Tracking and Telemetry in the Fight Against Software Piracy: An Analysis Under the LGPD and GDPR

The use of telemetry and tracking technologies by software developers to detect and combat the unauthorized use of their products has become increasingly common. As piracy continues to cause substantial financial losses and disrupt the software industry, companies are turning to tools capable of collecting technical data—such as IP addresses, MAC addresses, geolocation, timestamps, and device identifiers—to protect their intellectual property. This practice, however, raises important legal questions, especially regarding data privacy and the applicability of data protection laws like the General Data Protection Regulation (GDPR) in the European Union and the Lei Geral de Proteção de Dados (LGPD) in Brazil.

From a legal standpoint, the collection of technical data for license compliance purposes is, in general, lawful. Both the GDPR and the LGPD allow the processing of personal data when it serves a legitimate interest of the data controller, particularly when it relates to the exercise of rights in legal, administrative, or arbitration proceedings. Preventing and responding to software piracy falls squarely within this scope. Software companies are entitled to defend their rights and ensure that their products are used in accordance with license agreements. Furthermore, this legal basis is reinforced when users—whether knowingly or not—accept the End User License Agreement (EULA), which often includes clauses that explicitly authorize the collection and use of technical data for compliance and enforcement purposes. Even in the case of pirated installations, courts in different jurisdictions have recognized that users frequently give consent by proceeding with installation steps that involve agreeing to the software terms.

Technical data such as IP addresses or MAC addresses can be classified as personal data under data protection laws when they are linked to an identifiable individual. That does not, however, render their collection unlawful. Rather, it requires the data controller to implement safeguards and comply with principles such as purpose limitation, necessity, and transparency. Companies must inform users—typically through the EULA or a privacy notice—that such data may be collected and used for the purpose of protecting the software developer’s rights. As long as the use of the data is strictly limited to license compliance and intellectual property enforcement, and the data is handled securely and proportionately, the practice is generally in line with applicable regulations.

It is also important to clarify that explicit consent is not the only lawful basis for processing personal data. Both the GDPR and the LGPD recognize legitimate interest as a valid legal ground when it is balanced against the rights and freedoms of the data subject. In cases involving piracy, it would be unreasonable to expect infringers to provide consent for monitoring. That is precisely why the law allows data controllers to rely on other legal bases—particularly when the objective is to investigate and address unlawful activity. What matters most is proportionality: the data collected must be necessary for the specific purpose, and the company must not go beyond what is required to identify and act upon unauthorized use.

In most enforcement programs, the technical data collected is limited, non-sensitive, and used exclusively to identify patterns of piracy. Many systems even employ pseudonymization or hashing techniques to enhance privacy protection while preserving enforcement capacity. Companies involved in software license compliance generally do not collect personal content or sensitive data—only technical indicators needed to determine whether the software is being used in breach of its license.

It is on the basis of these legal permissions that software companies—and increasingly, other rights holders with digital assets, such as audiovisual content producers, publishers, and creators of digital tools—have been investing heavily in tracking technologies and regularization campaigns around the world.