The Procon-MG, linked to the Public Ministry of Minas Gerais, imposed a fine of R$ 8,497,500.00 against the pharmacy chain Raia Drogasil S/A (Droga Raia). The penalty stems from the practice of requiring consumers' CPF (individual taxpayer identification) numbers at service counters and checkout points in establishments located in Belo Horizonte.
Droga Raia argued in its defense that collecting CPF numbers is aimed at identifying customer profiles to target exclusive offers and benefits, denying that promotions were made conditional on providing personal data. However, prosecutor Fernando Ferreira Abreu pointed out that this practice, carried out without proper prior notice or transparency, represents a threat to consumer privacy and exposes them to significant risks, such as the misuse of information in the event of a data breach.
The prosecutor illustrated the potential harms, noting that information about medication purchases could be used by health insurers or insurance companies to deny coverage or claims, on the grounds of undisclosed pre-existing conditions.
Procon-MG found that the company violated provisions of the Consumer Protection Code, Federal Decree No. 2,181/97, and Brazil's General Data Protection Law (LGPD), which guarantee the protection of personal data and prohibit its collection without clear and justified consent. During the administrative proceedings, the company rejected transaction and conduct adjustment proposals offered by the oversight body, resulting in the imposition of the fine.
Link to the decision
Source: MPMG