
Credit protection and consent: Brazil's top court changes treatment of data in the credit market

Brazil's Superior Court of Justice ruled credit protection may justify internal risk analysis, but it does not automatically authorize credit bureaus to share identifiable consumer data with third parties without consent.


Contributors:

Rafael Avellar Centoducatte

CIPM, CDPO/BR

Privacy specialist

Hapvida

Those working in privacy, credit or data governance have seen it before. At some point, it clicks: names, addresses, phone numbers and even estimated income are being shared with third parties — not because of missed payments, but simply because individuals exist as consumers in a credit-driven economy. 

This was the background of a case decided by Brazil's Superior Court of Justice in 2025, in REsp 2.201.694/SP. In the lawsuit, a consumer challenged the sharing of his identifiable registration data by a credit information management and provision company, otherwise known as a credit bureau, to third parties without specific consent.

The decision quickly became a landmark in the interpretation of Brazil's General Data Protection Law as applied to the credit market, establishing clearer limits on the sharing of personal data in the absence of consent.

The ruling revives a tension well-known to privacy professionals. How far may data circulate in the name of credit protection before colliding with the data subject's informational self-determination? And, in practical terms, what changes in risk management and regulatory compliance?

Not all credit data is the same

One of the merits of the decision was forcing the market to acknowledge something historically treated as homogeneous. Not all "credit data" is legally equivalent.

On one side lies credit scoring, understood as a statistical model that generates a risk score based on aggregated variables. Brazilian case law, aligned with international practice, has long recognized that scoring may be used without consent, provided principles such as transparency, proportionality and non-discrimination are respected. A score expresses a probability, not an individual's identity.
