Entry into force of the General Law on Data Protection (LGPD)
The Federal Senate rejected the extension of the General Law of Data Protection (LGPD). Thus, the law only awaits presidential sanction for its entry into force.
But, after all, what are the changes brought by LGPD and its impacts for businesses and consumers?
1. Detailed permissions
Companies must, obligatorily, detail to users the use of their personal data, being forbidden to use generic terms, such as, for example, "improvement of services", without specifying what these improvements would be. Moreover, if the consumer provides his e-mail address with the exclusive purpose of registering for an event, the company may not use it to send promotional messages. It will need detailed permission for each act of using the consumer's personal data.
2. Package of rights
By the norm, each user will have control over their own data and will be able to authorise the collection of their information. The person will have the ability to question a company about the use being made of their name, CPF and purchase records. It also guarantees that the user can rectify inaccurate data and oppose the collection of information considered sensitive, such as their sexual orientation.
The Brazilian Institute for Consumer Protection (Instituto Brasileiro de Defesa do Consumidor) mentioned that the user of a dating application, such as Tinder, may require the company to provide a list of the data it has, how it is handled and with whom it is shared.
3. CPF in the purchase of medicines
The law ensures that consumers can consult a pharmacy about the use of their CPF and purchase records. In the case of informing their CPF to get discounts on a medicine, the customer is guaranteed that their data will not be used to create a "pharmacological profile" - taking advantage of continuous use, for example, to charge more for the medicine.
4. Repair in the event of leaks
Control and operating companies, responsible for collecting and processing data, must keep their procedures registered and may be called at any time to inform a protection report. If the National Data Protection Authority (ANPD) finds the leak, the user must be notified and informed of the measures taken. He or she will also be able to request redress and compensation for the damage.
5. Facial recognition and biometric data
The use of "smart cameras", which collect data on users' emotions through facial recognition, is prohibited without specific authorisation. The sale of facial recognition and biometric data is also prohibited by the law.
6. Digital in condominiums
The installation of biometrics in the entrance gate of condominiums may only be done on a legitimate basis, such as the consent of the residents or the express provision in a contract. It will no longer be allowed to be implemented, in an imposed way, by the administrators. In case of use, the condominium will have to ensure a safe structure for fingerprint collection and storage.
7. Artificial intelligence
The use of artificial intelligence for automated decisions, including access to bank credit and job selection, must be informed to the user, who may or may not authorise it. According to Idec, if an automated decision impacts personal, professional or consumer interests, it may be questioned by the user, asking for it to be reviewed. "If you were disqualified from the first stage of a job selection because you did not smile enough, you can ask for a review of that decision," the institute reports.
8. Personality tests
The law determines that test and app developers request the least amount of data necessary for their activities, respecting, according to Idec, the "principle of purpose". This guideline applies to popular aging tests or tests that change the gender photo. Usually, these apps collect, for free, data beyond the photo, such as friends list, likes and interests, being sold later to companies. The user will have the right to ask the developer for a report of the information collected and ask for it to be deleted.
9. Differentiated pricing
E-commerce companies must inform their customers about their collected data and the eventual offer of individualized prices, based on their location and search history, among others. Consumers may welcome - or not - the policy and, in the event of price differentiation without their consent, seek compensation.
10. Portability of personal data
According to the law, users will have the right to request the portability of their personal data from one tool to another - from Spotify to Deezer, exemplifies Idec. In this case, the responsible party will need to delete your information or make it anonymous. It will be similar to porting from one telephone operator to another.
At first, and briefly, these will be the implementations brought with the General Data Protection Law.
Patrícia Teodoro
Junior Assistant Professor of Contemporary Civil Law at CEDIN Law School
Tag:cpf, data, general, Law, permission, protection