Application of the first fine by the ANPD and international approaches to ‘web scraping’

Recently, the National Data Protection Authority (ANPD) applied its first sanction targeting a Brazilian telemarketing services company for violation of the General Data Protection Law (LGPD). The case involved the use of data scraping techniques to collect publicly available information on the internet, without the proper consent of the data subjects. The ANPD’s decision warns of the illegality of this practice, even when personal data is publicly accessible.

The ANPD’s key messages

  • The collection and sale of personal databases for telemarketing is not supported by the LGPD and can lead to severe sanctions for companies that engage in such illicit practices in Brazil.
  • The mere availability of data on the internet is not conclusive enough to legitimize the use of this information for any purpose whatsoever.
  • It is mandatory that the company matches the purpose for which the personal data was requested and obtains the consent of the data subjects if there is no specific legal basis.

Web Scraping

“Web scraping” is an automated technique for collecting publicly available information on the internet, carried out without the proper authorization of the data subjects.

Even when personal data is publicly available, its commercial use must correspond to the original purpose for which it was collected. Therefore, the practice is considered non-compliant with the General Data Protection Law.

Risks and recommended precautions for companies that purchase databases

The risk of sanctions does not only affect companies that sell databases. Those that buy databases from dubious sources can also be held liable. Some risks and recommended precautions are:

  • Check the Origin of the Data: Before purchasing any database, it is essential to verify the origin of the data and ensure that the supplier company has the proper authorization or legal basis to collect and sell this information. Here the risk falls on the purchasing company that negotiates an “infected” database and is therefore in non-compliance with the LGPD.
  • Consent of the Data Subjects: Even if the company purchases a database, it needs to ensure that it has the consent of the data subjects for the processing of this information, if there is no other legal basis that would justify the activity.
  • LGPD Compliance: Purchasing companies should ensure that their data processing activities comply with the LGPD, and respect the principles and rights provided for in the law.
  • Supplier Audit: Conduct regular audits of database providers to ensure that they are also compliant with the LGPD and do not violate the rights of data subjects.
  • Data Minimization: Practicing data minimization means collecting and retaining only the personal information necessary for the specific and informed purpose, avoiding excessive and unnecessary collection of personal data.
  • Accuracy of Personal Data Collected from Public Sources: The accuracy of personal data collected from public sources is a critical issue for companies to consider. In its decision, the ANPD further highlights the importance of ensuring that the personal data obtained is accurate and up to date. Lack of proper verification can lead to inappropriate processing and negatively affect the reliability of information used in business activities. In this case, the company merely stated that it used a certain method but did not provide detailed information on how the databases were constructed. The lack of clarity on the sources of personal data used prevented validation of the legitimacy of the information collected. This led to the conclusion that the processing of the data was carried out in a manner incompatible with the legitimate and specific purposes established by the LGPD.

International Good Practice Principles on the Subject

Understanding how different countries face the challenge of web scraping and the penalties for data breaches is crucial for a wider global view and improvement of the practices adopted in Brazil.

In several countries, data protection laws address web scraping and the use of personal data from public sources with different approaches. Some jurisdictions have specific regulations for the processing of web scraping data, while others rely on general data protection principles.

In some jurisdictions, personal data that is publicly available and does not contain sensitive information can be collected and used for legitimate purposes. However, even for public data, it is essential to ensure compliance with the principles of purpose, transparency and data minimization.

An example of this is the application of GDPR (General Data Protection Regulation) rules to transactions surrounding the purchase of personal data in the European Union:

  • Severe restrictions on the sale of personal data.
  • Requirement of adequate legal basis and informed consent.
  • Transparency in sales practices and protection of data subjects’ rights.
  • Guaranteed rights of access, rectification and opposition.

In California (USA), there are requirements set out in the California Consumer Privacy Act (CCPA) for the sale of personal data as a direction to authorities, which include:

  • Notice Requirement: Let consumers know about their right to opt out of the sale of their data. This notice should appear in the company’s privacy policy and on its website homepage.
  • Right to Opt Out: Provide an opt-out mechanism that allows consumers to choose not to have their personal information sold. This can be accomplished through a “Do Not Sell My Personal Information” link on the website or other accessible means.
  • Non-discrimination: Companies are prohibited from discriminating against consumers who opt out. This means that companies cannot deny products or services, charge different prices or offer a different level of service to consumers who opt out.
  • Verifying Requests: Companies should have procedures to verify the identity of consumers who make requests related to the sale of their personal information.
  • Parental Consent: For consumers under 16, companies must obtain opt-in consent, or for consumers under 13, they must obtain consent from a parent or guardian, before selling their personal information.
  • Obligations to Third Parties: If a company sells personal information to third parties, it must include certain provisions in its contracts with those vendors to ensure that personal information is handled appropriately and in compliance with the CCPA.
  • Annual Disclosure: Companies that sell personal information must disclose certain information in their privacy policies, including the categories of personal information sold and the categories of third parties to whom the information is sold.
  • Opt-In for Minors: If a company has actual knowledge that a consumer is between the ages of 13 and 16, it must obtain opt-in consent before selling their personal information.

Conclusion

The enforcement of the first fine by the ANPD demonstrates the need to respect the rights of data subjects and to ensure that the processing of personal data is based on valid legal grounds or on the consent of data subjects.

Companies that collect and commercialize personal databases for telemarketing should be aware that this practice is not legal and can lead to significant penalties.

Therefore, it is critical that purchasing companies conduct due diligence in verifying the origin of the data and its compliance with the LGPD. This will prevent financial and reputational damages to organizations.

By implementing good practices, conducting due diligence when acquiring databases and ensuring the accuracy of information, companies demonstrate respect for data subjects and build trust with their customers.

A look at international good practices can also be an important reference in the pursuit of a responsible and respectful approach towards citizens’ personal data. Data privacy is a global priority, and companies need to adapt to this new era of data protection to ensure an environment of trust and respect for rights.

Co-authors: Ana Carolina Gontijo, Carolina Britski Puga, Esther Jerussalmy Cunha, Denise Berzin Reupke and Fabrício Bertini Pasquot Polido
