Brazil: Cookie compliance and the LGPD
With the entry into force of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') imminent, it is necessary to take stock of how its provisions will bear upon areas such as cookies which are not specifically mentioned within the law's text. Fábio Luiz Barboza Pereira and Adriana Fernandes Rollo, Partner and Associate respectively at Veirano Advogados, discuss this subject with reference to other key pieces of Brazilian legislation and how the European experience is likely to be of informative value in Brazil going forward.
The LGPD, which, at the time of writing, was expected to come into force in September 2020, brings new principles, concepts, and rules regarding data processing in Brazil. Based on the Brazilian Federal Constitution ('the Constitution') and heavily inspired by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the LGPD foreshadows a massive change in the market and in relations involving personal data, affecting all industries and businesses, as well as government and public services in Brazil. Since all types of data usage by these entities will be affected by the LGPD, cookies are no exception. As an important and strategic tool for businesses to collect data, cookies must be placed in accordance with the law and with all the upcoming guidelines to be published by the Brazilian data protection authority ('ANPD') to improve the relationship between data controllers and internet users and to ensure compliance.
What is an internet cookie?
Cookies are essentially identifiers: a small record of information captured about a user's or website visitor's browsing, stored on their computer or device. Cookies allow websites and internet applications to remember useful information about the user's visit, such as content viewed, language, time and duration of the visit, and to record browsing activity. This technology helps create profiles of individuals, including their behaviour, browsing habits, purchases, and trends, which may constitute intelligence that businesses use to facilitate and enhance targeted advertising.
Types of cookies and how they work
The way cookies work depends on the type of cookie concerned. Cookies are usually classified by duration, provenance, and purpose[1]. As regards duration there are two types: session cookies, which are deleted when the user ends the browsing session, and persistent cookies, which keep information stored after the session ends. According to EU law[2], persistent cookies 'should not last longer than 12 months'[3], but if the user takes no action, a cookie may remain on the device for longer than that. As regards provenance, there are first-party cookies, set directly by the website concerned, and third-party cookies, set by a party that does not own the website. The final classification is by purpose, namely:
- operational cookies, which are essential to allow users to view certain pages and relate to the operating system of the device;
- preference cookies, which allow the website to remember past user choices;
- performance cookies, also known as 'analytic cookies', used to measure page audience or create statistics; and
- marketing cookies, used to target advertising[4].
All types of cookies mentioned can also be subject to the applicability of the Brazilian legislation and mainly the LGPD if cookies are placed within the Brazilian territory, and/or are used to collect data from individuals located in the country.
Before the LGPD - cookies and the Internet Act
After the LGPD - what changes?
With the LGPD coming into force soon, one important change to be observed is the broad concept given to personal data: any information that identifies, or makes identifiable, a natural person[8]. Considering that most cookies collect personal data, it is possible to interpret that cookies are in general subject to the LGPD, except for those that collect information from which a user cannot be identified, or which can be turned into anonymised data. As further guidance, it is possible to refer to Article 4(1)[9] of the GDPR, which defines personal data and indirectly mentions cookies as an 'online identifier'. Moreover, the UK's Information Commissioner's Office ('ICO') states in relation to cookies that 'personal data is being processed where information is being collected and analyzed with the intention of distinguishing one individual from another and to take a particular action in respect of an individual'[10]. The European understanding of cookies is a further indication that their use will also be considered processing of personal data under the LGPD.
The necessity principle, for instance, limits the amount of data collected to what is strictly necessary to achieve the purpose. In view of that, entities collecting cookies must be able to justify any data collected beyond the scope of the purpose previously communicated to the user; otherwise they will be subject to the penalties provided by the law. Moreover, although the LGPD does not specify for how long cookies may be placed on a user's computer or device, analysis of the necessity principle[13] leads to the conclusion that a piece of information may remain stored only for as long as it is useful and justified by one of the ten legal bases for data processing provided by the LGPD.
In this regard, it is important to highlight that the LGPD sets forth in Article 8(5)[16] that consent may be revoked at any time by express request of the data subject. In this situation, the controller must provide the data subject with a facilitated and free-of-charge procedure to revoke their consent and, once it is revoked, the controller must refrain from processing data for which consent had previously been given.
If controllers fail to comply with the principles and rules provided by the LGPD, sanctions may apply depending on the severity of the violation and the damage caused to data subjects. The administrative sanctions are set out in Article 52 of the LGPD and range from warnings, through fines of up to 2% of the revenue in Brazil of the private legal entity, group or conglomerate, capped at BRL 50,000,000 (approx. €7,980,000) per infraction, to disclosure of the infraction to the public and blocking or deletion of the personal data related to the infraction.
Cookie compliance guidelines
Considering the above, the first step for cookie compliance according to Brazilian laws is to identify which type of cookie a certain website uses and then determine the adequate legal bases provided by the LGPD allowing such data processing.
For other types of cookies, a more in-depth assessment must be conducted to evaluate the need to obtain consent from data subjects. As a general rule, if the controller is not able to rely on the execution of an agreement with the user and the processing of data via cookies is beyond the scope of a justifiable legitimate interest of the controller, consent will be required. Whenever the use is controversial and it is not clear if the legitimate interest would be the appropriate base for processing, the data controller may request guidance from the ANPD.
As the ANPD is still in the process of being structured, it is expected that the first guidelines on matters that have not been specifically addressed by the LGPD, such as cookies and the limits of the legitimate interest, will be released within the next two years. As a consequence, controllers will have more precise directions on how to proceed when it comes to protecting data that is subject to cookies in Brazil.
Insofar as the ANPD is likely to follow the approaches taken by European supervisory authorities, it is advisable that all entities placing cookies within Brazilian territory or on the devices of individuals located in Brazil take the following steps:
- receive and register valid user consent before using cookies;
- save and store the consent provided by users;
- allow users to navigate the website even if they do not agree to certain cookies; and
- allow and facilitate the revocation of consent by users.
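The cookie classification described earlier (session versus persistent, first-party, and the four purpose-based categories) and the four steps above can be implemented as one small consent gate. The following is an added example written for this page; it is not code from the article or from Veirano Advogados. It is written as pure functions that produce Set-Cookie header values, so it runs unchanged in Node.js on a server or in a browser bundle. The category names follow the article; the cookie name `lgpd_consent`, the record layout, the notice-version field, the cookie inventory, and the 12-month cap taken from the EU guidance quoted above are this example's own assumptions.

```javascript
// Added example (not from the article): a minimal consent gate implementing the four
// compliance steps. Category names follow the article's purpose-based classification;
// the record layout, cookie names and the 12-month cap are this example's assumptions.

const CATEGORIES = ['operational', 'preference', 'performance', 'marketing'];
const ESSENTIAL = 'operational';                 // never gated: required for the site to work
const MAX_PERSISTENT_AGE = 365 * 24 * 60 * 60;   // 12 months in seconds (EU guidance cited in the text)
const CONSENT_COOKIE = 'lgpd_consent';           // assumed name for the stored consent record

// Step 1: register a consent decision. Only explicit opt-ins count (choices[c] === true);
// essential cookies are always allowed because they are not subject to consent.
function createConsentRecord(choices, noticeVersion, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === ESSENTIAL || choices[c] === true;
  return { noticeVersion, decidedAt: new Date(now).toISOString(), categories };
}

function isAllowed(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  return record.categories[category] === true;
}

// Build one Set-Cookie header value, or null if the user did not consent to the category.
// No maxAge -> session cookie (gone when the browser session ends); otherwise persistent,
// capped at 12 months regardless of what the caller asked for.
function buildSetCookie(record, { name, value, category, maxAge }) {
  if (!isAllowed(record, category)) return null;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax', 'Secure'];
  if (maxAge !== undefined) parts.push(`Max-Age=${Math.min(maxAge, MAX_PERSISTENT_AGE)}`);
  return parts.join('; ');
}

// Step 2: store the record itself as a first-party persistent cookie so the decision
// survives the session and can be shown to the user (or a regulator) later.
function buildConsentCookie(record) {
  return buildSetCookie(record, {
    name: CONSENT_COOKIE, value: JSON.stringify(record), category: ESSENTIAL, maxAge: MAX_PERSISTENT_AGE,
  });
}

// Parse a Cookie request header into a Map (assumption: plain name=value pairs).
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of (header || '').split(';')) {
    const i = pair.indexOf('=');
    if (i <= 0) continue;
    try { jar.set(pair.slice(0, i).trim(), decodeURIComponent(pair.slice(i + 1).trim())); } catch (e) { /* skip malformed */ }
  }
  return jar;
}

// Step 3: a visitor with no stored decision, or a corrupted one, still gets a usable site:
// the default record allows essential cookies only and blocks nothing else.
function loadConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader).get(CONSENT_COOKIE);
  if (raw) {
    try {
      const parsed = JSON.parse(raw);
      if (parsed && typeof parsed.categories === 'object') return parsed;
    } catch (e) { /* fall through to the safe default */ }
  }
  return createConsentRecord({}, null);
}

// Step 4: revocation. Returns the updated record plus Set-Cookie headers that delete every
// cookie in a withdrawn category (Max-Age=0 expires it). `inventory` is the site's own list
// of cookies and their categories.
function revokeConsent(record, categoriesToRevoke, inventory, now = Date.now()) {
  const choices = { ...record.categories };
  for (const c of categoriesToRevoke) {
    if (c === ESSENTIAL) throw new Error('essential cookies are not subject to consent');
    choices[c] = false;
  }
  const updated = createConsentRecord(choices, record.noticeVersion, now);
  const expire = inventory
    .filter((ck) => categoriesToRevoke.includes(ck.category))
    .map((ck) => `${ck.name}=; Path=/; Max-Age=0`);
  return { record: updated, expire };
}

// Constructed demo data: a site inventory and a user who accepts preference and marketing
// cookies, then withdraws marketing consent.
const INVENTORY = [
  { name: 'sid', category: 'operational' },
  { name: 'lang', category: 'preference' },
  { name: 'stats_id', category: 'performance' },
  { name: 'ad_id', category: 'marketing' },
];

function demo() {
  const record = createConsentRecord({ preference: true, marketing: true }, 'v1');
  const consentHeader = buildConsentCookie(record);
  const reloaded = loadConsent(consentHeader.split(';')[0]);   // as the browser would send it back
  const adCookie = buildSetCookie(reloaded, { name: 'ad_id', value: 'abc', category: 'marketing', maxAge: 10 * MAX_PERSISTENT_AGE });
  const statsCookie = buildSetCookie(reloaded, { name: 'stats_id', value: 'x', category: 'performance', maxAge: 3600 });
  const { record: after, expire } = revokeConsent(reloaded, ['marketing'], INVENTORY);
  return { adCookie, statsCookie, expire, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design choices matter for compliance rather than convenience: a missing or unreadable consent record is treated as "essential only" rather than "everything", so a user who never answered the banner is still served; and the persistence cap is applied inside `buildSetCookie`, so no call site can set a marketing or analytics cookie beyond 12 months by mistake.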
In conclusion, although the subject of cookies has not been specifically addressed by Brazilian legislation, including the recent LGPD, it can be said that the use of internet cookies is not prohibited and may take place provided it respects Article 3(III) and Article 7(VI), (VIII), and (IX) of the Internet Law, as well as all of the principles and one of the legal bases for processing set out by the LGPD in Articles 6 and 7. The LGPD has brought greater legal certainty to personal data protection, and the ANPD is the entity responsible for enforcing the law and for providing guidelines that will help define and clarify what constitutes a controversial use of internet cookies. For now, it is possible to predict that operational cookies are likely to fall within the legitimate interest of the controller, but other types of cookies may require the prior consent of data subjects, and failure to obtain consent in accordance with the LGPD may subject the controller to the sanctions set forth in the law.
1. Cookies, the GDPR and the ePrivacy Directive, available at: https://gdpr.eu/cookies/ ('the Cookies Guidance')
2. Directive 2009/136/EC amending Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004.
3. The Cookies Guidance.
4. Cookie notice: inform, obtain and finally collect personal data, Jota, only available in Portuguese at: https://www.jota.info/opiniao-e-analise/colunas/agenda-da-privacidade-e-da-protecao-de-dados/cookie-notice-informar-obter-e-por-fim-coletar-dados-pessoais-23112018
5. Article 3º - The discipline of internet use in Brazil has the following principles: (...) III- protection of personal data, in accordance with the law.
6. Article 7º - Access to the internet is essential to the exercise of citizenship, and the user is guaranteed the following rights: (…) IV - clear and complete information contained in the service provision contracts, with details on the protection regime for connection logs and access logs to internet applications, as well as on network management practices that may affect their quality; VII - clear and complete information about the collection, use, storage, treatment and protection of your personal data, which can only be used for purposes that: a) justify their collection; b) are not prohibited by law; and c) are specified in the service provision contracts or in the terms of use of internet applications (…) IX - express consent to the collection, use, storage and treatment of personal data, which must be given separately from the other contractual clauses.
7. Article 7º - Access to the internet is essential to the exercise of citizenship, and the user is guaranteed the following rights: (…) VII - non-disclosure to third parties of your personal data, including connection logs and access logs to internet applications, except with free, express and informed consent or in the cases provided by law.
8. Article 5º - For the purposes of this law, it is considered: I – personal data: information related to an identified or identifiable natural person.
9. For the purposes of the GDPR: 1. 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
10. Cookies and similar technologies, available at: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
11. Article 6º - Personal data processing activities must observe good faith and the following principles: I - purpose: carrying out the processing for legitimate, specific, explicit and informed purposes made known to the data subject, without the possibility of further processing in a manner incompatible with those purposes.
12. Article 6º - Personal data processing activities must observe good faith and the following principles: (…) VI - transparency: guarantee, to data subjects, of clear, accurate and easily accessible information on the performance of the processing and the respective processing agents, subject to commercial and industrial secrets.
13. Article 6º - Personal data processing activities must observe good faith and the following principles: (…) I - necessity: limitation of processing to the minimum necessary for the accomplishment of its purposes, covering the relevant data, proportional and not excessive in relation to the purposes of the data processing.
14. Article 7º - The processing of personal data can only be carried out in the following cases: I - with the consent of the data subject; II - for compliance with a legal or regulatory obligation; III - by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law; IV - for carrying out studies by research entities, ensuring, whenever possible, the anonymisation of personal data; V - when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject; VI - for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law No. 9,307/1996 (the Brazilian Arbitration Law); VII - for the protection of the life or physical safety of the data subject or a third party; VIII - to protect health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; IX - when necessary to fulfil the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail; or X - for the protection of credit, including as provided in specific legislation.
15. Article 4(11) of the GDPR stipulates that consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
16. Article 8(5) of the LGPD - Consent may be revoked at any time, by express request of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to item VI of the lead sentence of Article 18 of this Law.
17. The Cookies Guidance.
18. Article 10 of the LGPD - The controller's legitimate interest can only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to: (…) §1 When the processing is based on the legitimate interest of the controller, only personal data strictly necessary for the intended purpose can be processed.