The Brazilian National Data Protection Authority (ANPD) has a handbook on cookies and personal data protection in accordance with the LGPD. When looking at cookies and banners on a business’ website, there are many things that must be taken into consideration.
When creating information for consumers about the cookies that your website uses there are some fundamentals that must be considered.
Who Owns Them
Are the cookies used considered first-party or third-party cookies? First-party cookies are set directly by the website or application that is being visited. Third-party cookies are created by a different domain than the one being visited.
Necessary v. Non-Essential Cookies
Necessary cookies are needed for the website or application to perform certain functions and operate properly. Non-essential cookies do not fall within the definition of essential cookies. They can be used for purposes such as to analyze consumer behaviour or for advertising purposes.
Analytical or performance cookies
These cookies allow data to be collected about how users use the site.
Functionality cookies
These provide the basic services requested by the user and allow website and application preferences to be remembered.
Advertising cookies
These collect information for the purpose of displaying advertisements.
The data collected by cookies can be accessed and processed for a period of time defined by the controller. This can be anything from a few minutes to several years.
Within the handbook regarding cookies and the LGPD there are certain provisions that are worth noting.
- The processing agent is obligated to provide the entitled persons with the necessary information
- A data subject’s right of access, deletion of data, revocation of consent and opposition to processing are relevant in the context of cookies.
- Personal data must be erased after the end of processing
- This may be when the purpose is achieved, or erasure is legitimately requested by the data subject
- The legal basis with which data can be collected can fall under the consent or legitimate interest category
- Consent must be free, informed, and unambiguous – often achieved via a banner on a website
- Some processing is necessary to meet the legitimate interests of the controller or of third parties
Top level banner
A top level banner must provide a visible button to reject all unnecessary cookies and an accessible link for the data subject to exercise their rights.
Second level banner
The purpose of a second level banner is more detailed. Cookies should be sorted into categories, with a description of each category including its uses and purposes. The descriptions should be simple, clear, and precise. It must be possible to obtain consent for each specific purpose. Any consent-based cookies should be disabled by default, and information should also be provided on how to block cookies through browser settings.
Things to avoid when designing cookie banners
- Using a single button on the first level banner with no management option when using the legal hypothesis of consent
- Making the buttons to reject cookies harder to see than the accept buttons
- Additionally, making it impossible or difficult to reject all cookies that are not necessary
- Not providing a second-level banner
- Failing to provide information and a direct, simple, and proper mechanism for a data subject to exercise their rights
- Making it difficult to manage cookies
- Presenting a list of cookies that is too granular, generating an excessive amount of information
- When using consent as a legal basis, linking the consent to the full acceptance of the conditions of use, without providing effective options to the data subject.
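The second-level banner requirements above (categories with descriptions, consent per purpose, consent-based cookies off by default) and the list of things to avoid (no real reject option, no way to manage cookies) translate into a small amount of consent-gating logic. The following is an added example, not code from the ANPD handbook: a consent model written as pure functions so it runs outside a browser. The category names, descriptions, cookie names and the `jar` object standing in for `document.cookie` are all constructed for the example, and the first-party/third-party check is a deliberate simplification (it does not consult the public suffix list).

```javascript
// Added example (not from the ANPD handbook): consent model for a two-level
// cookie banner. Category names, descriptions and cookie names are constructed.

// Categories as a second-level banner would present them. Only "necessary" is
// essential; every other category is consent-based and therefore off by default.
const CATEGORIES = {
  necessary: { essential: true, description: "Keeps the site working (session, security)" },
  functionality: { essential: false, description: "Remembers preferences such as language" },
  analytics: { essential: false, description: "Measures how visitors use the site" },
  advertising: { essential: false, description: "Selects and measures advertisements" },
};

// Default consent state: essential categories on, consent-based categories off.
function defaultConsent() {
  const consent = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    consent[name] = meta.essential;
  }
  return consent;
}

// "Reject all" on the top-level banner: every non-essential category off.
function rejectAll() {
  return defaultConsent();
}

// Consent per specific purpose. Essential categories cannot be switched off,
// and unknown categories are rejected so nothing is set without a basis.
function setCategory(consent, category, allowed) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown cookie category: ${category}`);
  if (meta.essential && !allowed) {
    throw new Error(`${category} cookies are essential and cannot be disabled`);
  }
  return { ...consent, [category]: Boolean(allowed) };
}

// Gate every cookie write on the consent for its category. `jar` is a plain
// object standing in for document.cookie so the logic runs without a DOM.
function setCookieIfAllowed(consent, jar, name, value, category, maxAgeSeconds) {
  if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
  if (!consent[category]) return false;
  jar[name] = { value, category, maxAge: maxAgeSeconds };
  return true;
}

// Revocation of consent: remove cookies whose category is no longer allowed.
// Returns the names removed so the caller can log or display them.
function purgeWithdrawn(consent, jar) {
  const removed = [];
  for (const [name, entry] of Object.entries(jar)) {
    if (!consent[entry.category]) {
      delete jar[name];
      removed.push(name);
    }
  }
  return removed;
}

// First-party vs third-party: compare the cookie's Domain attribute with the
// host being visited. Simplification: the exact host or a parent domain counts
// as first-party; production code would use the public suffix list so that a
// suffix such as "co.uk" is never treated as a parent domain.
function classifyCookie(siteHost, cookieDomain) {
  const host = siteHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain) ? "first-party" : "third-party";
}

// Rows for the second-level banner: one per category with a short description,
// the essential category shown locked-on and the rest reflecting current consent.
function secondLevelRows(consent) {
  return Object.entries(CATEGORIES).map(([name, meta]) => ({
    category: name,
    description: meta.description,
    checked: Boolean(consent[name]),
    locked: meta.essential,
  }));
}
```

In a real banner, `secondLevelRows` would render the checkboxes, each checkbox change would call `setCategory`, and every place the site sets a cookie would go through `setCookieIfAllowed` rather than writing `document.cookie` directly; that single choke point is what makes "reject all" and per-purpose consent actually enforceable rather than cosmetic.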