November 03, 2022

Brazilian Data Protection Authority Issues Guidance on Cookies


The Brazilian Data Protection Authority (ANPD) recently issued non-binding guidance on cookies. Controllers are advised to implement the directives on the following topics:

  • Cookies Notice
    • A specific cookies notice is recommended, informing individuals about categories of cookies, their purposes, third parties involved, retention period, data subjects' rights and other requirements under the LGPD. Nonetheless, including a cookie topic in a general privacy notice is not forbidden.
    • The cookies notice should have a specific topic about how individuals may block, disable or delete cookies through their own web browsers.
    • If there is a cookies notice, a Portuguese version of it is required.
  • Cookies Banners
    • First- and second-level cookies banners should be implemented.
    • First-level banner (user-facing banners in landing pages) should:
      • Grant users the ability to fully reject or consent to non-essential cookies. The approval click button should not be more prominent than the rejecting option.
      • Include a link to the second-level cookie banner.
      • Have a very brief statement about the use of cookies by the controller.
    • Second-level banner (opened through the first-level banner) should:
      • Grant users the ability to approve or reject each category/purpose of non-essential cookies (granularity).
      • Provide concise information about the purposes/categories of cookies to be allowed. Broader information should be set forth in the cookies notice (and not in long cookie banners).
      • Non-essential cookies should be rejected by design.
      • Contain a link to the cookies notice (or to a privacy notice that encompasses a specific topic for cookies).
    • Banners should be continuously shown to the users, even after they have consented to such collection, because controllers must allow the data subjects to withdraw their consent at any time (consent may be withdrawn as easily as it was given).
    • If there is a cookies banner, a Portuguese version of it is required.
  • Lawful Bases
    • According to the ANPD:
      • Legitimate interest is the proper lawful basis for essential cookies.
        • However, essential cookies are generally necessary for the performance of contracts with the data subjects. Therefore, legitimate interest actually may not be the most suitable lawful basis for such purpose.
      • Consent is the proper lawful basis to rely on for the purposes of collecting personal data from non-essential cookies. Under the LGPD, consent must be freely given, informed and unambiguous.
        • However, as with the legitimate interest, ANPD’s choice for consent as an appropriate lawful basis for non-essential cookies may not be entirely suitable in light of the LGPD’s legitimate interest alternative. Controllers should bear in mind any precedent that may be created from choosing consent as the appropriate lawful basis, especially for marketing and advertising purposes.
      • In light of the above, a specific and documented lawful bases assessment is highly recommended.
  • Accountability
    • Once controllers decide to rely on consent, approval on cookie banners must be documented. Also, any cookie should be disabled upon consent withdrawal.
    • If the controller relies on legitimate interest, a legitimate interest assessment is recommended by the ANPD.
    • If legitimate interest is used for the purposes of marketing and advertising, given that profiling and large-scale processing are likely involved (i.e., any processing activity likely to result in a high risk to the rights and freedoms of individuals), a data protection impact assessment is also recommended.
