As companies were required to bring themselves into compliance with the Brazilian General Data Protection Act (Lei Geral de Proteção de Dados Pessoais, or LGPD), a flood of new notices appeared on hundreds of Brazilian websites about so-called cookies: files installed on the user's device that allow information about users to be collected and that can, in some cases, be used to track their behavior.
Because of their technical characteristics, cookies play a key role on the Internet. They enable websites to operate and online services to be provided, and they can help improve the user experience while supporting countless business models. To perform these functions, however, they involve the processing of personal data, and this requires special attention.
The truth is that cookie notices appeared in Brazil even before the LGPD was in force, inspired by a specific rule (the e-Privacy Directive) that Europe adopted years ago for this collection method, even though our law differs from the European framework.
All this raised many questions. For example, in recent months Brazilian companies have often wondered whether or not they needed a cookie notice at all. Critics were also heard, with opinions against the mechanism.
The point, however, is not to eliminate cookies but to strengthen the balance between business development and the protection of privacy and personal data. This guideline has always been present in the historical data protection documents and is expressly reinforced by the list of grounds set out in Art. 2° of the LGPD.
Then, at a very opportune moment, came the new Guide on Cookies and Protection of Personal Data from the National Data Protection Authority (ANPD). The guide presents an overview of the subject, sets out the main concepts and categories of cookies, and examines the most common legal bases for processing and the requirements to be observed when using cookies, such as strengthening transparency measures by publishing a policy. The document remains open for public consultation, which demonstrates the democratic approach of the ANPD.
Classification of Cookies
Reinforcing the recommendations of the specialized literature and what practice reveals, the guide provides clear and useful criteria for classifying cookies, separating them according to:
- The entity responsible for managing them: first-party, when set directly by the site visited, or third-party, when set by a different domain.
- Necessity: necessary, when used to ensure the site's functionalities, or not necessary, when disabling them does not prevent the site from operating.
- Purpose: analytical or performance, when they aim to identify how the site is used; functionality, when used to provide basic services to the user; or advertising, when used to display ads.
- Retention period: session or temporary, when they collect and store information only while the data subject is accessing the site, or persistent, when stored for a defined period.
It is worth noting that the guide singles out cookies that can make the user identifiable, because they contain personal data and are therefore relevant to privacy regulation.
Cookies that store only information that neither identifies the user nor makes them identifiable (anonymous data only) fall outside the scope of the LGPD and, consequently, are not subject to the ANPD guidelines.
Use of Cookies and the LGPD
The ANPD reinforces that the use of cookies that identify users falls within the scope of the LGPD and must follow its provisions.
In a highly didactic way, the Authority explains how this should be done, highlighting the need to observe the principles of the legislation when collecting and using information, such as the principles of purpose, necessity and adequacy, free access, the rights of the data subject, the period of processing and deletion of personal data, and transparency, among others. The ANPD provides practical examples of how to meet these criteria.
Transparency, as expected, receives special attention. Ensuring the clarity and completeness of the information about cookies is a governance measure to be pursued constantly.
The ANPD also shows caution in this regard, recommending that companies redouble their attention to the subject in order to mitigate the risk of sanctions.
As the Authority itself points out in the Guide, "one of the potential problems related to the use of cookies is the lack of transparency, that is, the lack of clear, accurate and easily accessible information about the collection and the processing carried out, which may prevent or unduly restrict the data subject's control over his/her personal data. Privacy risks can be magnified in situations where lack of transparency is associated with practices of collecting massive amounts of personal information for the purpose of identifying, tracking, and creating behavioral profiles of users."
The publication also highlights the concern to give effect to the principle of informational self-determination (Art. 2°, I, LGPD) in relation to cookies.
Accordingly, the data subject must be given the ability to manage cookie preferences, with the option to disable those that are not necessary for the site's operation, which includes, for example, third-party and advertising cookies.
This information should be made available through the cookie notice or banner already widely used by websites, with more detailed information in the privacy policy or notice or in a specific cookie policy.
The ANPD stresses that the data subject must be informed, clearly and simply, of the processing purposes for which cookies are collected and for how long they will be stored. According to the Authority, the purposes for using cookies must be specific rather than generic, as happens with requests to accept general terms and conditions. Storage periods must be defined and proportionate to the processing purposes, and necessarily compatible with the LGPD.
In this sense, the Authority explains in its Guide, "if the person responsible for the website informs the data subject that it uses cookies for the purpose of audience measurement only, it may not use the information collected for purposes other than, and not compatible with, that purpose, such as building profiles and displaying advertisements."
Consent or legitimate interest?
On another cookie-related question, the ANPD delimited somewhat further the standard to be followed in identifying the legal bases applicable to such files. The Authority identifies consent and legitimate interest as the two most common legal bases,[1] reaffirming its understanding that there is no hierarchy between legal bases.
Consent, following LGPD standards, must be free, informed and unambiguous. That is, the data subject must be genuinely free to choose whether or not the data is collected; complete information about what data is collected and all the circumstances of processing must be provided; and consent must be obtained without any doubt about the data subject's expression of willingness to agree.
For non-necessary cookies (since the necessary ones will rely on other bases, in particular legitimate interest and compliance with a legal obligation), the data subject must be given all information about the cookies collected on the page and offered the choice of authorizing their collection or not.
In practice, the data subject must be assured of a genuine possibility of accepting or refusing the use of cookies, without negative consequences or interventions by the controller that might vitiate or impair the expression of will, so that it is no longer truly free.
Since consent cannot be tacit, cookie notices or banners with pre-selected authorization options cannot be used.
The data subject must also be able to revoke consent in a simple and free manner. According to the ANPD, "a simplified and free procedure should be made available to the data subject to revoke the consent given for the use of cookies, similar to the procedure used to obtain it."
Regarding legitimate interest, the ANPD stresses that it can be used for strictly necessary cookies, which the Authority considers to be those that "are essential for the proper provision of the service or for the operation of the website, which can be understood as a form of support and promotion of the controller's activities and the provision of services that benefit the data subject (Art. 10, I and II, LGPD)".
According to the Authority, in line with the best market practices to date, this essentiality should "consider the peculiarities of each specific situation and assess whether, in this case, the rights and interests of the data subjects do not prevail, in compliance with the other applicable legal requirements".
In other words, governance decisions that assert legitimate interest generically may be challenged. This basis is therefore not a blank check for the use of any cookie. The specific preparation and documentation of an LIA (Legitimate Interest Assessment) is essential for decision-making and for the accountability documentation expected by law.
Based on the idea that a case-by-case analysis will reveal whether legitimate interest is a viable legal basis or not, the ANPD stresses that "the use of cookies for audience measurement purposes can be based on the legal hypothesis of legitimate interest in certain contexts, observing, in any event, the requirements laid down in the LGPD. In particular, it is reasonable to assume that audience measurement will be a legitimate interest of the controller, and that the risks to the privacy of data subjects will be minor when the processing is limited to the specific purpose of identifying patterns and trends, based on aggregated data and without combination with other tracking mechanisms or the formation of user profiles."
Cookie Policy
The ANPD dedicates a substantial part of the guide to recommendations on the structure and content expected of the cookie policy or equivalent document, such as a banner, to ensure the necessary transparency.
The cookie policy may be included as a specific section of the privacy notice, in a specific and separate location, or in the cookie banner itself. Regardless of the format adopted, the data subject must be informed how collection is carried out and for what purpose. The main point is to ensure that this information actually reaches the user. The guidelines of ABNT ISO IEC 29.184/2021 on this matter are relevant.
In addition, the data subject must be able to give consent to cookies that cannot be enabled in advance, through the options "accept all cookies", "reject non-necessary cookies" and "manage/select cookies". The data subject must also be able to revoke consent, which can be done through a second-level banner.
The guide expressly sets out the following guidelines for the cookie banner, including a number of practical examples:
- all buttons (reject, accept and manage cookies) must be the same size;
- cookies cannot be enabled by default;
- all information should be presented to data subjects in a clear and simplified manner; and
- the options for choosing cookies should be simple and easy for the data subject to adjust.
To comply with the principle of transparency and the rules of Article 9 of the LGPD, the cookie policy and the privacy notice must be easily accessible to the data subject (for example, as a hyperlink included in the banner), written in Portuguese, must present which categories of cookies are collected and for what purposes, and must provide information on how to block cookies through browser settings.
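To make the banner rules above concrete, the following is an added example, not code from the ANPD guide or from the article: a small consent gate in JavaScript in which non-necessary cookies are off by default, consent is given only through the three options described (accept all, reject non-necessary, manage), and revocation is a single call that clears whatever the consent covered. The cookie names, their categories and the in-memory jar standing in for document.cookie are assumptions made for the example.

```javascript
// Added example: consent gate modelled on the ANPD banner rules described above.
// Cookie names and categories are assumptions; `jar` stands in for document.cookie
// so the logic can run outside a browser.
const COOKIE_CATALOG = {
  session_id:   { category: "necessary",   thirdParty: false },
  analytics_id: { category: "analytics",   thirdParty: false },
  ad_tracker:   { category: "advertising", thirdParty: true },
};
const OPTIONAL = ["analytics", "advertising"];   // every category except "necessary"

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;
    this.choices = this.defaultChoices();   // nothing pre-selected on first visit
  }
  // Every non-necessary category starts (and, after revocation, returns) to "off".
  defaultChoices() {
    return Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  }
  // The three banner options. Each applies the choice and immediately purges
  // any cookie that the new state no longer permits.
  acceptAll()          { this.apply(Object.fromEntries(OPTIONAL.map((c) => [c, true]))); }
  rejectNonNecessary() { this.apply(this.defaultChoices()); }
  manage(partial)      { this.apply({ ...this.defaultChoices(), ...partial }); }
  // Revocation is one call, mirroring the way consent was granted.
  revoke()             { this.rejectNonNecessary(); }

  apply(choices) {
    for (const c of Object.keys(choices)) {
      if (!OPTIONAL.includes(c)) throw new Error(`unknown cookie category: ${c}`);
    }
    this.choices = { ...this.defaultChoices(), ...choices };
    this.purge();
  }
  // A cookie may be set only if it is necessary or its category was opted in.
  allowed(name) {
    const meta = COOKIE_CATALOG[name];
    if (!meta) return false;                  // cookies not in the catalog are never set
    return meta.category === "necessary" || this.choices[meta.category] === true;
  }
  set(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
  // Drop anything the current choices no longer permit (called on every change).
  purge() {
    for (const name of [...this.jar.keys()]) if (!this.allowed(name)) this.jar.delete(name);
  }
}
```

In a real site the catalog would be the source of truth for the cookie policy's category table as well, so that what the banner offers and what the page actually sets cannot drift apart.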
Final comments
The guide has an educational bias that deserves praise and reinforces how much the ANPD represents a success story in this respect. The publication corroborates the guiding stance adopted by the Authority, which seeks to promote a culture of personal data protection, encouraging the adoption of transparent practices that improve data subjects' understanding of and control over the use of their personal data.
Similarly, the guide reinforces the ANPD's tendency to follow the directions adopted by European data protection authorities on the subject. It thus revalidates work grounded in foreign experience. Although there is convergence between European regulation and Brazilian legislation, it is worth remembering that Europe has specific rules on the use of cookies, which Brazil does not. Therefore, the collection and use of cookies may be subject to new regulations by the ANPD.
[1] Cookies may also be based on compliance with a legal obligation (Art. 7°, II, LGPD), for example in the case of the duty imposed on application providers to retain electronic records under the Internet Civil Framework (Marco Civil da Internet, Federal Law No. 12.965/2014).