LGPD & COOKIES - ANPD Releases "Guidance on Cookies and Personal Data Protection"

7 months ago
João Bruno Soares
18 minutes

Important
This article contains exact word-for-word quotes and free translations of official ANPD content. For a legitimate interpretation of the official sources, here is the link.

The National Data Protection Authority launched the "Guidance on Cookies and Personal Data Protection" on October 18, 2022. This document is eagerly awaited by industry professionals and holds significant importance as it explores various applicable legal scenarios and defines the requirements to be followed when using cookies. As emphasized in the document itself, it does not aim to exhaust the discussions already made but highlights what should be more aligned with the Authority's interpretation.

It's worth noting that these guidelines are not spelled out in detail within the law itself. Many of the standards in use had been imported by more conservative practitioners from international legislation, such as the GDPR and ePrivacy. Now, all stakeholders, and especially Brazilian citizens, can use this document as the official norm for the use of cookies and their applications.

Once again, ANPD reinforces the importance of Privacy by Design, and it highlights right at the beginning of the Guide that one of the main problems related to cookies is the lack of transparency. Here is the full excerpt:

One of the potential problems related to the use of cookies is the lack of transparency, meaning the failure to provide clear, accurate, and easily accessible information about the collection and processing, which can hinder or unduly restrict the data subject's control over their personal data.
Important
It's important to emphasize that the Guidance does not exempt responsibilities under LGPD but provides specific directions regarding the use of cookies in various scenarios not extensively covered in the law.

This is because LGPD, despite being new, is already in effect, and its Article 5 has always set out various definitions that anticipated these directions. The definitions of Personal Data, Controller and Processor, Anonymization, and the concept of Consent have not been reformed or altered at any point.

XII - consent: free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose;

Before the publication of the Guidance, AdOpt has always focused its work on the above-mentioned excerpt, as well as Article 6 and its various paragraphs, including specifically:

I - purpose: processing for legitimate, specific, explicit, and informed purposes, without the possibility of subsequent processing that is incompatible with these purposes;
IV - free access: ensuring data subjects have easy and free access to information about the manner and duration of processing, as well as the entirety of their personal data;
VI - transparency: ensuring data subjects receive clear, accurate, and easily accessible information about the processing and the respective data processing agents, while respecting commercial and industrial secrets;

AdOpt has always based its design and features precisely on the excerpts above and on its analysis of the experience with ePrivacy. Now, with the Guidance, nothing will change, and all processes will be adjusted to ensure compliance and adequacy for all our customers, including those on the free plan.

Below are the main observations from AdOpt regarding the new Guidance from ANPD and its immediate direction towards the updates that will be incorporated into the AdOpt platform for all its customers.

Definitions of Cookies and the Possibility of Cross-Referencing

ANPD does not necessarily bring new concepts to the technology of cookies. However, it reaffirms that even though files are often encrypted or "anonymized," there is a "possibility of identifying the natural person" through "inference or cross-referencing."

Most technical professionals already had this empirical knowledge. Still, many insisted that such cross-referencing would not be possible, reducing the analysis to the reality of some smaller and less digitized companies, ignoring this warning.

With ANPD's emphasis, this dilemma ceases.

Cookie Categories

Up until now, Categories of Cookies have been imported from other regulations and are the way in which cookies can be classified. This classification is not definitive, and ANPD itself states that new categories may emerge, and some cookies may be classified in more than one category.

In this Guide, some of the most commonly used categories will be presented, in a non-exhaustive manner, organized by the types of most common cookies. It's important to consider that the same cookie can be included in more than one category.

To this end, the Guide presents four criteria for organizing cookies. Below are each of them and their respective descriptions, summarized:

Entity responsible for their management;

First-party cookies "are cookies set directly by the website or application the user is visiting. First-party cookies generally cannot be used to track user activity on a different site other than the original site where it was placed. These types of cookies may include information such as login credentials, items in the shopping cart, or preferred language."

Third-party cookies "are cookies created by a domain other than the one the user is visiting. They result from functionalities of other domains that are incorporated into a web page, such as displaying ads."

Necessity;

Necessary cookies "are those used for the website or application to perform basic functions and operate correctly. Therefore, collecting information is essential to ensure the functioning of the web page or the proper provision of the service. Thus, activities covered as strictly necessary include those related to the specific functionality of the service, in other words, without them, the user would not be able to perform the main activities of the website or application. This category is limited to what is essential to provide the service requested by the user, not including non-essential purposes that serve other interests of the controller."

Non-necessary cookies "are cookies that do not fall within the definition of necessary cookies and disabling them does not prevent the functioning of the website or application or the use of services by the user. In this sense, non-necessary cookies are related to non-essential functionalities of the service, application, or web page. Examples of non-necessary cookies include, among others, those used to track behaviors, measure the performance of the page or service, as well as display ads or other embedded content."

"It is worth noting that the distinction between necessary and non-necessary cookies is especially relevant for determining the legal basis that authorizes the use of cookies and the collection of personal data, such as consent and legitimate interest..."

Purpose;

Analytical or Performance Cookies "allow the collection of data and information about how users use the site, which pages they visit most frequently on that site, the occurrence of errors, or information about the performance of the site or application."

Functionality Cookies "are used to provide the basic services requested by the user and allow remembering preferences of the website or application, such as username, region, or language. Functionality cookies may include first-party or third-party cookies, as well as persistent or session cookies."

Advertising Cookies "are used to collect information from the user for the purpose of displaying ads. More specifically, through the collection of information related to user browsing habits, advertising cookies allow for user identification, the creation of profiles, and the display of personalized ads according to their interests."

Retention Period of Information

Session or Temporary Cookies "are designed to collect and store information while users access a website. They are usually discarded after the session ends, that is, after the user closes the browser. They are regularly used to store information that is only relevant for providing a service requested by users or for a specific temporary purpose, as typically occurs with a list of products in the shopping cart of an online store."

Persistent Cookies "data collected through these cookies are stored and can be accessed and processed for a period defined by the controller, which can vary from a few minutes to several years. In this regard, it should be assessed on a case-by-case basis whether the use of persistent cookies is necessary, as privacy threats can be reduced with the use of session cookies. In any case, when persistent cookies are used, it is advisable to limit their duration as much as possible, considering the purpose for which they were collected and will be processed..."

Cookies and LGPD

Below are some of the main concepts and definitions covered in the document:

- The use of cookies "will only be legitimate if the principles, the rights of data subjects, and the data protection regime provided for in LGPD are respected."

- Major providers and the asymmetry with the end user:

"Personal data collected from interactions on a website, application, or digital service can reveal various aspects of people's personality and behavior. In such contexts, these individuals are placed in a position of greater vulnerability, especially in the face of information asymmetry with regard to major internet application providers, who are responsible for processing a massive amount of personal data or when the purposes of processing are not presented clearly, precisely, and easily accessible."

- The Marco Civil da Internet already provided strong protection for personal data, which has been expanded by LGPD.

- Whether cookies or other tracking technologies, all must be guided by some principles, including:

Principles of Purpose, Necessity, and Adequacy (art. 6, i, ii, and iii):

"The collection of personal data through the use of cookies must be limited to the minimum necessary for the accomplishment of legitimate, explicit, and specific purposes, considering the impossibility of subsequent processing incompatible with these purposes. In this sense, the purpose justifying the use of a specific category of cookies must be specific and informed to the data subject, and data collection must be compatible with that purpose..."

"...it cannot collect other personal data unrelated or incompatible with that purpose. Therefore, the indication of generic purposes, as is the case with the request for acceptance of general terms and conditions without indicating specific purposes for the use of cookies, is not allowed. Furthermore, the principle of necessity determines that processing should only include 'relevant, proportionate, and not excessive data in relation to the purposes of data processing.'"

Principles of Free Access and Transparency (art. 6, iv and vi):

"require the data processing agent to provide data subjects with clear, accurate, and easily accessible information about the processing, retention period, and specific purposes that justify the collection of their data through cookies. It is also important to provide information about the possible sharing of data with third parties and the rights guaranteed to the data subject, among other aspects indicated in art. 9 of LGPD."

"...Regarding the presentation, this information can be indicated, for example, in banners displayed after accessing a web page; and, in more detailed form, in policies or privacy banners that contain information about the cookie policy used by the data processing agent."

Data Subject Rights:

"among others, are especially relevant in the context of cookie use, the right to access, delete data, revoke consent, and object to processing, always through a free and facilitated procedure, as provided for in art. 18 of LGPD."

To comply with this legal requirement, it is advisable to provide data subjects with a mechanism for "cookie management," through which it is possible, for example, to review previously granted permissions, such as in the case of revoking consent related to the use of cookies for marketing purposes when that is the legal basis used.

"Violation of data subject rights will occur, especially when the collection is not supported by an appropriate legal basis and clear, accurate, and easily accessible information is not provided that gives the data subject the effective ability to understand and control the use of their personal data."

Termination of Processing and Elimination of Personal Data:

"LGPD provides that, as a general rule, personal data must be eliminated after the termination of processing, which may occur, for example, when the purpose is achieved or elimination is legitimately requested by the data subject..."

"The retention period for cookies must be compatible with the purposes of processing, limited to what is strictly necessary to achieve that purpose. Therefore, indefinite, excessive, or disproportionate retention periods in relation to the purposes of data processing are not compatible with LGPD."

Legal Bases:

"These are the scenarios in which LGPD authorizes the processing of personal data, as provided for in Article 7 and Article 11, the latter in the case of sensitive personal data. Thus, whenever personal data processing is involved, the use of cookies can only be admitted if the applicable legal base is identified by the controller, and the specific requirements stipulated for this purpose in LGPD are met."

Legal Bases

The ANPD's Guide highlights two main legal bases, Consent and Legitimate Interest, as "more common and relevant for the analyzed context." However, it does not limit the use of other legal bases, as long as they meet the requirements set out in LGPD:

"The indication made in this Guide is not exhaustive, as the collection of personal data through cookies may, eventually, rely on other legal bases, provided that the requirements established in LGPD are met."

Below are the definitions, in full, made by the ANPD regarding each legal base:

Legal Base - Consent

According to LGPD, consent must be free, informed, and unequivocal. Consent will be free when the data subject truly has the power to choose over the processing of their personal data. In other words, they must be assured the effective possibility to accept or refuse the use of cookies without negative consequences or interventions by the controller that may bias or harm their expression of will.

Due to this legal requirement, the "forced" obtaining of consent, i.e., conditioned on the full acceptance of cookie terms and conditions without providing effective options to the data subject, is not compatible with LGPD. However, it should be noted that the regularity of consent should be verified according to the context and specificities of each individual case, particularly whether the data subject is provided with a real and satisfactory alternative.

Consent must also be informed, requiring that the data subject be provided with all necessary information for an assessment and a conscious decision regarding authorization or refusal for the use of cookies. Thus, as mentioned earlier, clear, accurate, and easily accessible information must be provided to data subjects about the manner of processing, the retention period, and the specific purposes justifying the collection of their data through cookies, among other information indicated in Article 9 of LGPD.

It is important to note that this information is linked to the very use of personal data. Any change in the premises adopted for obtaining consent taints the legal base adopted, requiring new consent from the data subject or the use of another legal base, according to the new established premises and all necessary information.

Additionally, consent must be unequivocal, requiring the clear and positive expression of the data subject's will, and not allowing inference or obtaining it tacitly or through the data subject's omission. Therefore, given its incompatibility with LGPD provisions, it is not recommended to use cookie banners with pre-selected authorization options or to adopt mechanisms of tacit consent, such as the assumption that by continuing to browse a page, the data subject would consent to the processing of their personal data.

In the case of the collection of sensitive data based on the data subject's consent, it is necessary that, additionally, the consent be obtained in a specific and separate manner, as provided for in Article 11, i, of LGPD. Regarding the separate form, it is recommended that the authorization for the processing of sensitive data be separate from the main text or that resources be used to highlight it, indicating which sensitive data will be collected and for what specific purpose they will be used by the processing agent.

In any case, a simplified and free procedure for revoking consent provided for the use of cookies must be made available to the data subject, similar to the procedure used to obtain it. In this regard, Article 8, § 5, of LGPD states that "consent may be revoked at any time by the express manifestation of the data subject, through a free and facilitated procedure." The act of revocation is unilateral and must be complied with whenever requested by the data subject.

It is important to note that it is the controller's responsibility to prove that consent was obtained with respect to all parameters established by LGPD. Thus, it is a good practice to record and document all necessary requirements to prove that consent is free from defects and includes all necessary information.

Given what these legal requirements establish, it can be stated that it is not appropriate to use the legal base of consent in cases of strictly necessary cookies. This is because, in these cases, the collection of information is essential to ensure the operation of the web page or the proper provision of the service, so there are no effective conditions for free expression by the data subject or to ensure that they have a real choice between accepting or refusing the processing of their personal data.

Similarly, consent will not be the appropriate legal base if the processing is strictly necessary to fulfill legal obligations, especially when there is a clear and direct link between data collection through cookies and the exercise of typical state prerogatives by public entities and bodies. In any case, relevant information should be provided to data subjects in accordance with the principles of transparency and free access, and the exercise of their rights should be ensured, while observing the provisions of Article 23 of LGPD.

Thus, although there is no hierarchy or preference among the legal bases provided in LGPD, the use of consent will be more appropriate when collecting information through non-essential cookies. In these situations, the collection of information is not essential for the proper provision of the service or to ensure the operation of the web page. In fact, as seen earlier, non-essential cookies are related to non-essential functionalities of the service or web page, such as displaying ads or creating behavioral profiles. In these cases, it becomes possible to provide the user with a genuine option to accept or refuse the installation of cookies for one or more of these purposes, a central prerequisite for using the legal base of consent.
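The classification criteria and the consent rules quoted above can be checked mechanically against the cookies a site actually sets. The following is an added example, not code from the ANPD Guide or from the AdOpt platform: it parses captured `Set-Cookie` headers, classifies each cookie by responsible entity and retention period, and flags consent-based cookies set without an explicit opt-in. The hosts, cookie names, inventory, retention limits and sample headers are all constructed assumptions.

```javascript
// Added example: audit observed Set-Cookie headers against a cookie inventory.
// All hosts, cookie names, limits and headers below are constructed.
const DAY = 86400; // seconds

// Hypothetical inventory kept by the controller: purpose and legal basis per cookie.
const INVENTORY = {
  session_id: { purpose: "necessary", basis: "legitimate-interest" },
  lang: { purpose: "functionality", basis: "consent" },
  _stats: { purpose: "analytics", basis: "consent" },
  ad_uid: { purpose: "advertising", basis: "consent" },
};

// Assumed internal retention limits in days; the Guide sets no numeric limits.
const MAX_DAYS = { functionality: 180, analytics: 390, advertising: 90 };

// Extract the cookie name and its lifetime attributes from a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, i).trim().toLowerCase();
    const value = attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(value)) cookie.maxAge = parseInt(value, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) cookie.expires = Date.parse(value);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie. Max-Age wins over Expires.
function lifetimeSeconds(cookie, now) {
  if (cookie.maxAge !== null) return Math.max(cookie.maxAge, 0);
  if (cookie.expires !== null) return Math.max(Math.round((cookie.expires - now) / 1000), 0);
  return null;
}

// Simplification: a host is first-party when it equals siteDomain or is a subdomain of it.
// A production audit would compare registrable domains using the Public Suffix List.
function partyOf(host, siteDomain) {
  const h = host.toLowerCase();
  return h === siteDomain || h.endsWith("." + siteDomain) ? "first-party" : "third-party";
}

function auditCookies(observed, { siteDomain, consent, now }) {
  return observed.map(({ host, header }) => {
    const cookie = parseSetCookie(header);
    const entry = INVENTORY[cookie.name];
    const life = lifetimeSeconds(cookie, now);
    const row = {
      name: cookie.name,
      party: partyOf(host, siteDomain),
      retention: life === null ? "session" : life === 0 ? "deletion" : "persistent",
      lifetimeDays: life === null ? null : life / DAY,
      purpose: entry ? entry.purpose : "unclassified",
      findings: [],
    };
    if (row.retention === "deletion") return row; // server is clearing the cookie
    if (!entry) {
      row.findings.push("not-in-inventory");
      return row;
    }
    // Only an explicit `true` counts: absent or undefined consent is a refusal.
    if (entry.basis === "consent" && consent[entry.purpose] !== true) {
      row.findings.push("set-before-consent");
    }
    const limit = MAX_DAYS[entry.purpose];
    if (limit !== undefined && row.lifetimeDays !== null && row.lifetimeDays > limit) {
      row.findings.push("retention-over-limit");
    }
    return row;
  });
}

// Constructed capture of one page load on shop.example, before the visitor
// has answered the banner for analytics or advertising.
const SAMPLE = [
  { host: "shop.example", header: "session_id=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", header: "lang=pt-BR; Max-Age=2592000; Path=/" },
  { host: "shop.example", header: "_stats=v1.17; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example", header: "ad_uid=9f1c; Expires=Wed, 18 Oct 2023 00:00:00 GMT; SameSite=None; Secure" },
  { host: "shop.example", header: "old_pref=; Max-Age=0; Path=/" },
];
const SAMPLE_CONTEXT = {
  siteDomain: "shop.example",
  consent: { functionality: true },
  now: Date.UTC(2022, 9, 18),
};

for (const row of auditCookies(SAMPLE, SAMPLE_CONTEXT)) {
  console.log(row.name, row.party, row.retention, row.lifetimeDays, row.findings.join(",") || "ok");
}
```

Treating anything other than an explicit `true` as a refusal mirrors the requirement that consent be unequivocal and never inferred from silence or continued browsing.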

Legal Base - Legitimate Interest

Another legal base presented by the Guide is Legitimate Interest. For more information on Legal Bases, we have this article for you.

The guide provides excellent guidance on the application of the Legitimate Interest Base. Here are some of its key points.

The controller's interest will be considered legitimate when it is compatible with the legal framework and does not contradict the provisions of the law. In addition, the controller must assess, before carrying out any operation based on legitimate interest, whether, in the case at hand, the fundamental rights and freedoms of the data subject prevail, requiring the protection of personal data and therefore preventing the processing. As in any data processing operation, it is also important to prove the adoption of technical and administrative measures capable of safeguarding the operation and the data used, ensuring the security of processing and transparency for data subjects.
To be considered appropriate, the controller must ensure that the intended use, in addition to not infringing on rights and freedoms, could be reasonably foreseen by the data subject. That is, the data subject should be able to assume that such use could occur with their personal data based on the information provided by the controller at the time of data collection. In addition, it should be considered that, according to Article 18, § 2, the data subject has the right to object to processing based on legitimate interest if the requirements of LGPD are not met.
In general, legitimate interest may be the appropriate legal base in cases of using strictly necessary cookies, that is, those that are essential for the proper provision of the service or for the operation of the web page, which can be understood as a way to support and promote activities of the controller and provide services that benefit the data subject (Article 10, i and ii, LGPD).

A significant milestone in this guidance is the ANPD's position regarding the use of analytical or measurement cookies, which can be supported by the legal base of legitimate interest.

Here's the paragraph in full:

The use of cookies for audience measurement purposes (analytical or measurement cookies) may be supported by the legal base of legitimate interest in certain contexts, provided that the requirements of LGPD are observed in any case. In particular, it is reasonable to assume that audience measurement constitutes a legitimate interest of the controller, as well as that the risks to the privacy of data subjects will be lower when processing is limited to the specific purpose of identifying patterns and trends based on aggregated data and without combining them with other tracking mechanisms or creating user profiles.

As mentioned earlier, the possibility of cross-referencing data and drawing inferences that reach natural persons is real, especially when carried out by "major internet application providers." Unfortunately, the practice of sharing user analytical profiles with advertising initiatives is quite common.

Therefore, great attention and care are recommended for the use of this strategy. This is precisely why the ANPD emphasizes that:

"...legitimate interest is unlikely to be the most appropriate legal base in cases where data collected through cookies is used for advertising purposes. This is particularly evident if the collection is carried out through third-party cookies and when associated with practices that may pose a greater risk to the privacy and fundamental rights of data subjects, such as behavioral profiling, analysis, and prediction of preferences and behaviors, or tracking of users on different web pages."

It is a fact that in theory, analytical cookies are distinct from advertising cookies; however, market practice often shows the opposite, where these are commonly crossed and shared. Therefore, the distinction is necessary, and the use of another more appropriate legal base is recommended.

"So, consent may be considered a more appropriate legal base for the use of advertising cookies, subject to applicable legal requirements and the circumstances of the specific case. This conclusion is reinforced when considering that advertising cookies are classified as non-essential, and it is of paramount importance to respect data subjects' legitimate expectations,"

An Important Note

Going a little deeper into this contradiction, as mentioned above, in the last paragraph on page 24, the ANPD gives controllers the option to classify analytical cookies as essential, using the legal basis of legitimate interest.

It should be noted that this decision may not be the best, especially in light of the clarification made about the possibility of inference.

Here's the excerpt:

The use of cookies for audience measurement purposes (analytical or measurement cookies) may be supported by the legal base of legitimate interest in certain contexts, provided that the requirements of LGPD are observed in any case. In particular, it is reasonable to assume that audience measurement constitutes a legitimate interest of the controller, as well as that the risks to the privacy of data subjects will be lower when processing is limited to the specific purpose of identifying patterns and trends based on aggregated data and without the combination with other tracking mechanisms or the creation of user profiles.

Another contradiction arises when, on page 10 of the same document, while detailing the definition of non-essential cookies, the ANPD exemplifies the category as "cookies used to track behaviors."

Non-essential cookies: these are cookies that do not fit the definition of necessary cookies, and disabling them does not prevent the site, application, or service from functioning or the user from using the services. In this sense, non-essential cookies are related to non-essential functionalities of the service, application, or web page. Examples of non-essential cookies include, among others, those used to track behaviors, measure page or service performance, and display ads or other embedded content.

Furthermore, on page 20 of the Guide, the ANPD specifies that consent is the most appropriate legal basis for non-essential cookies, not legitimate interest.

Thus, although there is no hierarchy or preference among the legal bases provided in LGPD, the use of consent will be more appropriate when collecting information through non-essential cookies. In these situations, the collection of information is not essential for the proper provision of the service or to ensure the operation of the web page. In fact, as seen earlier, non-essential cookies are related to non-essential functionalities of the service or web page, such as displaying ads or creating behavioral profiles.
Important
It is essential to have a very clear distinction between analytical cookies and behavior tracking cookies. Using the nomenclature of the Guide itself: Building behavioral profiles vs. Tracking behaviors. There is a very thin line between the technologies used by them. A direct proof of this is that many tracking services have a branch of Analytics within their technologies, which can lead to confusion. Additionally, many are translated and presented in the market simply as behavior analysis services.

Therefore, we recommend a thorough analysis of these services by the Data Controllers of the companies. As tracking cookies, you can find popular services such as "heatmaps," DMPs, CMPs, persistent cookies from Marketing automation platforms, and more.

Important
That said, we emphasize that all AdOpt customers retain complete freedom to classify their Cookies and LocalStorage freely. This includes analytical cookies, such as those from Google Analytics, following the ANPD's guidance.

However, we understand that this would not be the most "pro-privacy of citizens" decision.

Since internet giants are precisely the most capable ones, they could easily generate statistical inferences and crossovers, reaching natural persons with extreme ease.

The ANPD itself, on page 13, mentions this "asymmetry" between citizens and "major internet application providers." Here's the excerpt:

Personal data collected from interactions on a website, app, or digital service can reveal various aspects of people's personalities and behavior. In such contexts, these individuals are placed in a more vulnerable position, especially in the face of information asymmetry concerning major internet application providers, which are responsible for processing massive amounts of personal data or when the purposes of processing are not presented clearly, precisely, and easily accessible.

One of these "major providers" is Alphabet (Google), which, for example, not only has the Analytics service that generates an 'anonymized' identifier for the visitor but also has the browser (Chrome), the device (Nexus and Chromebooks), the operating system (Android), the entire search and advertising network (Ads), email (Gmail), Maps, Earth, Waze, Photos, and more.

All these identifiers, even if initially anonymized, can be easily cross-referenced, since all these services fall under the same corporate group's privacy policy, which allows unrestricted information sharing within the group.

The Guide itself, when classifying Advertising Cookies, informs that they are capable of identifying the user.

Advertising cookies: these are used to collect information from the data subject for the purpose of displaying ads. More specifically, by collecting information about the user's browsing habits, advertising cookies allow for identification, profile building, and the display of personalized ads based on their interests.

Therefore, our recommendation to clients, especially those whose website visitors are from European Union countries, is to keep their analytical cookies NOT CLASSIFIED AS ESSENTIAL. Also, exercise extra caution when using behavior mapping services to ensure a clear distinction between what could be supported by each legal basis, as required by the legislation.

We understand that this topic may be questioned under the GDPR and other regulations in the future, given the case law already built up on this same point.

In Europe, the trend is that Google Analytics may not be compliant for unrestricted use.

At the beginning of 2022, in France, it was already listed as "Non-compliant," and in Austria there are also decisions against its use, following the same understanding. This would naturally veto its use as an essential cookie, especially in these countries and, consequently, by their citizens.

Nowadays, there are already a number of services that do not use cookies and are 100% anonymous for the same analytical purpose, and they are constantly improved and updated to meet this demand. An example is Fathom.

Finally, it is worth noting that these services are not prohibited. However, their indiscriminate use may be seen as contrary to the parameters of these legislations.

Cookie Policy

Another significant recommendation from the ANPD is the creation of the so-called Cookie Policy. Reinforcing the principles of transparency, this document "is a public statement that provides information to users of a website or application." According to the ANPD, the Cookie Policy should:

"...present information about the specific purposes that justify the collection of personal data through cookies, the retention period, and whether there is sharing with third parties, among other aspects indicated in art. 9 of the LGPD."

Regarding the need to distinguish between a Cookie Policy and a Cookie Banner:

"It is important to differentiate between a Cookie Policy and a Cookie Banner. The Cookie Banner is a visual feature used in the design of applications or websites on the internet, which uses highlighted reading bars to inform the data subject, in a summarized, simple, and direct manner, about the use of cookies in that environment. In addition, the banner provides tools for the user to have greater control over the processing, such as allowing them to consent or not to certain types of cookies. There are various ways to create a Cookie Banner, and best practices..."
"On the other hand, the Cookie Policy is usually made available on a specific page that contains more detailed information on the subject, generally accessible through a link presented in the banner. It can also be integrated, prominently and easily accessible, into the Privacy Notice (or "Privacy Policy") - the public declaration of the data controller about the processing of personal data in a general way. In some cases, the data controller prefers to include their Cookie Policy in the cookie banner, meaning that the set of information about the use of cookies appears in various layers of the banner."

Regarding the option for the controller to include their cookie policy "diluted" in the cookie banner:

"...regardless of the mechanism adopted, what matters is that clear, precise, and easily accessible information is provided about the use of cookies and the collection of personal data when the data subject accesses a particular website, service, or application, in compliance with the principles of transparency and free access and with art. 9 of the LGPD."

Cookie Banners

According to the ANPD, popular Cookie Banners "embody the principles provided for in the LGPD, especially those of transparency and free access..., contributing to the data subject's process of making conscious decisions, providing control over their personal data, and respecting their legitimate expectations."

Below are some of the best practices listed in the ANPD's Guide: Cookies and Personal Data Protection.

What to consider when creating a cookie banner

FIRST-LEVEL BANNERS

1 - Provide a button that allows the rejection of all unnecessary cookies, easily visible, in first and second-level banners.

2 - Provide an easily accessible link for the data subject to exercise their rights, which may include, for example, obtaining more details about how their data is used and the retention period, as well as requesting data deletion, objecting to processing, or revoking consent.

This is the link that will be provided in the AdOpt banner.

[Image: new AdOpt cookie banner 1]

SECOND-LEVEL BANNERS

  1. Categorize cookies in the second-level banner.

  2. Describe the cookie categories according to their uses and purposes.

  3. Provide simple, clear, and precise descriptions and information about these purposes.

  4. Allow consent to be obtained for each specific purpose, according to the categories identified in the second-level banner, where applicable.

  5. Disable consent-based cookies by default.

  6. Provide information on how to block cookies through browser settings. If the cookie or tracker cannot be disabled through the browser, the data subject should be informed.

[Image: new AdOpt cookie banner]

What to avoid when creating cookie banners

Below are discouraged practices when creating cookie banners on websites.

A - Use a single button in the first-level banner ("agree," "accept," "acknowledge," etc.), without the option to manage cookies, when consent is the legal basis used. See an example below.

[Image: example cookie notice]

B - Make it difficult to see or understand the buttons to reject cookies or configure cookies, giving greater prominence only to the accept button.

C - Prevent or make it difficult to reject all unnecessary cookies.

D - Present unnecessary cookies as enabled by default, requiring manual deactivation by the data subject.

Learn here how to configure AdOpt so that all unnecessary cookies are disabled by default.

E - Fail to provide a second-level banner.

F - Fail to provide information and a direct, simplified mechanism for data subjects to exercise their rights to revoke consent and object to processing (in addition to browser blocking settings).

G - Make cookie management difficult (e.g., not providing specific management options for cookies with different purposes).

H - Present information about the cookie policy only in a foreign language.

Learn here about AdOpt's banner, which automatically recognizes over 2 languages based on the visitor's browser.

I - Present an excessively granular list of cookies, generating so much information that it becomes difficult to understand and can lead to fatigue, preventing a clear and positive expression of the data subject's will.

J - When using consent as the legal basis, link its acquisition to the full acceptance of cookie usage conditions, without providing effective options to the data subject.

SOURCE: ANPD's Guide on Cookies and Personal Data Protection, in full
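One way to implement the consent handling described in the two lists above (consent-based cookies off by default, consent per purpose, a single reject-all action, direct revocation), as an added JavaScript example that is not AdOpt's or the ANPD's code. The category names, purposes and tag list are constructed for illustration.

```javascript
// Added example: category names, purposes and tags below are constructed.
const CATEGORIES = {
  necessary: { consentBased: false, purpose: "Session and security of the site" },
  analytics: { consentBased: true, purpose: "Measure visits and page performance" },
  marketing: { consentBased: true, purpose: "Show and measure advertising" },
};

function createConsentStore() {
  const state = {};
  // Consent-based categories start disabled; only necessary cookies are on.
  for (const [name, cat] of Object.entries(CATEGORIES)) state[name] = !cat.consentBased;

  const set = (name, value) => {
    if (!Object.prototype.hasOwnProperty.call(CATEGORIES, name)) {
      throw new Error(`unknown category: ${name}`);
    }
    // Necessary cookies do not depend on consent, so they are never toggled.
    if (CATEGORIES[name].consentBased) state[name] = value;
  };
  const setAll = (value) => Object.keys(CATEGORIES).forEach((n) => set(n, value));

  return {
    grant: (name) => set(name, true),        // consent per specific purpose
    revoke: (name) => set(name, false),      // revoking is as direct as granting
    acceptAll: () => setAll(true),
    rejectAll: () => setAll(false),          // one action rejects all unnecessary cookies
    allows: (name) => state[name] === true,  // uncategorized tags fail closed
    snapshot: () => ({ ...state }),
  };
}

// Names of the tags that may be loaded under the data subject's current choices.
function tagsToLoad(store, tags) {
  return tags.filter((t) => store.allows(t.category)).map((t) => t.name);
}

const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "page-stats", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
  { name: "legacy-widget", category: "uncategorized" }, // never mapped to a purpose
];

const store = createConsentStore();
console.log("first visit:", tagsToLoad(store, SAMPLE_TAGS));
store.grant("analytics");
console.log("after analytics consent:", tagsToLoad(store, SAMPLE_TAGS));
store.rejectAll();
console.log("after reject all:", tagsToLoad(store, SAMPLE_TAGS));
```

A tag whose category was never described to the data subject is not loaded even after "accept all", which keeps the banner's categories and the site's actual tags from drifting apart.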

Have you chosen a cookie banner for your website?

At AdOpt, we work 24/7 to ensure that your website is 100% compliant with national and international privacy standards (LGPD, GDPR, CCPA, CNIL...). Always in a quick, direct manner without disrupting your site's design.

Currently, thousands of websites use AdOpt's technology for compliance, starting from the free plan. Every month, we manage billions of consents in more than 45 countries!

Get in touch with an AdOpt specialist now and check this off your to-do list.
