies to accept), the Guide points out the following good practices: (i) the second-level banner must describe the categories of cookies according to their uses and purposes; (ii) where applicable, the banner must allow consent to be obtained for each specific purpose for which cookies are used; and (iii) consent-based cookies must be disabled by default.
In addition, the Guide recommends that the following practices be avoided: (i) using a single button on the first-level banner to obtain consent without full cookie management; (ii) not providing a second-level banner; (iii) presenting cookie policy information in a foreign language only; (iv) presenting information about cookies in an excessively granular way that makes it difficult for users to understand; and (v) enabling unnecessary cookies by default.
In practice, the Guide leaves some flexibility on the use of cookie banners. Among other points of uncertainty, it is not clear whether the ANPD considers that cookies based on legitimate interest may be enabled by default in the cookie banner, with an opt-out offered to users as a safeguard.
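The banner behaviour described above (necessary cookies always on, consent-based categories off by default, a reject option on the first level, per-purpose consent on the second level) maps onto a small consent-gating layer in the site's own code, which is where the banner's choices actually take effect. The JavaScript below is an added example and is not code from the ANPD Guide or from the firm; the category names, the cookie names, the `cookie_consent` storage cookie and its 180-day retention are assumptions for illustration. It also reflects the session/persistent distinction from the classification section, since the presence of a Max-Age attribute is what makes a cookie persistent.

```javascript
// Added example (not from the ANPD Guide): a minimal consent-gating layer.
// Category names, cookie names and the storage cookie are assumptions.

// Each category records whether the site relies on consent for it.
// Only "necessary" is exempt: the Guide says consent is not the right basis
// for strictly necessary cookies, so they are never offered as a toggle.
const CATEGORIES = {
  necessary:   { consentRequired: false },
  analytics:   { consentRequired: true },
  advertising: { consentRequired: true },
};

const CONSENT_COOKIE = "cookie_consent";          // assumed cookie name
const CONSENT_TTL_SECONDS = 180 * 24 * 60 * 60;   // assumed retention: 180 days

// State for a visitor who has not interacted with the banner yet:
// consent-based categories are disabled by default.
function defaultConsent() {
  const state = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    state[name] = !cfg.consentRequired;
  }
  return state;
}

// First-level banner buttons. "Reject" leaves only necessary cookies on.
function rejectAll() {
  return defaultConsent();
}
function acceptAll() {
  const state = {};
  for (const name of Object.keys(CATEGORIES)) state[name] = true;
  return state;
}

// Second-level banner: grant or withdraw one purpose at a time.
// The necessary category cannot be switched off; unknown names are rejected.
function setCategory(state, name, enabled) {
  if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
  if (!CATEGORIES[name].consentRequired) return { ...state, [name]: true };
  return { ...state, [name]: enabled === true };
}

// Build a Set-Cookie header value, or return null when the cookie must not
// be set because its category has no consent. A cookie without Max-Age is a
// session cookie (discarded when the browser closes); with Max-Age it is a
// persistent cookie whose retention period the controller defines.
function buildSetCookie(state, { name, value, category, maxAgeSeconds = null, domain = null }) {
  if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
  if (state[category] !== true) return null;
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  if (domain !== null) parts.push(`Domain=${domain}`);
  return parts.join("; ");
}

// Persist the visitor's choices in a first-party cookie. Remembering the
// choice is itself treated as necessary, so this cookie is always allowed.
function consentCookie(state) {
  const record = { v: 1, choices: state };
  return buildSetCookie(state, {
    name: CONSENT_COOKIE,
    value: JSON.stringify(record),
    category: "necessary",
    maxAgeSeconds: CONSENT_TTL_SECONDS,
  });
}

// Read the choices back from a request's Cookie header. The value is
// untrusted client input: anything malformed, of the wrong version, or
// not an explicit `true` for a category falls back to "no consent".
function parseConsentCookie(cookieHeader) {
  const fallback = defaultConsent();
  if (typeof cookieHeader !== "string") return fallback;
  for (const pair of cookieHeader.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let record;
    try {
      record = JSON.parse(decodeURIComponent(pair.slice(eq + 1).trim()));
    } catch (e) {
      return fallback;
    }
    if (!record || record.v !== 1 || !record.choices || typeof record.choices !== "object") {
      return fallback;
    }
    const state = defaultConsent();
    for (const [name, cfg] of Object.entries(CATEGORIES)) {
      if (cfg.consentRequired) state[name] = record.choices[name] === true;
    }
    return state;
  }
  return fallback;
}

// Demo: a fresh visitor (analytics cookie refused), then one who granted
// analytics only, and the round trip through the storage cookie.
const fresh = defaultConsent();
console.log(buildSetCookie(fresh, { name: "_ga", value: "GA1.1.1", category: "analytics", maxAgeSeconds: 63072000 }));
const partial = setCategory(fresh, "analytics", true);
console.log(buildSetCookie(partial, { name: "_ga", value: "GA1.1.1", category: "analytics", maxAgeSeconds: 63072000 }));
console.log(parseConsentCookie("theme=dark; " + consentCookie(partial).split(";")[0]));
```

The gate sits in front of every call that sets a non-necessary cookie, so analytics and advertising scripts only run once `buildSetCookie` (or the equivalent check) returns a value; the parser treats the stored choices as hostile input and only honours an explicit `true`, so a tampered or stale cookie degrades to the default-off state rather than silently granting consent.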
Conclusion
The ANPD’s Cookie Guide was long-awaited by data processing agents in general, mainly because of the uncertainty over how the Authority would interpret the use of cookies in Brazil, given the strong influence of European Union legislation on the interpretation of the LGPD.
However, unlike the European Union, which has a specific rule (Directive 2002/58/EC – the ePrivacy Directive) that makes it mandatory to obtain consent to use tracking technologies such as cookies (in situations where this use is not strictly necessary), Brazil does not have an equivalent legal provision.
Even so, the Guide imports many of the concepts developed in the European Union and, in effect, treats consent as the mandatory legal basis for the use of cookies, especially when presenting good practices related to cookie banners.
Nevertheless, the topic is being reassessed in the European Union after studies on the impact of the use of consent as a mandatory requirement for the use of cookies.[2] There is now a recognition that locally institutionalized practices ended up generating an overload of consent requests for internet users.[3] Therefore, the question remains whether using the European model as a reference in this case is in fact the best alternative.
Lastly, it should be noted that the ANPD clarifies that the Guide will remain open to comments and contributions on an ongoing basis and that suggestions can be sent to the Authority through the “Fala.BR Platform”.
The Guide is available from the ANPD (Portuguese only).
Lefosse’s Technology, Data Protection and Intellectual Property team is available to assist our clients with issues related to LGPD including the implementation of good practices related to the use of cookies.
Paulo Lilla
Tel.: (+55) 11 3024 6490
Carla Segala
Tel.: (+55) 11 3024 6256
[1] “Consent fatigue” occurs when users face such a large number of dialog boxes or cookie banners requesting consent while browsing the internet that they end up accepting cookies automatically, without taking the time to understand them and their consequences. This phenomenon calls into question the idea of “free choice” that the consent legal basis is meant to achieve.
[2] European Commission. Evaluation and review of Directive 2002/58 on privacy and the electronic communication sector. Available at: https://digital-strategy.ec.europa.eu/en/library/evaluation-and-review-directive-200258-privacy-and-electronic-communication-sector. Accessed on 21.10.2022.
[3] European Commission. Proposal for an ePrivacy Regulation. Available at: https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation. Accessed on 21.10.2022.