On 18th October 2022, the National Data Protection Authority (“ANPD”) of Brazil published guidelines on the use of cookies, titled Cookies and Protection of Personal Data (the “Guidelines”). Cookies are files installed on a user’s device, which allow the collection of information, including personal information, about the user, for various purposes, such as identification of a user before a transaction, ‘remembering’ past choices of the user, or advertising.
This article provides an overview of the Guidelines that will help companies design and implement adequate cookie consent banners and ensure compliance with the consent requirements of Brazil’s General Data Protection Law (the “LGPD”). It is important to note that collecting personal user data without lawful grounds constitutes a violation of the users’ rights under the LGPD.
For your ease, we have divided the overview of the Guidelines into the following key sections:
Under the LGPD, consent is considered to be required for the use of non-essential cookies. Such consent must be freely given, informed and unambiguous. This requires organizations to ensure the following:
The ANPD has emphasized the importance of user transparency, i.e., keeping the data subject informed of data collection and processing practices by providing clear, precise, easily accessible and easily understandable information to the data subject. This information can be provided to the data subject via cookie consent banners, cookie policies and privacy policies. A cookie policy, consisting of detailed information on the categories of cookies, may be presented in a specific section within the main privacy policy of the website, separately in a specific location, or in the cookie banner.
Regardless of the mechanism used, the data subjects must be adequately informed about the use of cookies, the specific purposes of cookies that justify the collection of personal data through cookies, the retention periods, and whether or not there is any sharing of personal information with third parties.
A cookie banner is a visual feature that is designed to provide information about the use of cookies in a summarized, simple and direct manner. The cookie consent banner ensures that users have greater control with respect to the processing of their personal data by allowing them to consent to certain types of cookies. A cookie banner should be designed in compliance with the LGPD’s principles and obligations for handling personal data.
The ANPD encourages a layered information format for the cookie consent banner:
Both the ‘Accept All Cookies’ and ‘Reject All Cookies’ options must be equally prominent and accessible for the user. Consent-based cookies and non-essential cookies should be disabled by default.
Legitimate interests of the data controller can be considered an appropriate legal basis for the processing of data of non-sensitive nature, only if the rights and freedoms of data subjects do not prevail over the legitimate interests of the controller. The controller’s interests shall only be considered legitimate if they are in compliance with the applicable legal and regulatory requirements. When relying on legitimate interest as the basis of data processing, the controller should adopt appropriate technical and organizational measures to ensure secure processing and transparency for data subjects.
In the context of the use of cookies, the ANPD has clarified that legitimate interests is an appropriate legal basis under the following circumstances:
In any situation where legitimate interests are relied upon as a legal basis for data processing, the data controller must ensure that the fundamental rights and freedoms of data subjects do not prevail over its legitimate interests. The controller should ensure that, based on the information the controller provided, the data subject could have anticipated such use of their data at the time it was collected. Also, the data subject has the right to object to the processing based on the legitimate interests of the data controller, in case of non-compliance with the requirements of the LGPD, and in such instances, the data controller must stop the data processing.
The collection of information through cookies can be considered as processing of personal data and therefore, is under the protection of the LGPD. Regardless of the types of cookies used, organizations must ensure that they adhere to key data protection principles, including the following:
Data subjects’ rights fulfillment: in the context of cookies, the data subject has the right to revoke, at any time, consent granted for the use of non-essential cookies. The data subject also has the right to access their personal information collected through cookies.
In order to be able to demonstrate compliance with the consent requirements of the LGPD and the ANPD Guidelines on the use of cookies, the data controller must maintain adequate records and documentation of consent.
Our experts at Securiti continue to closely monitor any legal developments in order to help you prepare for compliance. Securiti’s Cookie Consent Management Solution helps you comply with Brazil’s cookie guidance by ensuring:
Maria Khan is an IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.
Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.