🇧🇷 Brazil: New Cookie Requirements

The Brazilian data protection authority (ANPD) has published new guidance on cookies.

The guidelines aim to highlight both beneficial and detrimental behaviors connected to the usage of cookie banners and policies. Also included are recommendations on what to avoid when creating cookie banners, as well as standards and best practices related to cookie policies and cookie banners.

The ANPD also emphasized that the guidelines will be open to comments and contributions from the public, stating that suggestions could be submitted to the ANPD Ombudsman via the Fala.BR Platform. You can access the news release here and the guideline here (available in Portuguese).

Without further ado, let’s jump straight into the new guidance on cookie requirements 👇

📌 Cookie Policies 

The new guidelines offer clear requirements in regard to cookie policies, stating that you must provide your users with information on: 

  1. the specific purposes that justify the collection of personal data through cookies,
  2. the retention period, and
  3. sharing of personal data with third parties, if applicable.

Your cookie policy must be accessible through a link in the cookie banner and be easily accessible if integrated with the Privacy Policy.

The Authority provides a number of options for you to present the Cookie Policy to users:

  • as a specific section of the Privacy Policy;
  • in a specific and separate location; or
  • in the cookies banner.

💡 Did you know that with iubenda’s Cookie Solution, you can automatically link your cookie policy to your cookie banner? Not using iubenda’s privacy and cookie policy? Not to worry: our Cookie Solution also allows you to link your own (see the image below).

📌 The Cookie Banner

1. First layer of the banner (“Accept” and “Reject” buttons)

The Authority advises against buttons of differing prominence on the first layer of the banner: the “Accept” and “Reject” buttons, as well as the “management option” button for non-necessary cookies, must all be the same.

The example below illustrates the first layer conceived by the Authority, with the three buttons mentioned above.

Image: ANPD Guiding Handbook Cookies and Personal Data Protection 

Reject button: your banner’s “Reject” button must be easily visible in both the first and second layers of the banner.

The wording proposed by the Authority for this button is the following: 

“Reject cookies that are not necessary”.

Accept button: your banner’s “Accept” button must be as prominent as the “Reject” button.

The wording proposed by the Authority for this button is the following: 

“Accept all cookies”

Management option: The management option on your cookie banner must redirect your users to the second layer of the banner to allow the granular provision of consent on the basis of the categories of non-necessary cookies.

The wording proposed by the Authority for this button is the following: 

“Select cookies”

Link for the exercise of rights: the banner must include an easily accessible link that allows your users to exercise their rights. These rights include, by way of example: 

  • learning more about how their data is used and the retention period, 
  • requesting the deletion of data, 
  • objecting to the processing of data, 
  • revoking consent for the use of cookies.

2. Second layer of the banner 

Consent

In the second layer of the banner, you must obtain consent per purpose according to the categories disclosed.

However, the list of cookies presented for consent collection must not be too granular, as this could hinder users from expressing their will clearly.

💡 iubenda’s Cookie Solution allows you to obtain granular consent by means of toggles.

Cookie Categories 

You must display the cookies grouped per category. The categories are described on the basis of the use and purposes of cookies. Users should be able to give their specific consent to each category of cookies separately.

Purposes of cookies 

You must provide a simple, clear, and precise description of the purposes for which the categories of cookies are installed.

Pre-ticked boxes 

Pre-ticked boxes are not allowed. The Authority specifies that cookies based on consent must be disabled by default (see the image below). Manual deactivation is also considered not in line with the guidance.

Image: ANPD Guiding Handbook Cookies and Personal Data Protection

Browser settings

In the second layer of the banner, information on how to block cookies through the browser settings must be provided. If it is not possible to disable the cookie or tracker in this way, you must inform users about it (see the image below).

Image: ANPD Guiding Handbook Cookies and Personal Data Protection

Withdrawal of consent

You must provide your users with the possibility to revoke the consent provided for the use of cookies at any time in a simplified and free-of-charge manner. The procedure must be similar to the one used to obtain consent. 

Only strictly necessary cookies

Even if your website merely uses strictly necessary cookies, you are still subject to the requirement related to the cookie policy, as the principle of transparency and free access, as well as the exercise of data subjects’ rights, equally apply.

📌 Categories of cookies

The guidance includes a non-exhaustive list of cookie categories based on the most popular types of cookies and according to the following aspects:

  • the entity responsible for their management;
  • the need;
  • the purpose; and
  • the information retention period.

📌 Legal basis

The Authority clarifies in the guidance that the legal bases of consent and legitimate interests are the “most usual and relevant to the context analyzed”. 

However, if the LGPD standards are met, we can expect that gathering personal data via cookies may rely on other legal bases.

How iubenda can help you manage the new Cookie Requirements 

Do you have users in more than one country (e.g., Brazil AND Portugal) and need to comply with multiple laws?

With iubenda, it is easy to meet Brazil’s cookie requirements. Just start generating, and our configuration wizard suggests the right settings, like LGPD protection, based on where you and your users are based.

Our Solution also comes with a geo-location feature so that you’re always displaying the right notice and policies to the users you need to.

And did we mention that our clauses are updated when the law changes to help you stay compliant?

🇧🇷 How to adopt the new cookie requirements?

For your convenience, we’ve created a brief checklist of the steps you must take to comply with Brazil’s latest cookie requirements.