Cookies remain a source of concern for data protection authorities in every country, all the more so given the lack of transparency in how much of this data is collected and used. Against this background, the National Data Protection Authority (ANPD) has issued a guidance document on handling cookies in Brazil, even though the General Data Protection Law (LGPD) itself does not set out specific rules on the subject. For that very reason, the ANPD guide comes at a good time to resolve doubts and serve as a basis for guiding everyone on how to deal with the issue in Brazil.
The guide begins with the definition of cookies: files installed on a user's device that allow the collection of certain information, including personal data in some situations, in order to serve different purposes, including the proper functioning of some pages that are customized from the data collected by cookies. Because cookies can contain information that refers directly to natural persons or allows them to be identified indirectly, for example through inferences, cross-referencing with other information and, sometimes, the building of behavioral profiles, such cookies end up containing personal data, which is protected by the LGPD.
The guide then proceeds to classify cookies into macro categories, according to:
1. the entity responsible for their management.
2. the need.
3. the purpose.
4. the information retention period.
Cookies, according to the entity responsible for their management, are classified into:
Cookies, according to need, are classified into:
Cookies, according to their purpose, are classified into:
Cookies, according to the retention period of information, are classified into:
The guide then turns to the main points of the LGPD that are applicable to the collection of personal data through cookies, according to the aspects mentioned below:
Finally, the guide recommends avoiding the following practices in cookie banners:
- Using a single button on the first-level banner, with no management option, when the legal basis relied on is consent (“I agree”, “I accept”, “Aware” etc.);
- Making the buttons for rejecting or configuring cookies difficult to see or understand, and highlighting only the acceptance button;
- Making it impossible or difficult to reject all unnecessary cookies;
- Displaying unnecessary cookies enabled by default, requiring manual deactivation by the data subject;
- Not making the second-level banner available;
- Not providing information and a direct, simplified and proper mechanism for the data subject to exercise the rights to revoke consent and to object to processing (in addition to browser blocking settings);
- Making it difficult to manage cookies (example: not providing specific management options for cookies that have different purposes);
- Presenting an overly granular list of cookies, generating an excessive amount of information, which makes understanding difficult and can lead to fatigue, preventing the data subject from expressing a clear and positive will.