Brazil: Cookie compliance and the LGPD

With the entry into force of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') imminent, it is necessary to take stock of how its provisions will bear upon areas such as cookies which are not specifically mentioned within the law's text. Fábio Luiz Barboza Pereira and Adriana Fernandes Rollo, Partner and Associate respectively at Veirano Advogados, discuss this subject with reference to other key pieces of Brazilian legislation and how the European experience is likely to be of informative value in Brazil going forward.

Introduction

The LGPD, which, at the time of writing, was expected to come into force in September 2020, brings new principles, concepts, and rules regarding data processing in Brazil. Based on the Brazilian Federal Constitution ('the Constitution') and heavily inspired by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the LGPD foreshadows a massive change in the market and in the relations involving personal data, affecting all industries and businesses, as well as government and public services in Brazil. Since all types of data usage carried out by these entities will be affected by the LGPD, cookies are no exception. As an important and strategic tool for businesses to collect data, cookies must be placed in accordance with the law and with all the upcoming guidelines to be published by the Brazilian data protection authority ('ANPD'), which are intended to improve the relationship between data controllers and internet users and to ensure compliance.

What is an internet cookie?

Cookies are essentially identifiers: small files, built from information captured about a user's or website visitor's browsing history, that are stored on their computer or device. Cookies allow websites and internet applications to remember useful information about the user's visit, such as content viewed, language, and the time and duration of a visit, and to record browsing activities. This technology supports the creation of individual profiles, including behaviours, browsing habits, purchases, and trends, which may constitute intelligence used by businesses to facilitate and enhance targeted advertising.

Types of cookies and how they work

Websites and internet applications in general use cookies to identify and record user information such as name, email, preferences, pages visited, how much time is spent on a certain page, what was bought, etc. By having access to such information, businesses may tailor offerings to users, improve their experience, and increase sales. In other words, cookies are nowadays an important tool in any commercial strategy for online business.

The way cookies work depends on the type of cookie concerned. Usually, cookies are classified according to their duration, provenance, and purpose [1]. As regards duration there are two types: session cookies, which are deleted when the user ends the browsing session, and persistent cookies, which keep information stored after the session ends. According to EU law [2], persistent cookies 'should not last longer than 12 months' [3], but if the user takes no action they may remain on the user's device for longer than that. With regard to provenance, there are first-party cookies, placed directly by the website concerned, and third-party cookies, placed by another party that does not own the website. The last classification relates to purpose, namely:

  • operational cookies, which are essential to allow users to view certain pages and are related to the operating system of the device;
  • preference cookies, which allow the website to remember past user choices;
  • performance cookies, also known as 'analytic cookies', used to measure page audience or create statistics; and
  • marketing cookies, used to target advertising [4].

All types of cookies mentioned can also be subject to the applicability of the Brazilian legislation and mainly the LGPD if cookies are placed within the Brazilian territory, and/or are used to collect data from individuals located in the country.

Before the LGPD - cookies and the Internet Law

Before 2014, the protection of personal data was encompassed within the Brazilian legal framework by means of generic principles provided by the Constitution, the Consumer Code, and the Civil Code relating to the rights to privacy and intimacy. Law No. 12.965 of 23 April 2014, Establishing the Principles, Guarantees, Rights, and Obligations for the Use of Internet in Brazil ('the Internet Law') was the first Brazilian law defining personal data protection as a principle, at its Article 3(III) [5]. In this sense, Article 7(VI) [6] also provided that users have the right to clear and complete information about the protection regime of connection and access logs. In addition, Article 7(VIII) establishes guidelines for specific personal data processing and requires the collection of data to be justified, in accordance with the law, and specified in the services agreement or in the terms of use of internet applications.

Thus, even though there is no specific provision regarding the use of cookies in the Internet Law, it is possible to conclude that the law does not prohibit their use, provided that users are informed in advance in a clear and precise way. Furthermore, in the case of third-party cookies, it is important to highlight that the Internet Law determined in Article 7(VII) [7] that personal data transfers require prior and express consent by the user. Thus, all third-party cookies will require prior consent.

After the LGPD - what changes?

With the LGPD coming into force soon, one important change to be observed is the broad concept given to personal data: any information that identifies or makes identifiable a natural person [8]. Considering that most cookies collect personal data, it is possible to interpret that cookies are in general subject to the LGPD, except for those that collect information from which a user cannot be identified or which can be turned into anonymised data. As extra guidance, it is possible to refer to Article 4(1) [9] of the GDPR, which defined personal data and indirectly mentioned cookies as an 'online identifier.' Moreover, the UK's Information Commissioner's Office ('ICO') states in relation to cookies that 'personal data is being processed where information is being collected and analyzed with the intention of distinguishing one individual from another and to take a particular action in respect of an individual' [10]. The European understanding of cookies is another indication that their use will also be considered processing of personal data under the LGPD.

Considering the application of the LGPD to the use of cookies, they should always be placed on a user's computer or device respecting the main principles for data processing activities provided for in Article 6 of the LGPD. In this regard, one of the most important principles to be observed is the purpose [11] for which data is collected and processed, which must be legitimate, specific, explicit, and informed to the data subject in advance. Another relevant one is the transparency principle [12], which requires that the processing activity be communicated in a clear, precise, and accessible manner. Article 6 of the LGPD also lists the principles of adequacy, free access, quality, necessity, security, prevention, non-discrimination, and accountability, which apply equally to the use of cookies and must guide the entities collecting personal data via cookies in their processing activities.

The necessity principle, for instance, limits the amount of data to be collected to that strictly necessary for achieving the purpose. In view of that, entities collecting data via cookies must be able to justify any data collected beyond the scope of the purpose previously informed to the user; otherwise they will be subject to the penalties provided by the law. Moreover, although the LGPD does not specifically mention for how long cookies can remain on a user's computer or device, by analysing the necessity principle [13] it is possible to conclude that a piece of information may remain stored only for as long as it is useful and justified by one of the ten legal bases for data processing provided by the LGPD.

Article 7 of the LGPD [14] sets forth the legal bases for processing, and the use of cookies must fall into one of the ten provided in order to be considered lawful. In certain cases, the collection of data via cookies can be part of an agreement entered into between a user and a services provider and, in this case, the use of cookies will be legitimate under item V of Article 7. In other cases, it will be possible to rely on the legitimate interest of the data controller to collect data via cookies. Based on the European experience, which is likely to be adopted in Brazil, if the use of cookies facilitates the user's experience by offering similar services or products according to their purchase history, such marketing activities run by the controller could be framed as justified by legitimate interest.

If the controller is not able to rely on any specific legal basis for processing data via cookies, consent will be required. Similar to the GDPR, the LGPD also stipulates that consent [15] must be freely given, specific, and informed in order to be considered valid. Where the use of cookies goes beyond what is considered a legitimate interest of the controller and is likely to have an impact on users' fundamental rights and freedoms, such as use for profiling, the controller must adopt mechanisms to obtain and record the consent given by users.

In this regard, it is important to highlight that the LGPD sets forth in Article 8(5) [16] that consent may be revoked at any time by express request of the data subject. In this situation, the controller must provide the data subject with a facilitated and free-of-charge procedure to revoke their consent and, once consent is revoked, the controller must refrain from processing the data for which consent had previously been given.

If controllers fail to comply with the principles and rules provided by the LGPD, sanctions may apply depending on the severity of the violation and the damages caused to data subjects. The administrative sanctions are set out in Article 52 of the LGPD and range from warnings to fines of up to 2% of a private legal entity's group or conglomerate revenues in Brazil (up to a maximum of BRL 50,000,000 (approx. €7,980,000) per infraction), public disclosure of the infraction, and blockage or deletion of the personal data related to the infraction.

Cookie compliance guidelines

Considering the above, the first step for cookie compliance according to Brazilian laws is to identify which type of cookie a certain website uses and then determine the adequate legal bases provided by the LGPD allowing such data processing.

Where operational cookies are concerned, it is known that the GDPR does not require consent [17]. Although the e-Privacy Directive directly binds cookies to consent, it provides for an exception when the use of cookies is strictly necessary. Therefore, while the LGPD and the ANPD do not currently provide specific guidance on cookies, it is possible to anticipate that operational cookies will fall under the remit of the legitimate interest [18] of the controller.

For other types of cookies, a more in-depth assessment must be conducted to evaluate the need to obtain consent from data subjects. As a general rule, if the controller is not able to rely on the execution of an agreement with the user and the processing of data via cookies is beyond the scope of a justifiable legitimate interest of the controller, consent will be required. Whenever the use is controversial and it is not clear if the legitimate interest would be the appropriate base for processing, the data controller may request guidance from the ANPD.

As the ANPD is still in the process of being structured, it is expected that the first guidelines on matters that have not been specifically addressed by the LGPD, such as cookies and the limits of the legitimate interest, will be released within the next two years. As a consequence, controllers will have more precise directions on how to proceed when it comes to protecting data that is subject to cookies in Brazil.

Insofar as the ANPD is likely to follow the approaches taken by European supervisory authorities, it is advisable that all entities placing cookies within the Brazilian territory or in devices of individuals located in Brazil take the following steps:

  • provide, in plain language, direct, specific, and accurate information about which data each cookie collects and its purpose before users consent, either through a privacy policy or a specific cookies policy;
  • receive and register valid user consent prior to using cookies;
  • save and store consent provided by users;
  • allow users to navigate in the website even if they do not agree with certain cookies; and
  • allow and facilitate users to revoke their consent.
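As an added example, not taken from the article or from Veirano Advogados, the following JavaScript module ties together the purpose-based cookie classification described earlier (operational, preference, performance, marketing) and the five steps listed above: operational cookies are set without consent, the other categories are gated behind a recorded consent, persistent cookies are capped at 12 months, and revocation produces deletion headers for every cookie no longer allowed. The cookie names, lifetimes, values and policy version are constructed sample data.

```javascript
// Added example (not the article's or any project's code). Consent-gated
// cookie policy: classify each cookie by purpose, set only what is allowed,
// record consent with a timestamp and policy version, and honour revocation.

const ONE_YEAR = 365 * 24 * 60 * 60; // 12-month ceiling for persistent cookies, in seconds
const CONSENT_CATEGORIES = ['preference', 'performance', 'marketing'];

// Constructed cookie inventory. persistent:false means a session cookie
// (no Max-Age, removed when the browser closes); otherwise Max-Age is capped.
const COOKIE_INVENTORY = [
  { name: 'sessionid', category: 'operational', persistent: false },
  { name: 'lang', category: 'preference', persistent: true, maxAge: 180 * 86400 },
  { name: '_stats', category: 'performance', persistent: true, maxAge: 2 * ONE_YEAR },
  { name: '_ads', category: 'marketing', persistent: true, maxAge: 90 * 86400 },
];

// Step 2/3: build the consent record to be saved. `accepted` lists the
// categories the user agreed to; anything not listed is recorded as refused.
function recordConsent(accepted, policyVersion, now = Date.now()) {
  return {
    policyVersion,
    timestamp: new Date(now).toISOString(),
    choices: Object.fromEntries(CONSENT_CATEGORIES.map(c => [c, accepted.includes(c)])),
  };
}

// A cookie may be set if it is strictly necessary or its category was accepted.
function isAllowed(cookie, consent) {
  if (cookie.category === 'operational') return true;
  return Boolean(consent && consent.choices[cookie.category]);
}

// Step 4: Set-Cookie header values for the cookies the site is permitted to
// set. With no consent record only operational cookies are emitted, so the
// site still works for a user who has not agreed to anything.
function setCookieHeaders(values, consent, inventory = COOKIE_INVENTORY) {
  const headers = [];
  for (const cookie of inventory) {
    if (!isAllowed(cookie, consent)) continue;
    let header = `${cookie.name}=${encodeURIComponent(values[cookie.name] ?? '')}; Path=/; Secure; SameSite=Lax`;
    if (cookie.persistent) header += `; Max-Age=${Math.min(cookie.maxAge, ONE_YEAR)}`;
    headers.push(header);
  }
  return headers;
}

// Step 5: withdraw the given categories and emit deletion headers (Max-Age=0)
// for every cookie that is no longer allowed under the updated record.
function revokeConsent(consent, withdrawn, now = Date.now(), inventory = COOKIE_INVENTORY) {
  const updated = { ...consent, choices: { ...consent.choices }, revokedAt: new Date(now).toISOString() };
  for (const c of withdrawn) updated.choices[c] = false;
  const deletions = inventory
    .filter(c => !isAllowed(c, updated))
    .map(c => `${c.name}=; Path=/; Max-Age=0`);
  return { consent: updated, deletions };
}
```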

Conclusion

In conclusion, although the subject of cookies has not been specifically addressed by Brazilian legislation, including the recent LGPD, it is possible to ascertain that the use of internet cookies is not prohibited and it can be done provided that it respects Article 3(III) and Article 7(VI), (VIII), and (IX) of the Internet Law, as well as all of the principles and one of the legal bases for processing determined by the LGPD in Articles 6 and 7. The LGPD has brought greater legal certainty related to personal data protection, and the ANPD is the entity responsible for the enforcement of the law and also for providing guidelines that will help to define and clarify what constitutes a controversial use of internet cookies. For now, it is possible to predict that operational cookies are likely to fall under the remit of the legitimate interest of the controller, but other types of cookies may require prior consent of data subjects, and failure to obtain consent in accordance with the LGPD may subject the controller to the sanctions set forth in the law.

Fábio Luiz Barboza Pereira Partner
[email protected]
Adriana Fernandes Rollo Associate
[email protected]
Veirano Advogados, São Paulo


1. Cookies, the GDPR and the ePrivacy Directive, available at: https://gdpr.eu/cookies/ ('the Cookies Guidance')
2. Directive 2009/136/EC amending Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004, available at:
3. The Cookies Guidance.
4. Cookie notice: inform, obtain and finally collect personal data, Jota, only available in Portuguese at: https://www.jota.info/opiniao-e-analise/colunas/agenda-da-privacidade-e-da-protecao-de-dados/cookie-notice-informar-obter-e-por-fim-coletar-dados-pessoais-23112018
5. Article 3º - The discipline of internet use in Brazil has the following principles: (...) III- protection of personal data, in accordance with the law.
6. Article 7º - Access to the internet is essential to the exercise of citizenship, and the user is guaranteed the following rights: (…) IV clear and complete information contained in the service provision contracts, with details on the protection regime for connection logs and access logs to internet applications, as well as on network management practices that may affect their quality; VII- clear and complete information about the collection, use, storage, treatment and protection of your personal data, which can only be used for purposes that: a) justify their collection; b) are not prohibited by law; and c) are specified in the service provision contracts or in terms of using internet applications (…) IX express consent on the collection, use, storage and treatment of personal data, which must occur in a detached manner from the other contractual clauses.
7. Article 7º - Access to the internet is essential to the exercise of citizenship, and the user is guaranteed the following rights: (…) VII- failure to provide third-parties with your personal data, including connection logs, and access to internet applications, except with free, express and informed consent or in the cases provided by the law.
8. Article 5º - For the purposes of this law, it is considered: I – personal data: information related to an identified or identifiable natural person.
9. For the purposes of the GDPR: 1. 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
10. Cookies and similar technologies, available at: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
11. Article 6º - Personal data processing activities must observe good faith and the following principles: I purpose: carrying out the treatment for legitimate, specific, explicit and informed purposes to the holder without the possibility of further treatment in a manner incompatible with those purposes.
12. Article 6º - Personal data processing activities must observe good faith and the following principles: (…) VI- transparency: guarantee, to the holders, of clear, accurate and easily accessible information on the performance of the treatment and the respective treatment agents, observing the commercial and industrial secrets.
13. Article 6º - Personal data processing activities must observe good faith and the following principles: (…) I necessity: limitation of treatment to the minimum necessary for the accomplishment of its purposes, with coverage of the relevant data, proportional and not excessive in relation to the purposes of the data processing.
14. Article 7º - The processing of personal data can only be carried out in the following cases: I- by provision of consent by the holder; II for compliance with legal or regulatory obligation; III - by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts agreements or similar instruments, subject to the provisions of Chapter IV of this Law; IV for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data; V - when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; VI for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law No. 9,307/1996 (the Brazilian Arbitration Law); VII - for the protection of life or physical safety of the data subject or a third party; VIII to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; IX when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail; or X for the protection of credit, including as provided in specific legislation.
15. Article 4(11) of the GDPR stipulates that consent of the data subject means any: freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
16. Article 8(5) of the LGPD - Consent may be revoked at any time, by express request of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to item VI of the lead sentence of Article 18 of this Law.
17. The Cookies Guidance.
18. Article 10 of the LGPD - The controller's legitimate interest can only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to: (…) §1 When the processing is based on the legitimate interest of the controller, only personal data strictly necessary for the intended purpose can be processed.