On 18 October, the Brazilian National Data Protection Authority (ANPD) published its Guide on “Cookies and Personal Data Protection”, which is aimed at both processing agents and rights holders.
This post provides some background on Cookies and how they are currently regulated by the ANPD. It also provides a brief discussion of the novelties brought by the new Guide on Cookies and Personal Data Protection.
To get started… what are Cookies?
Cookies can be described as small text files that websites place on your device as you are browsing and accessing a website. These are processed and stored by your web browser.
Cookies have become increasingly important to businesses since they provide useful information of user’s online activity (the type of content viewed, language, time, duration, etc.).
Cookies are classified based on numerous factors, such as their duration and provenance. They may be temporary or permanent in nature and placed on your device by a first or third party (the first party in this case being the website you are visiting).
Further, Cookies are also classified based on their purpose. Some types are essential for the operation of a website, while others are used solely for analytical, tracking and marketing purposes.
Cookies can often store large amounts of information, which may be sufficient to identify a specific user without their consent.
The LGPD and Cookies
Firstly, it can be noted that the LGPD has many similarities to the General Data Protection Data Regulation (Regulation (EU) 2016/679), also known as the “GDPR”.
In Brazil, the use of Cookies was previously regulated by Law 12.965 (known as the Brazilian Internet Law). While Cookie practices were considered legal, the user already had to be informed in a clear and precise manner. Further, express consent in advance was required for the “third party type Cookies”.
The Brazilian Data Protection Law (LGPD) now provides for a broad definition of personal data Following the approach in the GDPR, most Cookies will fall under its remits (unless the user is not identifiable or where the relevant data stays completely anonymous).
The use of Cookies in Brazil requires carefully considering the rules in the LGPD, including the principles of purpose, adequacy, free access, quality, necessity, security, prevention, non-discrimination, and accountability (in Article 6).
By way of example, under the law, the purpose for which the data is collected and processed must be legitimate and strictly necessary, and the data subject must be informed of such purpose.
The onus is on the company using the Cookies to show there is a specific legal basis for collecting the data, and where no such basis exists, user consent will be required. The data subject may revoke such consent at any time.
The new ANPD Guide on Cookies and Personal Data Protection
The new guide on “Cookies and Personal Data Protection” provides information for data processing agents and rights holders on the best practices to be followed in relation to the use of Cookies. In this sense, the ANPD sets out useful information regarding the concept of Cookies and the types of categories in which they can be classified.
The guide also highlights the provisions of the LGPD that are relevant to the collection of personal data through Cookies, and provides useful guidance on the elaboration of Cookie policies and banners. Finally, it provides several illustrative examples of what should or should not be done in relation to Cookies, for example how these should be used on e-commerce, educational and public sector sites.
This Guide is now open to further comments, contributions and suggestions, which may be sent to the ANPD through the Fala.BR Platform.
Get in touch with us!
Was this information useful? Do you have any doubts on Brazilian IP and Tech issues? Just let us know. We will be glad to answer your questions.