ANPD Guidance on Cookie Compliance

The Brazilian National Data Protection Authority (ANPD) have a handbook on cookies and personal data protection in accordance with the LGPD. When looking at cookies and banners on a business’ website there are many things that must be taken into consideration. 

Cookies Overview

When creating information for consumers about the cookies that your website uses there are some fundamentals that must be considered. 

Who Owns Them

Are the cookies used considered first-party or third-party cookies? First-party cookies are set directly by the website or application that is being visited. Third-party cookies are created by a different domain that the one being visited. 

Necessary v. Non-Essential Cookies

Necessary cookies are needed for the website or application to perform certain functions and operate properly. Non-essential cookies do not fall within the definition of essential cookies. They can be used for purposes such as to analyze consumer behaviour or for advertising purposes. 

Analytical or performance cookies

These cookies allow data to be collection about how users use the site.

Functionality cookies

This provides the basic services requested by the user and allow website and application preferences to be remembered. 

advertising cookies

These collect information for the purpose of displaying advertisements. 

Retention Period

The data collected by cookies can be accessed and processed for a period of time defined by the controller. This can be anything from a few minutes to several years. 


Within the handbook regarding cookies and the LGPD there are certain provisions that are worth noting. 

  • Collection of personal data through the use of cookies must be limited to the minimum necessary for the realization of legitimate, explicit, and specific purpose
  • The processing agent is obligated to provide the entitled persons with the necessary information
  • A data subject’s right of access, deletion of data, revocation of consent and opposition to processing are relevant in the context of cookies.
  • Personal data must be erased after the end of processing
    • This may be when the purpose is achieved, or erasure is legitimately requested by the data subject
  • The legal basis with which data can be collected can fall under the consent or legitimate interest category
    • Consent must be free, informed, and unambiguous – often achieved via a banner on a website
    • Some processing is necessary to meet the legitimate interests of the controller or of third parties

A business using cookies is recommended to have a Cookie Policy that is available in a transparent and free way. This can be either within a section of a Privacy Notice, in its own separate place, or within a cookie banner itself. 

A cookie banner needs to provide essential information on the use of cookies. 

Top level banner

A top level banner must provide a visible button to reject all unnecessary cookies and an accessible link for the data subject to exercise their rights.

second level banner

The purpose of a second level banner is more detailed. Cookies should be sorted into categories with a description of the categories including their uses and finalities. The descriptions should be simple, clear, and precise. Consent to be able to be obtained for each specific purposes. Any consent-based cookies should be disabled by default and there should also be information provided on how to block cookies through browser settings. 

  • Using a single button on the first level banner with no management option when using the legal hypothesis of consent
  • Making the buttons to reject cookies harder to see than the accept buttons
  • Additionally, making it impossible or difficult to reject all cookies that are not necessary
  • Not providing a second-level banner
  • Failing to provide information and a direct, simple, and proper mechanism for a data subject to exercise their rights
  • Making it difficult to manage cookies
  • Displaying information on a cookie policy in a foreign language only
  • Presenting a list of cookies that is too granular, generating a excessive amount of information
  • When using consent as a legal basis, linking the consent to the full acceptance of the conditions of use, without the provision of effective options to the holder. 
Previous Post

SheIn $1.9M Fine for Failing to Protect Customer Information

Next Post

FTC Called Upon to Enforce Health Breach Notification Rule

Related Posts