GENERAL
WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?
Law 41/2004, of 18 of August 2004 on the protection of personal data and privacy in telecommunications, amended by Law 46/2012, of 29 August 2012 (ePrivacy Law).
IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?
No, Portuguese Data Protection Authority (CNPD) has not issued any guidance specifically addressing cookies.
CONSENT
CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?
No. For purposes of Portuguese ePrivacy Law, the definition of consent is the definition provided by GDPR. Therefore, where consent for cookies is necessary, it must be freely given, specific, informed and unambiguous and be given by a statement or by a clear affirmative action. As such, a user's browser settings allow access to and storing of cookies generally, this does not amount to consent for use of cookies on a specific website.
ARE COOKIE WALLS ALLOWED?
No, please note that there are no specific rules or guidance. However, considering that, pursuant to GDPR, consent must be granular (for each purpose for which cookies are used) and freely given (the provision of a service cannot be conditional on consent to the processing of personal data that is not necessary for the performance of that contract), we consider that cookie walls are not allowed.
CAN CONSENT BE IMPLICIT, (I.E. THROUGH USE OF WEBSITE)?
No. Consent must be unambiguous and be given by a statement or by a clear affirmative action. Thus, implicit consent is not accepted.
TRANSPARENCY AND RETENTION
ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?
No, there are no specific rules or guidance for cookie banners.
IS A SEPARATE COOKIE POLICY REQUIRED IN ADDITION TO THE WEBSITE PRIVACY POLICY?
No. The cookie policy may be separated from the website privacy policy or may be a section included in the website privacy policy. However, it is common practice to have a separate cookie policy.
ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?
No, there are no specific retention periods for data held by cookies.
DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?
No, there is no difference between first-party and third-party cookies.
ENFORCEMENT
IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?
No, currently there is no regulatory strategy on the enforcement of cookie rules.
HAVE THERE BEEN ANY FINES ISSUED FOR NON-COMPLIANCE OF COOKIE RULES?
No.
However, it should be noted that decisions from CNPD applying any fines were not public until 25 May 2018. As of this date, although the decisions are publicised on the CNPD's website, the same may not be up to date.
HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?
No.
ADDITIONAL INFORMATION
According to Portuguese ePrivacy Law, consent is not necessary for technical cookies whose sole purpose is carrying out the transmission of a communication over an electronic communication network or which are strictly necessary for the provider of an information society service to provide a service expressly requested by the subscriber/user.
As to the cookies that require consent, such consent is required for the information stored or access on such equipment, irrespective of whether the information includes personal data or not.
Originally published 27 November 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
