Brazilian Data Protection Authority issues cookie guidelines | Insights and Events

0

The Brazilian Data Protection Authority (ANPD) recently issued non-binding cookie guidelines. Controllers are advised to implement guidelines on the following topics:

  • Cookie Notice
    • A specific cookie notice is recommended, informing individuals about the categories of cookies, their purposes, third parties involved, retention period, data subject rights and other requirements under the LGPD. Nevertheless, it is not prohibited to include a topic relating to cookies in a general privacy statement.
    • The cookie notice should have a specific topic on how individuals can block, disable or delete cookies through their own web browsers.
    • If there is a cookie notice, a Portuguese version of it is required.
  • Cookies Banners
    • First and second level cookie banners must be set up.
    • The top-level banner (user-facing banners in landing pages) must:
      • Grant users the option to totally reject or accept non-essential cookies. The approve click button should not be more prominent than the reject option.
      • Include a link to the second level cookie banner.
      • Have a very brief statement about the controller’s use of cookies.
    • The second level banner (opened via the first level banner) must:
      • Grant users the ability to approve or reject each category/purpose of non-essential cookies (granularity).
      • Provide concise information on the purposes/categories of cookies to be allowed. Broader information should be presented in the cookie notice (not in long cookie banners)
      • Non-essential cookies should be rejected by design.
      • Contain a link to the cookie notice (or to a privacy notice that encompasses a specific topic for cookies).
    • Banners should be continuously displayed to users, even after they have consented to such collection, as data controllers should allow data subjects to withdraw consent at any time (consent can be withdrawn as easily as it has been given).
    • If there is a cookie banner, a Portuguese version of it is required.
  • Legal bases
    • According to the ANPD:
      • Legitimate interest is the appropriate legal basis for essential cookies.
        • However, essential cookies are generally necessary for the performance of contracts with data subjects. Therefore, legitimate interest may not be the most appropriate legal basis for this purpose.
      • Consent is the appropriate legal basis to rely on for the purpose of collecting personal data from non-essential cookies. Under the LGPD, consent must be given freely, knowingly and unambiguously.
        • However, as with legitimate interest, the ANPD’s choice of consent as the appropriate lawful basis for non-essential cookies may not be entirely appropriate in light of the LGPD’s legitimate interest alternative. Controllers should bear in mind any precedent that may be created by choosing consent as the appropriate legal basis, particularly for marketing and advertising purposes.
      • In light of the above, a specific and documented legal basis assessment is highly recommended.
  • Responsibility
    • Once controllers decide to rely on consent, approval of cookie banners should be documented. In addition, any cookie must be disabled upon withdrawal of consent.
    • If the controller is relying on a legitimate interest, a legitimate interest assessment is recommended by the ANPD.
    • If the legitimate interest is used for marketing and advertising purposes, as large scale profiling and processing is likely to be involved (i.e. any processing activity that may result in high risk to the rights and freedoms of individuals), an impact on data protection an assessment is also recommended.
Share.

Comments are closed.