Brazil’s new Cookie Consent Guidelines

Another day, another major shift in the international data privacy regulatory landscape. This time around, changes are happening in Brazil – and there’s a whole lot to know if you are, or are planning to, process citizens’ personal data in the country.

Brazil’s new cookie consent guidelines

Brazil’s Data Protection Authority Issues Guidance

On October 18th, 2022, Brazil’s central data protection agency, the National Data Protection Authority (ANPD), released long-awaited guidelines regarding its interpretation of the country’s data privacy law, the LGPD. They were created with the goal of providing clarity for organizations subject to the still-new piece of legislation and also outlining best practices to remain compliant with it.

Expectations for these guidelines were high, as some organizations hoped to see a more lenient interpretation of data processing that would make using third-party trackers like cookies in Brazil easier (or less difficult) than other regions. What ended up being released was more or less a balance of flexibility and tradition, with some concessions on issues such as legitimate interest but general policy remaining in-line with existing major laws like the GDPR.

What Should Organizations Know?

There are a few key changes and issues to be aware of in Brazil’s recently released guidelines. We’ll go over the most important through the following as well as explain what they mean for website owners.

Consent

The first and most important issue we should get out of the way here is consent. Luckily, it’s an element of little variation, as the ANPD’s interpretive guidelines have been specifically modeled by the GDPR and other prominent laws. Like these frameworks, they follow an opt-in model for consent, requiring that it be freely given by data subjects after proper disclosure of purpose. The guidelines also propagate the use of cookie banners, specifically those that have a top layer allowing individuals to easily opt-out of the use of any and all unnecessary third-party scripts.

Personally Identifiable Information

Brazil’s latest guidelines have hopped onto the growing trend we’ve seen over the past few years in regards to Personally Identifiable Information. They and other data privacy laws are looking beyond straightforward things like names and phone numbers to include more indirect pieces of identifiable information – namely behavioral profiles and inferences about individual users that can be cross-referenced across data sets – under their definition of ‘personal information’.

Legal Bases

The ANPD has been very straightforward regarding the legal bases upon which organizations may use third-party cookies online. It identifies two main circumstances – the first being consent, and the second legitimate interest.

Here’s a quick reminder of what each of those terms mean:
Consent – Consent refers to a person or entity’s explicit permission to use cookies.
Legitimate interest – Legitimate interest is a legal basis that stipulates processing user data is permissible if an organization has a reasonable purpose for doing so.

This approach is notably simpler than other major data privacy laws, especially those from the EU. They require that organizations undergo a much more intricate process that involves determining whether consent is necessary under ePrivacy rules and choosing one of not two – but six legal bases to justify their use of cookies.

Measurement and Analytics

Cookies for the use of measurement and analytics has been viewed in different ways by international data privacy laws to date. Some regulations like the GDPR prohibit them without consent, point blank. Others, including the LGPD, permit their autonomous use under certain circumstances. Recent guidance from the ANPD states that audience measurement and analytics via third-party scripts can be considered ‘legitimate interest’, and don’t necessarily require user consent. They do however go on to clarify that some situations – such as those that involve behavioral profiles, tracking or combining data – warrant user permission.

Mobile

Similarly to European laws, the ANPD’s recent release makes a point of noting that its guidelines apply to more than just cookies. It states that other tracking technologies (including those not used on websites) are also subject to regulatory provisions. Mobile devices are a main area of interest here – authorities want to ensure that tools like apps, which are as widely used as web pages, don’t have a loophole through which they can unlawfully process consumers’ personal data.

Remember: This Guidance Isn’t Technically a Law

To be clear, the information we’ve seen come out of Brazil over the past couple of weeks is officially non-binding. It simply illustrates the ANPD’s interpretation of the country’s data privacy law and introduces no new penalties.

But this doesn’t mean that it’s unimportant. The guidelines provide critical clarification regarding how the LGPD is understood by regulators and likewise how it will be applied. They serve as essential information to organizations who wish to remain compliant with Brazilian privacy policy and avoid the penalties of laws like the LGPD themselves.

In case you forgot, these include:

• As much as 2% of a company’s annual turnover in Brazil, up to 50 million Reais per infraction
• A prohibition of data processing activities by the ANPD
• An order to block or delete existing personal data by the ANPD

The ANPD’s power may grow over the coming years, as well. A new provisional measure recently passed by Brazil’s Federal Senate granted the authority status as an independent agency, effectively enhancing its ability to apply the LGPD.

Conclusion

Staying up-to-date with changes in the international data privacy landscape – wherever they may be – is pivotal to business success in today’s online world. Brazil’s latest release of guidance is just one example of how quickly things can change, and should likewise serve as a reminder to organizations that compliance can never, ever be put on the backburner.