The General Law for the Protection of Personal Data (LGPD) entered into force in 2020. Companies that have always used data registration to control the flow of customers must adapt the use and processing of personal data as much as possible. But in recent months the drugstore chain Droga Raia, which belongs to the Raia Drogasil group, has been accumulating complaints from customers who had to provide their cell phone number and even a fingerprint in order to obtain discounts. Techblog investigated the cases.
Droga Raia refuses to provide discount without fingerprint
Gabriel (pseudonym) was visiting his mother-in-law in Londrina (PR) when he stopped at a Droga Raia unit. It was nighttime and he needed to buy baby milk for his little daughter – he had left home for that purpose. And he was in luck: the product was on a considerable 33% promotion. At the checkout, the attendant asked an irresistible question: “Will you want the discount?”
Upon hearing the “yes”, the Droga Raia employee imposed a condition: “only if you are in the loyalty plan”. Gabriel was confused, as he told Techblog: “they already had my CPF”. But the attendant stated that, to confirm the registration, she needed fingerprint biometrics. He says he didn’t put his finger on any reader, but provided his cell phone number to take advantage of the baby milk offer.
In another case, engineer Lucas Maldonado, a resident of Bauru (SP), decided to stop at the Droga Raia located between his house, in Jardim Solange, and his work, in Bela Vista. He always bought his continuous-use medicine at this store, but that day there was a discount.
“I always provided the CPF, even because the medicine is a little expensive. I’ve never been so uncomfortable doing this,” Lucas recounted. But again, one employee stated that to use the offer he would have to provide his fingerprint: “It’s quick, just put your finger. It’s because of the LGPD”.
Lucas was surprised and asked for further explanation, which the attendant was unable to provide. The pharmacy supervisor was called; he stated that without the fingerprint, Lucas would not be able to complete the purchase. In the end, Lucas insisted and took the medicine with the offer. But when he returned to the same store and repeated the purchase, the second time was not successful. When he called customer service (SAC), the engineer heard that biometrics would be used to participate in the Droga Raia discount club.
The researcher Mariana Valente decided to tell on Twitter how Droga Raia employees asked for her biometrics. In the post, she vents: “I understood that even the speech he was instructed to give is misleading: the fingerprint, apparently, is requested ‘only’ for the discount of the health insurance”.
Now it happened to me. At Droga Raia, the attendant told me that the new data protection law required me to register my fingerprint. Talking more, I understood that even the speech he was instructed to give is misleading: the fingerprint, apparently, is requested “only” for the health insurance discount
— Mariana Valente (@mrnvlnt) June 21, 2021
Mariana is also the director of the Internet Lab, an institute specializing in technology and digital rights. She told Techblog that Droga Raia’s posture of camouflaging the requirement of biometrics under the argument of adapting to the LGPD “disinforms and hinders the process of understanding what the rights of citizens are”. In her case, she ran into the demand from the pharmacist when trying to buy a vitamin. She could not take the product at a discount.
The number of complaints related to the term “registration” on Droga Raia’s page on the specialized website ReclameAqui increased after the approval of the LGPD. There were 24 complaints in the last year – 22 of them registered in the last 4 months.
The pharmacy chain usually responds to complaints that involve biometrics by sending a private message to users. But to Mariana Valente’s tweet, the company replied again that registration was necessary “due to the LGPD’s adjustments”.
Hello Mariana! Please be advised that due to the new General Law for the Protection of Personal Data (LGPD), it is necessary to perform a biometric registration in physical stores or sign a term authorizing the sharing
— Droga Raia (@DRaiaOficial) June 21, 2021
Experts say Droga Raia infringes the LGPD
Specialists in technology and digital law heard by Techblog contest the company’s version. According to them, this data is sensitive and requiring it may constitute a violation of the LGPD, as fingerprint biometrics can be used for aggressive marketing campaigns. This violates the law’s principle that companies must limit access to personal data to the minimum necessary, as provided for in Article 6.
Daniel Gatti, director of the Faculty of Science and Technology at PUC-SP, says that the justification given by Droga Raia that the biometrics registry serves as an adaptation to the LGPD does not make sense:
“The problem is that those who choose to put this data are usually from the IT area, which finds it easier to update the system. Forcing the fingerprint is a recurring problem. It must have signed terms to know how the storage of this data is done. If the allegation is precisely to update the LGPD, I would have to sign a term.”
But LGPD lawyer Caroline Dinucci says there is no indication of what the fingerprint will be used for, which the law also requires. “The difference between sale and consent is not clear. It’s kind of weird. They cannot require biometrics if there are other ways to confirm identity. Why don’t you ask for the person’s RG document? What will she achieve by storing the biometrics?”, said the lawyer to Techblog.
The Raia Drogasil group offers more ways to validate the identity of customers at the time of purchase: an SMS with a token for confirmation or “prints” authorized by the user at the time of collection. But the way it is put, biometrics seems to have a similar use to a message or other data – which is not the case.
Every time a citizen places their finger on a digital sensor, a unique code associated with their fingerprint is generated. This information is then transferred to a database and stored under encryption. It is a type of data widely used to access bank accounts. But Daniel Gatti warns: “financial institutions do not store biometrics”.
Pharmacy may be using biometrics for marketing
Droga Raia may be using the fingerprints of customers to develop aggressive ad campaigns. “With biometrics, it can only be that person who uses the equipment [fingerprint reader]. With this, the pharmacy is closing deals only with those who frequent the drugstore. This makes sense in marketing campaigns to build customer loyalty. From the point of view of technology, other data are already enough to have this information”, says the professor at PUC-SP.
Caroline Dinucci, from Barreto Dinucci Advocacia, says that offering promotions or club accounts for deals to make customers register their fingerprint also violates the Consumer Protection Code (CDC). She mentions that, in this case, it is possible to say that there is “vitiated consent” on the part of Droga Raia. “It’s very tempting: a good discount for providing my biometrics. The person is between the cross and the sword. […] The CDC says that the company has the role of informing the destination of the data so that the consumer can rationally consent – which doesn’t end up happening”, says the lawyer.
For consumers who feel aggrieved by Droga Raia, Dinucci recommends that they adopt legal measures against the drugstore chain. But she warns that the company has an advantage by having in its hands the entire history of processing customer data: “The company itself will provide very robust proof that this data has not been leaked. Eventually he [the customer] will be able to prove it, but it will depend on situations he does not control”. The National Data Protection Authority (ANPD), which oversees whether companies are meeting the LGPD criteria, has an ombudsman page that accepts complaints.
State of SP has a law that prohibits pharmacies from requiring CPF
In December 2020, the State of São Paulo passed a law that obliges pharmacies and drugstores to explain the reason for asking for the consumer’s CPF at the time of purchase. The company must tell the customer whether providing the data will open an account through which he can receive promotions or discounts. If it violates the law, the store must pay a fine of R$5,818. “If the law is concerned with the use of CPFs in pharmacies, imagine biometrics”, says Dinucci.
Lucas Maldonado did not return to the Droga Raia that demanded his fingerprint twice: “I changed my pharmacy. I don’t buy there anymore. I won’t buy any more there while they do it.”
Contacted by Techblog, Droga Raia had not responded by the time this report was published.