Brazilian Data Protection Authority guides the adoption of practical recommendations for the adequacy of portal in the collection of cookies

The National Data Protection Authority (ANPD in portuguese), special autarchy, issued a recommendation to the Digital Government Secretariat (SGD/ME) for the adequacy of the portal to the provisions of the General Personal Data Protection Law (LGPD in portuguese). The recommendation made by ANPD proposes practical adjustments regarding the processing of personal data resulting from the collection of cookies at portal

ANPD stressed two points of attention, which according to the authority, need to be reviewed due to the initial adequacy of portal to the LGPD.

The first point is related to the first level banner, which is presented to the user as soon as he accesses the page of any site hosted on “”. ANPD has understood that the information made available to the user on this page is limited and there is only a single acceptance option, which according to the authority, is a practice that is not in compliance with the LGPD. In addition, the authority noted that the information made available on the banner should not raise questions to the user. In this sense, the consent of the data subject  regarding of his personal data processing,  to be valid, must be free and unambiguous, and also have been conceived in a reflected manner and based on clear, ostensible, and previously offered information.

For this first evaluation, ANPD expressly recommended at least the following actions:

I. Provide an easy visualization button that allows you to reject all non-necessary cookies; and

 II. Disable consent-based cookies by default (opt-in).

The second point of attention concerns the portal cookies policy, made available on a second-level banner, accessible to the user who clicks on the corresponding link. According to the evaluation of the ANPD, the information contained in the cookies policy is presented in a generic way, which makes it difficult for the user to understand . The  Authority adds that the purposes presented in the banner, to treat personal data collected through cookies, are presented diluted throughout the banner, and  it is not possible to identified all of them, but only the purposes associated with the necessary primary cookies. In addition, it understands that a mechanism for cookie management by the data subject  himself is necessary, in which the possibility of revocation of consent is included, always accompanied by the corresponding information.

For this second evaluation, ANPD expressly recommended at least the following actions:

I. Identify the legal bases used, according to each purpose/category of the cookie, using consent as the main legal basis, except for strictly necessary cookies, which may be based on legitimate interest;

II. Classify cookies in categories in the second level banner;

III. Allow the specific consent to obtain in accordance with the identified categories; and

IV. Provide an easy-to-view button that allows you to reject all non-necessary cookies. ANPD also points out, which is in the elaboration phase by the technical team, a practical guide on cookies treatment, which will address the types of categories and purposes, as well as the legal bases of LGPD and good data processing practices related practices Personal resulting from the collection of cookies. The guide is expected to be responsible for establishing increasingly linear, objective, and practical guidelines on the subject.

Our specialties

aSee our main areas of expertise