The National Data Protection Authority (“ANPD”) has just released its Guide on Cookies and Personal Data Protection. The regulation is relevant topic as it addresses a technology widely used for collecting and processing data in digital environments.
Among the information that can be processed by these files that are able to collect data – the so-called Cookies, there is personal data, which is where the ANPD’s concern with the subject comes in. This type of file can be used for various purposes, such as remembering choices previously made by that user (i.e., password or login), measuring the audience of a particular site, and other activities. To create this “memory,” cookies may need to store personal data – identifying individuals directly or crossing data, which allows indirect identification, which is precisely what causes the General Data Protection Law (“LGPD”) to apply.
The ANPD deals with the concept of cookies in its Guide, by presenting a classification of different types (i.e., first-party cookies, third-party cookies, necessary cookies, analytical cookies, functionality cookies). Additionally, it addresses the principles applicable to the processing carried out through them, more specifically – the principles of purpose, necessity and adequation, and of free access and transparency, as well as detailing the rights of the holder applicable when using them and how to guarantee them.
Moreover, the guide includes a topic that specifically addresses the legal hypotheses that would be potentially applicable when using cookies, which are those of consent and legitimate interest and detail the particularities of each of these hypotheses within this context.
Furthermore, the ANPD makes specific guidelines on Cookie Policies, suggesting that they be made available: (i) as a specific section of the Privacy Notice; (ii) in a specific and separate location; or (iii) in the cookie banner itself, while always respecting the necessary transparency, concerning data processing: “most importantly is that clear, accurate, and easily accessible information is made available on the use of cookies and the collection of personal data, regardless of the mechanism adopted.”
The guide characterizes cookie banners as a realization of principles and rights provided for in the LGPD, since they can be a way of enforcing the rights and principles of law. Thereby, it determines a series of good practices relating to these banners, as well as lists of practices that are not recommended.
Among the best practices, the ANPD suggests the description of the categories of cookies, in accordance with their uses and purposes; the presentation of simple, clear, and accurate descriptions and information regarding these purposes; the permission to obtain consent for each specific purpose, according to the categories identified in the banner, when applicable; and the disabling of consent-based cookies by default. Some of the practices that are not recommended are making it difficult to manage cookies (i.e. not making specific management options for cookies that have different purposes available); only presenting policy information in a foreign language; presenting a list of cookies that is overly detailed, generating an excessive amount of information, which can make it difficult to understand and can lead to fatigue, not allowing the holder to express their clear and positive will; linking consent to complete acceptance of the conditions of use of cookies without providing effective options to the holder.
The Authority reinforces that the Guide will be open for comments and contributions from the civil society, which can be sent to the ANPD Ombudsman through the Plataforma Fala.BR. The complete Guide can be accessed through this link.