Brazil's National Data Protection Authority (ANPD) released Technical Note No. 6/2025, addressing its investigation into personal data processing by pharmacy chains and loyalty programs. The analysis involves RaiaDrogasil S.A. (RaiaDrogasil), STIX Fidelidade e Inteligência S.A. (Stix), and the Brazilian Federation of Associate and Independent Pharmacy Networks (Febrafar).
The investigation seeks to clarify practices related to the collection, storage, and sharing of personal data, with a focus on loyalty programs. The ANPD identified potential irregularities, including the collection of biometric data, improper data storage, use for undisclosed purposes, and sharing with third parties without transparency.
Among the main concerns raised, the report highlights the use of sensitive data, particularly information related to consumers' health. The ANPD found that the loyalty programs under review may be collecting and sharing information in ways that are incompatible with Brazil's General Data Protection Law (LGPD).
There are also questions about the validity of consent provided by customers. The ANPD questions whether consumers are fully aware of how their data is used, especially when consent is conditioned on benefits such as purchase discounts.
The investigation is based on complaints and prior studies, including analyses of privacy policies of pharmacy chains. The ANPD is now evaluating preventive measures and possible administrative sanctions to ensure greater transparency and protection for data subjects.
Source: ANPD
This post was translated from its original version using ChatGPT version 4, with human review.