The National Data Protection Authority launched the "Guidance on Cookies and Personal Data Protection" on October 18, 2022. This document is eagerly awaited by industry professionals and holds significant importance as it explores various applicable legal scenarios and defines the requirements to be followed when using cookies. As emphasized in the document itself, it does not aim to exhaust the discussions already made but highlights what should be more aligned with the Authority's interpretation.
Once again, ANPD reinforces the importance of Privacy by Design, and it highlights right at the beginning of the Guide that one of the main problems related to cookies is the lack of transparency. Here is the full excerpt:
LGPD, despite being new, is already in effect, and its Article 5 has always contained definitions that anticipated this direction. The definitions of personal data, controller and processor, anonymization, and consent have not been reformed or altered at any point.
XII - consent: free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose;
Before the publication of the Guidance, AdOpt has always focused its work on the above-mentioned excerpt, as well as Article 6 and its various paragraphs, including specifically:
I - purpose: processing for legitimate, specific, explicit, and informed purposes, without the possibility of subsequent processing that is incompatible with these purposes;
IV - free access: ensuring data subjects have easy and free access to information about the manner and duration of processing, as well as the entirety of their personal data;
VI - transparency: ensuring data subjects receive clear, accurate, and easily accessible information about the processing and the respective data processing agents, while respecting commercial and industrial secrets;
It was precisely on the above excerpts, and on the experience analyzed under the European ePrivacy rules, that AdOpt has always based its design and features. Now, with the Guidance, nothing changes: all processes will be adjusted to ensure compliance and adequacy for all our customers, including those on the free plan.
Below are the main observations from AdOpt regarding the new Guidance from ANPD and its immediate direction towards the updates that will be incorporated into the AdOpt platform for all its customers.
ANPD does not necessarily bring new concepts to the technology of cookies. However, it reaffirms that even though files are often encrypted or "anonymized," there is a "possibility of identifying the natural person" through "inference or cross-referencing."
Most technical professionals already knew this from experience. Still, many insisted that such cross-referencing would not be possible, limiting their analysis to the reality of smaller and less digitized companies and ignoring this warning.
With ANPD's emphasis, this dilemma ceases.
Up until now, Categories of Cookies have been imported from other regulations and are the way in which cookies can be classified. This classification is not definitive, and ANPD itself states that new categories may emerge, and some cookies may be classified in more than one category.
In this Guide, some of the most commonly used categories will be presented, in a non-exhaustive manner, organized by the types of most common cookies. It's important to consider that the same cookie can be included in more than one category.
To this end, the Guide presents four criteria for organizing cookies. Below are each of them and their respective descriptions, summarized:
Entity responsible for their management:
First-party cookies "are cookies set directly by the website or application the user is visiting. First-party cookies generally cannot be used to track user activity on a different site other than the original site where it was placed. These types of cookies may include information such as login credentials, items in the shopping cart, or preferred language."
Third-party cookies "are cookies created by a domain other than the one the user is visiting. They result from functionalities of other domains that are incorporated into a web page, such as displaying ads."
Necessary cookies "are those used for the website or application to perform basic functions and operate correctly. Therefore, collecting information is essential to ensure the functioning of the web page or the proper provision of the service. ~~Thus, activities covered as strictly necessary include those related to the specific functionality of the service, in other words, without them, the user would not be able to perform the main activities of the website or application.~~ This category is limited to what is essential to provide the service requested by the user, not including non-essential purposes that serve other interests of the controller."
Non-necessary cookies "are cookies that do not fall within the definition of necessary cookies and disabling them does not prevent the functioning of the website or application or the use of services by the user. In this sense, non-necessary cookies are related to non-essential functionalities of the service, application, or web page. Examples of non-necessary cookies include, among others, those used to track behaviors, measure the performance of the page or service, as well as display ads or other embedded content."
Analytical or Performance Cookies "allow the collection of data and information about how users use the site, which pages they visit most frequently on that site, the occurrence of errors, or information about the performance of the site or application."
Functionality Cookies "are used to provide the basic services requested by the user and allow remembering preferences of the website or application, such as username, region, or language. Functionality cookies may include first-party or third-party cookies, as well as persistent or session cookies."
Advertising Cookies "are used to collect information from the user for the purpose of displaying ads. More specifically, through the collection of information related to user browsing habits, advertising cookies allow for user identification, the creation of profiles, and the display of personalized ads according to their interests."
Session or Temporary Cookies "are designed to collect and store information while users access a website. They are usually discarded after the session ends, that is, after the user closes the browser. They are regularly used to store information that is only relevant for providing a service requested by users or for a specific temporary purpose, as typically occurs with a list of products in the shopping cart of an online store."
Persistent Cookies "data collected through these cookies are stored and can be accessed and processed for a period defined by the controller, which can vary from a few minutes to several years. In this regard, it should be assessed on a case-by-case basis whether the use of persistent cookies is necessary, as privacy threats can be reduced with the use of session cookies. In any case, when persistent cookies are used, it is advisable to limit their duration as much as possible, considering the purpose for which they were collected and will be processed..."
Below are some of the main concepts and definitions covered in the document:
- Major providers and the asymmetry with the end user:
"Personal data collected from interactions on a website, application, or digital service can reveal various aspects of people's personality and behavior. In such contexts, these individuals are placed in a position of greater vulnerability, especially in the face of information asymmetry with regard to major internet application providers, who are responsible for processing a massive amount of personal data or when the purposes of processing are not presented clearly, precisely, and easily accessible."
- The Marco Civil da Internet already provided strong protection for personal data, which has been expanded by LGPD.
- Whether cookies or other tracking technologies, all must be guided by some principles, including:
Principles of Purpose, Necessity, and Adequacy (art. 6, i, ii, and iii):
Principles of Free Access and Transparency (art. 6, iv and vi):
"require the data processing agent to provide data subjects with clear, accurate, and easily accessible information about the processing, retention period, and specific purposes that justify the collection of their data through cookies. It is also important to provide information about the possible sharing of data with third parties and the rights guaranteed to the data subject, among other aspects indicated in art. 9 of LGPD."
Data Subject Rights:
"among others, are especially relevant in the context of cookie use, the right to access, delete data, revoke consent, and object to processing, always through a free and facilitated procedure, as provided for in art. 18 of LGPD."
"Violation of data subject rights will occur, especially when the collection is not supported by an appropriate legal basis and clear, accurate, and easily accessible information is not provided that gives the data subject the effective ability to understand and control the use of their personal data."
Termination of Processing and Elimination of Personal Data:
"LGPD provides that, as a general rule, personal data must be eliminated after the termination of processing, which may occur, for example, when the purpose is achieved or elimination is legitimately requested by the data subject..."
"The retention period for cookies must be compatible with the purposes of processing, limited to what is strictly necessary to achieve that purpose. Therefore, indefinite, excessive, or disproportionate retention periods in relation to the purposes of data processing are not compatible with LGPD."
The ANPD's Guidance highlights two main legal bases, Consent and Legitimate Interest, as "more common and relevant for the analyzed context." However, it does not limit the use of other legal bases, as long as they meet the requirements set out in LGPD:
"The indication made in this Guide is not exhaustive, as the collection of personal data through cookies may, eventually, rely on other legal bases, provided that the requirements established in LGPD are met."
Below are the definitions, in full, made by the ANPD regarding each legal base:
Due to this legal requirement, the "forced" obtaining of consent, i.e., conditioned on the full acceptance of cookie terms and conditions without providing effective options to the data subject, is not compatible with LGPD. However, it should be noted that the regularity of consent should be verified according to the context and specificities of each individual case, particularly whether the data subject is provided with a real and satisfactory alternative.
It is important to note that this information is linked to the very use of personal data. Any change in the premises adopted for obtaining consent taints the legal base adopted, requiring new consent from the data subject or the use of another legal base, according to the new established premises and all necessary information.
Additionally, consent must be unequivocal, requiring the clear and positive expression of the data subject's will, and not allowing inference or obtaining it tacitly or through the data subject's omission. Therefore, given its incompatibility with LGPD provisions, it is not recommended to use cookie banners with pre-selected authorization options or to adopt mechanisms of tacit consent, such as the assumption that by continuing to browse a page, the data subject would consent to the processing of their personal data.
In the case of the collection of sensitive data based on the data subject's consent, it is necessary that, additionally, the consent be obtained in a specific and separate manner, as provided for in Article 11, i, of LGPD. Regarding the separate form, it is recommended that the authorization for the processing of sensitive data be separate from the main text or that resources be used to highlight it, indicating which sensitive data will be collected and for what specific purpose they will be used by the processing agent.
It is important to note that it is the controller's responsibility to prove that consent was obtained with respect to all parameters established by LGPD. Thus, it is a good practice to record and document all necessary requirements to prove that consent is free from defects and includes all necessary information.
Given what these legal requirements establish, it can be stated that it is not appropriate to use the legal base of consent in cases of strictly necessary cookies. This is because, in these cases, the collection of information is essential to ensure the operation of the web page or the proper provision of the service, so there are no effective conditions for free expression by the data subject or to ensure that they have a real choice between accepting or refusing the processing of their personal data.
Similarly, consent will not be the appropriate legal base if the processing is strictly necessary to fulfill legal obligations, especially when there is a clear and direct link between data collection through cookies and the exercise of typical state prerogatives by public entities and bodies [5]. In any case, relevant information should be provided to data subjects in accordance with the principles of transparency and free access, and the exercise of their rights should be ensured, while observing the provisions of Article 23 of LGPD.
Thus, although there is no hierarchy or preference among the legal bases provided in LGPD, the use of consent will be more appropriate when collecting information through non-essential cookies. In these situations, the collection of information is not essential for the proper provision of the service or to ensure the operation of the web page. In fact, as seen earlier, non-essential cookies are related to non-essential functionalities of the service or web page, such as displaying ads or creating behavioral profiles. In these cases, it becomes possible to provide the user with a genuine option to accept or refuse the installation of cookies for one or more of these purposes, a central prerequisite for using the legal base of consent.
Another legal base presented by the Guidance is Legitimate Interest. For more information on legal bases, we have this article for you.
The guide provides excellent guidance on the application of the Legitimate Interest Base. Here are some of its key points.
The controller's interest will be considered legitimate when it is compatible with the legal framework and does not contradict the provisions of the law. In addition, the controller must assess, before carrying out any operation based on legitimate interest, whether, in the case at hand, the fundamental rights and freedoms of the data subject prevail, requiring the protection of personal data and therefore preventing the processing. As in any data processing operation, it is also important to prove the adoption of technical and administrative measures capable of safeguarding the operation and the data used, ensuring the security of processing and transparency for data subjects.
To be considered appropriate, the controller must ensure that the intended use, in addition to not infringing on rights and freedoms, could be reasonably foreseen by the data subject. That is, the data subject should be able to assume that such use could occur with their personal data based on the information provided by the controller at the time of data collection. In addition, it should be considered that, according to Article 18, § 2, the data subject has the right to object to processing based on legitimate interest if the requirements of LGPD are not met.
In general, legitimate interest may be the appropriate legal base in cases of using strictly necessary cookies, that is, those that are essential for the proper provision of the service or for the operation of the web page, which can be understood as a way to support and promote activities of the controller and provide services that benefit the data subject (Article 10, i and ii, LGPD).
A significant milestone in this guidance is the ANPD's position regarding the use of analytical or measurement cookies, which can be supported by the legal base of legitimate interest.
Here's the paragraph in full:
As mentioned earlier, the possibility of data cross-referencing and inferences that reach natural persons is real, especially when carried out by "major internet application providers." Unfortunately, the practice of sharing users' analytical profiles with advertising initiatives is quite common.
Therefore, great attention and care are recommended for the use of this strategy. This is precisely why the ANPD emphasizes that:
"...legitimate interest is unlikely to be the most appropriate legal base in cases where data collected through cookies is used for advertising purposes. This is particularly evident if the collection is carried out through third-party cookies and when associated with practices that may pose a greater risk to the privacy and fundamental rights of data subjects, such as behavioral profiling, analysis, and prediction of preferences and behaviors, or tracking of users on different web pages."
It is a fact that in theory, analytical cookies are distinct from advertising cookies; however, market practice often shows the opposite, where these are commonly crossed and shared. Therefore, the distinction is necessary, and the use of another more appropriate legal base is recommended.
"So, consent may be considered a more appropriate legal base for the use of advertising cookies, subject to applicable legal requirements and the circumstances of the specific case. This conclusion is reinforced when considering that advertising cookies are classified as non-essential, and it is of paramount importance to respect data subjects' legitimate expectations,"
Going a little deeper into this contradiction, as mentioned above, in the last paragraph on page 24, the ANPD gives controllers the option to classify analytical cookies as essential, using the legal basis of legitimate interest.
It should be noted that this decision may not be the best, especially in light of the clarification made about the possibility of inference.
Here's the excerpt:
Another contradiction arises when, on page 10 of the same document, while detailing the definition of non-essential cookies, the ANPD exemplifies the category as "cookies used to track behaviors."
Non-essential cookies: these are cookies that do not fit the definition of necessary cookies, and disabling them does not prevent the site, application, or service from functioning or the user from using the services. In this sense, non-essential cookies are related to non-essential functionalities of the service, application, or web page. Examples of non-essential cookies include, among others, those used to track behaviors, measure page or service performance, and display ads or other embedded content.
Furthermore, on page 20 of the Guide, the ANPD specifies that consent is the most appropriate legal basis for non-essential cookies, not legitimate interest.
Thus, although there is no hierarchy or preference among the legal bases provided in LGPD, the use of consent will be more appropriate when collecting information through non-essential cookies. In these situations, the collection of information is not essential for the proper provision of the service or to ensure the operation of the web page. In fact, as seen earlier, non-essential cookies are related to non-essential functionalities of the service or web page, such as displaying ads or creating behavioral profiles.
It is essential to have a very clear distinction between analytical cookies and behavior tracking cookies. Using the nomenclature of the Guide itself: building behavioral profiles vs. tracking behaviors. There is a very thin line between the technologies they use. Direct proof of this is that many tracking services include an analytics branch within their technologies, which can lead to confusion. Additionally, many are translated and presented in the market simply as behavior analysis services.
Therefore, we recommend a thorough analysis of these services by the Data Controllers of the companies. As tracking cookies, you can find popular services such as "heatmaps," DMPs, CMPs, persistent cookies from Marketing automation platforms, and more.
That said, we emphasize that all AdOpt customers retain complete freedom to classify their cookies and LocalStorage entries as they see fit. This includes analytical cookies, such as those from Google Analytics, following the ANPD's guidance.
However, we understand that this would not be the most "pro-privacy of citizens" decision.
Since the internet giants are precisely the most capable actors, they could easily generate statistical inferences and cross-references, reaching natural persons with extreme ease.
The ANPD itself, on page 13, mentions this "asymmetry" between citizens and "major internet application providers." Here's the excerpt:
Personal data collected from interactions on a website, app, or digital service can reveal various aspects of people's personalities and behavior. In such contexts, these individuals are placed in a more vulnerable position, especially in the face of information asymmetry concerning major internet application providers, which are responsible for processing massive amounts of personal data or when the purposes of processing are not presented clearly, precisely, and easily accessible.
One of these "major providers" is Alphabet (Google), which, for example, not only has the Analytics service that generates an "anonymized" identifier for the visitor but also has the browser (Chrome), devices (Nexus and Chromebooks), the operating system (Android), the entire search and advertising network (Ads), email (Gmail), Maps, Earth, Waze, Photos, and more.
The Guide itself, when classifying Advertising Cookies, informs that they are capable of identifying the user.
Advertising cookies: these are used to collect information from the data subject for the purpose of displaying ads. More specifically, by collecting information about the user's browsing habits, advertising cookies allow for identification, profile building, and the display of personalized ads based on their interests.
Therefore, our recommendation to clients, especially those whose website visitors are from European Union countries, is to keep their analytical cookies NOT CLASSIFIED AS ESSENTIAL. Also, exercise extra caution when using behavior mapping services to ensure a clear distinction between what could be supported by each legal basis, as required by the legislation.
We understand that this topic may be questioned by the GDPR and other regulations in the future, given the various jurisprudences created on this same point in the past.
In Europe, the trend is that Google Analytics may not be compliant for unrestricted use.
At the beginning of 2022 it had already been declared "non-compliant" in France, and in Austria there are also decisions against its use, following the same understanding. This would naturally veto its use as an essential cookie, especially in these countries and, consequently, for their citizens.
Finally, it is worth noting that these services are not prohibited. However, their indiscriminate use may be seen as contrary to the parameters of these legislations.
"...present information about the specific purposes that justify the collection of personal data through cookies, the retention period, and whether there is sharing with third parties, among other aspects indicated in art. 9 of the LGPD."
According to the ANPD, popular Cookie Banners "embody the principles provided for in the LGPD, especially those of transparency and free access..., contributing to the data subject's process of making conscious decisions, providing control over their personal data, and respecting their legitimate expectations."
Below are some of the best practices listed in the ANPD's Guide: Cookies and Personal Data Protection.
1 - Provide a button that allows the rejection of all unnecessary cookies, easily visible, in first and second-level banners.
2 - Provide an easily accessible link for the data subject to exercise their rights, which may include, for example, obtaining more details about how their data is used and the retention period, as well as requesting data deletion, objecting to processing, or revoking consent.
3 - Categorize cookies in the second-level banner.
4 - Describe the cookie categories according to their uses and purposes.
5 - Provide simple, clear, and precise descriptions and information about these purposes.
6 - Allow consent to be obtained for each specific purpose, according to the categories identified in the second-level banner, where applicable.
7 - Disable consent-based cookies by default.
8 - Provide information on how to block cookies through browser settings. If the cookie or tracker cannot be disabled through the browser, the data subject should be informed.
Below are discouraged practices when creating cookie banners on websites.
A - Use a single button in the first-level banner, without the option to manage cookies in case the legal basis of consent is used ("agree," "accept," "acknowledge," etc.); See an example below.
B - Make it difficult to see or understand the buttons to reject cookies or configure cookies, giving greater prominence only to the accept button.
C - Prevent or make it difficult to reject all unnecessary cookies.
D - Present unnecessary cookies as enabled by default, requiring manual deactivation by the data subject.
E - Not provide a second-level banner.
F - Not provide information and a direct, simplified mechanism for data subjects to exercise their rights to revoke consent and object to processing (in addition to browser blocking settings).
G - Make cookie management difficult (e.g., not providing specific management options for cookies with different purposes).
I - Present an excessively granular list of cookies, generating an excessive amount of information that makes it difficult to understand and can lead to fatigue, preventing a clear and positive expression of the data subject's will.
J - When using consent as the legal basis, link its acquisition to the full acceptance of cookie usage conditions, without providing effective options to the data subject.
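As an added illustration of the best practices and discouraged practices listed above, together with the consent requirements quoted earlier (explicit and per purpose, off by default, documented by the controller, invalidated when the premises change) and the Guide's advice to keep persistent cookies as short-lived as possible, here is a small consent store in JavaScript. This is example code added by the editor, not AdOpt's platform code and not anything from the ANPD Guide; the category names, the policy-version scheme, the sample cookie catalogue and the 13-month cap on persistent cookies are assumptions chosen for the example.

```javascript
// Added example (not AdOpt's or the ANPD's code). A minimal consent store that
// applies the banner rules from the text: consent-based categories are off by
// default, consent is an explicit per-category decision (no tacit consent, no
// pre-selected options), "reject all" is a first-class action, each decision is
// recorded with a timestamp and policy version so the controller can prove it,
// and a decision recorded under an earlier policy version no longer counts.
// Category names, the policy-version scheme and the catalogue are assumptions.

const CATEGORIES = Object.freeze({
  necessary: { consentBased: false },     // strictly necessary: not consent-based
  functionality: { consentBased: true },
  analytics: { consentBased: true },
  advertising: { consentBased: true },
});

const CONSENT_CATEGORIES = Object.keys(CATEGORIES).filter(
  (c) => CATEGORIES[c].consentBased
);

// State before any interaction: nothing consent-based may run.
function initialState() {
  return { record: null };
}

// Record an explicit decision. `choices` must carry a boolean for every
// consent-based category; a missing value means "no decision" and is rejected
// instead of being defaulted to true (no inferred or tacit consent).
function recordConsent(state, choices, policyVersion, now = Date.now()) {
  const decision = {};
  for (const cat of CONSENT_CATEGORIES) {
    if (typeof choices[cat] !== 'boolean') {
      throw new Error(`no explicit decision for category "${cat}"`);
    }
    decision[cat] = choices[cat];
  }
  return { record: { decision, policyVersion, timestamp: now, source: 'banner' } };
}

// One-click "reject all unnecessary cookies": as easy as accepting.
function rejectAll(state, policyVersion, now = Date.now()) {
  const choices = Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, false]));
  return recordConsent(state, choices, policyVersion, now);
}

// Revocation is as simple as giving consent: the record is dropped.
function revokeConsent(state) {
  return { record: null };
}

// May this category set cookies right now? Necessary is always allowed; any
// other category needs a recorded, affirmative decision under the current policy.
function isAllowed(state, category, currentPolicyVersion) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown category "${category}"`);
  if (!meta.consentBased) return true;
  const r = state.record;
  if (!r) return false;                                       // default: off
  if (r.policyVersion !== currentPolicyVersion) return false; // premises changed
  return r.decision[category] === true;
}

// Given a catalogue (cookie name -> category), return the names that may be
// set. This is the gate placed in front of tag loading after the banner decision.
function allowedCookies(state, catalogue, currentPolicyVersion) {
  return Object.entries(catalogue)
    .filter(([, cat]) => isAllowed(state, cat, currentPolicyVersion))
    .map(([name]) => name);
}

// Build a Set-Cookie header value. Session cookies get no Max-Age; persistent
// cookies are clamped to `maxAgeCapSeconds` (13 months here, an assumed cap the
// controller would choose per purpose).
function buildSetCookie(name, value, { maxAgeSeconds, maxAgeCapSeconds = 13 * 30 * 24 * 3600 } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (typeof maxAgeSeconds === 'number') {
    parts.push(`Max-Age=${Math.min(maxAgeSeconds, maxAgeCapSeconds)}`);
  }
  return parts.join('; ');
}

// Constructed sample catalogue for the walkthrough below.
const CATALOGUE = {
  session_id: 'necessary',
  lang_pref: 'functionality',
  analytics_id: 'analytics',
  ad_id: 'advertising',
};

const POLICY_VERSION = 'cookie-policy-v1'; // assumed version label
let state = initialState();
console.log(allowedCookies(state, CATALOGUE, POLICY_VERSION)); // ['session_id']
state = recordConsent(state, { functionality: true, analytics: true, advertising: false }, POLICY_VERSION);
console.log(allowedCookies(state, CATALOGUE, POLICY_VERSION)); // ['session_id', 'lang_pref', 'analytics_id']
console.log(buildSetCookie('lang_pref', 'pt-BR'));             // session cookie, no Max-Age
```

The store is deliberately immutable (every operation returns a new state) so that the recorded decision can be persisted as-is and later produced as evidence; in a real deployment the policy version would be bumped whenever the purposes, categories or retention periods shown in the banner change, which automatically forces a fresh decision.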
At AdOpt, we work 24/7 to ensure that your website is 100% compliant with national and international privacy standards (LGPD, GDPR, CCPA, CNIL...). Always in a quick, direct manner without disrupting your site's design.
Currently, thousands of websites use AdOpt's technology for compliance, starting from the free plan. Every month, we manage billions of consents in more than 45 countries!
Get in touch with an AdOpt specialist now and check this off your to-do list.