The use of biometrics registered by customers to get discounts at the Raia Drogasil group pharmacies drew the attention of consumer protection agencies. Procon-SP told Techblog that it notified Drogasil this Wednesday (7): the company should explain the collection and storage of fingerprint data, in addition to clarifying its discount policy. It runs the risk of being fined up to R$50 million.
Fernando Capez, executive director of Procon-SP, tells Techblog that Drogasil may be fined up to 2% of its annual sales, with a limit of up to R$50 million, in case of irregularity. According to him, by requiring biometrics for discounts, the company violates Article 37 of the Consumer Defense Code (CDC) on hidden or misleading advertising.
When any company conditions the granting of a discount on filling in data, it is also masking the granting of a benefit, because it is buying the consumer’s data without informing him. First, it is misleading advertising, masquerading as a benefit; it is a malicious collection. Second, whoever authorizes the capture of these data does not authorize any advertising.
Fernando Capez, executive director of Procon-SP
What does Drogasil need to explain to Procon-SP?
Drogasil is part of the Raia Drogasil group, the controlling company of Droga Raia. In the notification, Procon-SP requires explanations about the discount policy applied to products at physical points of sale.
To the agency, Drogasil must present information about the data requested from consumers for them to participate in store promotions. The pharmacy network will also have to present the purpose of the biometrics registration — something questioned by LGPD experts interviewed by Techblog.
Still on the discount policy, Procon wants to know if the offers are only available to those who swipe their finger on the fingerprint reader, and if there are other ways to access promotions.
As for the data itself, Drogasil must present the complete processing model for the biometrics provided by customers: collection, storage and encryption. It also needs to detail what procedures are used to update and correct this data for future purchases.
Finally, the agency wants more details about Drogasil’s service to customers of the network, and whether there is any way to disable advertising or sponsored ads.
The company has until July 12 to respond to the Procon-SP notification.
Droga Raia requires biometrics for some discounts
As Techblog found, customers of Droga Raia, owned by the Raia Drogasil group, were required to provide data such as biometrics and cell phone number in order to obtain discounts on products; some offers reached 33%. The network said that the registration was to comply with the General Data Protection Law (LGPD), but was questioned by experts.
Idec (Consumer Defense Institute) sent an extrajudicial letter to the Raia Drogasil group and to Abrafarma (Brazilian Association of Pharmacies). It demanded that both explain the use of fingerprints, data considered sensitive, as a condition for participating in discounts.
In a statement to Techblog, the Personal Data Protection Officer (PDO) of the Raia Drogasil group says that employees are instructed to request the registration of biometrics “only in cases defined by the Company as necessary or appropriate”. The network claims to provide periodic training and guidance to employees to adapt them to the LGPD.
But lawyer Caroline Dinucci, an expert on LGPD, says that there is no indication of what the fingerprint will be used for, a purpose required by law. “It’s kind of weird. They cannot require biometrics if there are other ways to confirm identity. Why don’t you ask for the person’s RG document? What will it achieve by storing the biometrics?”, she stated in an interview.