Clubhouse and LGPD: what the trending social network of the moment knows about you

That’s right, even if you do not have an active account on the Clubhouse platform – or if you have never, at least, registered on the new social network or downloaded the application, the North American company Alpha Exploration Co. may have information about you. I imagine that you must be wondering how that can happen. Then follow the reading of this article, where I will explain a little about what the Clubhouse is, its privacy policy, and its terms of service. Also, I will make a parallel that demonstrates (in)compatibility of the service offered and the Brazilian Data Protection Law (Lei Geral de Proteção de Dados – LGPD).

“I never saw, nor ate, I only hear about it”

Would you like to have the opportunity to chat or listen to the opinions of people you admire but have never had the opportunity to meet in person? Would you like to share the same (virtual) environment as celebrities? Do you like the idea of being part of a space where scholars and renowned professionals discuss different subjects? These are some of the facilities offered by the Clubhouse.

Launched in April 2020, in the middle of the covid-19 pandemic, the platform belongs to Alpha Exploration Co. and was developed by Rohan Seth, a former Google employee, and Paul Davison, a Silicon Valley entrepreneur. Unlike most social networks, the Clubhouse does not aim at exposing the image and building the selfie based on visual symbols. That is, no photos or videos are posted there; the application consists of chat rooms and audio messages in real-time.

The social network is based on audio conversations and allows you to listen to content exchanged between people, whether anonymous or famous. Also, any user can join the conversation. So, what matters is the content you have to share and who is interested in listening to it. In the application, users can create or access chat rooms, with up to five thousand participants, which are divided into different topics (from technology and marketing to politics and entrepreneurship). In addition to group conversations, it is possible to create private chats. If any user of the platform feels invaded or offended by another user, besides reporting, the person may block it. Those users blocked by you will not be able to see or interact with your chat rooms.

Several personalities have been seen on the platform, such as Elon Musk, Mark Zuckerberg, Luciano Huck, Boninho, and Oprah Winfrey.

For now, the application is only available to users of iOS (operating system provided by the company Apple Inc.). To join the social network as a user, it is necessary to be invited by someone who is already part of the platform (which makes each invitation highly valued). Upon joining, each user receives only two invitations. When the user invites someone to join the Clubhouse, their name will appear on that person’s profile, that is, the new user is marked as having been “nominated by”.

The new social network has achieved large numbers of downloads around the world. The audio chat application is currently the champion of downloads in the United States of America (USA) with 2.8 million, with 10 million downloads accumulated globally. In Brazil, the number of downloads has already exceeded 308 thousand.

The platform is considered a unicorn startup, as are Airbnb and Uber. In 2020, the Clubhouse was valued at $ 100 million. In 2021, the valuation reached $ 1 billion. Between January 30 and February 6, 2021, searches for the term Clubhouse grew 525% on the internet. People are so excited to join the social network that some are buying invitations to access the platform!

The basic rules for using the Clubhouse are (i) to be at least 18 years old, (ii) not to use false name or photo, (iii) not to reproduce the audios heard on the platform without permission, (iv) not to spam, among others. Also, commercial use of the application is not permitted.

According to the privacy policy, which is part of the platform’s terms of service, the content shared through the Clubhouse is ephemeral. Conversations cannot be recorded and are also not stored on the platform.

Terms of service, privacy policy and shadow profile

In an interview to Vanity Fair, the responsible company stated that it condemns all forms of racism, hate speech and abuse, as noted in the Community Guidelines and Terms of Service, besides it has trust and safety procedures in place to investigate and resolve any violation of these rules. 

Alpha Exploration Co. claims that its users’ audio messages are recorded and encrypted temporarily, only for the duration of the room and exclusively in the event of a Trust and Safety violation incident. The privacy policy of the application informs that if the room closes without any complaint from any user, the temporarily recorded conversations are immediately deleted. However, if there is an incident, the Clubhouse keeps the audio in storage until “the investigation is completed”. In such cases, the audio will be accessed for investigation but is not available for other users to hear.

The first obscure point regarding the protection of personal data is the fact that the privacy policy of the social network is only available for reading after the user has gone through all phases of registration. Another controversial point is regarding the correction and modification, by the user, of personal information that is stored on the platform. To be able to change, correct or delete any data, you must send an email to support@alphaexplorationco.com. Besides, if the user chooses to delete his account, he must also contact the company through the same email, making it impossible to delete the account immediately.

Also by the company’s privacy policy, each new user who registers at the Clubhouse will be asked to share their mobile contact schedule. The user can accept or not, without prejudice to his interaction with other users of the platform. However, it is understood, by reading the application’s privacy policy, that sharing the contact list makes the experience more dynamic and productive, given that the social network can warn (i) if any of your friends want to join the platform; (ii) created a profile on the platform, or (iii) indicate your profile to potential followers.

Due to users who share their phonebooks, the Clubhouse can store information from people who are not on the platform. That is, even if you do not have an account on the social network, if a friend of yours shares your contact list on your cell phone with the platform, it will have stored certain personal data about you.

The question arises: can a company collect and process personal data from those who have never interacted with it?

This business practice is known as a “shadow profile”. It happens every time that a company, through an activity of its user or client (such as posting a photo, a video, or sharing the contact list), starts to treat data of other people who do not have an account or any relationship with it. It is important to note that this practice is not exclusive to Clubhouse, other applications, such as WhatsApp and Facebook, also use it. However, the platform’s exponential growth, in a short period of time, drew attention to its privacy policies.

What about the protection of personal data at the Clubhouse?

In times of maturity of the culture of privacy and data protection, in the face of so many episodes of leakage of personal information, it is inevitable to question how the Clubhouse deals with the data and privacy of its users. That is, what happens after the chat room closes? Where are users’ audios stored or how are they deleted? How and for what purposes are user data processed?

According to Tek Deeps, the Clubhouse complies with the California Consumer Privacy Act (CCPA), California’s data protection law. However, the platform does not comply with the General Data Protection Regulation (GPDR), the European regulation on the protection of personal data. In fact, the National Data Protection Authority of Hamburg, Germany, initiated an investigation into the modality of sharing the company’s contact books.

In Brazil, the LGPD, strongly inspired by the European regulation, in force since September 18, 2020, directly impacts the processing of personal data. Therefore, it is necessary to question the extent to which the Clubhouse is under Brazilian law.

According to the LGPD, the data collection must be informed to the user, as well as the reasons why it will be done and how it will be used. Likewise, the law highlights that access to data may be revoked at any time, the will of the data subject must be respected. In the opposite direction, the Clubhouse does not provide information on how the data of users of the platform are treated and also does not allow the immediate exit of users of the platform.

Despite providing its services in Brazil, for individuals and data located in the national territory, the terms of service and privacy policy are not available in Portuguese. In addition, there is no mention of the person in charge and how the data subjects may claim their rights, as provided for in the LGPD.

Another subject of discussion is the mention, in terms of service, concerning the prohibition of the use of the application by minors under 18 years of age and, in their privacy policy, and concerning the request that users report if they know of minors who are under age. have provided personal data in the application. Thus, the platform is exempt from the responsibility of inspecting and outsourcing to the user the guarantee of compliance with article 14 of the LGPD, which limits the processing of personal data of children and adolescents.

Whether it is a fad or not, paying attention is essential

It is still too early to presume whether the Clubhouse is a fad or if it is here to stay. However, we must not wait for the answer to be attentive to the protection of our personal data and privacy. For now, the platform does not have a competitor with the same proposal, which is real-time audio conversations, so it may not feel any immediate damage by not adjusting its policies.

The points covered in this text do not prevent the use of the Clubhouse or make it more unsafe than other social networks. In the vast majority of terms of service and application privacy policies, there are obscure points regarding privacy and data protection.

The Clubhouse’s privacy policies are under the CCPA, however, they are at odds with the GDPR and LGPD. Anyway, the application is still in time to review its performance and adapt it to the legislation and needs of European and Brazilian users.

In the meantime, essential care for the use of social networks is recommended. In other words, carefully read the terms of service and privacy policy before using the platform. It is important to highlight that, in the case of the Clubhouse, it is worrying that there are no documents available in Portuguese. This can cause harm to several Brazilians who do not have knowledge of English and wish to join the social network.

The views and opinions expressed in this blogpost are those of the author. 
Illustration by Freepik Stories.