I can certainly see them playing dark pattern games with sensitive privileged data from one business cross-pollinating into unrelated businesses by way of blind user agreement acceptance though.
EDIT: From their most recent 10-K filing[1], under Government regulation:
In addition, Mercado Pago as a payment institution in Brazil is subject to:
...
(iv) Data Protection Law: In August 2018, Brazil approved its first comprehensive data protection law (the “Lei Geral de Proteção de Dados Pessoais” or “LGPD”), which became applicable to our business in Brazil since August 2020. In December 2018, the former president of Brazil issued Provisional Measure No. 869/2018 which amended the LGPD and created Brazil’s national data protection authority (the “ANPDP”). We have created a program to oversee the implementation of relevant changes to our business processes, compliance infrastructures and IT systems to reflect the new requirements and comply with the LGPD. The LGPD establishes detailed rules for the collection, use, processing and storage of personal data and affects all economic sectors, including the relationship between customers and suppliers of goods and services, employees and employers and other relationships in which personal data is collected, whether in a digital or physical environment.
(v) Secrecy rules: In addition to regulations affecting payment schemes, Mercado Pago is also subject to laws relating to internet activities and e-commerce, as well as banking secrecy laws, consumer protection laws, tax laws (and related obligations such as the rules governing the sharing of customer information with tax and financial authorities) and other regulations applicable to Brazilian companies generally. Internet activities in Brazil are regulated by Law No. 12,965/2014, known as the Brazilian Civil Rights Framework for the internet, which embodies a substantial set of rights of internet users and obligations relating to internet service providers, including data protection.
Law No. 12,865/2013 prohibits payment institutions from performing activities that are restricted to financial institutions, such as granting loans directly. In November 2020, the BACEN approved the application filed by MercadoLibre Inc. for authorization to incorporate a financial institution in the modality of credit, financing and investment corporation (SCFI). In light of the authorization granted by BACEN, we incorporated a new entity (Mercado Crédito Sociedade de Crédito, Financiamento e Investimento S.A.), which operates activities related to the granting of loans and obtains better funding alternatives for our business.
...
The BACEN is also implementing the Brazilian Open Banking environment, to enable the sharing of data, products and services between regulated entities — financial institutions, payment institutions and other entities licensed by the BACEN — at the customers' discretion, as far as their own data is concerned (individuals or legal entities). The Open Banking implementation has been gradual, through incremental phases that take into account specific information/services to be shared, and Mercado Pago is a participant of the Open Banking system since February 2021, when its phase 1 started.
[1] https://www.sec.gov/Archives/edgar/data/0001099590/000156276...
