
Brazil: ANPD's first approach on cookies under the LGPD

Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.


Introduction

The Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') does not provide any specific provisions on cookies. A cookie can be defined as a small text file that may be stored on computers or mobile devices that generally contains data related to a website that a certain person accesses. The information stored in these cookies may include non-personal data, such as language preference settings, but may also include personal data, such as IP address or a username. Similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the LGPD adopts a broad definition of personal data, understood as any information regarding an identified or identifiable natural person (Article 5, I of the LGPD). Therefore, since some cookies may contain information which enables the identification of a natural person, they would be considered as personal data, being subject to the LGPD requirements.

Under the Brazilian legal framework, the LGPD is the main legislation on data protection and there are no specific provisions or laws regarding cookies, as opposed to the EU where other sectoral legislation is applicable to the matter, such as the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'). However, recently, on 13 May 2022, the Brazilian data protection authority ('ANPD') published recommendations requested by the Brazilian Digital Government Secretariat ('SGD') on the compliance of the digital government portal ('Gov.br Portal') in relation to the LGPD ('the Recommendations'). Therefore, the main goal of this Insight article is to briefly describe the position of the ANPD regarding cookies and to provide a comparative analysis between the Recommendations and guidelines on cookies based on the GDPR and on the ePrivacy Directive ('the Guidelines'). This first interpretation by the ANPD is not mandatory and is aimed specifically at the SGD, but it could indicate how the ANPD will address its cookie regulation in the future.

The Recommendations

There are still no official guidelines by the ANPD regarding cookies. Nonetheless, the Recommendations are relevant to comprehend how the ANPD could officially regulate cookies in future documents.

Gov.br Portal, analysed by the ANPD due to the SGD request on its compliance with the LGPD, allows Brazilian citizens to use a series of online governmental services, such as the issuance of documents and consulting information related to the Federal Administration bodies and entities, among other functionalities available. Gov.br Portal is one of the most relevant digital government policies that has been implemented in Brazil in recent years and its adequacy to the LGPD is relevant since the portal brings together almost 5,000 services aimed at Brazilian citizens. The portal is responsible for hosting the ANPD website too, which highlights the relevance of its compliance with the LGPD, since the ANPD is regarded as a parameter for good practices on data protection.

In this sense, as the ANPD is the governmental body responsible for the interpretation of the LGPD (Article 55(k) of the LGPD), the ANPD itself stated that its conduct is strongly observed by society and, consequently, that the regulated processing agents could reflect ANPD practices in their own businesses, especially because Gov.br Portal hosts the ANPD official website, as mentioned above. For these reasons, the ANPD highlights that the Recommendations aimed at Gov.br Portal needed to be implemented as soon as possible by the SGD to guarantee its compliance with the LGPD. Even though the ANPD's general analysis was based on the entire website, the main focus of the document published by the ANPD was the data processing practices related to the collection and use of cookies in Gov.br Portal, as indicated in the Recommendations. Therefore, the ANPD has made public the Recommendations presented for the initial compliance of Gov.br Portal, in order to guide other processing agents regarding the practices related to the processing of personal data resulting from the collection of cookies, and on how to properly use cookies.

The ANPD's analysis identified two points that would need to be overhauled by the SGD. The first one concerns the cookie banner that is presented to the user when they access a website hosted by Gov.br Portal. Hence, the ANPD understood that the banner contains very limited information and only grants the user a single option, which would be to accept all the cookies used on the website, a practice that would violate the LGPD provisions on consent. This is because Article 5(XII) of the LGPD foresees that, in order to be valid, the data subject's consent must be a free, informed, and unambiguous manifestation.

The second point concerned the cookie policy, which is made available to the user only once they click on a link available at the cookie banner. The ANPD considered that the information provided in the cookie policy is presented in a non-specific way, which makes it difficult for the user to understand it. Similarly, the purposes of the data processing were presented in an unorganised manner throughout the cookie policy, making it hard to identify all of them. The only purposes that were highlighted were the ones associated with essential cookies, such as those related to security, network management, and accessibility. Furthermore, the ANPD indicated that, although a categorisation exists, it was incorrect, as analytic cookies were presented as third-party cookies, for example. The Recommendations indicate that the ANPD may observe the general division between essential and non-essential cookies to establish the most adequate legal basis for this data processing activity in its future official guidance on this matter, taking into consideration a perspective that is usually adopted when it comes to cookie orientations in the EU under the GDPR and the ePrivacy Directive.

Moreover, the ANPD also pointed out that the Gov.br Portal cookie policy provided information on the possibility to disable cookies via the browser. The ANPD recommended maintaining the practice, but it considered that the disabling of cookies by the browser has only a complementary function, since the user should be able to deny the collection of non-essential cookies from the beginning by means of a clear option on the cookie banner, for example. For this reason, it would still be necessary to provide a direct and proper mechanism for the management of cookies by the data subject, which would include the possibility of not providing consent or revoking the consent previously obtained.

The good practices that should be adopted by Gov.br Portal to comply with the LGPD, as described by the ANPD, would be the following ones:

  • in the cookie banner: the SGD would have to (i) provide an accessible and clear button that allows the user to reject all cookies that are not essential; and (ii) also keep cookies based on consent (non-essential cookies) disabled by default (therefore, these would require the user's opt-in to be collected); and
  • in the cookie policy: the SGD would have to (i) identify the legal bases relied upon, according to each purpose/category of cookie (strictly necessary cookies may be based on legitimate interest and non-essential cookies on consent); (ii) classify cookies into categories in the policy; (iii) allow specific consent to be obtained according to the categories identified; and (iv) provide an accessible and clear button that allows the user to reject all cookies that are not essential.

In addition, the ANPD stated that its team is working on guidance about cookies, for which there is still no estimated date of publication. The document will address the types of categories and purposes of cookies, the legal bases of the LGPD that could be adopted to use and collect cookies, and good practices of cookie collection for processing agents, among other subjects. If the ANPD keeps in line with the Recommendations that it has provided the SGD with, it is probable that the ANPD's perspective on cookies will take into consideration the practices already implemented in the EU, based on the GDPR and on the ePrivacy Directive.

During an event[1] organised by the SGD to discuss data protection matters, the General Coordinator of Technology and Research of the Authority discussed the first perspectives of the ANPD about cookies and classified cookies into the following categories: (i) first-party or third-party; (ii) essential or non-essential; and (iii) session or persistent cookies. The classification of cookies that received more attention was the one that divides them into essential and non-essential, since the difference between essential and non-essential cookies would be crucial to understanding the basic operation of the processing agent's applications and other practical matters, such as the most adequate legal basis for implementing cookies.

Considering the types of cookies, it was highlighted that their use and collection has to comply with the applicable LGPD requirements, such as the principles of purpose, transparency, necessity, and suitability, as provided in Article 6 of the LGPD. In this sense, establishing appropriate cookie banners would be a good practice and a matter related to Privacy by Default and by Design. Hence, cookie banners could not be automatically programmed to collect all cookies by default, such as non-essential ones. The user would have to have the option to select whether they accept the cookies or not in a clear and accessible manner. Thus, at the event, the ANPD's representative reinforced the interpretations regarding cookies that were previously provided to the SGD.

Furthermore, on the possible legal bases for the collection, consent was mentioned as an adequate legal basis for non-essential cookies (e.g. the ones relating to marketing activities), since there should be an effective possibility to accept or not accept their collection without affecting the use of the service or the website. Legitimate interest, on the other hand, would be a more adequate legal basis for strictly necessary cookies, since providing the user with the possibility of not accepting them would probably affect the user-experience on the website and prevent its proper functioning.

Comparison between the ANPD Recommendations and the GDPR/ePrivacy Directive approach

The ePrivacy Directive regulates the topic of cookies in its Recital 25, determining that cookies can be a legitimate and useful tool. It also provides that, if they are intended for a legitimate purpose, their use should be allowed, considering that the users receive clear and precise information to ensure that they are aware of the cookies being stored on the device they are using, for example. Moreover, the ePrivacy Directive establishes that the users should have the option to refuse to have a non-essential cookie or a similar device stored on their device and that the information and the right to refuse the storage of the cookie has to be offered to the user. In addition, the ePrivacy Directive provides that the methods for providing information on the cookies, the right to refuse the storage of cookies, and the requesting of the consent should be user-friendly.

Finally, based on the GDPR and on the ePrivacy Directive, consent should be requested for the use of non-essential cookies and legitimate interests could serve as a justification for the use of essential cookies. Examples of non-essential cookies include the cookies that are aimed at analysing a certain behaviour of the user or targeting advertising (e.g. analytics cookies and advertising cookies). On the other hand, essential cookies are generally linked to the good functioning of a website or application. As previously mentioned, the difference between essential and non-essential cookies has been a matter of debate in the EU for a long time, and the ANPD seems to be aligned with the concepts since they have taken them into consideration in its own Recommendations to the SGD.

Additionally, the topic of justifications for the use of essential and non-essential cookies is also in line with the GDPR and ePrivacy Directive guidelines, considering that the ANPD mentioned consent as a proper legal basis for non-essential cookies and legitimate interest as an adequate legal basis for using essential cookies. In general, the ANPD followed the understanding on cookies that is already in place in the EU, calling attention to the influence of the GDPR in the interpretations of the ANPD and on the LGPD itself. This means that, if companies' cookie policies are adequate by EU standards, it is probable that they would also be compliant with the LGPD. Nonetheless, it is still relevant to reinforce that neither the LGPD nor any other Brazilian legislation states what would be the appropriate legal basis for the collection or use of cookies and the data that originates from them, a matter that is still up to ANPD regulation.

Conclusion

The Recommendations described above were provided by the ANPD as a result of an express request of the SGD. Therefore, it is important to understand that, until the present moment, they are valid to the SGD alone and do not necessarily represent the interpretation that the ANPD will adopt in its guidelines on cookies aimed at data processing agents in general. They are relevant as the first ANPD approach on the subject, but the Recommendations are not mandatory and it is not certain if the ANPD will replicate the interpretations mentioned above in its official guidelines, which are still being drafted.

In any case, the Recommendations demonstrate that the ANPD continually takes into consideration the interpretations based on the GDPR to establish its own guidance, a trend that may be followed in future orientations and guidelines.

Celina Bottino Partner
Vinicius Padrão Lawyer
Flávia Parra Cano Lawyer
Rennó, Penteado, Sampaio Advogados, Rio de Janeiro


1. More information about the event can be found here: https://www.gov.br/anpd/pt-br/assuntos/noticias/1a-semana-de-protecao-de-dados-pessoais