National Data Protection Authority publishes guidelines on “Cookies and Personal Data Protection” 31 out 2022

National Data Protection Authority publishes guidelines on “Cookies and Personal Data Protection”

On October 18, 2022, the National Data Protection Authority (“ANPD”) published an orientation guide on “Cookies and personal data protection” (“Guide”). The material aims to establish a general scenario about this technology, including the main concepts and classifications of cookies, as well as guide processing agents (controllers and processors) on good practices and requirements that must be observed to comply with the General Data Protection Law (Federal Law No. 13,709/2018 – “LGPD”).

In the Guide, cookies are defined as “files installed on a user’s device that allow the collection of certain information, including personal data in some situations, in order to meet different purposes”, such as ensuring that the websites work properly and securely, identifying users, displaying personalized advertisements, or measuring the effectiveness of an electronic page. The main categories of cookies are also presented, in a non-exhaustive basis, according to the following criteria:

  • Entity responsible for management:

(i) own or first-party cookies; or (ii) third party cookies;

  • Necessity: (i) necessary cookies; or (ii) unnecessary cookies;
  • Purpose: (i) analytical or performance cookies; (ii) functionality cookies; or (iii) marketing cookies;
  • Information retention period:

(i) session or temporary cookies; or (ii) persistent cookies.

In this sense, the Guide clarifies that it is possible for the same cookie to fall into more than one of these listed categories.

Regarding the LGPD requirements applicable to the processing of personal data obtained through cookies or other online tracking technologies, it is highlighted the importance of observing the principles of purpose, necessity, adequacy, free access and transparency, in addition to the rights of the data subjects, through the provision of a mechanism for the “management of cookies”. Through this tool, it is possible to disclose information about the use of cookies (for example, the ways of deleting or disabling them), as well as allowing previously granted permissions to be revoked, thus permitting data subjects to understand and be able to directly control the use of their personal data.

One of the main doubts clarified in the Guide to data processing agents is about the legal bases applicable to the use of cookies. In this context, the ANPD understands that consent and legitimate interest are the most common and relevant legal hypotheses in relation to cookies, although it should be noted that the other legal bases provided for in the LGPD may also be used eventually to support the processing of data, depending on the purpose and context of the processing activities.

Therefore, it is more appropriate to be based on the consent of the data subject – which must be free, informed, unambiguous -, depending on the case, when personal data are collected by “non-essential cookies” (i.e., which are related to non-essential functionalities for the proper performance of the services or the functioning of the website) for displaying advertisements, for example. However, it is important to note that the proper legal basis for non-essential cookies will be defined in accordance with the purpose and the context of the processing activities, so consent is not the only applicable legal hypothesis.

On the other hand, in cases where “essential cookies” are used, the ANPD recommends that data processing take place based on legitimate interest, as it can be considered as a way of supporting and promoting the controller’s activities and providing services for the benefit of the data subject.

In addition, in order to comply with the principles of the LGPD, it is also recommended to prepare a Cookies Policy, or equivalent document, in which detailed, clear, accurate and easily accessible information about the processing of their data through cookies is made available to the data subject, including, but not limited to, the processing purposes, retention period, if there is sharing with third parties, among other points provided for in art. 9 of the LGPD.

The ANPD also emphasizes that “cookie banners” are a relevant tool to inform users in a summarized, simple, and direct way about the use of cookies, as well as to allow the data subject to have greater control over their data. In this sense, the Guide provides visual examples, guidelines to be followed, as well as non-best practices, such as making the “opt-out” button more difficult to see than the “opt-in”, not providing the option to opt out of non-essential cookies or not providing the Cookie Policy in Portuguese.

Finally, it is important to note that compliance with the ANPD guidelines provided in the Guide does not exempt processing agents from complying with other LGPD requirements, nor from adopting the necessary measures to protect the rights of data subjects.

In case of any doubts about this subject, please do not hesitate to contact us.



Main Contact:

Paula Mena Barreto