Data Security

Hands Off My Biscoitos: Brazil’s New Cookie Guidance

Published: Oct. 26, 2022

Updated: Oct. 28, 2022

The Brazilian (Portuguese) word for cookies is “biscoitos,” and Brazil’s data protection regulator won’t have you using biscoitos without consent—at least for tracking to serve ads. The ANPD, Brazil’s data protection authority, issued new guidance on October 18, joining the ranks of the strictest regulators in the world when it comes to cookies.

The guidance won’t satisfy those who were hoping to squeeze everything into the “legitimate interest” basis box of cookies under Brazilian law—but not all of the cookies have crumbled. For those who were hoping that the ANPD’s interpretation of the LGPD (the country’s new data protection law) would be more lenient than European regulators’ interpretation of the GDPR, there are a few hopeful pieces.

Below are some takeaways from the ANPD’s latest guidance.

Brazil is well past old-school PII. Brazil joins the trend in data protection regulation over the past several years that goes beyond obvious identifiers like plain-text names and phone numbers. The ANPD states that behavioral profiles, as well as inferences about individual internet users that can be cross-referenced across data sets, are personal data and subject to the LGPD. That said, unlike in the EU, where ePrivacy rules sometimes require consent for the mere storage of data on an end user’s device, or for accessing data previously stored there, regardless of whether it is personal data under the GDPR, the Brazilian cookie approach focuses exclusively on data that can be associated with an individual. However, the guidance appears to recognize that seemingly non-personal data stored in a user’s cookie may be personal data where the website operator or a third party can associate that data with the particular user.

Just two legal bases. The ANPD cuts to the chase: generally, when it comes to cookies, the legal basis is either consent (which is subject to opt-out) or legitimate interest (which is subject to opt-out only in some cases). This is simpler than under EU law, which requires (i) determining whether consent is necessary under ePrivacy rules, (ii) selecting from among six legal bases under the GDPR for the processing of any associated personal data, and (iii) dealing with the controversy and compliance difficulties of selecting a legal basis other than consent.

Brazil is comfortable without consent for measurement and analytics. It appears the ANPD has found peace with carving out audience measurement and analytics from the requirement to obtain opt-in consent. Perhaps as a bit of a compromise (like some U.S. states in upcoming state privacy laws that exclude measurement from the requirement to provide an opt-out of targeted advertising), the ANPD’s guidance says audience measurement or analytics can be a legitimate interest, at least where the data is not combined with other tracking or used to form behavioral profiles. It is still unclear what this means in practice, given that modern performance measurement for ads is based largely on tracking.

Brazil is not so comfortable without consent for ads and behavioral profiles. The ANPD says consent is more appropriate for unnecessary cookies for purposes like ads or behavioral profiles—especially if carried out through third-party cookies involving analysis or prediction of preferences or tracking across sites. This is an interesting twist for those who had expected LGPD Art. 10(I) would allow consent-free use of cookies for personalized marketing and ads as forms of “promotion,” which is a statutorily recognized legitimate interest. According to the ANPD, the balancing test required for reliance on legitimate interest doesn’t look so good for cookies that enable tracking-based or behavioral ads. This is especially challenging for modern digital ads, which often go hand-in-hand with tracking or personalization based on user activity across digital properties.

Consent is similar to GDPR consent. The guidance, which sets out interpretive guidelines for appropriate legal bases as well as best practices, is modeled in large part on GDPR-like principles. The ANPD’s guidance for consent in particular is very similar to guidance from some European regulators. For example, the ANPD states that cookie banners should have a button in the top layer allowing users to reject all unnecessary cookies, but that it is acceptable to relegate more granular controls and certain details to a second layer.

Mobile gets a nod, but nothing new. Like European guidance, the ANPD mentions its guidance doesn’t just apply to cookies, but also to other tracking technologies. So it’s not just about websites. But the Brazilian guidance doesn’t explain, for example, how this guidance should work in the context of SDKs in mobile apps, where the purposes of processing often are bundled, opaque, and difficult to parse out (and negotiate) with vendors and partners. As is often the case, operationalizing the requirements is much harder than expressing them in principle.

Why does any of it matter? This is non-binding guidance, not a regulation. But LGPD penalties can reach up to 2% of a company’s annual turnover in Brazil, up to 50 million Brazilian reais (approximately 9.5 million U.S. dollars) per infraction. The ANPD can also prohibit data processing activities or order the blocking or deletion of personal data. And it appears the ANPD may now have even more influence and authority, thanks to a provisional measure that was just passed by the Federal Senate (and had already been passed by the lower house, the Chamber of Deputies) making the ANPD an independent agency.