The National Data Protection Authority - ANPD, released this Tuesday, October 18, 2022, a guide on the treatment of cookies on websites and applications, which I referred to in the link sent previously.
The guidance is extremely timely, since there are several examples of inadequate treatment, from a lack of transparency and information to the mistaken adoption of inapplicable legal hypotheses, which could result in penalties for the company.
With the guide, we now have the support of the national authority and we will no longer need to rely on foreign guidelines (GDPR, which is the most common basis for the LGPD to have similar criteria) to support our guidelines.
As we advise our clients that following ANPD guidelines is part of the DPO's activities, we have created this summary. We recommend consulting the ANPD website indicated here.
Download the guide from the link below:
cookie-and-personal-data-protection-guide.pdf (www.gov.br)
Who needs the cookie policy?
All websites that process data, more specifically that fire First-party bitcoin data Cookies (First-party cookies are created by the website a user visits.
They are responsible for collecting information about that person, such as: username, passwords, language preference, payment method and products in a shopping cart. Thanks to these cookies, the website does not have to ask the user to enter their information every time they return, can make product suggestions based on their preferences and, in general, offer a better browsing experience) or Third-party (Third-party cookies are created by a domain other than the one the user is visiting. A third-party domain) and their function is generally associated with digital advertising.
This type of cookie allows advertisers and publishers to perform tracking functions across websites and devices, target advertising and decide when to show an ad). If your website processes personal data or data that, when cross-referenced, can identify an individual person, it needs even more review in the way this information is processed.
How to be suitable?
For a website to be compliant with the LGPD using cookies, there are some principles that you should pay attention to. Especially if you have a good “reason”, or Legal Basis, that supports the use of data and cookies on your website. For many, “Consent”.
How so? In order for companies to process the data of data subjects (individuals, you and me), they now need to be well supported by the Law (LGPD). And this “permission” is the so-called: Legal Basis of the LGPD. Therefore, although consent is not the only Legal Basis that supports the use of data by companies, it plays a very important role in these steps involving cookies. This is precisely why cookie notices play an essential role: Notifying and Communicating with visitors, as well as correctly collecting and storing consents individually.
Therefore, regardless of the information that a cookie carries, it must have been consented to by the user. But what makes consent valid? And what must be communicated to the user? The user must be informed clearly and objectively for what purpose their data will be collected. In addition, they must state that they accept that their data will be processed, by clicking on a notice, giving the so-called Consent or Opt-in.