Brazil: New Cookie recommendations – The Brazilian data protection authority (ANPD) has published new guidance on cookies.
The guidelines aim to highlight both beneficial and detrimental behaviors connected to the usage of cookie banners and policies. Also included are recommendations on what to avoid when creating cookie banners and standards and best practices related to cookie policies and cookie banners.
The ANPD also emphasized that the guidelines are open to comments and contributions from the public, stating that suggestions could be submitted to the ANPD Ombudsman via the Fala.BR Platform. You can access the news release here and the guideline here (available in Portuguese).
Without further ado, let’s jump straight into the new guidance on cookie recommendations.
The new guidelines offer clear recommendations in regard to cookie policies, stating that you must provide your users with information on:
Your cookie policy must be accessible through a link in the cookie banner and be easily accessible if integrated with the Privacy Policy.
The Authority provides a number of options for you to present the Cookie Policy to users.
💡 Did you know that with iubenda’s Privacy Controls and Cookie Solution, you can automatically link your cookie policy to your cookie banner? Not using iubenda’s privacy and cookie policy? Not to worry, our Privacy Controls and Cookie Solution also allows you to link your own, see the image below.
The Authority advises against using buttons of differing prominence on the initial layer of the banner. This means that the “Accept” and “Reject” buttons, as well as the “management option” button for non-necessary cookies, must all be the same.
The example below illustrates the first layer conceived by the Authority, with the three buttons mentioned above.
Reject button: your banner’s “Reject” button must be easily visible in both the first and second layers of the banner.
The wording proposed by the Authority for this button is the following:
“Reject cookies that are not necessary”.
Accept button: your banner’s “Accept” button must be as prominent as the “Reject” button.
The wording proposed by the Authority for this button is the following:
“Accept all cookies”
Management option: The management option on your cookie banner must redirect your users to the second layer of the banner to allow the granular provision of consent on the basis of the categories of non-necessary cookies.
The wording proposed by the Authority for this button is the following:
“Select cookies”
Link for the exercise of rights: the banner must include an easily accessible link that allows your users to exercise their rights. These rights include, by way of example:
In the second layer of the banner, you must obtain consent per purpose according to the categories disclosed.
However, the list of cookies presented for the consent collection must not be too granular, as this could hinder the users from expressing their will clearly.
💡 iubenda’s Privacy Controls and Cookie Solution allows you to obtain granular consent by means of toggles.
You must display the cookies grouped per category. The categories are described on the basis of the use and purposes of cookies. Users should be able to give their specific consent to each category of cookies separately.
You must provide a simple, clear, and precise description of the purposes for which the categories of cookies are installed.
Pre-ticked boxes are not allowed. The Authority specifies that cookies based on consent must be disabled by default, see the image below. Manual deactivation is also considered not in line with the guidance.
In the second layer of the banner, information on how to block cookies through the browser settings must be provided. If it is not possible to disable the cookie or tracker in this way, you must inform users about it (see the image below).
You must provide your users with the possibility to revoke the consent provided for the use of cookies at any time in a simplified and free-of-charge manner. The procedure must be similar to the one used to obtain consent.
Even if your website merely uses strictly necessary cookies, you are still subject to the requirement related to the cookie policy, as the principle of transparency and free access, as well as the exercise of data subjects’ rights, equally apply.
The guidance includes a non-exhaustive list of cookie categories based on the most popular types of cookies and according to the following aspects:
The Authority clarifies in the guidance that the legal bases of consent and legitimate interests are the “most usual and relevant to the context analyzed”.
However, if the LGPD standards are met, we can expect that gathering personal data via cookies may rely on other legal bases.
Do you have users in more than one country (e.g., Brazil AND Portugal) and need to comply with multiple laws?
With iubenda, it is easy to meet Brazil’s cookie recommendations. Just start generating, and our configuration wizard suggests the right settings, like LGPD protection, based on where you and your users are based.
Our Solution also comes with a geo-location feature so that you’re always displaying the right notice and policies to the users you need to.
And did we mention that our clauses are updated when the law changes to help you stay compliant?
For your convenience, we’ve created a brief checklist of the steps you must take to comply with Brazil’s latest cookie recommendations.