National Data Protection Authority publishes guidelines on “Cookies and Personal Data Protection”
On October 18, 2022, the National Data Protection Authority (“ANPD”) published an orientation guide on “Cookies and personal data protection” (“Guide”). The material aims to provide a general overview of this technology, including the main concepts and classifications of cookies, as well as to guide processing agents (controllers and processors) on the good practices and requirements that must be observed to comply with the General Data Protection Law (Federal Law No. 13,709/2018 – “LGPD”).
In the Guide, cookies are defined as “files installed on a user’s device that allow the collection of certain information, including personal data in some situations, in order to meet different purposes”, such as ensuring that websites work properly and securely, identifying users, displaying personalized advertisements, or measuring the effectiveness of an electronic page. The main categories of cookies are also presented, on a non-exhaustive basis, according to the following criteria:
- Entity responsible for management: (i) own or first-party cookies; or (ii) third-party cookies;
- Necessity: (i) necessary cookies; or (ii) unnecessary cookies;
- Purpose: (i) analytical or performance cookies; (ii) functionality cookies; or (iii) marketing cookies;
- Information retention period: (i) session or temporary cookies; or (ii) persistent cookies.
In this sense, the Guide clarifies that it is possible for the same cookie to fall into more than one of these listed categories.
Therefore, depending on the case, it is more appropriate to rely on the consent of the data subject (which must be free, informed and unambiguous) when personal data are collected by “non-essential cookies” (i.e., cookies related to functionalities that are not essential for the proper performance of the services or the functioning of the website), for example for displaying advertisements. However, it is important to note that the proper legal basis for non-essential cookies will be defined in accordance with the purpose and the context of the processing activities, so consent is not the only applicable legal hypothesis.
On the other hand, in cases where “essential cookies” are used, the ANPD recommends that data processing take place based on legitimate interest, as it can be considered as a way of supporting and promoting the controller’s activities and providing services for the benefit of the data subject.
In addition, in order to comply with the principles of the LGPD, it is also recommended to prepare a Cookies Policy, or equivalent document, that makes detailed, clear, accurate and easily accessible information about the processing of their data through cookies available to data subjects, including, but not limited to, the processing purposes, the retention period, and whether data is shared with third parties, among other points provided for in art. 9 of the LGPD.
Finally, it is important to note that compliance with the ANPD guidelines provided in the Guide does not exempt processing agents from complying with other LGPD requirements, nor from adopting the necessary measures to protect the rights of data subjects.
In case of any doubts about this subject, please do not hesitate to contact us.
Paula Mena Barreto