The Guide defines cookies as files installed on a user’s device that allow the collection of certain information, including personal data, to fulfill different purposes. In practice, cookies allow the storage of a series of information about an internet user or the device on which they are installed, which may be essential for the functioning of a website or be used for other purposes such as analytics or advertising.
Considering the different types and functions of cookies, the ANPD proposes their classification according to the following criteria: (i) the entity responsible for managing cookies; (ii) if they are necessary; (iii) the purpose for which they are used; and (iv) the information retention period. These classifications are relevant to ANPD’s analysis of the adequacy of using cookies to the LGPD.
With respect to the entity responsible for the cookie management, cookies can be named first-party cookies when set directly by the website or application that the data subject is visiting, or third-party cookies – those created by a different domain than the one the data subject is visiting.
Regarding necessity: cookies may be necessary, if used by the website or application to perform basic functions and operate correctly, or unnecessary, i.e., those whose disabling does not prevent the website or application from functioning or the use of the services by users.
As for their purpose, cookies can be: (i) analytical or performance-related cookies, allowing collection of data and information about the use of the platform by the user and the occurrence of errors; (ii) functionality cookies, used to provide basic services to the user and remember preferences; and (iii) advertising cookies, used to collect user information for the purpose of displaying advertisements.
Finally, regarding the information retention period, session or temporary cookies are those discarded after the user exits the application or browser, while persistent cookies are stored for a longer period defined by the data controller.
Summarizing the Guide’s considerations, it can be stated that ANPD recommends that consent (art. 7, I, of the LGPD) will not be the appropriate legal basis for the use of strictly necessary cookies as these are essential for the functioning of the electronic page. Therefore, there is no room for the free expression of consent by the data subject, which is one of the LGPD requirements for consent to be valid.
According to the ANPD, consent is a legal basis that is better suited to the use of unnecessary cookies, without prejudice to the use of other legal bases according to the specific case.
Regarding consent, the Guide highlights the importance that in addition to being free, it is unequivocal and informed, which leads to some specific guidelines for best practices related to the use of cookie banners, as further detailed below.
(ii) Legitimate interest
As for the legitimate interest legal basis (art. 7, IX, of the LGPD), the ANPD recommends that this may be the appropriate legal basis for the processing of strictly necessary cookies.
At this point, it is worth noting that in many cases, the use of necessary cookies could be better grounded on another legal basis, which is the performance of a contract or preliminary procedures related to a contract to which the data subject is a party to (Article 7 V, of the LGPD). Nonetheless, this aspect was not explored by the Authority.
In addition, the ANPD points to legitimate interest as an appropriate legal basis for handling analytical cookies in different contexts such as measuring the audience of a page.
Finally, the Guide points out that legitimate interest would not be the most appropriate legal basis in cases in which data collected through cookies are used for advertising purposes. In this scenario, collecting consent is considered more appropriate by the ANPD.
This point can also be criticized, insofar as: (i) the argument used by the Authority that there is no legitimate expectation of data subjects to have their data processed through technologies such as cookies for advertising purposes is questionable; and (ii) it forces internet application providers to use cookie banners on their platforms, which in addition to hampering user navigation, can lead internet users to an overload of consent requests and, ultimately, to the so-called consent fatigue.
Cookie policies and cookie banners
(ii) Cookie banner
The ANPD has described what it sees as good practices related to the use of the cookie banner tool. The Authority points out that in the first level banner (the one initially presented to the user when he/she accesses the internet application), it is necessary to have the option to reject unnecessary cookies and to select the cookies that the user wants to accept – instead of using one button to accept all cookies in a generic way, which is common practice today.
In practice, the Guide leaves some flexibility on the use of cookie banners. Among other points of uncertainty, it is not clear whether the ANPD considers that cookies based on legitimate interest could be enabled by default in the cookie banner, allowing users to opt-out as a safeguard.
However, unlike the European Union, which has a specific rule (Directive 2002/58/EC – the ePrivacy Directive) that makes it mandatory to obtain consent to use tracking technologies such as cookies (in situations where this use is not strictly necessary), Brazil does not have an equivalent legal provision.
Lastly, it should be noted that the ANPD clarifies that the Guide will remain open to comments and contributions on an ongoing basis and that suggestions can be sent to the Authority through the “Fala.BR Platform”.
Click here to access the Guide (Portuguese only).
Tel.: (+55) 11 3024 6490
Tel.: (+55) 11 3024 6256
 “Consent fatigue” occurs when users end up facing a huge amount of validation boxes or cookie banners with requests for consent when browsing the internet, leading them to accept cookies automatically, without taking time to understand them and their consequences. This phenomenon puts in check the idea of “free choice” that the consent legal basis wants to achieve.
 European Commission. Evaluation and review of Directive 2002/58 on privacy and the electronic communication sector. Available at: https://digital-strategy.ec.europa.eu/en/library/evaluation-and-review-directive-200258-privacy-and-electronic-communication-sector. Access on 21.10.2022.
 Available at: https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation. Access on 21.10.2022.