Idec notifies Raia Drogasil, owner of Droga Raia, about digital biometrics | Brazil

The Consumer Defense Institute – Idec – notified this Thursday (24) the Raia Drogasil group, owner of the Droga Raia network, to explain about the collection and use of customer biometrics. How did the Techblog, consumers were barred from taking advantage of promotions if they did not register the digital. The institute also sent a letter to the Brazilian Association of Pharmacies – Abrafarma – to find out if other companies are following in Droga Raia’s footsteps.


Drug Raia’s demand for digital from customers hurts the LGPD (Image: George Prentzas/ Unsplash)

Idec questions the purpose of Droga Raia when collecting data

The extrajudicial notification to Raia Drogasil requires the company to stop collecting fingerprints and CPF and explain the purpose of data collection. The 12 questions asked by Idec, contained in the warning, are part of an investigation by the institute into the actions of the drugstore chain. He wants to know why the registration of consumer biometrics.

What motivates Idec are complaints from registered members and reports on social networks of people who were prevented from getting discounts on items under the condition of registering the data, which is sensitive according to the General Data Protection Law. The notification is a joint work of two pro-consumer NGO programs: the areas of Health and Telecommunications and Digital Rights.

Matheus Falcão, Health analyst at Idec, states that there is no clear justification for collecting Droga Raia’s fingerprints; the use of CPF by the pharmacist is also concerned. “We are not clear about this purpose. The law [LGPD] requires explanations of data usage. All this very nebulous scenario increases our concerns and leads to notification”, Falcão told the Techblog.

Matheus Falção, Health Analyst at Idec (Image: Idec/Disclosure)

Matheus Falção, Health Analyst at Idec (Image: Idec/Disclosure)

In addition to notifying the Raia Drogasil group, Idec wrote a letter to Abrafarma, to find out if other networks and pharmaceutical companies have been collecting biometrics and CPF.

“Viccated consent” is applicable to the case, according to Idec

Idec echoes other experts heard by Techblog that there is “addicted consent”. The institute sees that the requirement for biometrics to take advantage of offers harms the consumer, in case he does not consent to the demand. The situation is even more serious because stores may be offering inflated prices.

In Brazil, drug prices are predefined by Cmed, a collegiate body composed of the Ministries of Justice, Economy, Health and the Civil House. The agency is responsible for regulating the price of medicines in pharmacies. But, according to Matheus Falcão, the ceiling of the value established by Cmed is “extremely high” and far from the costs practiced by the market.

“A discount given to Cmed’s price is like that, a false discount, which reveals an economic distortion. This price regulation is problematic. We’ve criticized for years and we have proposals to improve it”, says the analyst at Idec.

And why does Droga Raia just collect digital biometrics?

In addition to the exorbitant price promotions, the pro-consumer institute has some hypotheses as to why Droga Raia collects fingerprints from customers. One of them: the pharmaceutical company is practicing price discrimination. According to the user profile, they offer different discounts – the use of biometrics is to make an “adverse selection” of the consumer base.

Another possible purpose for using digital, according to Falcão, is to have a second mechanism for identifying the consumer in addition to the recipe. Anvisa (National Health Surveillance Agency) determines that pharmacies retain prescriptions from those who ask for medication for controlled use. But Raia Drogasil can use biometrics to have a “second option” of keeping customer information.

In notice to the Techblog, the Personal Data Protection Officer (PDO) of the Raia Drogasil group, Bruno Eduardo Mizga da Silva, says that employees are instructed to request the registration of biometrics “only in cases defined by the Company as necessary or appropriate”. The network says it provides periodic training and guidance to employees to adapt them to the LGPD.

Raia Drug Unit in Vila Madalena (Image: RaiaDrogasil/Disclosure)

Raia Drug Unit in Vila Madalena (Image: RaiaDrogasil/Disclosure)

In cases reported by Techblog this Thursday (24), it was the attendants themselves who justified that the biometrics registration was to update the registration due to the LGPD.

But Idec says that this argument is not unjustified: “Our understanding is that the sector [farmacêutico] it still didn’t explain very well nor the necessity of the CPF, much less the digital one. This goes through explaining the precise purpose. Who are they shared with?”

Idec has already notified Health companies for data exchange

The Raia Drogasil group describes in its privacy policy that biometrics are stored in encrypted form and are not shared with third parties. But other companies in the Health sector, according to Matheus Falcão, have already confessed to exchanging sensitive data with partner companies, such as laboratories.

The network said in a statement to Techblog that does not specifically share the biometrics with third parties: “The biometric data collected by Droga Raia are not used for any purpose other than the initial one (identity confirmation of the data subject) and are not commercialized or provided to third parties.”

How to defend yourself if pharmacies demand your fingerprint?

Finally, the Health analyst at Idec says that in order to defend themselves, the consumer has the right to know the reason for the requirement of personal data in pharmacies:

“He can ask what the discount will be before providing his CPF and digital. It is important that consumers know their rights and the company has a duty to provide the information. Where are you going? And by whom will they be used? We advise you not to provide data that is not necessary for the transaction.”

The deadline given by Idec for responses from Raia Drogasil and Abrafarma is 10 days. From the feedback, the institution can confirm some of its hypotheses related to the treatment and use of customer data.

About the notification of the Brazilian Institute of Consumer Protection, Raia Drogasil responded to the contact of the Techblog with the following positioning:

“Raia Drogasil received the request from IDEC and will provide all the information as it is in line with the legal principles stipulated by the LGPD, being committed to the privacy of its customers and transparency in its business.”

The report sought out the Brazilian Association of Pharmacies — Abrafarma — but got no answer.

Leave a Comment