Brazil

Can you place cookies without consent?

There are no specific cookie-related laws or regulations in force in Brazil. However, companies that are subject to the Brazilian General Data Protection Law (LGPD) must comply with the requirements set forth under the law for processing personal data. Moreover, in October 2022 the Brazilian DPA (“ANPD”) published guidance on cookies (“Cookies Guidance”).

“Personal data” is defined under the LGPD as information related to an identified or identifiable natural person. Therefore, in some situations, cookies could be deemed as personal data, especially where they assign a unique identifier to each user and may contain data such as the e-mail address, personal preferences, location, IP address, among others.

Under the LGPD, there are several legal bases that permit the processing of personal data. Specifically for cookies, both consent and the data controllers’ or a third-party’s legitimate interest are viable legal bases, which has been acknowledged by the Cookies Guidance. Specifically for strictly necessary cookies, the Guidance sets forth that legitimate interest would usually be an appropriate lawful basis for such processing.

In order to use legitimate interest as a legal basis for the processing, the data controller or the third-party must be able to demonstrate that: (i) the purpose of the processing is legitimate; (ii) the processing is considered based on an actual situation; (iii) only personal data strictly necessary for the intended purpose is processed; (iv) the legitimate expectations of the data subjects were considered prior to the processing; and (v) the legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject.

In these cases, the controller or the third-party should consider carrying out a Legitimate Interest Assessment prior to placing cookies. Although this is not a strictly mandatory requirement under the LGPD, it would be helpful to demonstrate that the controller or the third-party thoughtfully assessed any processing activity likely to result in a high risk to the rights and freedoms of individuals and whether it had a legitimate interest or not and recorded the outcome of such evaluation. Performing a Legitimate Interest Assessment would also be useful to demonstrate compliance with the accountability principle set forth by the LGPD.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Besides the Cookies Guidance, which is not binding and has an educational purpose, there are no other specific laws related to cookies. Organisations have been taking different approaches so far, although we expect this to change. The tendency is for organisations to follow the Cookies Guidance and implement good practices in the area.

Organisations have started to use cookie banners/ management tools on their websites to collect users' prior consent to place cookies and other similar technologies. For consent to be valid, it must be express, freely given, informed and unambiguous.

Other organisations are placing cookies based on their legitimate interest and informing data subjects of such use as soon as a website is loaded through a cookie banner. However, the Cookies Guidance does not recommend the use of cookie banners with pre-selected authorisation options or the adoption of tacit consent mechanisms. Furthermore, it is advised to implement first and second-level cookie banners, provide a Portuguese version and provide a link to the cookie notice or to a privacy notice that encompasses a specific section for cookies.

Are there any exemptions if consent is required?

Consent is not required for placing cookies.

Under the Cookies Guidance, any other lawful basis provided by the LGPD may be used for placing cookies depending on the facts, including legitimate interest.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Although the Cookies Guidance gives examples of cookie categories, it does not impose explicit restrictions on placing any type of cookies.

As mentioned above, cookies may be placed automatically under the legitimate interest of the data controller or a third-party, provided that the requirements stated in answer 1 are complied with.

Moreover, data controllers must provide clear, precise, and easily accessible information about the use of cookies on their website (such as including information on the use of cookies in their privacy notice or cookies notice). On the other hand, if the data controller decides to place cookies based on consent, cookies cannot be placed automatically prior to consent being granted by the data subject.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. Under the LGPD, consent must be freely given, informed and unambiguous, which means that the user must express their consent by a clear affirmative action. The Cookies Guidance echoes this, requiring a “clear and positive manifestation of will” from the data subject. Furthermore, the use of cookie banners with pre-selected authorisation options or the adoption of tacit consent mechanisms must be avoided. Therefore, to reinforce the previous example, continuing to browse a website cannot be considered valid consent, as it fails to fulfil all the legal requirements.

Can you set cookies without a cookie notice? 

No. Transparency and free access are among the key principles of the LGPD. Data subjects must receive clear, precise and easily accessible information on any personal data processing activities.

Although there is no mandatory requirement for a separate cookie notice under the law, data controllers must be able to present information on the use of cookies. This could be done through a cookie banner or a privacy notice, provided that all information required by law is made available to the data subjects. Also, the Cookies Guidance reinforces that data subjects must be able to easily withdraw their consent, in addition to ensuring the exercise of their rights, as set forth by the LGPD.

Can you set cookies without a cookie banner/ management tool?

There is no legal requirement in Brazil to implement a cookie banner/ management tool, although it may be considered as a good practice. The Cookies Guidance, although not binding, strongly recommends the adoption of such procedures or mechanisms.

If the personal data processing via cookies is carried out based on consent, the data controller must be able to demonstrate that consent was duly obtained in compliance with the provisions of the LGPD. In this case, a cookie banner/ management tool could be useful to collect evidence on the lawfulness of obtaining the data subjects’ consent.

In the Cookies Guidance, the ANPD states that banners can serve as a tool to bring transparency and adherence to data protection principles. It outlines how to design cookie banners in a manner compatible with provisions of the LGPD. In particular, it outlines what should be avoided when designing cookie banners, as mentioned in item 8 below.

Are you able to use cookie walls? 

There are no specific rules or regulations by the ANPD prohibiting the use of cookie walls. However, the Cookies Guidance provides a clear recommendation on the matter, emphasising that the use of cookie banners with pre-selected authorisation options or the adoption of tacit consent mechanisms must be avoided.

By the same token, cookie walls would more likely than not be deemed as an invalid way of obtaining consent considering it would be hard to defend that consent was freely given, one of the requirements for consent to be valid under the LGPD.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

No specific laws or regulations set penalties for breaches of applicable cookie restrictions. Currently there are no public investigations or enforcement actions carried out by the ANPD regarding cookies. As the ANPD began functioning in 2021, the Authority is largely focusing its efforts on issuing regulations and guidelines.

It should be noted, though, that the LGPD may also be enforced by consumer protection agencies and other regulatory bodies. Recently, a State Consumer Protection Agency announced it was investigating the use of cookies on the Brazilian Post and Telegraph Company website, on the ground that the Post Company had violated the principle of transparency and that it failed to collect users’ consent according to the law.

In the Cookies Guidance, the ANPD noted that one of the potential problems related to the use of cookies is the lack of transparency. The Cookies Guidance highlights that privacy risks may be magnified where the lack of transparency is coupled with practices of collecting massive amounts of personal information for purposes of identifying, tracking and profiling behaviour. The Cookies Guidance seeks to bring illustrative examples to enable the identification of positive and negative practices in cookie use. It states that it is the responsibility of organisations to take the necessary steps to safeguard the rights of data subjects.

Are there any current consultations relating to ad tech/cookies?

No, we are not aware of any.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

None that we are aware of.