As a rule, no. According to Article 5(1) of the Portuguese e-Privacy Law (Law no. 41/2004 of 18th August as amended), the placement of cookies in the user’s device or the access to information already stored in the device requires the prior consent of the user. It must also be ensured that consent has been given on the basis of clear and complete information under the GDPR, in particular as to the purposes of the processing carried out. Nonetheless, Article 5(2) of the Portuguese e-Privacy Law states that certain types of cookies can be placed without consent (please see the answer to Question 3 below).
It is also important to note that although the Portuguese e-Privacy Law references the now revoked Portuguese Personal Data Protection Law it is understood that any references regarding the above-mentioned law should be interpreted as referencing the GDPR and Law 58/2019 of 8th August which implements the GDPR in the Portuguese national order.
As the Portuguese Data Protection Authority (CNPD) noted in its notice on cookies dated 25th June 2021, overall, there are substantial deficiencies in the way legal obligations are being applied in this regard. Although the authority anticipated that it is developing guidelines on this subject, the lack of specific guidelines on the use of cookies might be contributing to a higher incidence of non-compliance situations. However, we must note that since the issuance of the notice by CNPD companies and public entities have made an effort to increase compliance with legal rules.
Yes. In accordance with Article 5(2) of the Portuguese E-privacy Law, obtaining consent is not required for cookies whose sole purpose is carrying out the transmission of a communication over an electronic communication network or which are strictly necessary for an information society service provider to deliver a service explicitly requested by the subscriber/user.
No. In accordance with Article 5(1) of the Portuguese E-privacy Law, the rule is that prior consent of the user should always be given. The only exceptions to this rule refer to the cookies mentioned in the answer to Question 3 above.
No. The consent must follow the requirements of the GDPR, which means that it should be expressed through a clear affirmative action from the user. As such, an implicit consent is not acceptable.
No, information must be provided to users.
In cases where the placement of cookies requires consent, Article 5(1) of the Portuguese e-Privacy Law states that the consent must be given on the basis of clear and complete information under the GDPR, in particular as to the purposes of the processing carried out. In this way, and for the consent to be provided in an informed manner, a cookie notice is deemed essential. It should be noted, however, that despite common, there is no legal obligation for the cookie notice to be separate from the privacy policy.
Under Portuguese law, there are no explicit provisions stating the use of a cookie banner or management tool. However, in cases where consent is required, its use is highly recommended and a common market practice since it allows users to be informed of such implementation and of its terms and conditions. In this sense, cookie banners/ management tools allow users to provide their granular consent and manage their preferences, thus complying with the rules imposed by the Portuguese e-Privacy Law, GDPR and Law 58/2019.
Once again, under Portuguese law, there are no explicit provisions or guidelines on this matter. Nevertheless, since cookie walls restrict the access to a website’s content or services until the user agrees to accept the cookies, they should be considered inadequate to the extent that, otherwise, the consent would not be considered freely given and, as consequence, not valid.
We are not aware of any current actions or decisions made public against breaches of cookie rules.
However, considering the concerted action at the European level on cookies, in addition to the notice from CNPD, it is expected that the Portuguese authority will start to enforce decisions against the breach of cookies rules.
None that we are aware of.
As mentioned above, in 2021 CNPD stated that it was preparing specific guidelines on the use of cookies, in order for organisations to align their practices with the legal requirements. However, in 2024 those guidelines are yet to be published.
