Brazil’s Guidance on Cookies

On 18th October 2022, the National Data Protection Authority (“ANPD”) of Brazil published guidelines on the use of cookies, titled Cookies and Protection of Personal Data (the “Guidelines”). Cookies are files installed on a user’s device, which allow the collection of information, including personal information, about the user, for various purposes, such as identification of a user before a transaction, ‘remembering’ past choices of the user, or advertising.

This article provides an overview of the Guidelines that will help companies to design and implement adequate cookie consent banners and ensure compliance with the consent requirements as per Brazil’s General Data Protection Law (the “LGPD”). It is important to note that where personal user data is collected without lawful grounds, the same shall constitute a violation of the users’ rights under the LGPD.

For your ease, we have divided the overview of the Guidelines into the following key sections:

(A) How to obtain consent from users for the use of cookies?

Under the LGPD, consent is considered to be required for the use of non-essential cookies. Such consent must be freely given, informed and unambiguous. This requires organizations to ensure the following:

• the data subject must be provided with equally prominent choices of accepting and refusing the use of cookies on cookie consent banners, without any negative consequences or any interventions by the controller for refusing cookies which could vitiate or impair their expression of will;
• access to a website’s service or functionality should not be made conditional on the user’s acceptance of non-essential cookies so that the user is not forced to accept the use of cookies;
• the use of pre-selected checkboxes is prohibited. Similarly, consent cannot be implied and must be in the form of an explicit expression of will by the data subject;
• the data subject must be provided with adequate information necessary to enable them to make an informed assessment as to whether they should consent to the cookies;
• in case of collection of sensitive data on the basis of consent, in addition to being free, informed, and unambiguous, consent should be obtained in a specific and prominent manner;
• the data subject must be able to unilaterally revoke consent once granted at any time via a simplified and easy mechanism. The withdrawal of consent must be free of charge;
• new consent must be obtained from the data subject if the assumptions underpinning previously given consent change, such as the purposes of the use of cookies change, or other legal basis should be relied upon for the use of cookies; and
• all non-essential cookies must be disabled by default so that the user has the ability to choose the cookies that they deem appropriate for the collection of their personal information.

(B) How to provide information to data subjects regarding the use of cookies?

The ANPD has emphasized the importance of user transparency, i.e., keeping the data subject informed of data collecting and processing practices by providing clear, precise, easily accessible and easily understandable information to the data subject. This information can be provided to the data subject via cookie consent banners, cookie policies and privacy policies. A cookie policy, consisting of detailed information on the categories of cookies, may be presented in a specific section within the main privacy policy of the website, separately in a specific location, or in the cookie banner.

Regardless of the mechanism used, the data subjects must be adequately informed about the use of cookies, the specific purposes of cookies that justify the collection of personal data through cookies, the retention periods, and whether or not there is any sharing of personal information with third parties.

(C) How to provide information to users on a cookie consent banner?

A cookie banner is a visual feature that is designed to provide information about the use of cookies in a summarized, simple and direct manner. The cookie consent banner ensures that users have greater control with respect to the processing of their personal data by allowing them to consent to certain types of cookies. A cookie banner should be designed in compliance with the LGPD’s principles and obligations for handling personal data.

The ANPD encourages a layered information format for the cookie consent banner:

• The first information layer of the cookie consent banner should consist of the following:
  • an “Accept All Cookies” option;
  • a “Reject All Cookies” option; and
  • a “Manage Cookies” option whereby the user is directed to the second information layer of the consent banner consisting of simple, accessible and detailed information about the use of cookies, such as their specific purposes and retention periods, and how they can be blocked (Cookie Policy).

Both the ‘Accept All Cookies’ and ‘Reject All Cookies’ options must be equally prominent and accessible for the user. Consent-based cookies and non-essential cookies should be disabled by default.

• The second information layer is the detailed Cookie Policy of the company. It should provide the following information:
  • description of cookie categories according to their uses and purposes;
  • the purpose of each cookie category in a simple, clear and accurate manner;
  • information regarding the potential sharing of user data with third parties;
  • granular opt-in and opt-out options for different categories of cookies. However, the ANPD has warned that a list of cookies that is too granular may be difficult for the user to understand, and it may lead to consent fatigue. Further, an excessive amount of data collection would also not be appropriate;
  • the information on how cookies can be blocked using browser settings. If a particular cookie category cannot be disabled / blocked through the browser settings, the data subject must be informed about it;
  • the information on how data subjects can exercise their rights in relation to cookies, such as the right to know more details about how data is used, the right to deletion of data, the right to object to data processing, and the right to revoke consent; and
  • the data retention periods.

(D) Is legitimate interest an appropriate legal basis for the use of cookies?

Legitimate interests of the data controller can be considered an appropriate legal basis for the processing of data of non-sensitive nature, only if the rights and freedoms of data subjects do not prevail over the legitimate interests of the controller. The controller’s interests shall only be considered legitimate if they are in compliance with the applicable legal and regulatory requirements. When relying on legitimate interest as the basis of data processing, the controller should adopt appropriate technical and organizational measures to ensure secure processing and transparency for data subjects.

In the context of the use of cookies, the ANPD has clarified that legitimate interests is an appropriate legal basis under the following circumstances:

• for the use of cookies that are considered strictly necessary or essential to provide the service or functionality of a website or platform;
• for the use of audience measurement cookies (analytical or measurement cookies), provided the following conditions are met:
  • the processing is limited to the specific purpose of identifying patterns and trends based on aggregated data, and not combined with other tracking mechanisms or user profiling;
  • no personal information is shared with third parties;
  • no user profiles are created; and
  • the privacy risks to data subjects are minimal.

In any situation of relying upon legitimate interests as a legal basis for data processing, the data controller must ensure that the fundamental rights and freedoms of data subjects do not prevail over its legitimate interests. The controller should ensure that the data subject could anticipate such use of their data, at the time of collection thereof, based on the information provided by the controller. Also, the data subject has the right to object to the processing based on the legitimate interests of the data controller, in case of non-compliance with the requirements of the LGPD, and in such instances, the data controller must stop the data processing.

(E) What data protection principles are relevant in the context of cookies?

The collection of information through cookies can be considered as processing of personal data and therefore, is under the protection of the LGPD. Regardless of the types of cookies used, organizations must ensure that they adhere to key data protection principles, including the following:

• Transparency: the ANPD has emphasized the importance of user transparency, i.e. keeping the data subject informed of data collecting and processing practices by providing clear, precise and easily accessible and understandable information. This information can be provided via cookie consent banners, cookie policies and privacy policies;
• Principle of necessity and purpose limitation: the principle of necessity requires organizations to collect the data relevant and limited to what is necessary for the purposes for which it is processed. Purpose limitation, on the other hand, requires organizations to process personal data only for specified, explicit and legitimate purposes;
• Storage limitation: the ANPD emphasizes that data retention periods in relation to cookies must be limited to what is strictly necessary to achieve the purposes of the cookies. In this regard, data controllers are required to delete personal data after it is no longer required for the purposes it was collected for; and

• Data subjects’ rights fulfillment: in the context of cookies, the data subject has the right to revoke consent at any time that is granted for the use of non-essential cookies. The data subject also has the right to access their personal information collected through cookies.

(F) How to demonstrate compliance with the consent requirements?

In order to be able to demonstrate compliance with the consent requirements of the LGPD and the ANPD Guidelines on the use of cookies, the data controller must maintain adequate records and documentation of consent.

Our experts at Securiti continue to closely monitor any legal developments in order to help you prepare for compliance. Securiti’s Cookie Consent Management Solution helps you comply with Brazil’s cookie guidance by ensuring:

• advanced opt-in cookie consent banner for Brazil with equally prominent accept and reject options of equal sizes, fonts, colors and formats;
• unchecked consent for non-essential cookies by default;
• the ability to add privacy policy URL on consent banners;
• consent preference center allowing granular consent opt-ins and opt-outs;
• adequate and updated consent records, including individual consent records, the content the data subject has consented to, consent status (granted, declined or withdrawn) and timestamps of consent status;
• simple, accessible and detailed information for users on the use of cookies can be stated on consent banners and preference centers, such as their specific purposes and retention periods, how data subjects can exercise their rights in relation to cookies, and cookies may be blocked / disabled; and
• the ability to scan local storage, session storage, tracking pixels, and web beacons in addition to just cookies in order to be prepared for the post third-party cookie world.

Ask for a DEMO to understand how we can help you comply with global data privacy laws.