Drugstores in Brazil are doing it and that concerns me A LOT.
Their modus operandi is to ask you your CPF (it's like an SSN, but not that secret and powerful) and, if you refuse to tell them, you are not eligible for some discounts which can reach 40% in some more expensive items.
Customers happily agree to give their CPFs, completely unaware they are of the potentially disastrous consequences, and we are not even offered something resembling a privacy policy.
Think of the uses of such data. Health insurers could use them to detect and even predict health issues. One could estimate menstrual cycles and even the size of your genitalia.
A Brazilian data protection law is about to become active within the next weeks, but honestly.. such data shouldn't even be collected at all.
I'm looking for support for a bill to forbid drugstores to collect CPFs and to offer any sort of discount to people who identify themselves, but I believe this should be more publicized before being discussed for voting by the Congress. The more active drugstores on the "data business" are part of huge chains and their lobby will definitely be massive. Society should be aware of that and counterbalance for such lobby.
There are commercial services which allows companies to query government's database to check a given CPF's situation.
But they usually don't confirm that the number you give actually belongs to you. I always give a bogus, yet valid number (123.456.789-09). It's usually mapped to a customer, so somebody has already had the same idea or it's the remainders of a test database. They frown sometimes (actual CPFs follow very distinct number patterns) but didn't complain so far.
They don't insist that you use a credit or debit card, which are much more common than cash over here. I couldn't confirm yet, but I suspect that they have access to some identification of yours whenever you use a card, so I usually pay in cash, which is pretty annoying because they never have change.
This is a good point. I often "misspell" private information if its not an official form. If someone had more motivation, they could do a "different-secure-number-per-provider" trick and work out who leaked the information.
That's a good idea. I also feed fake data to those "extra-official" enlistments. But never thought about keeping a control to discover the responsible for the occasional leak.
In Brazilian drugstores, there are legitimate situations where they actually need your data, e.g., when you need some injectable medicine. In such cases, they need to send an official notice for government control, BUT they also ask you for an original document.
P.S.: one might argue that government shouldn't have access to data about injectable medicines you take. Personally, given the severe situation regarding drug-abuse of countries like ours, USA and others, I see some valid motivation in such tight controls.
That's an interesting thought. The european GDPR and I think the california CCPA have some sort of clause that says if you decide not to allow, you have to be treated the same.
But loyalty discount cards and your drugstore example should have a way to get the discount without giving up your anonymity. This would be better for society.
I can't see other way than entirely forbid drugstores from having loyalty/rewards programs based on personal identification.
They would be allowed to ask for your information when buying through app/web, but could never give you discounts or incentives of any sort for buying through such platforms.
And that wouldn't mean they couldn't have a loyalty program: they could give customers stamps on paper cards, paper seals and alikes. It may sound archaic, but some big supermarket chains use this method regularly and it works pretty well.
Good to know about such clauses in GDPR and CCPA. I didn't take the time yet to read our own law in detail. I've read that it's gotten much inspiration from GDPR, but the articles I've read so far didn't mention such clauses, being more focused instead on aspects regarding data storing and sharing with third-parties.
I'm going to read it thoroughly within the next days.
It has a lot of rules with sharing with unrelated usage, whatever entity is using them (first or third party). On practice, that means they'll have to disclose every way they'll use the data, and get authorization for each one.
It doesn't restrict sharing it by itself, it's just that the third party will use the data, and thus will need your authorization.
Their modus operandi is to ask you your CPF (it's like an SSN, but not that secret and powerful) and, if you refuse to tell them, you are not eligible for some discounts which can reach 40% in some more expensive items.
Customers happily agree to give their CPFs, completely unaware they are of the potentially disastrous consequences, and we are not even offered something resembling a privacy policy.
Think of the uses of such data. Health insurers could use them to detect and even predict health issues. One could estimate menstrual cycles and even the size of your genitalia.
A Brazilian data protection law is about to become active within the next weeks, but honestly.. such data shouldn't even be collected at all.
I'm looking for support for a bill to forbid drugstores to collect CPFs and to offer any sort of discount to people who identify themselves, but I believe this should be more publicized before being discussed for voting by the Congress. The more active drugstores on the "data business" are part of huge chains and their lobby will definitely be massive. Society should be aware of that and counterbalance for such lobby.