Claro's Data-Sharing Blunder: A Cautionary Tale for Companies Treating Customer Data Like Party Favors

Table of Contents
What Did Claro Do Wrong?
Brazil's data protection authority, ANPD, has initiated a sanctioning process against telecom operator Claro for sharing customer personal data with credit bureau Serasa without proper legal basis. This isn't just a slap on the wrist—it could set a major precedent for data-sharing practices across Latin America.
The Gist of the Case
Claro allegedly transferred customer data to Serasa for credit scoring purposes without obtaining explicit consent or meeting other lawful grounds under the Brazilian General Data Protection Law (LGPD). The ANPD's move signals that even big players aren't immune to scrutiny.
Why This Matters for Your Business
If you're handling customer data, this case is a wake-up call. Sharing data with third parties—even for seemingly benign purposes like credit checks—requires a solid legal foundation. Think of it like lending your friend's car without asking: you might mean well, but it's still a violation of trust.
Key Takeaways from the ANPD's Action
- Consent is king: Unless you have a specific legal exception, you need clear, informed consent from users before sharing their data.
- Data minimization applies: Only share what's strictly necessary for the purpose.
- Accountability is non-negotiable: You must document your data-sharing activities and be ready to justify them.
What Could Happen to Claro?
Potential penalties include fines of up to 2% of Claro's revenue in Brazil (capped at R$50 million per violation), public warnings, or even a ban on processing certain data. The ANPD's decision will likely influence how other companies approach data sharing.
How to Avoid a Similar Fate
First, audit your data-sharing agreements. Second, ensure you have a lawful basis—usually consent or legitimate interest—and that you've informed users clearly. Third, implement technical safeguards like pseudonymization. And finally, remember that reading privacy policies should be less painful than cleaning grout with a toothbrush—make them clear and concise.
FAQ
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law, similar to the EU's GDPR. It regulates how companies collect, use, and share personal data.
Can companies share data without consent?
Yes, but only under specific legal bases like legitimate interest, legal obligation, or contract performance. Consent is the most common and safest route.
What should I do if my company shares data with credit bureaus?
Review your legal basis, update your privacy policy, and ensure you have a data processing agreement in place. Consult a privacy lawyer to stay compliant.
🔍 Data-Sharing Compliance Checklist

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings

Pseudonymized Data: Japan's Secret Weapon for Competitive Advantage?

Mandatory Arbitration Clauses: The Hidden Trap in Software Contracts That Strips Your Right to Sue

Russia's Pre-Processing Notification: Exceptions You Can't Afford to Ignore
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now