Apart from the cases described above, other
consumer protection entities also had active roles in cases involving breach
and/or improper use or disclosure of personal data.
The National Consumer Secretariat (SENACON) imposed
a fine to the site Decolar.com in the amount of R$ 7,5 million for offering
different prices to hotel reservations depending on where the consumer was
located (practice known as geo pricing) and for hiding the availability of
accommodations to Brazilian consumers to benefit foreign consumers (practice
known as geo blocking). SENACON considered such practices abusive and
discriminatory, in clear violation of consumer laws that state that suppliers
of goods or services are not allowed to:
·
deny
requests from consumers to the exact extent of their stock availability;
·
deny
sale of goods or services to whom is willing to purchase them on a cash basis;
·
increase
the price of goods or services without just cause.
In addition to the above mentioned fine, the
company was ordered to immediately cease abusive and discriminatory practices,
subject to having its operations suspended and the site shut down.
In another case involving misuse of personal data, the network of
drugstores Drogaria Araújo received a fine in the amount of R$7 million imposed
by Procon-MG for making discounts available to consumer only in case they
informed their tax ID (CPF) at the time of the purchase, without giving any
clear and appropriate information about their registration.
The order resulted from an inquiry involving the facts and the company’s
refusal to adjust its conduct. According to the decision, this practice
violates consumer’s right to clear and appropriate information about the
service being offered, since the drugstore failed to properly inform consumers
about its terms of use, privacy policy and risks to the program’s data security.
Data relative to purchases at a drugstore may reveal sensitive
information about consumers’ health and life that may lead to abusive practices
by companies. Diseases, mental problems and other sensitive information may be
deduced based on purchase habits at drugstores and this information is not
clearly provided to consumers. Therefore, a consumer, the party in disadvantage
in this relationship, did not have the information required to properly consent
to the collection of personal information in exchange for the discount.
According to the public prosecutor at the consumer protection court of
the district of Belo Horizonte, Fernando Ferreira Abreu, “the main scope of the
alleged rewards program is to collect consumers’ tax ID and not to establish a
rewards or loyalty program, per se”, and this constitutes an abusive practice
because discounts cannot be conditioned to the provision of personal
information.
Pursuant to the decision, “constant collection of information concerning
consumers purchase habits, performed in a concealed way and without prior
information, poses great risk to consumers’ intimacy and private life, as well
as subjects them to other risks of different kinds”.
The cases above are proof that the grace period of the LGPD has not been
an impediment to investigations and to have companies held accountable for
their actions, so much so that the operations that took place in 2018 represent
a small sample of what is to come, in particular vis-à-vis the effectiveness of
data protection regulations, in Brazil and abroad.