On 18 October, the Brazilian National Data Protection Authority (ANPD) published its Guide on “Cookies and Personal Data Protection”, which is aimed at both processing agents and rights holders.
This post provides some background on Cookies and how they are currently regulated by the ANPD. It also provides a brief discussion of the novelties brought by the new Guide on Cookies and Personal Data Protection.
To get started… what are Cookies?
Cookies can be described as small text files that websites place on your device as you are browsing and accessing a website. These are processed and stored by your web browser.
Cookies have become increasingly important to businesses since they provide useful information of user’s online activity (the type of content viewed, language, time, duration, etc.).
Cookies are classified based on numerous factors, such as their duration and provenance. They may be temporary or permanent in nature and placed on your device by a first or third party (the first party in this case being the website you are visiting).
Further, Cookies are also classified based on their purpose. Some types are essential for the operation of a website, while others are used solely for analytical, tracking and marketing purposes.
Cookies can often store large amounts of information, which may be sufficient to identify a specific user without their consent.
The LGPD and Cookies
Firstly, it can be noted that the LGPD has many similarities to the General Data Protection Data Regulation (Regulation (EU) 2016/679), also known as the “GDPR”.
The Brazilian Data Protection Law (LGPD) now provides for a broad definition of personal data Following the approach in the GDPR, most Cookies will fall under its remits (unless the user is not identifiable or where the relevant data stays completely anonymous).
By way of example, under the law, the purpose for which the data is collected and processed must be legitimate and strictly necessary, and the data subject must be informed of such purpose.
The onus is on the company using the Cookies to show there is a specific legal basis for collecting the data, and where no such basis exists, user consent will be required. The data subject may revoke such consent at any time.
The new ANPD Guide on Cookies and Personal Data Protection
The guide also highlights the provisions of the LGPD that are relevant to the collection of personal data through Cookies, and provides useful guidance on the elaboration of Cookie policies and banners. Finally, it provides several illustrative examples of what should or should not be done in relation to Cookies, for example how these should be used on e-commerce, educational and public sector sites.
This Guide is now open to further comments, contributions and suggestions, which may be sent to the ANPD through the Fala.BR Platform.
Get in touch with us!
Was this information useful? Do you have any doubts on Brazilian IP and Tech issues? Just let us know. We will be glad to answer your questions.