WHO CARES ABOUT MY PRIVACY?
#consent #cybersecurity #privacy

When analyzing how four companies operating in Brazil handle customer information, research concludes: the General Data Protection Law must be enforced immediately.
Delivery workers are exhausted. And it’s not just because work increased with the COVID-19 pandemic: with isolation, the exploitation of labor by companies such as iFood, Uber Eats, and Rappi intensified even further, as compensation fell during the pandemic—not due to a decrease in service demand, but because of the percentage taken by these platforms. In recent months, many of these workers have started to organize and share information about their work hours, the relationship between the compensation received versus distances traveled, and they are listing a series of demands they intend to bring to the streets in early July.
Long questioned for exploiting cheap labor without providing adequate job security, health, and safety guarantees, these platforms also exploit our personal data. To try to understand the extent to which the use of this data is transparent and compliant with local legislation, we are launching today the research: “Application of Personal Data Protection Law: A Case Study of Companies with Data-Based Business Models.” Conducted between August and October 2019, the research focuses on analyzing the terms of use and privacy policies of services from four companies operating in Brazil (Amazon Prime Video, iFood, Magalu e-commerce, and Social Miner).
[Download the full research PDF in Portuguese here]
As the use of apps for entertainment, food delivery, shopping, studying, working, and communicating was already common, with isolation, it intensified to the point where companies had to review their activities, schedules, increase workforce for delivery apps, and, in the case of streaming companies, reduce video quality to accommodate the significant increase in audience, for example.
At the same time, this also means there is more data circulating than ever before. With this in mind, we asked: are companies observing and adhering to privacy and data protection principles while providing all these services? What we have seen is that abuses and incidents concerning our privacy have been numerous. Recently, for example, iFood exposed personal information of registered customers, including sensitive items such as address, email, phone number, CPF, last four digits of credit card, order history, and chats with the delivery person.
The research launched today is the Portuguese version of the Brazilian case studies published in the regional research: “Festín de datos. Empresas y datos personales en América Latina,” coordinated by the Colombian NGO Dejusticia.
In the regional context, the country fares poorly compared to neighboring countries, as unlike our brothers and sisters in the region, we still do not have a specific law in force. In August 2018, we celebrated the approval of the General Data Protection Law (LGPD) in Brazil. It aims to establish new rules for this sector, bring legal certainty to data processing activities, and ensure that citizens’ rights are respected. From this date, it was determined that public and private institutions would have two years to adapt to the new legislation until its enforcement in August 2020. However, in April 2020—just a few months before the LGPD was to come into effect—President Jair Bolsonaro issued Provisional Measure (MP) 959, postponing the Law’s enforcement to May 3, 2021. The MP may still be revoked, returning the effective date to August.
Research Methodology
Based on the comparative analysis methodology developed for the regional research, we analyzed the terms of use and privacy policies (versions from August to October 2019) of four companies with products aimed at the Brazilian public and with the following descriptions: (a) Large Internet Company, (b) Intermediate Internet Company, (c) Startup, and (d) Established/Traditional Company.
Among the companies, the selected ones were Amazon (Large Internet Company), specifically its Amazon Prime Video product offered in Brazil in partnership with Vivo; iFood (intermediate company), whose app download numbers at the time exceeded 10 million, showing the significant growth of the Brazilian food delivery company; Social Miner, a Brazilian startup working in digital marketing and recognized as one of the 100 startups to watch in Brazil; and finally, Magazine Luiza was selected as the Established Company, having emerged before the Internet but being one of the first companies in the country to use the concept of virtual stores and having a digital strategy worth noting.
Once the companies were selected, we described how the chosen organizations emerged, the market they operate in, and the services they offer. For example, it was soon possible to verify how Magazine Luiza’s marketing strategy evolved over the years to better serve the online market. The exponential growth of iFood, a Brazilian food delivery company with over 600,000 orders per day just in Brazil and also present in Mexico, Colombia, and Argentina, was also noteworthy.
Analysis of Privacy Policies and Terms of Use: Highlights
Based on our analysis of the privacy policies and terms of use of the researched companies, here are relevant points for the discussion:
a) Purpose, Consent, and Sharing with Third Parties
- Sometimes, consent is unclear. Especially in the case of Social Miner, consent for the collection of browsing data, supported by cookie collection, occurs through user acceptance on the clients’ websites via notifications on the top or bottom of the screen. However, it is unclear whether there is a standard text provided to users on the clients’ sites or if the cookie tracking notifications are specific enough for users to understand that the collection will be used not only to improve browsing but also for digital marketing purposes.
- There is significant difficulty finding the privacy policies governing Amazon Prime Video if contracted via a telecommunications provider. According to the contract with Vivo, the service is governed by the terms of use of both companies. However, the terms of use for Prime Video subscriptions by Vivo customers do not address data protection for those who subscribed to the service; they only cover contracting, payment, and cancellation procedures.
- Regarding data sharing with third parties, Amazon’s Privacy Notice states that the “company does not sell customer information” but lists actors with whom it shares this data. Among them are entities described as “affiliated business we do not control,” without specifying who these affiliates are. The text merely refers to another document with examples of brands, mostly American, such as Starbucks, OfficeMax, Verizon Wireless, Sprint, T-Mobile, AT&T, J&R Electronics, Eddie Bauer, and Northern Tool + Equipment. It can be inferred that Vivo would also fall into this category. iFood states that “food group members” and “service providers and other partners” may have access to customer data. The policy is broad and does not clarify which data could be shared, suggesting that the company might outsource iFood services to subsidiaries and consequently its user base. Magazine Luiza’s privacy policy, on the other hand, is relatively vague regarding obtaining user consent. The document only addresses data use and the possibility for customers to unsubscribe from marketing email lists but does not mention obtaining prior, informed, and consented authorization guiding data processing.
b) Use of Cookies
- Concerning cookies, Social Miner is the only one with a specific cookie policy, which is expected given that the services provided by the startup rely heavily on cookie tracking for marketing campaigns. iFood specifies that information about user activities on the company’s website or app is aggregated and considered as “non-personal” data, supposedly because it does not allow for individual identification. The policy also classifies “age, individual preferences, language, ZIP code, and area code” as non-personal data. Amazon’s privacy notice also specifically addresses cookies, explaining that it is possible to disable these tools in the browser, but at the same time states that “if you block or reject our cookies, you will not be able to add items to your cart, check out, or use any product on amazon.com that requires you to sign in.” Thus, even though there is an option to disable cookies, it becomes impossible to do so and continue using Amazon’s services.
- iFood’s privacy policy mentions that some of its email messages use a ‘click-through URL’ [external address] linked to the content. When customers click on one of these URLs, they are directed to a different server before reaching the destination page on iFood’s service. The company then monitors this click-through data to understand interest in certain topics and evaluate the effectiveness of communications with customers. If a customer does not want to be monitored in this way, the policy requires them to “not click on text or links in emails sent by iFood.” This practice of directing users to servers before the final destination page is apparently not disclosed to customers at any time—except for those who read the privacy policy thoroughly before clicking on any links in iFood’s emails. This practice is not ideal and may violate users’ rights to clearly consent to data collection.
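To make the click-through mechanism concrete from the recipient's side, here is an added example (not code from the research or from any of the companies studied) that scans an email body for links that route the click through an intermediate host instead of pointing at the sender's own site, and unwraps the real destination where it is carried in the URL. The sender domain `example.com`, the tracking host `track.example.invalid`, the `u` parameter name, the list of candidate parameter names and the sample HTML are all constructed for this illustration.

```python
"""Spot 'click-through' tracking links in an e-mail body and unwrap them.

Added illustration; not the research's or any vendor's code. The sender
domain, tracking host, parameter names and sample message are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample e-mail body: one direct link to the sender's site and
# two links that send the click through an intermediate tracking server.
SAMPLE_EMAIL_HTML = """
<p>Your order is ready. <a href="https://www.example.com/orders/123">View it</a></p>
<p><a href="https://track.example.invalid/click?cid=42&amp;u=https%3A%2F%2Fwww.example.com%2Fpromo">Today's offers</a></p>
<p><a href="https://track.example.invalid/r/abc123">Unsubscribe</a></p>
"""

# Query parameter names that commonly carry the final destination.
# Assumed list for this example; real tracking services vary.
REDIRECT_PARAMS = ("u", "url", "redirect", "target", "dest")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated anchor text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def unwrap_redirect(href):
    """Return the destination embedded in a redirect link, or None if absent."""
    qs = parse_qs(urlparse(href).query)
    for name in REDIRECT_PARAMS:
        if name in qs:
            candidate = unquote(qs[name][0])
            if urlparse(candidate).scheme in ("http", "https"):
                return candidate
    return None  # opaque token-style redirect: destination only known server-side


def classify_links(html, sender_domain):
    """Label each link 'direct' (host is the sender's own domain or a
    subdomain of it) or 'click-through' (host is a different server that
    will see the click before the reader reaches the real page)."""
    report = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        if host == sender_domain or host.endswith("." + sender_domain):
            report.append({"text": text, "href": href,
                           "kind": "direct", "destination": href})
        else:
            report.append({"text": text, "href": href,
                           "kind": "click-through",
                           "destination": unwrap_redirect(href)})
    return report


if __name__ == "__main__":
    for entry in classify_links(SAMPLE_EMAIL_HTML, "example.com"):
        print(f"{entry['kind']:13} {entry['text']!r:18} -> {entry['destination']}")
```

The third sample link shows the case the policy text glosses over: when the redirect carries only an opaque token, the recipient cannot learn the destination without performing the click, which is exactly what makes the practice hard to consent to in any informed way.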
c) Relationship with GAFAM and Potential Unauthorized Data Handling
- None of the studied privacy policies explicitly mention the handling of sensitive data, although several might involve some profiling activities.
d) Vague Provisions on Data Security and Confidentiality
- The security provisions in the analyzed privacy policies are generic and tend to only disclaim responsibility for data leaks. Social Miner, for instance, states in its privacy policy that it “operates with the highest data security standards but is not responsible for potential data theft or third-party breaches.” To specify its security standards, the startup simply provides a link to a page listing the compliance certificates that Amazon Web Services, likely used by the company, holds worldwide. Social Miner and iFood do not clearly address user notification in cases of breaches, a clear violation of the LGPD.
e) Right to Easily Access, Correct, or Delete Information
- Magazine Luiza treats users as the actual data owners and allows the addition, deletion, or modification of information related to their user profile. Although the document guarantees the user’s right to access, correct, or delete their information, it does not mention the available means for ensuring this right. Furthermore, the privacy policy does not address the possibility of data deletion after the end of the relationship that prompted the data collection.
Conclusions and Recommendations
The research shows that data protection practices in Brazil need significant improvement, considering that many aspects of the analyzed privacy policies and terms of use are not in line with the principles established by the LGPD. However, the enforcement of the LGPD, which will bring many benefits to the protection of citizens’ rights and privacy, is still postponed. Therefore, it is critical that public authorities act to implement the law and ensure that companies are held accountable for their data handling practices, ensuring that citizen data is handled transparently, securely, and in accordance with local legislation.